the-bastion/bin/plugin/restricted/accountList

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use Term::ANSIColor;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

# globally allow sys_getpw* and sys_getgr* cache use
$ENV{'PW_GR_CACHE'} = 1;

my $remainingOptions = OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "list bastion accounts",
    options => {
        "inactive-only"    => \my $inactiveOnly,
        "realm-only"       => \my $realmOnly,
        "account=s"        => \my $account,
        "audit"            => \my $audit,
        "no-password-info" => \my $noPasswordInfo,
        "no-output"        => \my $noOutput,
        'exclude=s'        => \my @excludes,
        'include=s'        => \my @includes,
    },
    helptext => <<'EOF',
List the bastion accounts

Usage: --osh SCRIPT_NAME [OPTIONS]

  --account ACCOUNT  Only list the specified account. This is an easy way to check whether the account exists
  --inactive-only    Only list inactive accounts
  --audit            Show more verbose information (SLOW!), you need to be a bastion auditor
  --no-password-info Don't gather password info in audit mode (makes --audit way faster)
  --no-output        Don't print human-readable output (faster, use with --json)
  --include PATTERN  Only show accounts whose name match the given PATTERN (see below)
                        This option can be used multiple times to refine results
  --exclude PATTERN  Omit accounts whose name match the given PATTERN (see below)
                        This option can be used multiple times.
                        Note that --exclude takes precedence over --include

**Note:** PATTERN supports the ``*`` and ``?`` wildcards.
If PATTERN is a simple string without wildcards, then names containing this string will be considered.
EOF
);

sub tristate2str {
    my $v = shift;
    my $r = shift;
    return (
        defined $v
        ? ($v ? colored('yes', $r ? 'red' : 'green') : colored('no', $r ? 'green' : 'red'))
        : colored('-', 'blue')
    );
}

if ($realmOnly) {
    osh_exit(R('ERR_INVALID_PARAMETER'), "Option --realm-only is no longer supported, use realmList instead");
}

my $fnret;
if ($account) {
    $fnret = OVH::Bastion::get_account_list(accounts => [$account]);
}
else {
    $fnret = OVH::Bastion::get_account_list();
}

$fnret or osh_exit $fnret;
my $accounts = $fnret->value;

if ($audit && !OVH::Bastion::is_auditor(account => $self)) {
    osh_exit(R('ERR_PERMISSION_DENIED', msg => "You need to be a bastion auditor to use --audit"));
}

my $fnretPassword;
if ($audit && !$noPasswordInfo) {
    # get UNIX password info for all accounts
    my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };
    push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountGetPasswordInfo', '--all';
    $fnretPassword = OVH::Bastion::helper(cmd => \@command);
}

# if we have excludes and/or includes, transform those into regexes
my $includere = OVH::Bastion::build_re_from_wildcards(wildcards => \@includes, implicit_contains => 1)->value;
my $excludere = OVH::Bastion::build_re_from_wildcards(wildcards => \@excludes, implicit_contains => 1)->value;

my $result_hash = {};
foreach my $account (sort keys %$accounts) {

    # if we have excludes, match name against the built regex
    next if ($excludere && $account =~ $excludere);

    # same for includes
    next if ($includere && $account !~ $includere);

    my %states;
    $states{'is_active'} = undef;
    $fnret = OVH::Bastion::is_account_active(account => $account);
    if ($fnret->is_ok) {
        next if $inactiveOnly;
        $states{'is_active'} = 1;
    }
    elsif ($fnret->is_ko) {
        $states{'is_active'} = 0;
    }

    if ($audit) {
        $fnret = OVH::Bastion::is_account_ttl_nonexpired(sysaccount => $account, account => $account);
        $states{'is_ttl_expired'} = undef;
        if ($fnret->is_ok) {
            $states{'is_ttl_expired'} = 0;
        }
        elsif ($fnret->is_ko) {
            $states{'is_ttl_expired'}      = 1;
            $states{'ttl_expired_details'} = $fnret->value->{'details'};
        }

        $fnret = OVH::Bastion::is_account_nonexpired(sysaccount => $account);
        $states{'is_expired'} = undef;
        if ($fnret->is_ok) {
            $states{'is_expired'} = 0;
        }
        elsif ($fnret->is_ko) {
            $states{'is_expired'}   = 1;
            $states{'expired_days'} = $fnret->value->{'days'};
        }

