ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-09-07 13:34:28 +08:00
Code Issues Projects Releases Packages Wiki Activity

feat: groupList/accountList: add --include --exclude

Browse source
This commit is contained in:
Stéphane Lesimple 2021-01-20 09:55:58 +00:00 committed by Stéphane Lesimple
parent 3aa6e343fd
commit efe3710e4c
3 changed files with 61 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
bin/plugin/open/groupList
View file

@ -9,17 +9,24 @@ use OVH::Result;
use OVH::Bastion; use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin qw( :DEFAULT help );
my ($all);
my $remainingOptions = OVH::Bastion::Plugin::begin( my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV, argv => \@ARGV,
header => "group list", header => "group list",
options => {'all' => \$all}, options => {
'all' => \my $all,
'exclude=s' => \my @excludes,
'include=s' => \my @includes,
},
helptext => <<'EOF', helptext => <<'EOF',
List the groups available on this bastion List the groups available on this bastion
Usage: --osh SCRIPT_NAME [--all] Usage: --osh SCRIPT_NAME [--all] [--exclude|--include WILDCARD [--exclude|--include WILDCARD ..]]
--all List all groups, even those to which you don't have access --all List all groups, even those to which you don't have access
--include WILDCARD Only list groups that match the given WILDCARD string, '*' and '?' are recognized,
this option can be used multiple times to refine results.
--exclude WILDCARD Omit groups that match the given WILDCARD string, '*' and '?' are recognized,
can be used multiple times. Note that --exclude takes precedence over --include
EOF EOF
); );
@ -28,8 +35,18 @@ my $fnret;
$fnret = OVH::Bastion::get_group_list(groupType => "key"); $fnret = OVH::Bastion::get_group_list(groupType => "key");
$fnret or osh_exit $fnret; $fnret or osh_exit $fnret;
my $includere = OVH::Bastion::build_re_from_wildcards(wildcards => \@includes)->value;
my $excludere = OVH::Bastion::build_re_from_wildcards(wildcards => \@excludes)->value;
my $result_hash = {}; my $result_hash = {};
foreach my $name (sort keys %{$fnret->value}) { foreach my $name (sort keys %{$fnret->value}) {
# if we have excludes, match name against the built regex
next if ($excludere && $name =~ $excludere);
# same for includes
next if ($includere && $name !~ $includere);
my @flags; my @flags;
push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name, cache => 1); push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name, cache => 1);
push @flags, 'gatekeeper' if OVH::Bastion::is_group_gatekeeper(group => $name, cache => 1); push @flags, 'gatekeeper' if OVH::Bastion::is_group_gatekeeper(group => $name, cache => 1);

18
bin/plugin/restricted/accountList
View file

@ -17,6 +17,8 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
"realm-only" => \my $realmOnly, "realm-only" => \my $realmOnly,
"account=s" => \my $account, "account=s" => \my $account,
"audit" => \my $audit, "audit" => \my $audit,
'exclude=s' => \my @excludes,
'include=s' => \my @includes,
}, },
helptext => <<'EOF', helptext => <<'EOF',
List the bastion accounts List the bastion accounts
@ -26,6 +28,10 @@ Usage: --osh SCRIPT_NAME [--account ACCOUNT] [--inactive-only] [--audit]
--account ACCOUNT Only list the specified account. This is an easy way to check whether the account exists --account ACCOUNT Only list the specified account. This is an easy way to check whether the account exists
--inactive-only Only list inactive accounts --inactive-only Only list inactive accounts
--audit Show more verbose information (SLOW!), you need to be a bastion auditor --audit Show more verbose information (SLOW!), you need to be a bastion auditor
--include WILDCARD Only list accounts that match the given WILDCARD string, '*' and '?' are recognized,
this option can be used multiple times to refine results.
--exclude WILDCARD Omit accounts that match the given WILDCARD string, '*' and '?' are recognized,
can be used multiple times. Note that --exclude takes precedence over --include
EOF EOF
); );
@ -63,10 +69,20 @@ if ($audit) {
$fnretPassword = OVH::Bastion::helper(cmd => \@command); $fnretPassword = OVH::Bastion::helper(cmd => \@command);
} }
# if we have excludes and/or includes, transform those into regexes
my $includere = OVH::Bastion::build_re_from_wildcards(wildcards => \@includes)->value;
my $excludere = OVH::Bastion::build_re_from_wildcards(wildcards => \@excludes)->value;
my $result_hash = {}; my $result_hash = {};
foreach my $account (sort keys %$accounts) { foreach my $account (sort keys %$accounts) {
my %states;
# if we have excludes, match name against the built regex
next if ($excludere && $account =~ $excludere);
# same for includes
next if ($includere && $account !~ $includere);
my %states;
$states{'is_active'} = undef; $states{'is_active'} = undef;
$fnret = OVH::Bastion::is_account_active(account => $account); $fnret = OVH::Bastion::is_account_active(account => $account);
if ($fnret->is_ok) { if ($fnret->is_ok) {

21
lib/perl/OVH/Bastion/allowkeeper.inc
View file

@ -1046,4 +1046,25 @@ sub is_valid_ttl {
return R('KO_INVALID_PARAMETER', msg => "Invalid TTL ($ttl), expected an amount of seconds, or a duration string such as '2d8h15m'"); return R('KO_INVALID_PARAMETER', msg => "Invalid TTL ($ttl), expected an amount of seconds, or a duration string such as '2d8h15m'");
} }
# used by groupList and accountList
sub build_re_from_wildcards {
my %params = @_;
my $wildcards = $params{'wildcards'};
# to avoid modifying the caller's array
my @relist = @$wildcards;
# qr// is true, so return undef if there's nothing to build
return R('OK', value => undef) if !@relist;
for (@relist) {
$_ = quotemeta;
s/\\\*/.*/g;
s/\\\?/./g;
$_ = '^' . $_ . '$';
}
my $stringified = join("|", @relist);
return R('OK', value => qr/$stringified/);
}
1; 1;