fix: groupDelGuestAccess: deleting a guest access returned an error on TTL-forced groups

2025-09-05 20:44:16 +08:00 · 2021-02-17 14:37:47 +00:00 · 2021-02-17 14:37:47 +00:00 · b480316386
commit b480316386
parent 9216e2db1b
2 changed files with 21 additions and 17 deletions
--- a/lib/perl/OVH/Bastion.pm
+++ b/lib/perl/OVH/Bastion.pm
@ -600,13 +600,14 @@ sub touch_file {
    }

    # else
+    warn_syslog(sprintf("Couldn't touch file '%s' with perms %o: %s", $file, $perms, $!));
    return R('KO', msg => "Couldn't create file $file: $!");
 }

 sub create_file_if_not_exists {
    my %params = @_;
    my $file   = $params{'file'};
-    my $perms  = $params{'perms'};     # must be an octal value (not a string)
+    my $perms  = $params{'perms'};    # must be an octal value (not a string)
    my $group  = $params{'group'};

    my $fh;
--- a/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm
+++ b/lib/perl/OVH/Bastion/Plugin/groupSetRole.pm
@ -51,23 +51,26 @@ sub preconditions {
            return R('ERR_INVALID_PARAMETER', msg => "Invalid remote user ($user) specified");
        }

-        # policy check for guest accesses: if group forces ttl, the account creation must comply
-        $fnret = OVH::Bastion::group_config(group => $group, key => "guest_ttl_limit");
+        if ($action eq 'add') {

-        # if this config key is not set, no policy enforce has been requested, otherwise, check it:
-        if ($fnret) {
-            my $max = $fnret->value();
-            if (!$ttl) {
-                return R('ERR_INVALID_PARAMETER',
-                        msg => "This group requires guest accesses to have a TTL set, to a duration of "
-                      . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
-                      . " or less");
-            }
-            if ($ttl > $max) {
-                return R('ERR_INVALID_PARAMETER',
-                        msg => "The TTL you specified is invalid, this group requires guest accesses to have a TTL of "
-                      . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
-                      . " maximum");
+            # policy check for guest accesses: if group forces ttl, the account creation must comply
+            $fnret = OVH::Bastion::group_config(group => $group, key => "guest_ttl_limit");
+
+            # if this config key is not set, no policy enforce has been requested, otherwise, check it:
+            if ($fnret) {
+                my $max = $fnret->value();
+                if (!$ttl) {
+                    return R('ERR_INVALID_PARAMETER',
+                            msg => "This group requires guest accesses to have a TTL set, to a duration of "
+                          . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
+                          . " or less");
+                }
+                if ($ttl > $max) {
+                    return R('ERR_INVALID_PARAMETER',
+                            msg => "The TTL you specified is invalid, this group requires guest accesses to have a TTL of "
+                          . OVH::Bastion::duration2human(seconds => $max)->value->{'duration'}
+                          . " maximum");
+                }
            }
        }
    }