        $states{'already_seen_before'} = undef;
        if ($fnret->value && defined $fnret->value->{'already_seen_before'}) {
            $states{'already_seen_before'} = $fnret->value->{'already_seen_before'} ? 1 : 0;
        }

        $states{'last_activity'}           = undef;
        $states{'last_activity_timestamp'} = undef;
        my $seconds = $fnret->value->{'seconds'};
        if (defined $seconds) {
            $fnret = OVH::Bastion::duration2human(seconds => $seconds, tense => "past");
            if ($fnret) {
                $states{'last_activity_timestamp'} = time() - $seconds;
                $states{'last_activity'}           = sprintf(
                    "%s on %s (%s ago)",
                    (
                        defined $states{'already_seen_before'}
                        ? ($states{'already_seen_before'} ? "Last seen" : "Created")
                        : "Last activity"
                    ),
                    $fnret->value->{'date'},
                    $fnret->value->{'duration'}
                );
            }
        }

        $states{'can_connect'} = 1;
        $states{'can_connect'} = 0 if (!defined $states{'is_active'} || $states{'is_active'} == 0);
        $states{'can_connect'} = 0 if (!defined $states{'is_expired'} || $states{'is_expired'} == 0);
        $states{'can_connect'} = 0 if (!defined $states{'is_ttl_expired'} || $states{'is_ttl_expired'} == 0);

        $states{'mfa_password_required'} = OVH::Bastion::is_user_in_group(
            user  => $account,
            group => OVH::Bastion::MFA_PASSWORD_REQUIRED_GROUP,
        ) ? 1 : 0;
        $states{'mfa_password_configured'} =
          OVH::Bastion::is_user_in_group(
            user  => $account,
            group => OVH::Bastion::MFA_PASSWORD_CONFIGURED_GROUP,
          )
          ? 1
          : 0;
        $states{'mfa_password_bypass'} = OVH::Bastion::is_user_in_group(
            user  => $account,
            group => OVH::Bastion::MFA_PASSWORD_BYPASS_GROUP,
        ) ? 1 : 0;
        $states{'mfa_totp_required'} =
          OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_TOTP_REQUIRED_GROUP)
          ? 1
          : 0;
        $states{'mfa_totp_configured'} = OVH::Bastion::is_user_in_group(
            user  => $account,
            group => OVH::Bastion::MFA_TOTP_CONFIGURED_GROUP,
        ) ? 1 : 0;
        $states{'mfa_totp_bypass'} =
          OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_TOTP_BYPASS_GROUP)
          ? 1
          : 0;
        $states{'pam_auth_bypass'} =
          OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::PAM_AUTH_BYPASS_GROUP)
          ? 1
          : 0;
        $states{'pubkey_auth_optional'} =
          OVH::Bastion::is_user_in_group(
            user  => $account,
            group => OVH::Bastion::OSH_PUBKEY_AUTH_OPTIONAL_GROUP,
          )
          ? 1
          : 0;

        if ($fnretPassword) {
            $states{"password_$_"} = $fnretPassword->value->{$account}{$_}
              for (keys %{$fnretPassword->value->{$account}});
        }
    }

    $fnret = OVH::Bastion::account_config(account => $account, key => "creation_info");
    if ($fnret && $fnret->value) {
        eval {
            my $data = decode_json($fnret->value);
            $states{'created_by'} = $data->{'by'};
        };
        if ($@) {
            osh_warn("Error decoding creation_info of account '$account' ($@)");
        }
    }

    $result_hash->{$account}         = \%states;
    $result_hash->{$account}{'name'} = $account;
    $result_hash->{$account}{'uid'}  = $accounts->{$account}{'uid'};

    # don't print human-readable version (usually used with --json)
    next if $noOutput;

    if ($audit) {
        my @mfaPassword;
        push @mfaPassword, 'required' if $states{'mfa_password_required'};
        push @mfaPassword, 'enabled'  if $states{'mfa_password_configured'};
        push @mfaPassword, 'bypass'   if $states{'mfa_password_bypass'};
        my @mfaTOTP;
        push @mfaTOTP, 'required' if $states{'mfa_totp_required'};
        push @mfaTOTP, 'enabled'  if $states{'mfa_totp_configured'};
        push @mfaTOTP, 'bypass'   if $states{'mfa_totp_bypass'};

