| 1214 | ) |
| 1215 | |
// matchRule evaluates one SSH policy rule against this connection.
//
// On a match it returns the rule's action, the local account the session
// should run as (empty for Reject rules), and the rule's AcceptEnv list.
// Otherwise it returns nil results and a sentinel error naming the reason:
//   - errInvalidConn:   c is nil or c.info has not been populated
//   - errNilRule:       r is nil
//   - errNilAction:     r.Action is nil
//   - errRuleExpired:   c.ruleExpired(r) reports the rule as expired
//   - errPrincipalMatch: none of r.Principals matches this connection
//   - errUserMatch:     a non-Reject rule maps the requested user to no local account
//
// The outcome is reported through c.vlogf on every return path.
func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) {
	// NOTE(review): this deferred call also runs on the c == nil path below,
	// so it relies on vlogf tolerating a nil receiver — confirm.
	defer func() {
		c.vlogf("matchRule(%+v): %v", r, err)
	}()

	// Structural validation first; nothing in the rule is inspected until
	// both the connection and the rule are known to be well-formed.
	switch {
	case c == nil:
		return nil, "", nil, errInvalidConn
	case c.info == nil:
		c.logf("invalid connection state")
		return nil, "", nil, errInvalidConn
	case r == nil:
		return nil, "", nil, errNilRule
	case r.Action == nil:
		return nil, "", nil, errNilAction
	}

	// Expiry is tested before principals, so an expired rule is never
	// reported as a principal match.
	if c.ruleExpired(r) {
		return nil, "", nil, errRuleExpired
	}
	if !c.anyPrincipalMatches(r.Principals) {
		return nil, "", nil, errPrincipalMatch
	}

	// Reject rules carry no local user: the action is returned as-is.
	if r.Action.Reject {
		return r.Action, "", r.AcceptEnv, nil
	}

	// Every other rule must resolve the client-requested SSH user
	// (c.info.sshUser) through SSHUsers. mapLocalUser returns "" when
	// SSHUsers is nil or empty, and "" is treated as no match.
	if localUser = mapLocalUser(r.SSHUsers, c.info.sshUser); localUser == "" {
		return nil, "", nil, errUserMatch
	}
	return r.Action, localUser, r.AcceptEnv, nil
}
| 1251 | |
| 1252 | func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser string) { |
| 1253 | v, ok := ruleSSHUsers[reqSSHUser] |