the-bastion/bin/plugin/group-gatekeeper/groupAddGuestAccess

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
use OVH::Bastion::Plugin::groupSetRole;

my $remainingOptions = OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "add access to one server of a group to an account",
    options => {
        "group=s"   => \my $group,
        "account=s" => \my $account,
        "user-any"  => \my $userAny,
        "port-any"  => \my $portAny,
        "scpup"     => \my $scpUp,
        "scpdown"   => \my $scpDown,
        "ttl=s"     => \my $ttl,
        "comment=s" => \my $comment,
    },
    helptext => <<'EOF',
Add a specific group server access to an account

Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]

  --group GROUP           group to add guest access to
  --account ACCOUNT       name of the other bastion account to add access to, they'll be given access to the GROUP key
  --host HOST|IP          add access to this HOST (which must belong to the GROUP)
  --user USER             allow connecting to HOST only with remote login USER
  --user-any              allow connecting to HOST with any remote login
  --port PORT             allow connecting to HOST only to remote port PORT
  --port-any              allow connecting to HOST with any remote port
  --scpup                 allow SCP upload, you--bastion-->server (omit --user in this case)
  --scpdown               allow SCP download, you<--bastion--server (omit --user in this case)
  --ttl SECONDS|DURATION  specify a number of seconds after which the access will automatically expire
  --comment '"ANY TEXT"'  add a comment alongside this access.
                            If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers

This command adds, to an existing bastion account, access to the egress keys of a group,
but only to accessing one or several given servers, instead of all the servers of this group.

If you want to add complete access to an account to all the present and future servers
of the group, using the group key, please use ``groupAddMember`` instead.

If you want to add access to an account to a group server but using his personal bastion
key instead of the group key, please use ``accountAddPersonalAccess`` instead (his public key
must be on the remote server).

This command is the opposite of ``groupDelGuestAccess``.
EOF
);

if (not $ip and $host) {
    osh_exit 'ERR_INVALID_HOST', "Specified host ($host) didn't resolve correctly, fix your DNS or specify the IP instead";
}
if ($scpUp and $scpDown) {
    help();
    osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "You specified both --scpup and --scpdown, if you want to grant both, please do it in two separate commands";
}
if (($scpUp or $scpDown) and ($user or $userAny)) {
    help();
    osh_exit 'ERR_INCOMPATIBLE_PARAMETERS',
"To grant SCP access, first ensure SSH access is granted to the machine (with the --user you need, or --user-any), then grant with --scpup and/or --scpdown, omitting --user/--user-any";
}
if (defined $ttl) {
    my $fnret = OVH::Bastion::is_valid_ttl(ttl => $ttl);
    $fnret or osh_exit $fnret;
    $ttl = $fnret->value->{'seconds'};
}

my $realUser = $user;
$realUser = '!scpupload'   if $scpUp;
$realUser = '!scpdownload' if $scpDown;
my $fnret = OVH::Bastion::Plugin::groupSetRole::act(
    account        => $account,
    group          => $group,
    action         => 'add',
    type           => 'guest',
    user           => $realUser,
    userAny        => $userAny,
    port           => $port,
    portAny        => $portAny,
    host           => ($ip || $host),
    ttl            => $ttl,
    comment        => $comment,
    sudo           => 0,
    silentoverride => 0,
    self           => $self,
    scriptName     => $scriptName,
    savedArgs      => $savedArgs
);
help() if not $fnret;
osh_exit($fnret);
Initial commit 2020-10-16 00:32:37 +08:00			`#! /usr/bin/env perl`
			`# vim: set filetype=perl ts=4 sw=4 sts=4 et:`
			`use common::sense;`

			`use File::Basename;`
			`use lib dirname(__FILE__) . '/../../../lib/perl';`
			`use OVH::Result;`
			`use OVH::Bastion;`
			`use OVH::Bastion::Plugin qw( :DEFAULT help );`
			`use OVH::Bastion::Plugin::groupSetRole;`

			`my $remainingOptions = OVH::Bastion::Plugin::begin(`
			`argv => \@ARGV,`
			`header => "add access to one server of a group to an account",`
			`options => {`
			`"group=s" => \my $group,`
			`"account=s" => \my $account,`
			`"user-any" => \my $userAny,`
			`"port-any" => \my $portAny,`
			`"scpup" => \my $scpUp,`
			`"scpdown" => \my $scpDown,`
			`"ttl=s" => \my $ttl,`
enh: guests: groupAddGuestAccess now supports setting a comment If no comment is set, the comment is inherited from the group ACL, as seen in groupListServers. selfAddPersonalAccess now also return details about the added server in the returned JSON. Closes #18 Closes #17 2021-02-17 22:38:59 +08:00			`"comment=s" => \my $comment,`
Initial commit 2020-10-16 00:32:37 +08:00			`},`
			`helptext => <<'EOF',`
			`Add a specific group server access to an account`

