the-bastion/bin/plugin/group-gatekeeper/groupAddGuestAccess

94 lines
3.7 KiB
Text
Raw Normal View History

2020-10-16 00:32:37 +08:00
#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
use OVH::Bastion::Plugin::groupSetRole;
my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => "add access to one server of a group to an account",
options => {
"group=s" => \my $group,
"account=s" => \my $account,
"user-any" => \my $userAny,
"port-any" => \my $portAny,
"scpup" => \my $scpUp,
"scpdown" => \my $scpDown,
"ttl=s" => \my $ttl,
},
helptext => <<'EOF',
Add a specific group server access to an account
Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
--group GROUP group to add guest access to
--account ACCOUNT name of the other bastion account to add access to, he'll be given access to the GROUP key
--host HOST|IP add access to this HOST (which must belong to the GROUP)
--user USER allow connecting to HOST only with remote login USER
--user-any allow connecting to HOST with any remote login
--port PORT allow connecting to HOST only to remote port PORT
--port-any allow connecting to HOST with any remote port
--scpup allow SCP upload, you--bastion-->server (omit --user in this case)
--scpdown allow SCP download, you<--bastion--server (omit --user in this case)
--ttl SECONDS|DURATION Specify a number of seconds after which the access will automatically expire
This command adds, to an existing bastion account, access to the egress keys of a group,
but only to accessing one or several given servers, instead of all the servers of this group.
If you want to add complete access to an account to all the present and future servers
of the group, using the group key, please use ``groupAddMember`` instead.
If you want to add access to an account to a group server but using his personal bastion
key instead of the group key, please use ``accountAddPersonalAccess`` instead (his public key
must be on the remote server).
This command is the opposite of ``groupDelGuestAccess``.
EOF
);
if (not $ip and $host) {
osh_exit 'ERR_INVALID_HOST', "Specified host ($host) didn't resolve correctly, fix your DNS or specify the IP instead";
}
if ($scpUp and $scpDown) {
help();
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "You specified both --scpup and --scpdown, if you want to grant both, please do it in two separate commands";
}
if (($scpUp or $scpDown) and ($user or $userAny)) {
help();
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS',
"To grant SCP access, first ensure SSH access is granted to the machine (with the --user you need, or --user-any), then grant with --scpup and/or --scpdown, omitting --user/--user-any";
}
if (defined $ttl) {
my $fnret = OVH::Bastion::is_valid_ttl(ttl => $ttl);
$fnret or osh_exit $fnret;
$ttl = $fnret->value->{'seconds'};
}
my $realUser = $user;
$realUser = '!scpupload' if $scpUp;
$realUser = '!scpdownload' if $scpDown;
my $fnret = OVH::Bastion::Plugin::groupSetRole::act(
account => $account,
group => $group,
action => 'add',
type => 'guest',
user => $realUser,
userAny => $userAny,
port => $port,
portAny => $portAny,
host => ($ip || $host),
ttl => $ttl,
sudo => 0,
silentoverride => 0,
self => $self,
scriptName => $scriptName,
savedArgs => $savedArgs
);
help() if not $fnret;
osh_exit($fnret);