| author | Paul Buetow <paul@buetow.org> | 2026-03-02 10:42:33 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-03-02 10:42:33 +0200 |
| commit | a426a2f9f33b1125a05d3aac29e7b98afdc36a99 (patch) | |
| tree | 13d21a5aef7ec1e586e364ce5bebabb65fd77523 /internal/server/server.go | |
| parent | 3002bdcaa4ec22aa46b6c98eefda2f926dfff618 (diff) | |
server: use auth strategy registry and stabilize turbo EOF sync
Diffstat (limited to 'internal/server/server.go')
| -rw-r--r-- | internal/server/server.go | 64 |
1 files changed, 43 insertions, 21 deletions
diff --git a/internal/server/server.go b/internal/server/server.go
index 53aeec6..e00dba9 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -36,8 +36,12 @@ type Server struct {
 	sched *scheduler
 	// Mointor log files for pattern (if configured)
 	cont *continuous
+	// Authentication strategies keyed by SSH username.
+	authStrategies map[string]authStrategy
 }
 
+type authStrategy func(*user.User, string, string) bool
+
 // New returns a new server.
 func New(cfg config.RuntimeConfig) *Server {
 	if cfg.Server == nil || cfg.Common == nil {
@@ -61,6 +65,7 @@ func New(cfg config.RuntimeConfig) *Server {
 		sched: newScheduler(cfg),
 		cont: newContinuous(cfg),
 	}
+	s.authStrategies = s.newAuthStrategies()
 	s.sshServerConfig.PasswordCallback = s.Callback
 	s.sshServerConfig.PublicKeyCallback = server.PublicKeyCallback
 
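Review bot: The new `authStrategy` func type in the first hunk declares three positional parameters with no names and no doc comment, and its two trailing strings are the presented auth info and the peer IP (judging from how `Callback` invokes `strategy(user, authInfo, remoteIP)` further down), which are easy to transpose in an authorization path without the compiler noticing. Naming the parameters in the type and documenting it makes each strategy's contract explicit: `// authStrategy reports whether the given SSH user is authorized, given the auth info it presented and the remote peer's IP.` above `type authStrategy func(u *user.User, authInfo, remoteIP string) bool`. The enclosing `Server` struct begins outside the hunk.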
@@ -279,32 +284,49 @@ func (s *Server) Callback(c gossh.ConnMetadata,
 	splitted := strings.Split(c.RemoteAddr().String(), ":")
 	remoteIP := splitted[0]
 
-	switch user.Name {
-	case config.HealthUser:
-		if authInfo == config.HealthUser {
-			dlog.Server.Debug(user, "Granting permissions to health user")
-			return nil, nil
-		}
-	case config.ScheduleUser:
-		for _, job := range s.cfg.Server.Schedule {
-			if s.backgroundCanSSH(user, authInfo, remoteIP, job.Name, job.AllowFrom) {
-				dlog.Server.Debug(user, "Granting SSH connection")
-				return nil, nil
-			}
-		}
-	case config.ContinuousUser:
-		for _, job := range s.cfg.Server.Continuous {
-			if s.backgroundCanSSH(user, authInfo, remoteIP, job.Name, job.AllowFrom) {
-				dlog.Server.Debug(user, "Granting SSH connection")
-				return nil, nil
-			}
-		}
-	default:
+	if strategy, found := s.authStrategies[user.Name]; found && strategy(user, authInfo, remoteIP) {
+		return nil, nil
 	}
 
 	return nil, fmt.Errorf("user %s not authorized", user)
 }
 
+func (s *Server) newAuthStrategies() map[string]authStrategy {
+	return map[string]authStrategy{
+		config.HealthUser: s.authorizeHealthUser,
+		config.ScheduleUser: s.authorizeScheduleUser,
+		config.ContinuousUser: s.authorizeContinuousUser,
+	}
+}
+
+func (s *Server) authorizeHealthUser(user *user.User, authInfo, _ string) bool {
+	if authInfo != config.HealthUser {
+		return false
+	}
+	dlog.Server.Debug(user, "Granting permissions to health user")
+	return true
+}
+
+func (s *Server) authorizeScheduleUser(user *user.User, authInfo, remoteIP string) bool {
+	for _, job := range s.cfg.Server.Schedule {
+		if s.backgroundCanSSH(user, authInfo, remoteIP, job.Name, job.AllowFrom) {
+			dlog.Server.Debug(user, "Granting SSH connection")
+			return true
+		}
+	}
+	return false
+}
+
+func (s *Server) authorizeContinuousUser(user *user.User, authInfo, remoteIP string) bool {
+	for _, job := range s.cfg.Server.Continuous {
+		if s.backgroundCanSSH(user, authInfo, remoteIP, job.Name, job.AllowFrom) {
+			dlog.Server.Debug(user, "Granting SSH connection")
+			return true
+		}
+	}
+	return false
+}
+
 func (s *Server) backgroundCanSSH(user *user.User, jobName, remoteIP, allowedJobName string, allowFrom []string) bool {
