ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-02-28 09:32:58 +08:00
Code Issues Projects Releases Packages Wiki Activity

enh: add --max-inactive-days to accountCreate

Browse source
This commit is contained in:
Stéphane Lesimple 2021-09-06 10:29:05 +00:00 committed by Stéphane Lesimple
parent ef10d509fd
commit 4a21cfc421
4 changed files with 75 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
bin/helper/osh-accountCreate
View file

@ -34,21 +34,22 @@ if (not defined $self) {
# Fetch command options
my $fnret;
my ($result, @optwarns);
my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $immutableKey, $ttl);
my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $maxInactiveDays, $immutableKey, $ttl);
eval {
local $SIG{__WARN__} = sub { push @optwarns, shift };
$result = GetOptions(
"type=s" => sub { $type //= $_[1] },
"from=s" => sub { $realmFrom //= $_[1] },
"uid=s" => sub { $uid //= $_[1] },
"account=s" => sub { $account //= $_[1] },
"always-active" => sub { $alwaysActive //= $_[1] },
"pubKey=s" => \@pubKeys,
"comment=s" => sub { $comment //= $_[1] },
'uid-auto' => sub { $uidAuto //= $_[1] },
'osh-only' => sub { $oshOnly //= $_[1] },
'immutable-key' => sub { $immutableKey //= $_[1] },
'ttl=i' => sub { $ttl //= $_[1] },
"type=s" => sub { $type //= $_[1] },
"from=s" => sub { $realmFrom //= $_[1] },
"uid=s" => sub { $uid //= $_[1] },
"account=s" => sub { $account //= $_[1] },
"always-active" => sub { $alwaysActive //= $_[1] },
"pubKey=s" => \@pubKeys,
"comment=s" => sub { $comment //= $_[1] },
'uid-auto' => sub { $uidAuto //= $_[1] },
'osh-only' => sub { $oshOnly //= $_[1] },
'max-inactive-days=i' => sub { $maxInactiveDays //= $_[1] },
'immutable-key' => sub { $immutableKey //= $_[1] },
'ttl=i' => sub { $ttl //= $_[1] },
);
};
if ($@) { die $@ }
@ -129,6 +130,10 @@ elsif ($uidAuto) {
#<PARAMS:UID
if (defined $maxInactiveDays && $maxInactiveDays < 0) {
HEXIT('ERR_INVALID_PARAMETER', msg => "Expected a >= 0 amount of days for --max-inactive-days");
}
#>PARAMS
my $ttygroup = "$account-tty";
$fnret = OVH::Bastion::is_group_existing(group => $ttygroup);
@ -377,6 +382,12 @@ if ($oshOnly) {
$fnret or HEXIT($fnret);
}
# specific expiration policy. Note that 0 is a valid value (means "never").
if (defined $maxInactiveDays) {
$fnret = OVH::Bastion::account_config(account => $account, %{OVH::Bastion::OPT_ACCOUNT_MAX_INACTIVE_DAYS()}, value => $maxInactiveDays);
$fnret or HEXIT($fnret);
}
# chown to root so user can no longer touch it
if ($immutableKey) {
chown 0, -1, $akfile;

