#!/usr/bin/env bash
# When any of the DOKKU_ACL_*_COMMANDS lists (user, per-app, per-service,
# link) is set, allow normal users to run only the commands those lists permit.
# Abort on any unhandled error, including a failing pipeline stage, so that an
# unexpected failure in this authorization hook ends in a non-zero exit.
set -eo pipefail
# Optional command tracing; the trace includes the caller's name and arguments.
if [[ $DOKKU_TRACE ]]; then
  set -x
fi

# dokku_log_fail and the fn-check-* helpers used further down are not defined
# in this file; presumably they come from one of these two sourced files.
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$(dirname "${BASH_SOURCE[0]}")/internal-functions"

# Give every configuration variable a defined (possibly empty) value.
: "${DOKKU_SUPER_USER:=}"
: "${DOKKU_ACL_USER_COMMANDS:=}"
: "${DOKKU_ACL_PER_APP_COMMANDS:=}"
: "${DOKKU_ACL_PER_SERVICE_COMMANDS:=}"
: "${DOKKU_ACL_LINK_COMMANDS:=}"

# $1 is the system user, $2 the key name of the caller; what remains after the
# shift is the requested command followed by its arguments.
SSH_USER="$1"
SSH_NAME="$2"
shift 2

# ACL enforcement is opt-in: with all four command lists empty, allow everything.
if [[ -z "${DOKKU_ACL_USER_COMMANDS}${DOKKU_ACL_PER_APP_COMMANDS}${DOKKU_ACL_PER_SERVICE_COMMANDS}${DOKKU_ACL_LINK_COMMANDS}" ]]; then
  exit 0
fi

# root is never restricted.
if [[ "$SSH_USER" == "root" ]]; then
  exit 0
fi

# The configured super user is never restricted. The -n guard matters: without
# it an empty SSH_NAME would equal an unset DOKKU_SUPER_USER and be let through.
if [[ -n "$DOKKU_SUPER_USER" && "$SSH_NAME" == "$DOKKU_SUPER_USER" ]]; then
  exit 0
fi
# The requested command is the first remaining argument.
CMD="$1"

# Globally allowed commands: any caller may run these, no per-resource check.
# The list is split on whitespace on purpose (it is a space-separated list),
# and the comparison is a literal string match because the right side is quoted.
for allowed in $DOKKU_ACL_USER_COMMANDS; do
  if [[ "$CMD" == "$allowed" ]]; then
    exit 0
  fi
done
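# Per-app commands: allowed only when the caller passes the ACL check for the
# app named in the first argument after the command.
for allowed in $DOKKU_ACL_PER_APP_COMMANDS; do
  if [[ "$CMD" == "$allowed" ]]; then
    if [[ -z "$2" ]]; then
      dokku_log_fail "An app name is required"
    fi
    # Normalize the caller-supplied name before the ACL lookup: drop single
    # quotes that are not backslash-escaped, turn \' into ', and strip one
    # leading slash. printf is used instead of echo because echo would treat a
    # value such as -n or -e as an option and produce an empty name.
    # NOTE(review): nothing here rejects other path characters ("/", "..");
    # presumably fn-check-app-acl or dokku core validates the name - confirm.
    # shellcheck disable=SC1003
    APP_NAME="$(printf '%s\n' "$2" | perl -pe 's/(?<!\\)'\''//g' | sed 's/\\'\''/'\''/g' | sed 's/^\///g')"
    # Fail closed if normalization left nothing to check (e.g. the argument
    # consisted only of quotes), rather than running the ACL check on "".
    if [[ -z "$APP_NAME" ]]; then
      dokku_log_fail "An app name is required"
    fi
    # A failed check does not exit here; control falls through to the final
    # denial at the end of the script unless the helper already exited.
    fn-check-app-acl "$APP_NAME" "$SSH_NAME" && exit 0
  fi
done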
# Per-service commands: allowed only when the caller passes the ACL check for
# the service named in the first argument after the command.
for allowed in $DOKKU_ACL_PER_SERVICE_COMMANDS; do
  [[ "$CMD" == "$allowed" ]] || continue
  [[ -n "$2" ]] || dokku_log_fail "A service name is required"
  # The command itself is passed to the helper along with the service name.
  # A failed check falls through to the final denial at the end of the script.
  if fn-check-service-acl "$CMD" "$2" "$SSH_NAME"; then
    exit 0
  fi
done
# Link commands touch both a service ($2) and an app ($3); the caller must
# pass the ACL check for each of them.
# NOTE(review): unlike the per-app branch, "$3" reaches fn-check-app-acl
# without the quote/leading-slash normalization - confirm that the name being
# checked is the same name the link command later acts on.
for allowed in $DOKKU_ACL_LINK_COMMANDS; do
  [[ "$CMD" == "$allowed" ]] || continue
  [[ -n "$2" ]] || dokku_log_fail "A service name is required"
  [[ -n "$3" ]] || dokku_log_fail "An app name is required"
  # Each check runs in its own subshell, so an exit inside a helper ends only
  # that subshell and the decision is still taken here.
  if (fn-check-service-acl "$CMD" "$2" "$SSH_NAME") && (fn-check-app-acl "$3" "$SSH_NAME"); then
    exit 0
  fi
  # An appropriate failure message has already been sent by the check- function
  exit 1
done

# Default deny: the command matched no allow-list entry, or a per-resource
# check above did not succeed.
dokku_log_fail "User $SSH_NAME does not have permissions to run $CMD"