From 4a21cfc421de4a60cfba3b7c23c06c14a2d6735b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
Date: Mon, 6 Sep 2021 10:29:05 +0000
Subject: [PATCH] enh: add --max-inactive-days to accountCreate

---
 bin/helper/osh-accountCreate | 35 +++++++++++------
 bin/plugin/restricted/accountCreate | 39 ++++++++++++-------
 .../plugins/restricted/accountCreate.rst | 29 ++++++++------
 tests/functional/tests.d/325-accountinfo.sh | 11 ++++++
 4 files changed, 75 insertions(+), 39 deletions(-)

diff --git a/bin/helper/osh-accountCreate b/bin/helper/osh-accountCreate
index e7fe0d5..1b3dd34 100755
--- a/bin/helper/osh-accountCreate
+++ b/bin/helper/osh-accountCreate
@@ -34,21 +34,22 @@ if (not defined $self) {
 # Fetch command options
 my $fnret;
 my ($result, @optwarns);
- my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $immutableKey, $ttl);
+ my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $maxInactiveDays, $immutableKey, $ttl);
 eval {
 local $SIG{__WARN__} = sub { push @optwarns, shift };
 $result = GetOptions(
- "type=s" => sub { $type //= $_[1] },
- "from=s" => sub { $realmFrom //= $_[1] },
- "uid=s" => sub { $uid //= $_[1] },
- "account=s" => sub { $account //= $_[1] },
- "always-active" => sub { $alwaysActive //= $_[1] },
- "pubKey=s" => \@pubKeys,
- "comment=s" => sub { $comment //= $_[1] },
- 'uid-auto' => sub { $uidAuto //= $_[1] },
- 'osh-only' => sub { $oshOnly //= $_[1] },
- 'immutable-key' => sub { $immutableKey //= $_[1] },
- 'ttl=i' => sub { $ttl //= $_[1] },
+ "type=s" => sub { $type //= $_[1] },
+ "from=s" => sub { $realmFrom //= $_[1] },
+ "uid=s" => sub { $uid //= $_[1] },
+ "account=s" => sub { $account //= $_[1] },
+ "always-active" => sub { $alwaysActive //= $_[1] },
+ "pubKey=s" => \@pubKeys,
+ "comment=s" => sub { $comment //= $_[1] },
+ 'uid-auto' => sub { $uidAuto //= $_[1] },
+ 'osh-only' => sub { $oshOnly //= $_[1] },
+ 'max-inactive-days=i' => sub { $maxInactiveDays //= $_[1] },
+ 'immutable-key' => sub { $immutableKey //= $_[1] },
+ 'ttl=i' => sub { $ttl //= $_[1] },
 );
 };
 if ($@) { die $@ }
@@ -129,6 +130,10 @@ elsif ($uidAuto) { # "Expected a >= 0 amount of days for --max-inactive-days"); +} + #>PARAMS my $ttygroup = "$account-tty"; $fnret = OVH::Bastion::is_group_existing(group => $ttygroup);
@@ -377,6 +382,12 @@ if ($oshOnly) {
 $fnret or HEXIT($fnret);
 }
 
+# specific expiration policy. Note that 0 is a valid value (means "never").
+if (defined $maxInactiveDays) {
+ $fnret = OVH::Bastion::account_config(account => $account, %{OVH::Bastion::OPT_ACCOUNT_MAX_INACTIVE_DAYS()}, value => $maxInactiveDays);
+ $fnret or HEXIT($fnret);
+}
+
 # chown to root so user can no longer touch it
 if ($immutableKey) {
 chown 0, -1, $akfile;
diff --git a/bin/plugin/restricted/accountCreate b/bin/plugin/restricted/accountCreate
index 9964a03..854cd09 100755
--- a/bin/plugin/restricted/accountCreate
+++ b/bin/plugin/restricted/accountCreate
@@ -19,6 +19,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
 'comment=s' => \my $comment,
 'uid-auto' => \my $uidAuto,
 'osh-only' => \my $oshOnly,
+ 'max-inactive-days=i' => \my $maxInactiveDays,
 'immutable-key' => \my $immutableKey,
 'no-key' => \my $noKey,
 'ttl=s' => \my $ttl,
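Review bot: The per-account expiration policy is written only after the account has been provisioned, so if the `account_config` call in the new `if (defined $maxInactiveDays)` block fails, `HEXIT($fnret)` aborts with an account that already exists and is usable under the global `accountMaxInactiveDays` default instead of the value the operator requested (the `chown 0, -1, $akfile` right below suggests the ingress key is already installed at this point). A retried accountCreate would then presumably be refused because the account exists, and nothing tells the operator that the policy was never applied. Consider moving this block earlier, before the key is deposited, or at minimum extending the error text so it says that the account was created but the max-inactive-days policy could not be stored, so the operator knows to fix it with accountModify. The `defined` test is correct here since 0 is a meaningful value; the comment already says so. The script continues past both ends of this hunk.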
@@ -28,18 +29,20 @@ Create a new bastion account Usage: --osh SCRIPT_NAME --account ACCOUNT <--uid UID|--uid-auto> [OPTIONS] - --account NAME Account name to create, NAME must contain only valid UNIX account name characters - --uid UID Account system UID, also see --uid-auto - --uid-auto Auto-select an UID from the allowed range (the upper available one will be used) - --always-active This account's activation won't be challenged on connection, even if the bastion is globally - configured to check for account activation - --osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion - --immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied) - --comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell. - --public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present, - you'll be prompted interactively for it. Quote it twice as shown if your're under a shell. - --no-key Don't prompt for an SSH key, no ingress public key will be installed - --ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m") + --account NAME Account name to create, NAME must contain only valid UNIX account name characters + --uid UID Account system UID, also see --uid-auto + --uid-auto Auto-select an UID from the allowed range (the upper available one will be used) + --always-active This account's activation won't be challenged on connection, even if the bastion is globally + configured to check for account activation + --osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion + --max-inactive-days DAYS Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays', + setting this option to zero disables account expiration. 
+ --immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied) + --comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell. + --public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present, + you'll be prompted interactively for it. Quote it twice as shown if your're under a shell. + --no-key Don't prompt for an SSH key, no ingress public key will be installed + --ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m") EOF ); @@ -93,6 +96,11 @@ if (defined $pubKey && $noKey) { osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --public-key and --no-key at the same time"; } +if (defined $maxInactiveDays && $maxInactiveDays < 0) { + help(); + osh_exit 'ERR_INVALID_PARAMETER', "Expected a >= 0 amount of days for --max-inactive-days"; +} + if (!$pubKey && !$noKey) { $fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress'); $fnret or osh_exit $fnret; @@ -126,9 +134,10 @@ push @command, "--type", "normal"; push @command, "--account", $account; push @command, "--pubKey", $pubKey if !$noKey; push @command, "--always-active" if $alwaysActive; -push @command, "--comment", $comment if $comment; -push @command, "--uid", $uid if defined $uid; -push @command, "--osh-only", $oshOnly if $oshOnly; +push @command, "--comment", $comment if $comment; +push @command, "--uid", $uid if defined $uid; +push @command, "--osh-only", $oshOnly if $oshOnly; +push @command, "--max-inactive-days", $maxInactiveDays if defined $maxInactiveDays; push @command, "--uid-auto" if $uidAuto; push @command, "--immutable-key" if $immutableKey; push @command, '--ttl', $ttl if $ttl; diff --git a/doc/sphinx/plugins/restricted/accountCreate.rst b/doc/sphinx/plugins/restricted/accountCreate.rst index 39b250e..8e91196 100644 --- a/doc/sphinx/plugins/restricted/accountCreate.rst 
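Review bot: The rewritten `--public-key` help line on the new side still carries the typo `your're` (`Quote it twice as shown if your're under a shell.`); since the line is being re-emitted anyway it should read `Quote it twice as shown if you're under a shell.`. While touching this heredoc, the new `--max-inactive-days DAYS` description does not say what "inactive" counts (nothing in this diff shows how the value is evaluated), so a reader cannot tell a 30-day idle timeout from a 30-day lifetime; if it is days since the last connection, as the option name suggests, state that explicitly and keep the "0 disables expiration for this account" sentence. The heredoc belongs to a `begin(...)` call that starts before the hunk.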
+++ b/doc/sphinx/plugins/restricted/accountCreate.rst 
@@ -14,45 +14,50 @@ Create a new bastion account .. program:: accountCreate -.. option:: --account NAME +.. option:: --account NAME Account name to create, NAME must contain only valid UNIX account name characters -.. option:: --uid UID +.. option:: --uid UID Account system UID, also see --uid-auto -.. option:: --uid-auto +.. option:: --uid-auto Auto-select an UID from the allowed range (the upper available one will be used) -.. option:: --always-active +.. option:: --always-active This account's activation won't be challenged on connection, even if the bastion is globally - configured to check for account activation -.. option:: --osh-only + configured to check for account activation +.. option:: --osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion -.. option:: --immutable-key +.. option:: --max-inactive-days DAYS + + Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays', + + setting this option to zero disables account expiration. +.. option:: --immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied) -.. option:: --comment '"STRING"' +.. option:: --comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell. -.. option:: --public-key '"KEY"' +.. option:: --public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present, - you'll be prompted interactively for it. Quote it twice as shown if your're under a shell. -.. option:: --no-key + you'll be prompted interactively for it. Quote it twice as shown if your're under a shell. +.. option:: --no-key Don't prompt for an SSH key, no ingress public key will be installed -.. option:: --ttl SECONDS|DURATION +.. option:: --ttl SECONDS|DURATION Time after which the account will be deactivated (amount of seconds, or duration string such as "4d12h15m") 
diff --git a/tests/functional/tests.d/325-accountinfo.sh b/tests/functional/tests.d/325-accountinfo.sh index 1eb9996..a14a692 100644 --- a/tests/functional/tests.d/325-accountinfo.sh +++ b/tests/functional/tests.d/325-accountinfo.sh @@ -75,12 +75,23 @@ testsuite_accountinfo() success 325-accountinfo a1_accountinfo_a2_inactive_days_default $a1 --osh accountInfo --account $account2 json .value.max_inactive_days null + # should work with accountcreate too + grant accountCreate + success 325-accountinfo a0_accountcreate_a4_max_inactive_days $a0 --osh accountCreate --account $account4 --uid $uid4 --max-inactive-days 42 --no-key + revoke accountCreate + + grant auditor + success 325-accountinfo a0_accountinfo_a4_max_inactive_days $a0 --osh accountInfo --account $account4 + json .value.max_inactive_days 42 + revoke auditor + revoke accountModify # delete account1 & account2 grant accountDelete success 325-accountinfo a0_delete_a1 $a0 --osh accountDelete --account $account1 --no-confirm success 325-accountinfo a0_delete_a2 $a0 --osh accountDelete --account $account2 --no-confirm + success 325-accountinfo a0_delete_a4 $a0 --osh accountDelete --account $account4 --no-confirm revoke accountDelete }
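Review bot: The new test covers only the happy path with `42`; the two edge cases this change explicitly handles, `0` (documented as "never") and a negative value (rejected with `ERR_INVALID_PARAMETER` in the plugin), are not exercised, so a future regression to a truthiness test (`if $maxInactiveDays` instead of `if defined`) that silently drops `0` would pass this suite. Add at least a zero case next to the existing one, e.g. `success 325-accountinfo a0_accountcreate_a4_max_inactive_days_zero $a0 --osh accountCreate --account $account4 --uid $uid4 --max-inactive-days 0 --no-key` on a fresh account followed by an accountInfo call and `json .value.max_inactive_days 0`, and a negative case using whatever failure helper this suite provides (only `success`/`json`/`grant`/`revoke` are visible here). Whether a spare `$account`/`$uid` pair exists for the extra account is not visible in this hunk, so reuse `$account4` between delete and re-create if it does not.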