        osh_info sprintf(
            "%-18s %6d active:%-12s expired:%-12s ttl_expired:%-12s"
              . "can_connect:%-12s already_seen:%-12s mfa_password:%-25s "
              . "mfa_totp:%-25s pam_bypass:%-12s pubkey_auth_optional:%-12s "
              . "pass_status:%-15s pass_changed:%-10s pass_min_days:%-3d "
              . "pass_max_days:%-3d pass_warn_days:%-3d created_by:%-12s " . " %s\n",
            $account,
            $accounts->{$account}{'uid'},
            tristate2str($states{'is_active'}),
            tristate2str($states{'is_expired'},     1),
            tristate2str($states{'is_ttl_expired'}, 1),
            tristate2str($states{'can_connect'}),
            tristate2str($states{'already_seen_before'}),
            @mfaPassword ? colored(join(',', @mfaPassword), 'green') : colored('-', 'blue'),
            @mfaTOTP     ? colored(join(',', @mfaTOTP),     'green') : colored('-', 'blue'),
            tristate2str($states{'pam_auth_bypass'},      1),
            tristate2str($states{'pubkey_auth_optional'}, 1),
            (
                $states{'password_password'} eq 'locked' ? colored('locked', 'blue')
                : (
                    $states{'password_password'} eq 'set' ? colored('set', 'green')
                    : colored($states{'password_password'}, 'red')
                )
            ),
            $states{'password_date_changed'},
            $states{'password_min_days'},
            $states{'password_max_days'},
            $states{'password_warn_days'},
            $states{'created_by'},
            $states{'last_activity'},
        );
    }
    else {
        osh_info sprintf("%-18s %6d\n", $account, $accounts->{$account}{'uid'});
    }
}

if ($noOutput) {
    osh_info "No-output requested, if you see only this message, you might have omitted --json";
}

osh_ok $result_hash;
Initial commit 2020-10-16 00:32:37 +08:00			`#! /usr/bin/env perl`
			`# vim: set filetype=perl ts=4 sw=4 sts=4 et:`
			`use common::sense;`
			`use Term::ANSIColor;`

			`use File::Basename;`
			`use lib dirname(__FILE__) . '/../../../lib/perl';`
			`use OVH::Result;`
			`use OVH::Bastion;`
			`use OVH::Bastion::Plugin qw( :DEFAULT help );`

fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`# globally allow sys_getpw* and sys_getgr* cache use`
			`$ENV{'PW_GR_CACHE'} = 1;`

Initial commit 2020-10-16 00:32:37 +08:00			`my $remainingOptions = OVH::Bastion::Plugin::begin(`
			`argv => \@ARGV,`
			`header => "list bastion accounts",`
			`options => {`
enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`"inactive-only" => \my $inactiveOnly,`
			`"realm-only" => \my $realmOnly,`
			`"account=s" => \my $account,`
			`"audit" => \my $audit,`
			`"no-password-info" => \my $noPasswordInfo,`
			`"no-output" => \my $noOutput,`
			`'exclude=s' => \my @excludes,`
			`'include=s' => \my @includes,`
Initial commit 2020-10-16 00:32:37 +08:00			`},`
			`helptext => <<'EOF',`
			`List the bastion accounts`

feat: add filtering options to several cmds,nicify print_acls() The commands selfListAccesses, accountListAccesses, groupList, groupListServers, groupListGuestAccesses and accountList now have options to filter their output through pattern matching, with --include and --exclude. The output from the commands using print_acls() is also more human-friendly, with auto-adjusting column length, and empty columns omitted. Closes #60. 2021-03-31 14:54:15 +08:00			`Usage: --osh SCRIPT_NAME [OPTIONS]`
Initial commit 2020-10-16 00:32:37 +08:00
			`--account ACCOUNT Only list the specified account. This is an easy way to check whether the account exists`
			`--inactive-only Only list inactive accounts`
			`--audit Show more verbose information (SLOW!), you need to be a bastion auditor`
enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`--no-password-info Don't gather password info in audit mode (makes --audit way faster)`
			`--no-output Don't print human-readable output (faster, use with --json)`
feat: add filtering options to several cmds,nicify print_acls() The commands selfListAccesses, accountListAccesses, groupList, groupListServers, groupListGuestAccesses and accountList now have options to filter their output through pattern matching, with --include and --exclude. The output from the commands using print_acls() is also more human-friendly, with auto-adjusting column length, and empty columns omitted. Closes #60. 2021-03-31 14:54:15 +08:00			`--include PATTERN Only show accounts whose name match the given PATTERN (see below)`
			`This option can be used multiple times to refine results`
			`--exclude PATTERN Omit accounts whose name match the given PATTERN (see below)`
			`This option can be used multiple times.`
			`Note that --exclude takes precedence over --include`

