Do not return bastion for the configured bastion host.

Fixes #296
This commit is contained in:
Mariano Cano 2020-06-19 12:37:08 -07:00
parent be030309a4
commit b0fdd0b2be
2 changed files with 12 additions and 1 deletions

View file

@ -177,8 +177,18 @@ func (a *Authority) GetSSHBastion(ctx context.Context, user string, hostname str
} }
if a.config.SSH != nil { if a.config.SSH != nil {
if a.config.SSH.Bastion != nil && a.config.SSH.Bastion.Hostname != "" { if a.config.SSH.Bastion != nil && a.config.SSH.Bastion.Hostname != "" {
// Do not return a bastion for a bastion host.
//
// This condition might fail if a different name or IP is used.
// Trying to resolve hostnames to IPs and compare them won't be a
// complete solution because it depends on the network
// configuration, of the CA and clients and can also return false
// positives. Although not perfect, this simple solution will work
// in most cases.
if !strings.EqualFold(hostname, a.config.SSH.Bastion.Hostname) {
return a.config.SSH.Bastion, nil return a.config.SSH.Bastion, nil
} }
}
return nil, nil return nil, nil
} }
return nil, errs.NotFound("authority.GetSSHBastion; ssh is not configured") return nil, errs.NotFound("authority.GetSSHBastion; ssh is not configured")

View file

@ -629,6 +629,7 @@ func TestAuthority_GetSSHBastion(t *testing.T) {
wantErr bool wantErr bool
}{ }{
{"config", fields{&Config{SSH: &SSHConfig{Bastion: bastion}}, nil}, args{"user", "host.local"}, bastion, false}, {"config", fields{&Config{SSH: &SSHConfig{Bastion: bastion}}, nil}, args{"user", "host.local"}, bastion, false},
{"bastion", fields{&Config{SSH: &SSHConfig{Bastion: bastion}}, nil}, args{"user", "bastion.local"}, nil, false},
{"nil", fields{&Config{SSH: &SSHConfig{Bastion: nil}}, nil}, args{"user", "host.local"}, nil, false}, {"nil", fields{&Config{SSH: &SSHConfig{Bastion: nil}}, nil}, args{"user", "host.local"}, nil, false},
{"empty", fields{&Config{SSH: &SSHConfig{Bastion: &Bastion{}}}, nil}, args{"user", "host.local"}, nil, false}, {"empty", fields{&Config{SSH: &SSHConfig{Bastion: &Bastion{}}}, nil}, args{"user", "host.local"}, nil, false},
{"func", fields{&Config{}, func(_ context.Context, _, _ string) (*Bastion, error) { return bastion, nil }}, args{"user", "host.local"}, bastion, false}, {"func", fields{&Config{}, func(_ context.Context, _, _ string) (*Bastion, error) { return bastion, nil }}, args{"user", "host.local"}, bastion, false},