feat: plugins: add loadConfig parameter & config validator support

2024-11-10 17:26:51 +08:00 · 2023-05-31 13:03:24 +00:00 · 2023-05-31 13:03:24 +00:00 · 482eddb10c
commit 482eddb10c
parent 262e545bbb
4 changed files with 49 additions and 15 deletions
--- a/bin/plugin/restricted/accountAddPersonalAccess
+++ b/bin/plugin/restricted/accountAddPersonalAccess
@ -10,9 +10,10 @@ use OVH::Bastion::Plugin qw( :DEFAULT help );
 use OVH::Bastion::Plugin::ACL;

 my $remainingOptions = OVH::Bastion::Plugin::begin(
-    argv    => \@ARGV,
-    header  => "adding personal access to a server on an account",
-    options => {
+    loadConfig => 1,
+    argv       => \@ARGV,
+    header     => "adding personal access to a server on an account",
+    options    => {
        "account=s"        => \my $account,
        "user-any"         => \my $userAny,
        "port-any"         => \my $portAny,
--- a/bin/plugin/restricted/selfAddPersonalAccess
+++ b/bin/plugin/restricted/selfAddPersonalAccess
@ -10,9 +10,10 @@ use OVH::Bastion::Plugin qw( :DEFAULT help );
 use OVH::Bastion::Plugin::ACL;

 my $remainingOptions = OVH::Bastion::Plugin::begin(
-    argv    => \@ARGV,
-    header  => "adding personal access to a server on your account",
-    options => {
+    loadConfig => 1,
+    argv       => \@ARGV,
+    header     => "adding personal access to a server on your account",
+    options    => {
        "user-any"         => \my $userAny,
        "port-any"         => \my $portAny,
        "scpup"            => \my $scpUp,
--- a/lib/perl/OVH/Bastion/Plugin.pm
+++ b/lib/perl/OVH/Bastion/Plugin.pm
@ -15,8 +15,10 @@ $SIG{'PIPE'} = 'IGNORE';    # continue even if osh_info gets a SIGPIPE because t
 $| = 1;

 use Exporter 'import';
-our ($user, $ip, $host, $port, $scriptName, $self, $sysself, $realm, $remoteself, $HOME, $savedArgs); ## no critic (ProhibitPackageVars)
-our @EXPORT = qw( $user $ip $host $port $scriptName $self $sysself $realm $remoteself $HOME $savedArgs ); ## no critic (ProhibitAutomaticExportation)
+## no critic (ProhibitPackageVars)
+our ($user, $ip, $host, $port, $scriptName, $self, $sysself, $realm, $remoteself, $HOME, $savedArgs, $pluginConfig);
+## no critic (ProhibitAutomaticExportation)
+our @EXPORT = qw( $user $ip $host $port $scriptName $self $sysself $realm $remoteself $HOME $savedArgs $pluginConfig );
 our @EXPORT_OK = qw( help );

 my $_helptext;
@ -25,10 +27,11 @@ sub help { osh_info $_helptext; return 1; }
 sub begin {
    my %params = @_;

-    my $options  = $params{'options'};
-    my $header   = $params{'header'};
-    my $argv     = $params{'argv'};
-    my $helpfunc = $params{'help'};
+    my $options    = $params{'options'};
+    my $header     = $params{'header'};
+    my $argv       = $params{'argv'};
+    my $loadConfig = $params{'loadConfig'};
+    my $helpfunc   = $params{'help'};
    $_helptext = $params{'helptext'};

    my $fnret;
@ -147,6 +150,16 @@ sub begin {
          "Error with your USER (\"$sysself\" vs \"$ENV{'USER'}\"), please report to your sysadmin.";
    }

+    if ($loadConfig) {
+        # try to load config, and abort if we get an error
+        $fnret = OVH::Bastion::plugin_config(plugin => $scriptName);
+        if (!$fnret) {
+            warn_syslog("Invalid configuration for plugin $scriptName: $fnret");
+            osh_exit 'ERR_INVALID_CONFIGURATION', "Error in plugin configuration, aborting";
+        }
+        $pluginConfig = $fnret->value;
+    }
+
    # only unparsed options are remaining there
    return \@pluginOptions;
 }
--- a/lib/perl/OVH/Bastion/configuration.inc
+++ b/lib/perl/OVH/Bastion/configuration.inc
@ -788,7 +788,6 @@ sub plugin_config {
                secure => 1
            );
            if ($fnret->err eq 'KO_CANNOT_OPEN_FILE') {
-
                # chmod error, don't fail silently
                warn_syslog("Can't read configuration file '"
                      . OVH::Bastion::main_configuration_directory()
@ -796,13 +795,33 @@ sub plugin_config {
                return R('ERR_CONFIGURATION_ERROR',
                    msg => "Configuration file has improper rights, ask your sysadmin!");
            }
-            if ($fnret && ref $fnret->value eq 'HASH') {
-
+            elsif ($fnret->err eq 'KO_NO_SUCH_FILE') {
+                # no configuration, just continue
+            }
+            elsif (!($fnret && ref $fnret->value eq 'HASH')) {
+                # other error, report it and fail
+                warn_syslog("Error loading plugin $plugin configuration ($fnret)");
+                return R('ERR_CONFIGURATION_ERROR', msg => "Plugin configuration is invalid, aborting");
+            }
+            else {
                # avoid overriding keys
                foreach my $key (keys %{$fnret->value}) {
                    $config{$key} = $fnret->value->{$key} if not exists $config{$key};
                }
            }
+
+            # do we have a config validator for this plugin?
+            ## no critic(Modules::RequireBarewordIncludes)
+            eval { require "OVH::Bastion::Plugin::$plugin"; };
+            if (!$@) {
+                my $validator = "OVH::Bastion::Plugin::${plugin}::validate_config";
+                $fnret = $validator->(config => \%config);
+                if (!$fnret || !$fnret->value) {
+                    warn_syslog("Invalid configuration for plugin $plugin: $fnret");
+                    return R('ERR_INVALID_CONFIGURATION', msg => "Plugin configuration is invalid");
+                }
+                %config = %{$fnret->value};
+            }
        }
        else {
            %config = %$mock_data;