the-bastion/bin/plugin/admin/adminSudo

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

my $remainingOptions = OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "launching a bastion command or connection, impersonating another user",
    options => {
        "sudo-as=s"  => \my $sudoAs,
        "sudo-cmd=s" => \my $sudoCmd,
    },
    helptext => <<'EOF',
Impersonate another user

Usage: --osh SCRIPT_NAME -- --sudo-as ACCOUNT <--sudo-cmd PLUGIN -- [PLUGIN specific options...]>

  --sudo-as ACCOUNT  Specify which bastion account we want to impersonate
  --sudo-cmd PLUGIN  --osh command we want to launch as the user (see --osh help)

Example::

  --osh SCRIPT_NAME -- --sudo-as user12 --sudo-cmd info -- --name somebodyelse

Don't forget the double-double-dash as seen in the example above: one after the plugin name,
and another one to separate SCRIPT_NAME options from the options of the plugin to be called.
EOF
);

my $fnret;

if (not $sudoAs or not $sudoCmd) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'sudo-as' or 'sudo-cmd'";
}

$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $sudoAs);
$fnret or osh_exit($fnret);

$fnret = OVH::Bastion::can_account_execute_plugin(account => $sudoAs, plugin => $sudoCmd);
$fnret or osh_exit($fnret);

my @cmd = qw( sudo -n -u );
push @cmd, $sudoAs;
push @cmd, qw( -- /usr/bin/env perl );
push @cmd, $OVH::Bastion::BASEPATH . '/bin/shell/osh.pl';
push @cmd, '-c';

my $stringified;
$stringified = " --osh $sudoCmd" if $sudoCmd;
$stringified .= " --host $host" if $host;
$stringified .= " --port $port" if $port;
$stringified .= " --user $user" if $user;
$stringified .= " " . join(" ", @$remainingOptions) if ($remainingOptions and @$remainingOptions);

push @cmd, $stringified;

OVH::Bastion::syslogFormatted(
    criticity => 'info',
    type      => 'security',
    fields    => [['type', 'admin-sudo'], ['account', $self], ['sudo-as', $sudoAs], ['plugin', ($sudoCmd ? $sudoCmd : 'ssh')], ['params', $stringified]]
);

osh_warn("ADMIN SUDO: $self, you'll now impersonate $sudoAs, this has been logged.");

$fnret = OVH::Bastion::execute(cmd => \@cmd, noisy_stdout => 1, noisy_stderr => 1);

osh_exit $fnret;
Initial commit 2020-10-16 00:32:37 +08:00			`#! /usr/bin/env perl`
			`# vim: set filetype=perl ts=4 sw=4 sts=4 et:`
			`use common::sense;`

			`use File::Basename;`
			`use lib dirname(__FILE__) . '/../../../lib/perl';`
			`use OVH::Result;`
			`use OVH::Bastion;`
			`use OVH::Bastion::Plugin qw( :DEFAULT help );`

			`my $remainingOptions = OVH::Bastion::Plugin::begin(`
			`argv => \@ARGV,`
			`header => "launching a bastion command or connection, impersonating another user",`
			`options => {`
			`"sudo-as=s" => \my $sudoAs,`
			`"sudo-cmd=s" => \my $sudoCmd,`
			`},`
			`helptext => <<'EOF',`
			`Impersonate another user`

			`Usage: --osh SCRIPT_NAME -- --sudo-as ACCOUNT <--sudo-cmd PLUGIN -- [PLUGIN specific options...]>`

			`--sudo-as ACCOUNT Specify which bastion account we want to impersonate`
			`--sudo-cmd PLUGIN --osh command we want to launch as the user (see --osh help)`

			`Example::`

			`--osh SCRIPT_NAME -- --sudo-as user12 --sudo-cmd info -- --name somebodyelse`

			`Don't forget the double-double-dash as seen in the example above: one after the plugin name,`
			`and another one to separate SCRIPT_NAME options from the options of the plugin to be called.`
			`EOF`
			`);`

			`my $fnret;`

			`if (not $sudoAs or not $sudoCmd) {`
			`help();`
			`osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'sudo-as' or 'sudo-cmd'";`
			`}`

			`$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $sudoAs);`
			`$fnret or osh_exit($fnret);`

			`$fnret = OVH::Bastion::can_account_execute_plugin(account => $sudoAs, plugin => $sudoCmd);`
			`$fnret or osh_exit($fnret);`

			`my @cmd = qw( sudo -n -u );`
			`push @cmd, $sudoAs;`
			`push @cmd, qw( -- /usr/bin/env perl );`
			`push @cmd, $OVH::Bastion::BASEPATH . '/bin/shell/osh.pl';`
			`push @cmd, '-c';`

			`my $stringified;`
			`$stringified = " --osh $sudoCmd" if $sudoCmd;`
			`$stringified .= " --host $host" if $host;`
			`$stringified .= " --port $port" if $port;`
			`$stringified .= " --user $user" if $user;`
			`$stringified .= " " . join(" ", @$remainingOptions) if ($remainingOptions and @$remainingOptions);`

			`push @cmd, $stringified;`

			`OVH::Bastion::syslogFormatted(`
			`criticity => 'info',`
			`type => 'security',`
			`fields => [['type', 'admin-sudo'], ['account', $self], ['sudo-as', $sudoAs], ['plugin', ($sudoCmd ? $sudoCmd : 'ssh')], ['params', $stringified]]`
			`);`

			`osh_warn("ADMIN SUDO: $self, you'll now impersonate $sudoAs, this has been logged.");`

			`$fnret = OVH::Bastion::execute(cmd => \@cmd, noisy_stdout => 1, noisy_stderr => 1);`

			`osh_exit $fnret;`