diff --git a/bin/plugin/group-owner/groupModify.json b/bin/plugin/group-owner/groupModify.json index 7f90021..def7ea8 100644 --- a/bin/plugin/group-owner/groupModify.json +++ b/bin/plugin/group-owner/groupModify.json @@ -7,5 +7,6 @@ "groupModify --group \\S+ --mfa-required \\S+" , {"pr" : [""]}, "groupModify --group \\S+ --guest-ttl-limit" , {"pr" : [""]}, "groupModify --group \\S+ --guest-ttl-limit \\S+", {"pr" : [""]} - ] + ], + "master_only": 1 } diff --git a/bin/plugin/open/help b/bin/plugin/open/help index 7548e2c..f15c74f 100755 --- a/bin/plugin/open/help +++ b/bin/plugin/open/help @@ -43,13 +43,14 @@ my @knownPlugins = ( 'other commands' => [qw{ selfModify }], ], 'MANAGE OTHER ACCOUNTS' => [ - 'manage bastion accounts' => - [qw{ accountList accountCreate accountCreateOvh accountDelete accountUnexpire accountModify accountPIV }], + 'manage bastion accounts' => [ + qw{ accountList accountInfo accountCreate accountDelete accountUnexpire accountUnlock accountFreeze accountUnfreeze accountModify accountPIV } + ], 'manage accounts ingress credentials (them->bastion)' => [qw{ accountListIngressKeys accountResetIngressKeys accountMFAResetPassword accountMFAResetTOTP }], 'manage accounts egress credentials (bastion->server)' => [qw{ accountListEgressKeys accountGeneratePassword accountListPasswords }], - 'manage access to restricted commands' => [qw{ accountGrantCommand accountRevokeCommand accountInfo }], + 'manage access to restricted commands' => [qw{ accountGrantCommand accountRevokeCommand }], 'manage another account accesses to servers' => [qw{ accountListAccesses accountAddPersonalAccess accountDelPersonalAccess whoHasAccessTo }], 'review past sessions' => [qw{ accountListSessions globalListSessions }], 
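Review bot: Nothing in this diff shows where `"master_only": 1` is read and enforced, so the key added to groupModify.json (and, further down, to accountPIV.json and accountRevokeCommand.json) is only a declaration as far as the visible changes go. These commands change security policy (`--mfa-required`, PIV policy, revoking a restricted command). If a read-only instance accepted one and its state were later replaced from the master, the operator would presumably believe a revocation had taken effect when it had not. It is worth confirming that a test covers each newly flagged plugin being refused on an instance with `readOnlySlaveMode` set, before any write is attempted.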
@@ -58,7 +59,7 @@ my @knownPlugins = ( 'information and lifecycle' => [qw{ groupInfo groupListServers groupList groupCreate groupDelete }], 'group owner commands' => [ qw{ groupAddGatekeeper groupDelGatekeeper groupAddAclkeeper groupDelAclkeeper - groupAddOwner groupDelOwner groupTransmitOwnership groupGenerateEgressKey groupDelEgressKey groupModify } + groupAddOwner groupDelOwner groupTransmitOwnership groupGenerateEgressKey groupDelEgressKey groupModify groupDestroy } ], 'egress passwords commands' => [qw{ groupListPasswords groupGeneratePassword groupDelPassword }], 'gatekeeper commands to manage members' => [qw{ groupAddMember groupDelMember }], @@ -71,7 +72,7 @@ my @knownPlugins = ( ], 'MISC COMMANDS' => [ 'basic commands' => [qw{ help info }], - 'utility commands' => [qw{ nc ping mtr alive clush scp batch }], + 'utility commands' => [qw{ nc ping mtr alive clush scp sftp batch }], 'realm commands' => [qw{ realmList realmInfo realmCreate realmDelete }], 'audit commands' => [qw{ rootListIngressKeys }], 'other specific commands', @@ -165,8 +166,8 @@ if ($docURL && $docURL->value) { } if (OVH::Bastion::config('readOnlySlaveMode')->value) { - osh_warn "\nNOTICE: This bastion is part of a cluster, and this instance is a read-only one (slave), " - . "so only read-only compliant commands are available. If you need to use write/modify commands, " + osh_warn "\nNOTICE: This bastion is part of a cluster, and this instance is a read-only one (slave),\n" + . "so only read-only compliant commands are available.\nIf you need to use write/modify commands, " . "please do it on the master of the cluster instead."; } diff --git a/bin/plugin/restricted/accountFreeze.json b/bin/plugin/restricted/accountFreeze.json new file mode 100644 index 0000000..94a581e --- /dev/null +++ b/bin/plugin/restricted/accountFreeze.json 
@@ -0,0 +1,10 @@
+{
+ "interactive": [
+ "accountFreeze" , {"ac" : ["--account"]},
+ "accountFreeze --account" , {"ac" : [""]},
+ "accountFreeze --account \\S+" , {"ac" : ["--reason",""]},
+ "accountFreeze --account \\S+ --reason" , {"pr" : ["\"reason between quotes\""]},
+ "accountFreeze --account \\S+ --reason .+" , {"pr" : [""]}
+ ],
+ "master_only": 1
+}
diff --git a/bin/plugin/restricted/accountPIV.json b/bin/plugin/restricted/accountPIV.json
index 449bb6b..7a812d7 100644
--- a/bin/plugin/restricted/accountPIV.json
+++ b/bin/plugin/restricted/accountPIV.json
@@ -8,5 +8,6 @@
 "accountPIV --account \\S+ --policy grace" , {"ac": ["--ttl"]},
 "accountPIV --account \\S+ --policy grace --ttl" , {"pr": [""]},
 "accountPIV --account \\S+ --policy grace --ttl (.*)" , {"pr": [""]}
- ]
+ ],
+ "master_only": 1
 }
diff --git a/bin/plugin/restricted/accountRevokeCommand.json b/bin/plugin/restricted/accountRevokeCommand.json
index 7e21a37..3e7d35d 100644
--- a/bin/plugin/restricted/accountRevokeCommand.json
+++ b/bin/plugin/restricted/accountRevokeCommand.json
@@ -5,5 +5,6 @@
 "accountRevokeCommand --account \\S+" , {"ac" : ["--command"]},
 "accountRevokeCommand --account \\S+ --command" , {"ac" : [""]},
 "accountRevokeCommand --account \\S+ --command \\S+" , {"pr" : [""]}
- ]
+ ],
+ "master_only": 1
 }
diff --git a/bin/plugin/restricted/accountUnfreeze.json b/bin/plugin/restricted/accountUnfreeze.json
new file mode 100644
index 0000000..f8dbdbf
--- /dev/null
+++ b/bin/plugin/restricted/accountUnfreeze.json
@@ -0,0 +1,8 @@
+{
+ "interactive": [
+ "accountUnfreeze" , {"ac" : ["--account"]},
+ "accountUnfreeze --account" , {"ac" : [""]},
+ "accountUnfreeze --account \\S+" , {"pr" : [""]}
+ ],
+ "master_only": 1
+}
diff --git a/bin/plugin/restricted/accountUnlock.json b/bin/plugin/restricted/accountUnlock.json
new file mode 100644
index 0000000..36af114
--- /dev/null
+++ b/bin/plugin/restricted/accountUnlock.json
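Review bot: In accountFreeze.json the completion after `--account \\S+` is `{"ac" : ["--reason",""]}`, which appears to present the reason as optional, while accountUnfreeze.json (and accountUnlock.json in the next hunk) offer no reason at all. Freezing and unfreezing an account are access-control decisions an auditor will want justified, and lifting a freeze is the more sensitive of the two. If the plugins accept a reason, consider hinting it consistently, e.g. `"accountUnfreeze --account \\S+" , {"ac" : ["--reason",""]}` plus the matching `--reason` prompt entries. The plugin code is not in this diff, so whether `--reason` is accepted or logged there needs checking first.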
@@ -0,0 +1,8 @@
+{
+ "interactive": [
+ "accountUnlock" , {"ac" : ["--account"]},
+ "accountUnlock --account" , {"ac" : [""]},
+ "accountUnlock --account \\S+" , {"pr" : [""]}
+ ],
+ "master_only": 1
+}