enh: add --max-inactive-days to accountCreate

This commit is contained in:
Stéphane Lesimple 2021-09-06 10:29:05 +00:00 committed by Stéphane Lesimple
parent ef10d509fd
commit 4a21cfc421
4 changed files with 75 additions and 39 deletions


@ -34,7 +34,7 @@ if (not defined $self) {
# Fetch command options
my $fnret;
my ($result, @optwarns);
my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $immutableKey, $ttl);
my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $maxInactiveDays, $immutableKey, $ttl);
eval {
local $SIG{__WARN__} = sub { push @optwarns, shift };
$result = GetOptions(
@ -47,6 +47,7 @@ eval {
"comment=s" => sub { $comment //= $_[1] },
'uid-auto' => sub { $uidAuto //= $_[1] },
'osh-only' => sub { $oshOnly //= $_[1] },
'max-inactive-days=i' => sub { $maxInactiveDays //= $_[1] },
'immutable-key' => sub { $immutableKey //= $_[1] },
'ttl=i' => sub { $ttl //= $_[1] },
);
@ -129,6 +130,10 @@ elsif ($uidAuto) {
#<PARAMS:UID
if (defined $maxInactiveDays && $maxInactiveDays < 0) {
HEXIT('ERR_INVALID_PARAMETER', msg => "Expected a >= 0 amount of days for --max-inactive-days");
}
#>PARAMS
my $ttygroup = "$account-tty";
$fnret = OVH::Bastion::is_group_existing(group => $ttygroup);
@ -377,6 +382,12 @@ if ($oshOnly) {
$fnret or HEXIT($fnret);
}
# specific expiration policy. Note that 0 is a valid value (means "never").
if (defined $maxInactiveDays) {
$fnret = OVH::Bastion::account_config(account => $account, %{OVH::Bastion::OPT_ACCOUNT_MAX_INACTIVE_DAYS()}, value => $maxInactiveDays);
$fnret or HEXIT($fnret);
}
# chown to root so user can no longer touch it
if ($immutableKey) {
chown 0, -1, $akfile;
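Review bot: The `account_config` call in the new `if (defined $maxInactiveDays)` block runs after the account and its key already exist, so when it fails the `HEXIT($fnret)` on the next line leaves a created account that carries the global `accountMaxInactiveDays` policy instead of the one the operator asked for. The `--osh-only` block just above follows the same pattern, so this is not a regression, but unless a caller rolls the account back on a non-zero exit (not visible here) a comment would make the consequence explicit: `# NOTE: the account already exists at this point; a failure below leaves it on the global accountMaxInactiveDays policy`. Separately, the new validation block sits between the `#<PARAMS:UID` and `#>PARAMS` markers, which look like they delimit the uid parameter section; if those markers drive anything, the check probably belongs after `#>PARAMS`. The enclosing code continues outside both hunks.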


@ -19,6 +19,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
'comment=s' => \my $comment,
'uid-auto' => \my $uidAuto,
'osh-only' => \my $oshOnly,
'max-inactive-days=i' => \my $maxInactiveDays,
'immutable-key' => \my $immutableKey,
'no-key' => \my $noKey,
'ttl=s' => \my $ttl,
@ -34,6 +35,8 @@ Usage: --osh SCRIPT_NAME --account ACCOUNT <--uid UID|--uid-auto> [OPTIONS]
--always-active This account's activation won't be challenged on connection, even if the bastion is globally
configured to check for account activation
--osh-only This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
--max-inactive-days DAYS Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays',
setting this option to zero disables account expiration.
--immutable-key Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)
--comment '"STRING"' An optional comment when creating the account. Quote it twice as shown if you're under a shell.
--public-key '"KEY"' Account public SSH key to deposit on the bastion, if not present,
@ -93,6 +96,11 @@ if (defined $pubKey && $noKey) {
osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --public-key and --no-key at the same time";
}
if (defined $maxInactiveDays && $maxInactiveDays < 0) {
help();
osh_exit 'ERR_INVALID_PARAMETER', "Expected a >= 0 amount of days for --max-inactive-days";
}
if (!$pubKey && !$noKey) {
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
$fnret or osh_exit $fnret;
@ -129,6 +137,7 @@ push @command, "--always-active" if $alwaysActive;
push @command, "--comment", $comment if $comment;
push @command, "--uid", $uid if defined $uid;
push @command, "--osh-only", $oshOnly if $oshOnly;
push @command, "--max-inactive-days", $maxInactiveDays if defined $maxInactiveDays;
push @command, "--uid-auto" if $uidAuto;
push @command, "--immutable-key" if $immutableKey;
push @command, '--ttl', $ttl if $ttl;
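Review bot: The usage text added for `--max-inactive-days DAYS` says that zero disables expiration but not what a positive value does when the global `accountMaxInactiveDays` is itself unset or zero, which is the case an operator setting a per-account policy is most likely to wonder about; I cannot tell from this hunk how the expiration check resolves it, so the wording should be confirmed against that code. A third line such as `a positive value makes the account expire after DAYS days of inactivity even when no global policy is set` (or its opposite, whichever is the actual behaviour) would close the gap. The forwarding line `push @command, "--max-inactive-days", $maxInactiveDays if defined $maxInactiveDays;` is correct as written: it keeps zero (a `defined` test, not a truthiness test) and passes the value as its own argv element rather than interpolating it.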


@ -35,6 +35,11 @@ Create a new bastion account
This account will only be able to use ``--osh`` commands, and can't connect anywhere through the bastion
.. option:: --max-inactive-days DAYS
Set account expiration policy, overriding the global bastion configuration 'accountMaxInactiveDays',
setting this option to zero disables account expiration.
.. option:: --immutable-key
Deny any subsequent modification of the account key (selfAddKey and selfDelKey are denied)


@ -75,12 +75,23 @@ testsuite_accountinfo()
success 325-accountinfo a1_accountinfo_a2_inactive_days_default $a1 --osh accountInfo --account $account2
json .value.max_inactive_days null
# should work with accountcreate too
grant accountCreate
success 325-accountinfo a0_accountcreate_a4_max_inactive_days $a0 --osh accountCreate --account $account4 --uid $uid4 --max-inactive-days 42 --no-key
revoke accountCreate
grant auditor
success 325-accountinfo a0_accountinfo_a4_max_inactive_days $a0 --osh accountInfo --account $account4
json .value.max_inactive_days 42
revoke auditor
revoke accountModify
# delete account1 & account2
grant accountDelete
success 325-accountinfo a0_delete_a1 $a0 --osh accountDelete --account $account1 --no-confirm
success 325-accountinfo a0_delete_a2 $a0 --osh accountDelete --account $account2 --no-confirm
success 325-accountinfo a0_delete_a4 $a0 --osh accountDelete --account $account4 --no-confirm
revoke accountDelete
}
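Review bot: The new accountCreate case only covers `--max-inactive-days 42`; the value `0`, which the helper's own comment documents as a distinct "never" setting and which is exactly where a truthiness check instead of a `defined` check would silently drop the option, is not exercised, and neither is the rejection path for a negative value that both the plugin and the helper now implement. A companion run of accountCreate with `--max-inactive-days 0` followed by `json .value.max_inactive_days 0`, plus one with `--max-inactive-days -1` asserted to fail with `ERR_INVALID_PARAMETER`, would pin both branches. Any extra account created for those cases would also need its own `accountDelete --no-confirm` line in the cleanup at the end of the function.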