fix(ssh): enforce firewall rules on cloud instances#6588
Merged
Conversation
Session.Evaluate ran the firewall check only in pure enterprise mode, so cloud connections skipped it entirely. Active Deny rules appeared in the UI but were never evaluated at connection time, silently bypassing an access-control feature that Cloud is documented to support. The guard assumed cloud excludes enterprise, when cloud actually extends it. Decouple the firewall check from the license check and run it whenever either mode is enabled, so cloud enforces firewall rules alongside billing instead of in place of it.
|
Claude finished @geovannewashington's task in 6m 39s —— View job Code Review CompleteReviewed 2 files across code quality, security, testing, Go patterns, and architecture — no new issues found. The code looks good as-is. Review highlights:
If you push additional changes and want a new review, tag |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Run the SSH firewall check on cloud instances, not just pure enterprise
ones. Active "Deny" rules are now evaluated at connection time in cloud.
Why
Session.EvaluategatedcheckFirewallbehindIsEnterprise() && !IsCloud(), so cloud connections skipped it entirely and fell through tothe billing check. An operator could create an Active Deny rule, see it
listed in the UI, and still connect — the rule had no effect.
This is a silent enforcement bypass of an access-control feature. Firewall
rules are a documented Cloud + Enterprise capability (included on the free
Cloud tier), so they are expected to work in cloud. The root cause is the
recurring "cloud excludes enterprise" assumption, where it should be
"cloud extends enterprise": a cloud instance is also an enterprise
instance and should run the firewall check in addition to billing.
Changes
ssh/session/session.go: decouple the firewall check from the licensecheck in
Session.Evaluateand run it wheneverIsEnterprise()orIsCloud()is set. License stays enterprise-only, billing stayscloud-only, firewall now spans both.
ssh/session/session_test.go: cover firewall enforcement acrosscommunity, enterprise, and cloud modes to lock in the behaviour.
Testing
All devices.
Expected: the connection is denied by the rule. Before this change it
succeeded and the Deny rule was never evaluated.
Closes: shellhub-io/team#166