			Note: PATTERN supports the ``*`` and ``?`` wildcards.
			`If PATTERN is a simple string without wildcards, then names containing this string will be considered.`
Initial commit 2020-10-16 00:32:37 +08:00			`EOF`
			`);`

			`sub tristate2str {`
			`my $v = shift;`
			`my $r = shift;`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`return (`
			`defined $v`
			`? ($v ? colored('yes', $r ? 'red' : 'green') : colored('no', $r ? 'green' : 'red'))`
			`: colored('-', 'blue')`
			`);`
Initial commit 2020-10-16 00:32:37 +08:00			`}`

			`if ($realmOnly) {`
			`osh_exit(R('ERR_INVALID_PARAMETER'), "Option --realm-only is no longer supported, use realmList instead");`
			`}`

			`my $fnret;`
			`if ($account) {`
			`$fnret = OVH::Bastion::get_account_list(accounts => [$account]);`
			`}`
			`else {`
			`$fnret = OVH::Bastion::get_account_list();`
			`}`

			`$fnret or osh_exit $fnret;`
			`my $accounts = $fnret->value;`

			`if ($audit && !OVH::Bastion::is_auditor(account => $self)) {`
			`osh_exit(R('ERR_PERMISSION_DENIED', msg => "You need to be a bastion auditor to use --audit"));`
			`}`

			`my $fnretPassword;`
enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`if ($audit && !$noPasswordInfo) {`
Initial commit 2020-10-16 00:32:37 +08:00			`# get UNIX password info for all accounts`
			`my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };`
			`push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountGetPasswordInfo', '--all';`
			`$fnretPassword = OVH::Bastion::helper(cmd => \@command);`
			`}`

feat: groupList/accountList: add --include --exclude 2021-01-20 17:55:58 +08:00			`# if we have excludes and/or includes, transform those into regexes`
feat: add filtering options to several cmds,nicify print_acls() The commands selfListAccesses, accountListAccesses, groupList, groupListServers, groupListGuestAccesses and accountList now have options to filter their output through pattern matching, with --include and --exclude. The output from the commands using print_acls() is also more human-friendly, with auto-adjusting column length, and empty columns omitted. Closes #60. 2021-03-31 14:54:15 +08:00			`my $includere = OVH::Bastion::build_re_from_wildcards(wildcards => \@includes, implicit_contains => 1)->value;`
			`my $excludere = OVH::Bastion::build_re_from_wildcards(wildcards => \@excludes, implicit_contains => 1)->value;`
feat: groupList/accountList: add --include --exclude 2021-01-20 17:55:58 +08:00
Initial commit 2020-10-16 00:32:37 +08:00			`my $result_hash = {};`
			`foreach my $account (sort keys %$accounts) {`

feat: groupList/accountList: add --include --exclude 2021-01-20 17:55:58 +08:00			`# if we have excludes, match name against the built regex`
			`next if ($excludere && $account =~ $excludere);`

			`# same for includes`
			`next if ($includere && $account !~ $includere);`

			`my %states;`
Initial commit 2020-10-16 00:32:37 +08:00			`$states{'is_active'} = undef;`
			`$fnret = OVH::Bastion::is_account_active(account => $account);`
			`if ($fnret->is_ok) {`
			`next if $inactiveOnly;`
			`$states{'is_active'} = 1;`
			`}`
			`elsif ($fnret->is_ko) {`
			`$states{'is_active'} = 0;`
			`}`

			`if ($audit) {`
fix: accountInfo wasn't showing TTL account expiration #329 2022-07-15 19:22:48 +08:00			`$fnret = OVH::Bastion::is_account_ttl_nonexpired(sysaccount => $account, account => $account);`
			`$states{'is_ttl_expired'} = undef;`
			`if ($fnret->is_ok) {`
			`$states{'is_ttl_expired'} = 0;`
			`}`
			`elsif ($fnret->is_ko) {`
			`$states{'is_ttl_expired'} = 1;`
			`$states{'ttl_expired_details'} = $fnret->value->{'details'};`
			`}`

