#! /usr/bin/env perl # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; use OVH::Result; use OVH::Bastion; use OVH::Bastion::Plugin qw( :DEFAULT help ); my $remainingOptions = OVH::Bastion::Plugin::begin( argv => \@ARGV, header => "modify the configuration of a group", options => { "group=s" => \my $group, "mfa-required=s" => \my $mfaRequired, "idle-lock-timeout=s" => \my $idleLockTimeout, "idle-kill-timeout=s" => \my $idleKillTimeout, "guest-ttl-limit=s" => \my $ttl, }, helptext => <<'EOF', Modify the configuration of a group Usage: --osh SCRIPT_NAME --group GROUP [--mfa-required password|totp|any|none] [--guest-ttl-limit DURATION] --group GROUP Name of the group to modify --mfa-required password|totp|any|none Enforce UNIX password requirement, or TOTP requirement, or any MFA requirement, when connecting to a server of the group --idle-lock-timeout DURATION|0|-1 Overrides the global setting (`idleLockTimeout`), to the specified duration. If set to 0, disables `idleLockTimeout` for this group. If set to -1, remove this group override and use the global setting instead. --idle-kill-timeout DURATION|0|-1 Overrides the global setting (`idleKillTimeout`), to the specified duration. If set to 0, disables `idleKillTimeout` for this group. If set to -1, remove this group override and use the global setting instead. --guest-ttl-limit DURATION This group will enforce TTL setting, on guest access creation, to be set, and not to a higher value than DURATION, set to zero to allow guest accesses creation without any TTL set (default) Note that `--idle-lock-timeout` and `--idle-kill-timeout` will NOT be applied for catch-all groups (having 0.0.0.0/0 in their server list). If a server is in exactly one group an account is a member of, then its values of `--idle-lock-timeout` and `--idle-kill-timeout`, if set, will prevail over the global setting. The global setting can be seen with `--osh info`. Otherwise, the most restrictive setting (i.e. the one with the lower strictly positive duration) between all the considered groups and the global setting, will be used. EOF ); my $fnret; if (!$group) { help(); osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'group'"; } if (!$mfaRequired && !defined $ttl && !defined $idleLockTimeout && !defined $idleKillTimeout) { help(); osh_exit 'ERR_MISSING_PARAMETER', "Nothing to modify"; } foreach my $item (\$ttl, \$idleLockTimeout, \$idleKillTimeout) { if (defined $$item && $$item != -1) { $fnret = OVH::Bastion::is_valid_ttl(ttl => $$item); $fnret or osh_exit $fnret; $$item = $fnret->value->{'seconds'}; } } # ttl doesn't allow -1 as a valid value, check that if ($ttl == -1) { osh_exit 'ERR_INVALID_PARAMETER', "Invalid TTL (-1), expected an amount of seconds, or a duration string such as '2d8h15m'"; } $fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => 'key'); $fnret or osh_exit $fnret; $group = $fnret->value->{'group'}; my $shortGroup = $fnret->value->{'shortGroup'}; $fnret = OVH::Bastion::is_group_owner(account => $self, group => $shortGroup, superowner => 1); if (!$fnret) { osh_exit 'ERR_NOT_GROUP_OWNER', "You must be an owner to modify this group"; } if (defined $mfaRequired && !grep { $mfaRequired eq $_ } qw{ password totp any none }) { help(); osh_exit 'ERR_INVALID_PARAMETER', "Expected 'password', 'totp', 'any' or 'none' as parameter to --mfa-required"; } my @command = qw{ sudo -n -u }; push @command, $group; push @command, qw{ -- /usr/bin/env perl -T }; push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupModify'; push @command, '--group', $group; push @command, '--mfa-required', $mfaRequired if $mfaRequired; push @command, '--guest-ttl-limit', $ttl if defined $ttl; push @command, '--idle-lock-timeout', $idleLockTimeout if defined $idleLockTimeout; push @command, '--idle-kill-timeout', $idleKillTimeout if defined $idleKillTimeout; osh_exit OVH::Bastion::helper(cmd => \@command);