if test are hard :)
parent
e18aa583d0
commit
2c289f8125
4
httpd.go
4
httpd.go
@ -120,8 +120,8 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
|
webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
|
||||||
_, _, _, profilePath := h.ovpn.AuthLoop(h.minProfile, webuser, "", false)
|
_, _, _, profilePath := h.ovpn.AuthLoop(h.minProfile, webuser, "", false)
|
||||||
if inArray(h.neededProfiles, profilePath) {
|
if !inArray(h.neededProfiles, profilePath) {
|
||||||
http.Error(w, fmt.Sprintf("You need on of %s profile", h.neededProfiles), 403)
|
http.Error(w, fmt.Sprintf("You need on of %s profile and you have %s", h.neededProfiles, profilePath), 403)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
log.Printf("%s is connected via the web interfaces\n", webuser)
|
log.Printf("%s is connected via the web interfaces\n", webuser)
|
||||||
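Review bot: The new 403 message on the `http.Error` line echoes `profilePath` back to the client, so every denied request now discloses the internal profile the caller resolved to; a rejected caller only needs to learn that it is forbidden, and the detail belongs in the server log. I would keep the server-side diagnostic and make the response generic (also fixing the "on of" typo): `log.Printf("%s denied: profile %q, need one of %v", webuser, profilePath, h.neededProfiles)` followed by `http.Error(w, "forbidden: required profile missing", http.StatusForbidden)`. Separately, the CN lookup two lines above indexes `r.TLS.PeerCertificates[0]` without a nil/length guard, which panics on a request that carries no client certificate unless the listener is configured with `RequireAndVerifyClientCert` (not visible in this hunk) — worth confirming. `ajaxHandler` starts before this hunk and continues after it.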
@ -5,21 +5,34 @@ config
###################################################################
|
###################################################################
|
||||||
### Security Model ###
|
### Security Model ###
|
||||||
### ###
|
### ###
|
||||||
### +---> CONTRACT ###
|
### +-1-> CONTRACT ###
|
||||||
### | ###
|
### | ###
|
||||||
### start-here +-------> DATACENTER ###
|
### start-here +---5---> DATACENTER ###
|
||||||
### | | ###
|
### | | ###
|
||||||
### +---> CORP ------------> DEV -----> ADMINS ###
|
### +-2-> CORP -----4------> DEV -6---> ADMINS ###
|
||||||
### | ^ ###
|
### | ^ ###
|
||||||
|
### 3 4 ###
|
||||||
### | | ###
|
### | | ###
|
||||||
### +--> IT-AND-SEC ---+ ###
|
### +--> IT-AND-SEC ---+ ###
|
||||||
### ###
|
### ###
|
||||||
### CORP/IT-AND-SEC have the same IPs but not the web perms ###
|
### CORP/IT-AND-SEC have the same IPs but not the API access ###
|
||||||
### ADMIN/DATACENTER have the same IPs but not the web perms ###
|
### ADMINS/DATACENTER have the same IPs but not the API access ###
|
||||||
### ###
|
### ###
|
||||||
### attributes[0] must match validGroups ###
|
### at each step: ###
|
||||||
### attributes[1] is the login for the next security groups ###
|
### attributes[0] must match validGroups ###
|
||||||
### attributes[2] is used as a salt for mfa generation ###
|
### attributes[1] is the login for the next security checks ###
|
||||||
|
### attributes[2] is used as a salt for mfa generation ###
|
||||||
|
### ###
|
||||||
|
### Security Checks: ###
|
||||||
|
### ###
|
||||||
|
### 1/2: check AD groups and password. get mail address ###
|
||||||
|
### 3: user must be in some AD security group (IT or SEC) ###
|
||||||
|
### 4: mail must be in infra LDAP. User must have a ssh key ###
|
||||||
|
### 5: user must be in the datacenter group in infra ldap ###
|
||||||
|
### 6: user must be in the infra/net groups in infra ldap ###
|
||||||
|
### ###
|
||||||
|
### mfa setup is set according the mfa attribute of the final ###
|
||||||
|
### group reached ###
|
||||||
### ###
|
### ###
|
||||||
###################################################################
|
###################################################################
|
||||||
CONTRACT:
|
CONTRACT:
|
||||||
|
|