derived only from roles that the user holds AND are assigned to the target resource

This commit is contained in:
Owen
2026-05-19 10:39:40 -07:00
parent 68e775659b
commit 08a08e73b3


@@ -19,6 +19,7 @@ import {
logsDb, logsDb,
newts, newts,
roles, roles,
roleSiteResources,
roundTripMessageTracker, roundTripMessageTracker,
siteResources, siteResources,
siteNetworks, siteNetworks,
@@ -361,9 +362,26 @@ export async function signSshKey(
} }
const roleRows = await db const roleRows = await db
.select() .select({
sshSudoCommands: roles.sshSudoCommands,
sshUnixGroups: roles.sshUnixGroups,
sshCreateHomeDir: roles.sshCreateHomeDir,
sshSudoMode: roles.sshSudoMode
})
.from(roles) .from(roles)
.where(inArray(roles.roleId, roleIds)); .innerJoin(
roleSiteResources,
eq(roleSiteResources.roleId, roles.roleId)
)
.where(
and(
inArray(roles.roleId, roleIds),
eq(
roleSiteResources.siteResourceId,
resource.siteResourceId
)
)
);
const parsedSudoCommands: string[] = []; const parsedSudoCommands: string[] = [];
const parsedGroupsSet = new Set<string>(); const parsedGroupsSet = new Set<string>();
@@ -379,13 +397,17 @@ export async function signSshKey(
} }
try { try {
const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]"); const grps = JSON.parse(roleRow?.sshUnixGroups ?? "[]");
if (Array.isArray(grps)) grps.forEach((g: string) => parsedGroupsSet.add(g)); if (Array.isArray(grps))
grps.forEach((g: string) => parsedGroupsSet.add(g));
} catch { } catch {
// skip // skip
} }
if (roleRow?.sshCreateHomeDir === true) homedir = true; if (roleRow?.sshCreateHomeDir === true) homedir = true;
const m = roleRow?.sshSudoMode ?? "none"; const m = roleRow?.sshSudoMode ?? "none";
if (sudoModeOrder[m as keyof typeof sudoModeOrder] > sudoModeOrder[sudoMode]) { if (
sudoModeOrder[m as keyof typeof sudoModeOrder] >
sudoModeOrder[sudoMode]
) {
sudoMode = m as "none" | "commands" | "full"; sudoMode = m as "none" | "commands" | "full";
} }
} }
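Review bot: The new `innerJoin(roleSiteResources, …)` plus `eq(roleSiteResources.siteResourceId, resource.siteResourceId)` in the `roleRows` query (second hunk) is the privilege-scoping invariant this commit exists for, yet it carries no comment, so a later edit could drop the join or the `and(...)` condition without anything flagging it; add `// Privilege scoping: only roles the user holds AND that are assigned to this resource may contribute sudo commands, unix groups, homedir or sudo mode.` above `const roleRows = await db`. Two things cannot be confirmed from the hunks and are worth checking: that `and` and `eq` are already imported (the first hunk only adds `roleSiteResources` to the schema import), and that `roleIds` is guarded against being empty before `inArray(roles.roleId, roleIds)`, since an empty array there is rejected by some versions of the query builder this appears to be (drizzle-style) rather than yielding no rows. The enclosing `signSshKey` starts and ends outside the hunks shown.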