
Method matchRule

ssh/tailssh/tailssh.go:1216–1250  ·  view source on GitHub ↗
(r *tailcfg.SSHRule)

Source from the content-addressed store, hash-verified

1214)
1215
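// matchRule evaluates a single SSH policy rule against this connection and
// reports whether the rule applies.
//
// On a match it returns the rule's action, the local user that the requested
// SSH user maps to (left empty for Reject actions, which skip user mapping),
// and the rule's AcceptEnv list. When any check fails it returns a nil
// action, an empty user, a nil AcceptEnv and a sentinel error, so a caller
// never receives a usable action together with a non-nil error.
//
// Checks run in a fixed order: connection validity, rule and action presence,
// rule expiry, principal match, then local-user mapping. Each one returns on
// failure, so a later check is reached only after every earlier one passed.
func (c *conn) matchRule(r *tailcfg.SSHRule) (a *tailcfg.SSHAction, localUser string, acceptEnv []string, err error) {
	defer func() {
		// This defer is registered before the nil-receiver check below, so
		// guard it: vlogf is not shown here and may read fields of c, which
		// would panic on a nil *conn instead of returning errInvalidConn.
		if c != nil {
			c.vlogf("matchRule(%+v): %v", r, err)
		}
	}()

	if c == nil {
		return nil, "", nil, errInvalidConn
	}
	if c.info == nil {
		c.logf("invalid connection state")
		return nil, "", nil, errInvalidConn
	}
	if r == nil {
		return nil, "", nil, errNilRule
	}
	if r.Action == nil {
		return nil, "", nil, errNilAction
	}
	// Expiry is checked before principals, so an expired rule never matches,
	// whoever is connecting.
	if c.ruleExpired(r) {
		return nil, "", nil, errRuleExpired
	}
	if !c.anyPrincipalMatches(r.Principals) {
		return nil, "", nil, errPrincipalMatch
	}
	if !r.Action.Reject {
		// For all but Reject rules, SSHUsers is required.
		// If SSHUsers is nil or empty, mapLocalUser will return an
		// empty string anyway, which is treated as "no match" here.
		localUser = mapLocalUser(r.SSHUsers, c.info.sshUser)
		if localUser == "" {
			return nil, "", nil, errUserMatch
		}
	}
	return r.Action, localUser, r.AcceptEnv, nil
}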
1251
1252func mapLocalUser(ruleSSHUsers map[string]string, reqSSHUser string) (localUser string) {
1253 v, ok := ruleSSHUsers[reqSSHUser]

Callers 2

evalSSHPolicyMethod · 0.95
TestMatchRuleFunction · 0.95

Calls 5

vlogfMethod · 0.95
logfMethod · 0.95
ruleExpiredMethod · 0.95
anyPrincipalMatchesMethod · 0.95
mapLocalUserFunction · 0.85

Tested by 1

TestMatchRuleFunction · 0.76