tailcfg, ssh/tailssh: make SSHUser value '=' map ssh-user to same local-user
Updates #3802 Change-Id: Icde60d4150ca15c25d615a4effb3d3c236f020a8 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
parent
21445b56a5
commit
f7e976db55
@ -624,10 +624,14 @@ func matchRule(r *tailcfg.SSHRule, ci *sshConnInfo) (a *tailcfg.SSHAction, local
}
}
func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser string) {
func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser string) {
if v, ok := ruleSSHUsers[reqSSHUser]; ok {
v, ok := ruleSSHUsers[reqSSHUser]
return v
if !ok {
v = ruleSSHUsers["*"]
}
}
return ruleSSHUsers["*"]
if v == "=" {
return reqSSHUser
}
return v
}
}
func matchesPrincipal(ps []*tailcfg.SSHPrincipal, ci *sshConnInfo) bool {
func matchesPrincipal(ps []*tailcfg.SSHPrincipal, ci *sshConnInfo) bool {
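Review bot: With the new `if v == "=" { return reqSSHUser }` branch, a rule keyed `"*": "="` returns whatever username the SSH client sent, so the client can name `root` or any service account and that becomes localUser unless matchRule or the later login path re-validates it; that check is not in this hunk, so I'd confirm it exists and leave a comment at the branch: `// "=" passes the client-chosen username through unchanged; callers must still verify the account.` A related edge: an empty reqSSHUser under "=" now returns "", which the caller presumably treats as no-match like an empty map value, and that is worth pinning in a test. Note also that a local account literally named "=" can no longer be a mapping target, which is probably acceptable but is a silent semantic change. mapLocalUser is fully visible; matchRule's body begins before the hunk.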
@ -153,6 +153,18 @@ func TestMatchRule(t *testing.T) {
ci: &sshConnInfo{uprof: &tailcfg.UserProfile{LoginName: "foo@bar.com"}},
ci: &sshConnInfo{uprof: &tailcfg.UserProfile{LoginName: "foo@bar.com"}},
wantUser: "ubuntu",
wantUser: "ubuntu",
},
},
{
name: "ssh-user-equal",
rule: &tailcfg.SSHRule{
Action: someAction,
Principals: []*tailcfg.SSHPrincipal{{Any: true}},
SSHUsers: map[string]string{
"*": "=",
},
},
ci: &sshConnInfo{sshUser: "alice"},
wantUser: "alice",
},
}
}
for _, tt := range tests {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
t.Run(tt.name, func(t *testing.T) {
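Review bot: The only new case pins the wildcard form `"*": "="`; the explicit-key form (`"alice": "="`), which is the more tightly scoped way operators would use this, and the empty-requested-user edge are not exercised. I'd add a case with `SSHUsers: map[string]string{"alice": "="}`, `ci: &sshConnInfo{sshUser: "alice"}`, `wantUser: "alice"`, plus one with `"*": "="` and `sshUser: ""` expecting whatever the table uses for a non-match (presumably an empty wantUser). A case with `sshUser: "root"` under `"*": "="` would also document that the wildcard really does hand through privileged names. The tests table and loop continue outside the hunk.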
@ -1573,6 +1573,8 @@ type SSHRule struct {
// actual user that's logged in.
// actual user that's logged in.
// If the map value is the empty string (for either the
// If the map value is the empty string (for either the
// requested SSH user or "*"), the rule doesn't match.
// requested SSH user or "*"), the rule doesn't match.
// If the map value is "=", it means the ssh-user should map
// directly to the local-user.
// It may be nil if the Action is reject.
// It may be nil if the Action is reject.
SSHUsers map[string]string `json:"sshUsers"`
SSHUsers map[string]string `json:"sshUsers"`
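Review bot: The two added comment lines say that "=" maps the ssh-user directly to the local-user, but not that, combined with the "*" key, the local account is then chosen entirely by the connecting client, which is the consequence a policy author needs to see before writing such a rule. I'd extend the comment to: `// If the map value is "=", the requested SSH user is used as the local user unchanged. Combined with the "*" key this lets the client pick any local account name (including root), so scope such rules tightly via Principals.` It may also be worth stating that an empty requested user under "=" behaves like an empty map value, if that is what the matcher does. The SSHRule struct continues outside the hunk.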