39
bin/plugin/restricted/accountCreate
View file

@ -19,6 +19,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
'comment=s' => \my $comment,
'uid-auto' => \my $uidAuto,
'osh-only' => \my $oshOnly,
'max-inactive-days=i' => \my $maxInactiveDays,
'immutable-key' => \my $immutableKey,
'no-key' => \my $noKey,
'ttl=s' => \my $ttl,
@ -28,18 +29,20 @@ Create a new bastion account
Usage: --osh SCRIPT_NAME --account ACCOUNT <--uid UID|--uid-auto> [OPTIONS]
--account NAME Account name to create, NAME must contain only valid UNIX account name characters
--uid UID Account system UID, also see --uid-auto
--uid-auto Auto-select an UID from the allowed range (the upper available one will be used)
--always-active This account's activation won't be challenged on connection, even if the bastion is globally
configured to check for account activation
--osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
--immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
--comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell.
--public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present,
you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
--no-key Don't prompt for an SSH key, no ingress public key will be installed
--ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")
--account NAME Account name to create, NAME must contain only valid UNIX account name characters
--uid UID Account system UID, also see --uid-auto
--uid-auto Auto-select an UID from the allowed range (the upper available one will be used)
--always-active This account's activation won't be challenged on connection, even if the bastion is globally
configured to check for account activation
--osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
--max-inactive-days DAYS Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays',
setting this option to zero disables account expiration.
--immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
--comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell.
--public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present,
you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
--no-key Don't prompt for an SSH key, no ingress public key will be installed
--ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")
EOF
);
@ -93,6 +96,11 @@ if (defined $pubKey && $noKey) {
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --public-key and --no-key at the same time";
}
if (defined $maxInactiveDays && $maxInactiveDays < 0) {
help();
osh_exit 'ERR_INVALID_PARAMETER', "Expected a >= 0 amount of days for --max-inactive-days";
}
if (!$pubKey && !$noKey) {
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
$fnret or osh_exit $fnret;
@ -126,9 +134,10 @@ push @command, "--type", "normal";
push @command, "--account", $account;
push @command, "--pubKey", $pubKey if !$noKey;
push @command, "--always-active" if $alwaysActive;
push @command, "--comment", $comment if $comment;
push @command, "--uid", $uid if defined $uid;
push @command, "--osh-only", $oshOnly if $oshOnly;
push @command, "--comment", $comment if $comment;
push @command, "--uid", $uid if defined $uid;
push @command, "--osh-only", $oshOnly if $oshOnly;
push @command, "--max-inactive-days", $maxInactiveDays if defined $maxInactiveDays;
push @command, "--uid-auto" if $uidAuto;
push @command, "--immutable-key" if $immutableKey;
push @command, '--ttl', $ttl if $ttl;

29
doc/sphinx/plugins/restricted/accountCreate.rst
View file

@ -14,45 +14,50 @@ Create a new bastion account
.. program:: accountCreate
.. option:: --account NAME
.. option:: --account NAME
Account name to create, NAME must contain only valid UNIX account name characters
.. option:: --uid UID
.. option:: --uid UID
Account system UID, also see --uid-auto
.. option:: --uid-auto
.. option:: --uid-auto
Auto-select an UID from the allowed range (the upper available one will be used)
.. option:: --always-active
.. option:: --always-active
This account's activation won't be challenged on connection, even if the bastion is globally
configured to check for account activation
.. option:: --osh-only
configured to check for account activation
.. option:: --osh-only
This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
.. option:: --immutable-key
.. option:: --max-inactive-days DAYS
Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays',
setting this option to zero disables account expiration.
.. option:: --immutable-key
Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
.. option:: --comment '"STRING"'
.. option:: --comment '"STRING"'
An optional comment when creating the account. Quote it twice as shown if you're under a shell.
.. option:: --public-key '"KEY"'
.. option:: --public-key '"KEY"'
Account public SSH key to deposit on the bastion, if not present,
you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
.. option:: --no-key
you'll be prompted interactively for it. Quote it twice as shown if your're under a shell.
.. option:: --no-key
Don't prompt for an SSH key, no ingress public key will be installed
.. option:: --ttl SECONDS|DURATION
.. option:: --ttl SECONDS|DURATION
Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m")

11
tests/functional/tests.d/325-accountinfo.sh
View file

@ -75,12 +75,23 @@ testsuite_accountinfo()
success 325-accountinfo a1_accountinfo_a2_inactive_days_default $a1 --osh accountInfo --account $account2
json .value.max_inactive_days null
# should work with accountcreate too
grant accountCreate
success 325-accountinfo a0_accountcreate_a4_max_inactive_days $a0 --osh accountCreate --account $account4 --uid $uid4 --max-inactive-days 42 --no-key
revoke accountCreate
grant auditor
success 325-accountinfo a0_accountinfo_a4_max_inactive_days $a0 --osh accountInfo --account $account4
json .value.max_inactive_days 42
revoke auditor
revoke accountModify
# delete account1 & account2
grant accountDelete
success 325-accountinfo a0_delete_a1 $a0 --osh accountDelete --account $account1 --no-confirm
success 325-accountinfo a0_delete_a2 $a0 --osh accountDelete --account $account2 --no-confirm
success 325-accountinfo a0_delete_a4 $a0 --osh accountDelete --account $account4 --no-confirm
revoke accountDelete
}