fix: install: ensure that the healthcheck user can always connect from 127.0.0.1

Regardless of the bastion's ingressKeysFrom configuration
Stéphane Lesimple 2022-06-17 13:40:39 +00:00 committed by Stéphane Lesimple
parent c1ca9b6374
commit 884b4bbaf0
4 changed files with 13 additions and 4 deletions


@ -767,7 +767,7 @@ if [ "$nothing" = 0 ]; then
action_error "Error while generating the SSH key"
else
chmod 0444 "$UID0HOME/id_healthcheck.pub"
USER="$UID0" HOME="$UID0HOME" "$basedir"/bin/plugin/restricted/accountCreate '' '' '' '' --account healthcheck --uid-auto --always-active --immutable-key --osh-only < "$UID0HOME/id_healthcheck.pub"
USER="$UID0" HOME="$UID0HOME" "$basedir"/bin/plugin/restricted/accountCreate '' '' '' '' --account healthcheck --uid-auto --always-active --immutable-key --osh-only --force-key-from "127.0.0.1" < "$UID0HOME/id_healthcheck.pub"
if ! getent passwd healthcheck >/dev/null 2>&1; then
action_error "Couldn't create the healthcheck account"
else
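Review bot: The forced from= list is `127.0.0.1` only, so a healthcheck client that reaches sshd over the IPv6 loopback (`::1`, e.g. when `localhost` resolves to IPv6 first) would still be refused by the key restriction; I can't see from here how the healthcheck connects, so this is worth confirming before relying on it. Because the helper wraps `--force-key-from=s` as a single-element list, covering both loopback addresses would need the option to be repeatable or comma-split on the helper side rather than a second value on this line. The `if`/`else` this line belongs to starts before the hunk.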


@ -20,10 +20,11 @@ use OVH::Bastion::Helper;
# Fetch command options
my $fnret;
my ($result, @optwarns);
my ($type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $maxInactiveDays, $immutableKey, $ttl);
my ($forceKeyFrom, $type, $account, $realmFrom, $uid, @pubKeys, $comment, $alwaysActive, $uidAuto, $oshOnly, $maxInactiveDays, $immutableKey, $ttl);
eval {
local $SIG{__WARN__} = sub { push @optwarns, shift };
$result = GetOptions(
"force-key-from=s" => sub { $forceKeyFrom //= $_[1] }, # only to be used by the install script
"type=s" => sub { $type //= $_[1] },
"from=s" => sub { $realmFrom //= $_[1] },
"uid=s" => sub { $uid //= $_[1] },
@ -180,7 +181,7 @@ if ($prefix) {
}
}
$fnret = OVH::Bastion::get_from_for_user_key(userProvidedIpList => \@userProvidedIpList);
$fnret = OVH::Bastion::get_from_for_user_key(userProvidedIpList => \@userProvidedIpList, forcedList => ($forceKeyFrom ? [$forceKeyFrom] : []));
$fnret or HEXIT($fnret);
my $from = $fnret->value->{'from'};
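Review bot: `--force-key-from` is accepted by the helper without any check of who is invoking it, while only the plugin side restricts it to root (`$< == 0 && $> == 0`); if this helper is reachable through sudo by any account granted accountCreate, as helpers in this tree usually are (not visible from here), such a caller can set a from= list of their choosing for the new account and bypass `ingressKeysFrom` regardless of the plugin's guard. The `# only to be used by the install script` comment on the option is not enforced by anything in these hunks. I'd have the helper reject the option unless it can establish it runs from the install context (the Helper module's own notion of the sudo caller, if it exposes one), or at minimum record the override in the audit/syslog trail so a bypass is visible. The `GetOptions` call in the first hunk continues past it, and the code around the second hunk starts outside it.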


@ -12,6 +12,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => "create a new bastion account",
options => {
'force-key-from=s' => \my $forceKeyFrom, # only to be used under root by the install script
'uid=i' => \my $uid,
'account=s' => \my $account,
'always-active' => \my $alwaysActive,
@ -140,6 +141,7 @@ push @command, "--osh-only", if $oshOnly;
push @command, "--max-inactive-days", $maxInactiveDays if defined $maxInactiveDays;
push @command, "--uid-auto" if $uidAuto;
push @command, "--immutable-key" if $immutableKey;
push @command, '--ttl', $ttl if $ttl;
push @command, '--ttl', $ttl if $ttl;
push @command, '--force-key-from', $forceKeyFrom if ($forceKeyFrom && $< == 0 && $> == 0); # only to be used under root by the install script
osh_exit OVH::Bastion::helper(cmd => \@command);
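Review bot: A non-root caller who passes `--force-key-from` has it silently dropped by the `$< == 0 && $> == 0` guard instead of getting an error, so the account is created with the regular `ingressKeysFrom` list and nothing tells the operator the option was ignored; I'd fail explicitly with `osh_exit` and an invalid-parameter error before the command is built, keeping the uid guard only as the condition for that rejection. Separately, the `push @command, '--ttl', $ttl if $ttl;` context line appears twice here; if that is not a rendering artifact the duplicate push is pre-existing and harmless only if the helper keeps the first occurrence, and could be dropped. The `@command` construction starts before the second hunk.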


@ -460,6 +460,7 @@ EOS
sub get_from_for_user_key {
my %params = @_;
my $userProvidedIpList = $params{'userProvidedIpList'} || []; # arrayref
my $forcedList = $params{'forcedList'} || []; # arrayref
my $key = $params{'key'};
my $ingressKeysFrom = OVH::Bastion::config('ingressKeysFrom');
@ -475,6 +476,11 @@ sub get_from_for_user_key {
@ipList = @$userProvidedIpList;
}
# if not empty, override everything by this list
if (@$forcedList) {
@ipList = @$forcedList;
}
my @ipListVerified = grep { OVH::Bastion::is_valid_ip(ip => $_, allowPrefixes => 1) } @ipList;
my $from = '';
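Review bot: The new `forcedList` override replaces the `ingressKeysFrom`-derived list unconditionally, and the only validation it goes through is the `is_valid_ip` grep on the next line, so the parameter comment should state that contract rather than just `# arrayref`: `my $forcedList = $params{'forcedList'} || []; # arrayref; when non-empty it REPLACES both ingressKeysFrom and userProvidedIpList (install script / healthcheck use only)`. A one-line log entry when the override branch is taken would make the bypass visible in the bastion's logs, if the module has a syslog helper for that (I can't see one from here). `get_from_for_user_key` continues past the hunk.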