forked from TrueCloudLab/certificates
Merge pull request #297 from smallstep/no-bastion-bastion
Do not return bastion for the configured bastion host.
This commit is contained in:
commit
39650637d4
2 changed files with 12 additions and 1 deletions
|
@ -186,8 +186,18 @@ func (a *Authority) GetSSHBastion(ctx context.Context, user string, hostname str
|
|||
}
|
||||
if a.config.SSH != nil {
|
||||
if a.config.SSH.Bastion != nil && a.config.SSH.Bastion.Hostname != "" {
|
||||
// Do not return a bastion for a bastion host.
|
||||
//
|
||||
// This condition might fail if a different name or IP is used.
|
||||
// Trying to resolve hostnames to IPs and compare them won't be a
|
||||
// complete solution because it depends on the network
|
||||
// configuration, of the CA and clients and can also return false
|
||||
// positives. Although not perfect, this simple solution will work
|
||||
// in most cases.
|
||||
if !strings.EqualFold(hostname, a.config.SSH.Bastion.Hostname) {
|
||||
return a.config.SSH.Bastion, nil
|
||||
}
|
||||
}
|
||||
return nil, nil
|
||||
}
|
||||
return nil, errs.NotFound("authority.GetSSHBastion; ssh is not configured")
|
||||
|
|
|
@ -646,6 +646,7 @@ func TestAuthority_GetSSHBastion(t *testing.T) {
|
|||
wantErr bool
|
||||
}{
|
||||
{"config", fields{&Config{SSH: &SSHConfig{Bastion: bastion}}, nil}, args{"user", "host.local"}, bastion, false},
|
||||
{"bastion", fields{&Config{SSH: &SSHConfig{Bastion: bastion}}, nil}, args{"user", "bastion.local"}, nil, false},
|
||||
{"nil", fields{&Config{SSH: &SSHConfig{Bastion: nil}}, nil}, args{"user", "host.local"}, nil, false},
|
||||
{"empty", fields{&Config{SSH: &SSHConfig{Bastion: &Bastion{}}}, nil}, args{"user", "host.local"}, nil, false},
|
||||
{"func", fields{&Config{}, func(_ context.Context, _, _ string) (*Bastion, error) { return bastion, nil }}, args{"user", "host.local"}, bastion, false},
|
||||
|
|
Loading…
Reference in a new issue