if test are hard :)

2019-07-18 12:33:10 +02:00 · 2019-07-18 12:33:10 +02:00 · 2c289f8125
parent e18aa583d0
commit 2c289f8125
2 changed files with 23 additions and 10 deletions
--- a/httpd.go
+++ b/httpd.go
@ -120,8 +120,8 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {

 	webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
 	_, _, _, profilePath := h.ovpn.AuthLoop(h.minProfile, webuser, "", false)
-	if inArray(h.neededProfiles, profilePath) {
-		http.Error(w, fmt.Sprintf("You need on of %s profile", h.neededProfiles), 403)
+	if !inArray(h.neededProfiles, profilePath) {
+		http.Error(w, fmt.Sprintf("You need on of %s profile and you have %s", h.neededProfiles, profilePath), 403)
 		return
 	}
 	log.Printf("%s is connected via the web interfaces\n", webuser)
--- a/openvpn-dm-mgt-server.conf.example
+++ b/openvpn-dm-mgt-server.conf.example
@ -5,21 +5,34 @@ config
 ###################################################################
 ###                       Security Model                        ###
 ###                                                             ###
-###          +---> CONTRACT                                     ###
+###          +-1-> CONTRACT                                     ###
 ###          |                                                  ###
-###     start-here                     +------->  DATACENTER    ###
+###     start-here                     +---5--->  DATACENTER    ###
 ###          |                         |                        ###
-###          +---> CORP ------------> DEV ----->  ADMINS        ###
+###          +-2-> CORP -----4------> DEV -6--->  ADMINS        ###
 ###                 |                  ^                        ###
+###                 3                  4                        ###
 ###                 |                  |                        ###
 ###                 +--> IT-AND-SEC ---+                        ###
 ###                                                             ###
-###  CORP/IT-AND-SEC  have the same IPs but not the web perms   ###
-###  ADMIN/DATACENTER have the same IPs but not the web perms   ###
+###  CORP/IT-AND-SEC   have the same IPs but not the API access ###
+###  ADMINS/DATACENTER have the same IPs but not the API access ###
 ###                                                             ###
-###  attributes[0] must match validGroups                       ###
-###  attributes[1] is the login for the next security groups    ###
-###  attributes[2] is used as a salt for mfa generation         ###
+###  at each step:                                              ###
+###   attributes[0] must match validGroups                      ###
+###   attributes[1] is the login for the next security checks   ###
+###   attributes[2] is used as a salt for mfa generation        ###
+###                                                             ###
+###  Security Checks:                                           ###
+###                                                             ###
+###  1/2: check AD groups and password. get mail address        ###
+###    3: user must be in some AD security group (IT or SEC)    ###
+###    4: mail must be in infra LDAP. User must have a ssh key  ###
+###    5: user must be in the datacenter group in infra ldap    ###
+###    6: user must be in the infra/net groups in infra ldap    ###
+###                                                             ###
+###  mfa setup is set according the mfa attribute of the final  ###
+###    group reached                                            ###
 ###                                                             ###
 ###################################################################
        CONTRACT: