if test are hard :)

This commit is contained in:
Xavier Henner 2019-07-18 12:33:10 +02:00
parent e18aa583d0
commit 2c289f8125
2 changed files with 23 additions and 10 deletions


@ -120,8 +120,8 @@ func (h *HttpServer) ajaxHandler(w http.ResponseWriter, r *http.Request) {
webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1) webuser := strings.Replace(r.TLS.PeerCertificates[0].Subject.CommonName, " ", "", -1)
_, _, _, profilePath := h.ovpn.AuthLoop(h.minProfile, webuser, "", false) _, _, _, profilePath := h.ovpn.AuthLoop(h.minProfile, webuser, "", false)
if inArray(h.neededProfiles, profilePath) { if !inArray(h.neededProfiles, profilePath) {
http.Error(w, fmt.Sprintf("You need on of %s profile", h.neededProfiles), 403) http.Error(w, fmt.Sprintf("You need on of %s profile and you have %s", h.neededProfiles, profilePath), 403)
return return
} }
log.Printf("%s is connected via the web interfaces\n", webuser) log.Printf("%s is connected via the web interfaces\n", webuser)
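Review bot: The profile check that this hunk corrects is only reached after `r.TLS.PeerCertificates[0]` has already been indexed on the first line of the hunk, which panics with a nil dereference or index-out-of-range when the listener's TLS config does not require a verified client certificate; unless `ClientAuth` is set to `RequireAndVerifyClientCert` elsewhere (not visible here), guard it first with `if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 { http.Error(w, "client certificate required", http.StatusForbidden); return }`. The reworded 403 body also echoes the caller's resolved `profilePath` and the whole `neededProfiles` list back to an unauthorised client, which enumerates the profile names in use; keep that detail server-side with `log.Printf("%s denied: has profile %s, needs one of %s", webuser, profilePath, h.neededProfiles)` and return a generic message, which also fixes the "on of" typo. The three discarded results of `AuthLoop` may include an error or status that should be checked before `profilePath` is trusted — worth confirming against its signature. ajaxHandler begins and ends outside the hunk.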


@ -5,21 +5,34 @@ config
################################################################### ###################################################################
### Security Model ### ### Security Model ###
### ### ### ###
### +---> CONTRACT ### ### +-1-> CONTRACT ###
### | ### ### | ###
### start-here +-------> DATACENTER ### ### start-here +---5---> DATACENTER ###
### | | ### ### | | ###
### +---> CORP ------------> DEV -----> ADMINS ### ### +-2-> CORP -----4------> DEV -6---> ADMINS ###
### | ^ ### ### | ^ ###
### 3 4 ###
### | | ### ### | | ###
### +--> IT-AND-SEC ---+ ### ### +--> IT-AND-SEC ---+ ###
### ### ### ###
### CORP/IT-AND-SEC have the same IPs but not the web perms ### ### CORP/IT-AND-SEC have the same IPs but not the API access ###
### ADMIN/DATACENTER have the same IPs but not the web perms ### ### ADMINS/DATACENTER have the same IPs but not the API access ###
### ### ### ###
### attributes[0] must match validGroups ### ### at each step: ###
### attributes[1] is the login for the next security groups ### ### attributes[0] must match validGroups ###
### attributes[2] is used as a salt for mfa generation ### ### attributes[1] is the login for the next security checks ###
### attributes[2] is used as a salt for mfa generation ###
### ###
### Security Checks: ###
### ###
### 1/2: check AD groups and password. get mail address ###
### 3: user must be in some AD security group (IT or SEC) ###
### 4: mail must be in infra LDAP. User must have a ssh key ###
### 5: user must be in the datacenter group in infra ldap ###
### 6: user must be in the infra/net groups in infra ldap ###
### ###
### mfa setup is set according the mfa attribute of the final ###
### group reached ###
### ### ### ###
################################################################### ###################################################################
CONTRACT: CONTRACT: