From 2c289f812597077c7dc8eddf90032e8e4d75b30f Mon Sep 17 00:00:00 2001
From: Xavier Henner
Date: Thu, 18 Jul 2019 12:33:10 +0200
Subject: [PATCH] if test are hard :)

---
 httpd.go                           | 4 ++--
 openvpn-dm-mgt-server.conf.example | 29 +++++++++++++++++++++--------
 2 files changed, 23 insertions(+), 10 deletions(-)

diff --git a/httpd.go b/httpd.go
index cdde00d..6cdfba7 100644
--- a/httpd.go
+++ b/httpd.go
@@ -120,8 +120,8 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
 	webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
 	_, _, _, profilePath := h.ovpn.AuthLoop(h.minProfile, webuser, "", false)
-	if inArray(h.neededProfiles, profilePath) {
-		http.Error(w, fmt.Sprintf("You need on of %s profile", h.neededProfiles), 403)
+	if !inArray(h.neededProfiles, profilePath) {
+		http.Error(w, fmt.Sprintf("You need on of %s profile and you have %s", h.neededProfiles, profilePath), 403)
 		return
 	}
 	log.Printf("%s is connected via the web interfaces\n", webuser)
diff --git a/openvpn-dm-mgt-server.conf.example b/openvpn-dm-mgt-server.conf.example
index 386cb92..f771109 100644
--- a/openvpn-dm-mgt-server.conf.example
+++ b/openvpn-dm-mgt-server.conf.example
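Review bot: The 403 body built on the `http.Error` line discloses internal authorization data to a caller who has just been refused: the full list of accepted profiles in `h.neededProfiles`, and now also the profile the user actually resolved to, which this commit appends as `and you have %s`. That detail belongs in the server log rather than the response, and moving it there also removes the "on of" typo: `log.Printf("%s denied web access: profile %q, need one of %v", webuser, profilePath, h.neededProfiles)` followed by `http.Error(w, "forbidden", http.StatusForbidden)`. Separately, `r.TLS.PeerCertificates[0]` two lines earlier panics on a request that carries no client certificate (or no TLS at all) unless the listener is configured with `tls.RequireAndVerifyClientCert`, which is not visible in this hunk; a guard such as `if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 { http.Error(w, "client certificate required", http.StatusUnauthorized); return }` makes the handler safe regardless of listener configuration. ajaxHandler's signature precedes this hunk and its closing brace is not in it.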
@@ -5,21 +5,34 @@ config
 ###################################################################
 ### Security Model ###
 ### ###
-### +---> CONTRACT ###
+### +-1-> CONTRACT ###
 ### | ###
-### start-here +-------> DATACENTER ###
+### start-here +---5---> DATACENTER ###
 ### | | ###
-### +---> CORP ------------> DEV -----> ADMINS ###
+### +-2-> CORP -----4------> DEV -6---> ADMINS ###
 ### | ^ ###
+### 3 4 ###
 ### | | ###
 ### +--> IT-AND-SEC ---+ ###
 ### ###
-### CORP/IT-AND-SEC have the same IPs but not the web perms ###
-### ADMIN/DATACENTER have the same IPs but not the web perms ###
+### CORP/IT-AND-SEC have the same IPs but not the API access ###
+### ADMINS/DATACENTER have the same IPs but not the API access ###
 ### ###
-### attributes[0] must match validGroups ###
-### attributes[1] is the login for the next security groups ###
-### attributes[2] is used as a salt for mfa generation ###
+### at each step: ###
+### attributes[0] must match validGroups ###
+### attributes[1] is the login for the next security checks ###
+### attributes[2] is used as a salt for mfa generation ###
+### ###
+### Security Checks: ###
+### ###
+### 1/2: check AD groups and password. get mail address ###
+### 3: user must be in some AD security group (IT or SEC) ###
+### 4: mail must be in infra LDAP. User must have a ssh key ###
+### 5: user must be in the datacenter group in infra ldap ###
+### 6: user must be in the infra/net groups in infra ldap ###
+### ###
+### mfa setup is set according the mfa attribute of the final ###
+### group reached ###
 ### ###
 ###################################################################
 CONTRACT: