feat: add admin-configurable lock/kill timeout per plugin
speed47 committed Nov 8, 2023
1 parent 027521b commit 2d4accf
Showing 2 changed files with 24 additions and 13 deletions.
31 changes: 21 additions & 10 deletions bin/shell/osh.pl
@@ -863,6 +863,16 @@ sub main_exit {
},
);

# For either an SSH connection or a plugin,
# we first compute the correct idle-kill-timeout and idle-lock-timeout value,
# as these can be overridden for group accesses, see the help of groupModify command
# for details on the algorithm's logic.
# it can also be overridden on a per-plugin basis
my %idleTimeout = (
kill => OVH::Bastion::config("idleKillTimeout")->value,
lock => OVH::Bastion::config("idleLockTimeout")->value,
);

#
# First case. We have an OSH command
#
@@ -1052,6 +1062,14 @@ sub main_exit {
}
$ENV{'OSH_IP_FROM'} = $ipfrom; # used in some plugins for is_access_granted()

# check if we have a plugin override for idle lock/kill timeouts
foreach my $timeoutType (qw{ idle kill }) {
$fnret = OVH::Bastion::plugin_config(plugin => $osh_command, key => "idle_${timeoutType}_timeout");
if ($fnret && defined $fnret->value) {
$idleTimeout{${timeoutType}} = $fnret->value;
}
}

# build ttyrec command that'll prefix the real command
$fnret = OVH::Bastion::build_ttyrec_cmdline(
ip => $osh_command,
@@ -1073,6 +1091,8 @@ sub main_exit {
plugin => $osh_command,
key => "stealth_stderr"
)->value ? 1 : 0,
idleLockTimeout => $idleTimeout{'lock'},
idleKillTimeout => $idleTimeout{'kill'},
);
main_exit(OVH::Bastion::EXIT_TTYREC_CMDLINE_FAILED, "ttyrec_failed", $fnret->msg) if !$fnret;

@@ -1306,16 +1326,7 @@ sub main_exit {
else {
my @preferredAuths;

# we first compute the correct idle-kill-timeout and idle-lock-timeout value,
# as these can be overriden for group accesses, see the help of groupModify command
# for details on the algorithm's logic, it is also commented below.
# First, we init the vars with the global setting.
my %idleTimeout = (
kill => OVH::Bastion::config("idleKillTimeout")->value,
lock => OVH::Bastion::config("idleLockTimeout")->value,
);

# Then, gather all the timeouts overrides that may be defined for the matching groups
# Now gather all the timeouts overrides that may be defined for the matching groups
my %idleTimeoutsOverride = (kill => [], lock => []);
foreach my $access (@accessList) {
next if ($access->{'type'} !~ /^group/);
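Review bot: The plugin override loop iterates `qw{ idle kill }`, but `%idleTimeout` is keyed `kill` and `lock`, so the first pass asks for `idle_idle_timeout` and writes `$idleTimeout{idle}`, which nothing visible reads. A per-plugin `idle_lock_timeout` is therefore never looked up, and a plugin session keeps the global lock timeout even when the admin configured a stricter one. The list should be `foreach my $timeoutType (qw{ lock kill }) {`. A test that sets both plugin keys and checks the two values passed to `build_ttyrec_cmdline` would catch this kind of key mismatch. The code around these hunks continues outside what is shown.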
6 changes: 3 additions & 3 deletions lib/perl/OVH/Bastion.pm
@@ -1064,11 +1064,11 @@ sub build_ttyrec_cmdline {
my $fnret = build_ttyrec_cmdline_part1of2(%params);
$fnret or return $fnret;

# for this simple version, use global timeout values
# for this simple version, use global timeout values if not specified in %params
return build_ttyrec_cmdline_part2of2(
input => $fnret->value,
idleLockTimeout => OVH::Bastion::config("idleLockTimeout")->value,
idleKillTimeout => OVH::Bastion::config("idleKillTimeout")->value
idleLockTimeout => ($params{'idleLockTimeout'} // OVH::Bastion::config("idleLockTimeout")->value),
idleKillTimeout => ($params{'idleKillTimeout'} // OVH::Bastion::config("idleKillTimeout")->value)
);
}

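Review bot: The `//` fallbacks only substitute the global value when the parameter is undefined, so any defined `idleLockTimeout` or `idleKillTimeout` in `%params` (an empty string, a non-numeric string, `0`) is handed to `build_ttyrec_cmdline_part2of2` unchanged. Whether `plugin_config` or part2of2 validates these values is not visible here; if neither does, this is the one place all callers pass through, and a guard such as `defined $params{'idleLockTimeout'} && $params{'idleLockTimeout'} =~ /^\d+$/` before using the override would keep a malformed plugin setting from reaching the ttyrec command line. The comment above the call could also state that the two keys are optional and whether `0` disables the timeout. The start of build_ttyrec_cmdline is outside the hunk.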
