Make sudo access managed via IAM rather than group checkmark
All checks were successful
continuous-integration/drone/push Build is passing
continuous-integration/drone Build is passing

This commit is contained in:
Garrett Mills 2021-04-15 10:56:11 -05:00
parent f2995899ec
commit b26519ea88
Signed by: garrettmills
GPG Key ID: D2BF5FBA8298F246
3 changed files with 39 additions and 14 deletions

View File

@ -62,7 +62,7 @@ class GroupResource extends CRUDBase {
required: true, required: true,
type: 'text', type: 'text',
}, },
{ /*{
name: 'Superuser equivalent?', name: 'Superuser equivalent?',
field: 'grants_sudo', field: 'grants_sudo',
type: 'select', type: 'select',
@ -70,7 +70,7 @@ class GroupResource extends CRUDBase {
{display: 'Yes', value: true}, {display: 'Yes', value: true},
{display: 'No', value: false}, {display: 'No', value: false},
], ],
}, },*/
{ {
name: 'Users', name: 'Users',
field: 'user_ids', field: 'user_ids',

View File

@ -26,6 +26,7 @@ class SudoController extends LDAPController {
return next(new LDAP.InsufficientAccessRightsError()) return next(new LDAP.InsufficientAccessRightsError())
} }
const iam_targets = this.parse_iam_targets(req.filter)
if ( req.scope === 'base' ) { if ( req.scope === 'base' ) {
// If scope is base, check if the base DN matches the filter. // If scope is base, check if the base DN matches the filter.
// If so, return it. Else, return empty. // If so, return it. Else, return empty.
@ -34,12 +35,12 @@ class SudoController extends LDAPController {
const user = await this.get_resource_from_dn(req.dn) const user = await this.get_resource_from_dn(req.dn)
// Make sure the user is ldap visible && match the filter // Make sure the user is ldap visible && match the filter
if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo()) ) { if ( user && user.ldap_visible && req.filter.matches(await user.to_sudo(iam_targets)) ) {
// If so, send the object // If so, send the object
res.send({ res.send({
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')), dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
attributes: await user.to_sudo(), attributes: await user.to_sudo(iam_targets),
}) })
} }
} else if ( req.scope === 'one' ) { } else if ( req.scope === 'one' ) {
@ -55,12 +56,12 @@ class SudoController extends LDAPController {
if ( req.dn.equals(user.sudo_dn) || user.sudo_dn.parent().equals(req.dn) ) { if ( req.dn.equals(user.sudo_dn) || user.sudo_dn.parent().equals(req.dn) ) {
// Check if the filter matches // Check if the filter matches
if ( req.filter.matches(await user.to_sudo()) ) { if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {
// If so, send the object // If so, send the object
res.send({ res.send({
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')), dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
attributes: await user.to_sudo(), attributes: await user.to_sudo(iam_targets),
}) })
} }
} }
@ -79,12 +80,12 @@ class SudoController extends LDAPController {
if ( req.dn.equals(user.sudo_dn) || req.dn.parentOf(user.sudo_dn) ) { if ( req.dn.equals(user.sudo_dn) || req.dn.parentOf(user.sudo_dn) ) {
// Check if filter matches // Check if filter matches
if ( req.filter.matches(await user.to_sudo()) ) { if ( req.filter.matches(await user.to_sudo(iam_targets)) ) {
// If so, send the object // If so, send the object
res.send({ res.send({
dn: user.sudo_dn.format(this.configs.get('ldap:server.format')), dn: user.sudo_dn.format(this.configs.get('ldap:server.format')),
attributes: await user.to_sudo(), attributes: await user.to_sudo(iam_targets),
}) })
} }
} }
@ -98,6 +99,20 @@ class SudoController extends LDAPController {
return next() return next()
} }
parse_iam_targets(filter, target_ids = []) {
if ( Array.isArray(filter?.filters) ) {
for ( const sub_filter of filter.filters ) {
target_ids = [...target_ids, ...this.parse_iam_targets(sub_filter)]
}
} else if ( filter?.attribute ) {
if ( filter.attribute === 'iamtarget' ) {
target_ids.push(filter.value)
}
}
return target_ids
}
get_cn_from_dn(dn) { get_cn_from_dn(dn) {
try { try {
if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn) if ( typeof dn === 'string' ) dn = LDAP.parseDN(dn)
@ -108,8 +123,7 @@ class SudoController extends LDAPController {
async get_resource_from_dn(sudo_dn) { async get_resource_from_dn(sudo_dn) {
const cn = this.get_cn_from_dn(sudo_dn) const cn = this.get_cn_from_dn(sudo_dn)
if ( cn ) { if ( cn ) {
const user = this.User.findOne({uid: cn.substr(5), ldap_visible: true}) return this.User.findOne({uid: cn.substr(5), ldap_visible: true})
if ( user && (await user.has_sudo()) ) return user
} }
} }
} }

View File

@ -207,14 +207,25 @@ class User extends AuthUser {
return groups.some(group => group.grants_sudo) return groups.some(group => group.grants_sudo)
} }
async to_sudo() { async to_sudo(iam_targets = []) {
const Policy = this.models.get('iam:Policy')
const granted = []
for ( const target of iam_targets ) {
if ( await Policy.check_user_access(this, target, 'sudo') ) {
granted.push(target)
}
}
return { return {
objectClass: ['sudoRole'], objectClass: ['sudoRole'],
cn: `sudo_${this.uid.toLowerCase()}`, cn: `sudo_${this.uid.toLowerCase()}`,
sudoUser: this.uid.toLowerCase(), sudoUser: this.uid.toLowerCase(),
...(granted.length ? {
iamtarget: granted,
sudoHost: 'ALL', sudoHost: 'ALL',
sudoRunAs: 'ALL', sudoRunAs: 'ALL',
sudoCommand: 'ALL', sudoCommand: 'ALL',
} : {})
} }
} }