#!/usr/bin/env bash
# user-auth hook: decide whether the calling SSH identity may run a command.
#
# Arguments:
#   $1     - SSH user; the literal "root" bypasses every ACL check
#   $2     - SSH key name; compared with DOKKU_SUPER_USER and passed to the
#            fn-check-*-acl helpers
#   $3...  - the requested command followed by its own arguments
#
# Environment (each *_COMMANDS list is split on whitespace):
#   DOKKU_SUPER_USER               - key name that may run anything
#   DOKKU_ACL_USER_COMMANDS        - commands every user may run
#   DOKKU_ACL_PER_APP_COMMANDS     - commands gated by fn-check-app-acl
#   DOKKU_ACL_PER_SERVICE_COMMANDS - commands gated by fn-check-service-acl
#   DOKKU_ACL_LINK_COMMANDS        - commands gated by both helpers
#
# Exit status: 0 allows the command; every other path ends in `exit 1` or in
# dokku_log_fail (presumably a non-zero exit - confirm in common/functions).
#
# Points to keep in mind when configuring or changing this hook:
#   * Restriction is opt-in: with all four *_COMMANDS lists empty the hook
#     allows every command for every user.
#   * The lists are expanded unquoted, so entries are also subject to
#     pathname expansion; keep them as literal command names. Matching is an
#     exact string comparison, so a pattern in a list is not a wildcard.
#   * Only fixed argument positions are checked (first argument after the
#     command, plus the second for link commands).
#     NOTE(review): confirm no listed command accepts options ahead of, or
#     more than one, app/service name.
set -eo pipefail
if [[ -n $DOKKU_TRACE ]]; then
  set -x
fi

source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$(dirname "${BASH_SOURCE[0]}")/internal-functions"

# Normalise the configuration so an unset variable reads as empty.
: "${DOKKU_SUPER_USER:=}"
: "${DOKKU_ACL_USER_COMMANDS:=}"
: "${DOKKU_ACL_PER_APP_COMMANDS:=}"
: "${DOKKU_ACL_PER_SERVICE_COMMANDS:=}"
: "${DOKKU_ACL_LINK_COMMANDS:=}"

SSH_USER=$1
SSH_NAME=$2
# Drop the identity arguments: from here on $1 is the command, $2/$3 its
# first two arguments. Under `set -e` a call with fewer than two arguments
# stops here with a non-zero status.
shift 2

# No command list configured at all: ACL enforcement is off, allow.
if [[ -z "$DOKKU_ACL_USER_COMMANDS$DOKKU_ACL_PER_APP_COMMANDS$DOKKU_ACL_PER_SERVICE_COMMANDS$DOKKU_ACL_LINK_COMMANDS" ]]; then
  exit 0
fi

# Unconditional bypasses: the root SSH user and the configured super user.
if [[ "$SSH_USER" == "root" ]]; then
  exit 0
fi
if [[ -n "$DOKKU_SUPER_USER" && "$SSH_NAME" == "$DOKKU_SUPER_USER" ]]; then
  exit 0
fi

CMD=$1

# Commands open to every user, no resource check.
for permitted in $DOKKU_ACL_USER_COMMANDS; do
  if [[ "$permitted" == "$CMD" ]]; then
    exit 0
  fi
done

# Commands allowed only on apps the user has access to. If the helper returns
# non-zero instead of exiting, control falls through to the later lists and
# finally to the deny at the bottom.
for permitted in $DOKKU_ACL_PER_APP_COMMANDS; do
  [[ "$permitted" == "$CMD" ]] || continue
  [[ -n "$2" ]] || dokku_log_fail "An app name is required"
  if fn-check-app-acl "$2" "$SSH_NAME"; then
    exit 0
  fi
done

# Commands allowed only on services the user has access to; same fall-through
# behaviour as the per-app list.
for permitted in $DOKKU_ACL_PER_SERVICE_COMMANDS; do
  [[ "$permitted" == "$CMD" ]] || continue
  [[ -n "$2" ]] || dokku_log_fail "A service name is required"
  if fn-check-service-acl "$CMD" "$2" "$SSH_NAME"; then
    exit 0
  fi
done

# Link commands name a service ($2) and an app ($3); both ACLs must pass.
for permitted in $DOKKU_ACL_LINK_COMMANDS; do
  [[ "$permitted" == "$CMD" ]] || continue
  [[ -n "$2" ]] || dokku_log_fail "A service name is required"
  [[ -n "$3" ]] || dokku_log_fail "An app name is required"
  # Each helper runs in its own subshell, so an exit inside it ends only that
  # subshell and the decision is taken here.
  if (fn-check-service-acl "$CMD" "$2" "$SSH_NAME") && (fn-check-app-acl "$3" "$SSH_NAME"); then
    exit 0
  fi
  # An appropriate failure message has already been sent by the check- function
  exit 1
done

# Default deny: the command matched no list, or a matching check did not pass.
dokku_log_fail "User $SSH_NAME does not have permissions to run $CMD"