Initial commit 2020-10-16 00:32:37 +08:00			`$fnret = OVH::Bastion::is_account_nonexpired(sysaccount => $account);`
			`$states{'is_expired'} = undef;`
			`if ($fnret->is_ok) {`
			`$states{'is_expired'} = 0;`
			`}`
			`elsif ($fnret->is_ko) {`
			`$states{'is_expired'} = 1;`
			`$states{'expired_days'} = $fnret->value->{'days'};`
			`}`

			`$states{'already_seen_before'} = undef;`
			`if ($fnret->value && defined $fnret->value->{'already_seen_before'}) {`
			`$states{'already_seen_before'} = $fnret->value->{'already_seen_before'} ? 1 : 0;`
			`}`

			`$states{'last_activity'} = undef;`
			`$states{'last_activity_timestamp'} = undef;`
			`my $seconds = $fnret->value->{'seconds'};`
			`if (defined $seconds) {`
			`$fnret = OVH::Bastion::duration2human(seconds => $seconds, tense => "past");`
			`if ($fnret) {`
			`$states{'last_activity_timestamp'} = time() - $seconds;`
			`$states{'last_activity'} = sprintf(`
			`"%s on %s (%s ago)",`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`(`
			`defined $states{'already_seen_before'}`
			`? ($states{'already_seen_before'} ? "Last seen" : "Created")`
			`: "Last activity"`
			`),`
Initial commit 2020-10-16 00:32:37 +08:00			`$fnret->value->{'date'},`
			`$fnret->value->{'duration'}`
			`);`
			`}`
			`}`

fix: accountInfo wasn't showing TTL account expiration #329 2022-07-15 19:22:48 +08:00			`$states{'can_connect'} = 1;`
			`$states{'can_connect'} = 0 if (!defined $states{'is_active'} \|\| $states{'is_active'} == 0);`
			`$states{'can_connect'} = 0 if (!defined $states{'is_expired'} \|\| $states{'is_expired'} == 0);`
			`$states{'can_connect'} = 0 if (!defined $states{'is_ttl_expired'} \|\| $states{'is_ttl_expired'} == 0);`
Initial commit 2020-10-16 00:32:37 +08:00
fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`$states{'mfa_password_required'} = OVH::Bastion::is_user_in_group(`
			`user => $account,`
			`group => OVH::Bastion::MFA_PASSWORD_REQUIRED_GROUP,`
			`) ? 1 : 0;`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`$states{'mfa_password_configured'} =`
fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`OVH::Bastion::is_user_in_group(`
			`user => $account,`
			`group => OVH::Bastion::MFA_PASSWORD_CONFIGURED_GROUP,`
			`)`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`? 1`
			`: 0;`
fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`$states{'mfa_password_bypass'} = OVH::Bastion::is_user_in_group(`
			`user => $account,`
			`group => OVH::Bastion::MFA_PASSWORD_BYPASS_GROUP,`
			`) ? 1 : 0;`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`$states{'mfa_totp_required'} =`
fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_TOTP_REQUIRED_GROUP)`
			`? 1`
			`: 0;`
			`$states{'mfa_totp_configured'} = OVH::Bastion::is_user_in_group(`
			`user => $account,`
			`group => OVH::Bastion::MFA_TOTP_CONFIGURED_GROUP,`
			`) ? 1 : 0;`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`$states{'mfa_totp_bypass'} =`
fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::MFA_TOTP_BYPASS_GROUP)`
			`? 1`
			`: 0;`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`$states{'pam_auth_bypass'} =`
fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`OVH::Bastion::is_user_in_group(user => $account, group => OVH::Bastion::PAM_AUTH_BYPASS_GROUP)`
			`? 1`
			`: 0;`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`$states{'pubkey_auth_optional'} =`
fix: performance issues introduced by effab4a Commit that introduced the performance degradation is effab4a (fix: workaround for undocumented caching in getpw/getgr funcs) Rewrote caching at the getpwent/getpwnam/getgrent/getgrnam level, which restores performance pre-effab4a and even enhances it in somes cases, for example on a 2000-accounts and 2000-groups bastion, we are: - 11% faster on --osh help - 35% faster on --osh selfListAccesses (reduces syscalls by 87%) 2022-07-07 19:23:55 +08:00			`OVH::Bastion::is_user_in_group(`
			`user => $account,`
			`group => OVH::Bastion::OSH_PUBKEY_AUTH_OPTIONAL_GROUP,`
			`)`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`? 1`
			`: 0;`
Initial commit 2020-10-16 00:32:37 +08:00
			`if ($fnretPassword) {`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`$states{"password_$_"} = $fnretPassword->value->{$account}{$_}`
			`for (keys %{$fnretPassword->value->{$account}});`
Initial commit 2020-10-16 00:32:37 +08:00			`}`
			`}`

enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`$fnret = OVH::Bastion::account_config(account => $account, key => "creation_info");`
			`if ($fnret && $fnret->value) {`
			`eval {`
			`my $data = decode_json($fnret->value);`
			`$states{'created_by'} = $data->{'by'};`
			`};`
			`if ($@) {`
			`osh_warn("Error decoding creation_info of account '$account' ($@)");`
			`}`
			`}`