			`Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]`

			`--group GROUP group to add guest access to`
enh: guests: groupAddGuestAccess now supports setting a comment If no comment is set, the comment is inherited from the group ACL, as seen in groupListServers. selfAddPersonalAccess now also return details about the added server in the returned JSON. Closes #18 Closes #17 2021-02-17 22:38:59 +08:00			`--account ACCOUNT name of the other bastion account to add access to, they'll be given access to the GROUP key`
Initial commit 2020-10-16 00:32:37 +08:00			`--host HOST\|IP add access to this HOST (which must belong to the GROUP)`
			`--user USER allow connecting to HOST only with remote login USER`
			`--user-any allow connecting to HOST with any remote login`
			`--port PORT allow connecting to HOST only to remote port PORT`
			`--port-any allow connecting to HOST with any remote port`
			`--scpup allow SCP upload, you--bastion-->server (omit --user in this case)`
			`--scpdown allow SCP download, you<--bastion--server (omit --user in this case)`
enh: guests: groupAddGuestAccess now supports setting a comment If no comment is set, the comment is inherited from the group ACL, as seen in groupListServers. selfAddPersonalAccess now also return details about the added server in the returned JSON. Closes #18 Closes #17 2021-02-17 22:38:59 +08:00			`--ttl SECONDS\|DURATION specify a number of seconds after which the access will automatically expire`
chore: microfixes after review 2021-02-22 19:00:56 +08:00			`--comment '"ANY TEXT"' add a comment alongside this access.`
enh: guests: groupAddGuestAccess now supports setting a comment If no comment is set, the comment is inherited from the group ACL, as seen in groupListServers. selfAddPersonalAccess now also return details about the added server in the returned JSON. Closes #18 Closes #17 2021-02-17 22:38:59 +08:00			`If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers`
Initial commit 2020-10-16 00:32:37 +08:00
			`This command adds, to an existing bastion account, access to the egress keys of a group,`
			`but only to accessing one or several given servers, instead of all the servers of this group.`

			`If you want to add complete access to an account to all the present and future servers`
			of the group, using the group key, please use ``groupAddMember`` instead.

			`If you want to add access to an account to a group server but using his personal bastion`
			key instead of the group key, please use ``accountAddPersonalAccess`` instead (his public key
			`must be on the remote server).`

			This command is the opposite of ``groupDelGuestAccess``.
			`EOF`
			`);`

			`if (not $ip and $host) {`
			`osh_exit 'ERR_INVALID_HOST', "Specified host ($host) didn't resolve correctly, fix your DNS or specify the IP instead";`
			`}`
			`if ($scpUp and $scpDown) {`
			`help();`
			`osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "You specified both --scpup and --scpdown, if you want to grant both, please do it in two separate commands";`
			`}`
			`if (($scpUp or $scpDown) and ($user or $userAny)) {`
			`help();`
			`osh_exit 'ERR_INCOMPATIBLE_PARAMETERS',`
			`"To grant SCP access, first ensure SSH access is granted to the machine (with the --user you need, or --user-any), then grant with --scpup and/or --scpdown, omitting --user/--user-any";`
			`}`
			`if (defined $ttl) {`
			`my $fnret = OVH::Bastion::is_valid_ttl(ttl => $ttl);`
			`$fnret or osh_exit $fnret;`
			`$ttl = $fnret->value->{'seconds'};`
			`}`

			`my $realUser = $user;`
			`$realUser = '!scpupload' if $scpUp;`
			`$realUser = '!scpdownload' if $scpDown;`
			`my $fnret = OVH::Bastion::Plugin::groupSetRole::act(`
			`account => $account,`
			`group => $group,`
			`action => 'add',`
			`type => 'guest',`
			`user => $realUser,`
			`userAny => $userAny,`
			`port => $port,`
			`portAny => $portAny,`
			`host => ($ip \|\| $host),`
			`ttl => $ttl,`
enh: guests: groupAddGuestAccess now supports setting a comment If no comment is set, the comment is inherited from the group ACL, as seen in groupListServers. selfAddPersonalAccess now also return details about the added server in the returned JSON. Closes #18 Closes #17 2021-02-17 22:38:59 +08:00			`comment => $comment,`
Initial commit 2020-10-16 00:32:37 +08:00			`sudo => 0,`
			`silentoverride => 0,`
			`self => $self,`
			`scriptName => $scriptName,`
			`savedArgs => $savedArgs`
			`);`
			`help() if not $fnret;`
			`osh_exit($fnret);`