Improve SSH context handling

2024-01-19 07:32:41 +01:00 · 2024-01-19 07:32:41 +01:00 · 64985fcaed
commit 64985fcaed
parent f75dcbd624
2 changed files with 31 additions and 11 deletions
--- a/agent/sockets/callingcontext.go
+++ b/agent/sockets/callingcontext.go
@ -16,6 +16,7 @@ type CallingContext struct {
 	ProcessPid             int
 	ParentProcessPid       int
 	GrandParentProcessPid  int
+	Error                  bool
 }

 func GetCallingContext(connection net.Conn) CallingContext {
@ -28,11 +29,23 @@ func GetCallingContext(connection net.Conn) CallingContext {
 		ProcessPid:             0,
 		ParentProcessPid:       0,
 		GrandParentProcessPid:  0,
+		Error:                  true,
 	}
 	if err != nil {
 		return errorContext
 	}
-	pid, _ := creds.PID()
+	uid, _ := creds.UserID()
+	username, err := user.LookupId(uid)
+	if err != nil {
+		return errorContext
+	}
+	errorContext.UserName = username.Username
+
+	pid, ok := creds.PID()
+	if !ok {
+		return errorContext
+	}
+
 	process, err := gops.FindProcess(pid)
 	if err != nil {
 		return errorContext
@ -50,7 +63,6 @@ func GetCallingContext(connection net.Conn) CallingContext {
 		}
 	}

-	uid, _ := creds.UserID()
 	ppid := process.PPid()
 	if err != nil {
 		return errorContext
@ -66,11 +78,6 @@ func GetCallingContext(connection net.Conn) CallingContext {
 		return errorContext
 	}

-	username, err := user.LookupId(uid)
-	if err != nil {
-		return errorContext
-	}
-
 	return CallingContext{
 		UserName:               username.Username,
 		ProcessName:            process.Executable(),
@ -79,5 +86,6 @@ func GetCallingContext(connection net.Conn) CallingContext {
 		ProcessPid:             pid,
 		ParentProcessPid:       ppid,
 		GrandParentProcessPid:  parentParentProcess.PPid(),
+		Error:                  false,
 	}
 }
--- a/agent/ssh/ssh.go
+++ b/agent/ssh/ssh.go
@ -107,11 +107,23 @@ func (vaultAgent vaultAgent) Sign(key ssh.PublicKey, data []byte) (*ssh.Signatur
 		isGit = true
 	}

-	requestTemplate := "%s on %s>%s>%s is requesting ssh signage with key %s"
-	if isGit {
-		requestTemplate = "%s on %s>%s>%s is requesting git signage with key %s"
+	requestTemplate := ""
+	message := ""
+	if !vaultAgent.context.Error {
+		if isGit {
+			requestTemplate = "%s on %s>%s>%s is requesting git signage with key %s"
+		} else {
+			requestTemplate = "%s on %s>%s>%s is requesting ssh signage with key %s"
+		}
+		message = fmt.Sprintf(requestTemplate, vaultAgent.context.UserName, vaultAgent.context.GrandParentProcessName, vaultAgent.context.ParentProcessName, vaultAgent.context.ProcessName, sshKey.Name)
+	} else {
+		if isGit {
+			requestTemplate = "%s is requesting git signage with key %s"
+		} else {
+			requestTemplate = "%s is requesting ssh signage with key %s"
+		}
+		message = fmt.Sprintf(requestTemplate, vaultAgent.context.UserName, sshKey.Name)
 	}
-	message := fmt.Sprintf(requestTemplate, vaultAgent.context.UserName, vaultAgent.context.GrandParentProcessName, vaultAgent.context.ParentProcessName, vaultAgent.context.ProcessName, sshKey.Name)

 	if approved, err := pinentry.GetApproval("SSH Key Signing Request", message); err != nil || !approved {
 		log.Info("Sign Request for key: %s denied", sshKey.Name)