Initial commit 2020-10-16 00:32:37 +08:00			`$result_hash->{$account} = \%states;`
			`$result_hash->{$account}{'name'} = $account;`
			`$result_hash->{$account}{'uid'} = $accounts->{$account}{'uid'};`

enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`# don't print human-readable version (usually used with --json)`
			`next if $noOutput;`

Initial commit 2020-10-16 00:32:37 +08:00			`if ($audit) {`
			`my @mfaPassword;`
			`push @mfaPassword, 'required' if $states{'mfa_password_required'};`
			`push @mfaPassword, 'enabled' if $states{'mfa_password_configured'};`
			`push @mfaPassword, 'bypass' if $states{'mfa_password_bypass'};`
			`my @mfaTOTP;`
			`push @mfaTOTP, 'required' if $states{'mfa_totp_required'};`
			`push @mfaTOTP, 'enabled' if $states{'mfa_totp_configured'};`
			`push @mfaTOTP, 'bypass' if $states{'mfa_totp_bypass'};`

			`osh_info sprintf(`
enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`"%-18s %6d active:%-12s expired:%-12s ttl_expired:%-12s"`
			`. "can_connect:%-12s already_seen:%-12s mfa_password:%-25s "`
			`. "mfa_totp:%-25s pam_bypass:%-12s pubkey_auth_optional:%-12s "`
			`. "pass_status:%-15s pass_changed:%-10s pass_min_days:%-3d "`
			`. "pass_max_days:%-3d pass_warn_days:%-3d created_by:%-12s " . " %s\n",`
Initial commit 2020-10-16 00:32:37 +08:00			`$account,`
			`$accounts->{$account}{'uid'},`
			`tristate2str($states{'is_active'}),`
fix: accountInfo wasn't showing TTL account expiration #329 2022-07-15 19:22:48 +08:00			`tristate2str($states{'is_expired'}, 1),`
			`tristate2str($states{'is_ttl_expired'}, 1),`
Initial commit 2020-10-16 00:32:37 +08:00			`tristate2str($states{'can_connect'}),`
			`tristate2str($states{'already_seen_before'}),`
			`@mfaPassword ? colored(join(',', @mfaPassword), 'green') : colored('-', 'blue'),`
			`@mfaTOTP ? colored(join(',', @mfaTOTP), 'green') : colored('-', 'blue'),`
new account option: --pubkey-auth-optional, to allow ingress login with or without pubkey when pam is required 2021-09-29 22:16:07 +08:00			`tristate2str($states{'pam_auth_bypass'}, 1),`
			`tristate2str($states{'pubkey_auth_optional'}, 1),`
Initial commit 2020-10-16 00:32:37 +08:00			`(`
chore: new perltidy rules 2022-06-30 21:00:29 +08:00			`$states{'password_password'} eq 'locked' ? colored('locked', 'blue')`
			`: (`
			`$states{'password_password'} eq 'set' ? colored('set', 'green')`
			`: colored($states{'password_password'}, 'red')`
			`)`
Initial commit 2020-10-16 00:32:37 +08:00			`),`
			`$states{'password_date_changed'},`
			`$states{'password_min_days'},`
			`$states{'password_max_days'},`
			`$states{'password_warn_days'},`
enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`$states{'created_by'},`
Initial commit 2020-10-16 00:32:37 +08:00			`$states{'last_activity'},`
			`);`
			`}`
			`else {`
			`osh_info sprintf("%-18s %6d\n", $account, $accounts->{$account}{'uid'});`
			`}`
			`}`

enh: accountInfo: add --no-password-info and --no-output 2022-12-17 02:07:49 +08:00			`if ($noOutput) {`
			`osh_info "No-output requested, if you see only this message, you might have omitted --json";`
			`}`

Initial commit 2020-10-16 00:32:37 +08:00			`osh_ok $result_hash;`