feat: add BastionHost ACL check

Needed to reject known key if the requested bastion host is not accessible to that user, so ssh client tries next key. See moul#453
alterway · Jul 17, 2023 · 66ee7e6 · 66ee7e6
1 parent 561e482
commit 66ee7e6
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/pkg/bastion/ssh.go b/pkg/bastion/ssh.go
@@ -346,6 +346,19 @@ func PublicKeyAuthHandler(db *gorm.DB, logsLocation, aclCheckCmd, aesKey, dbDriv
 			if actx.userType() == userTypeInvite {
 				actx.err = fmt.Errorf("invites are only supported for new SSH keys; your ssh key is already associated with the user %q", actx.user.Email)
 			}
+			if actx.userType() == userTypeBastion {
+				log.Printf("Checking if %s has access to %s\n", actx.user.Name, actx.inputUsername)
+				host, err := dbmodels.HostByName(actx.db, actx.inputUsername)
+				if err != nil {
+					actx.err = err
+					return false
+				}
+				_, err = bastionClientConfig(ctx, host)
+				if err != nil {
+					actx.err = err
+					return false
+				}
+			}
 			return true
 		}