mirror of
https://github.com/ovh/the-bastion.git
synced 2025-02-26 16:43:03 +08:00
88 lines
2.9 KiB
Perl
Executable file
88 lines
2.9 KiB
Perl
Executable file
#! /usr/bin/env perl
|
|
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
|
|
use common::sense;
|
|
|
|
use File::Basename;
|
|
use lib dirname(__FILE__) . '/../../../lib/perl';
|
|
use OVH::Result;
|
|
use OVH::Bastion;
|
|
use OVH::Bastion::Plugin qw( :DEFAULT help );
|
|
use OVH::Bastion::Plugin::ACL;
|
|
|
|
my $remainingOptions = OVH::Bastion::Plugin::begin(
|
|
argv => \@ARGV,
|
|
header => "removing a server from a group",
|
|
options => {
|
|
"group=s" => \my $group,
|
|
"user-any" => \my $userAny,
|
|
"port-any" => \my $portAny,
|
|
"scpup" => \my $scpUp,
|
|
"scpdown" => \my $scpDown,
|
|
"sftp" => \my $sftp,
|
|
"force" => \my $force,
|
|
},
|
|
helptext => <<'EOF',
|
|
Remove an IP or IP block from a group's server list
|
|
|
|
Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS]
|
|
|
|
--group GROUP Specify which group this machine should be removed from
|
|
--host HOST|IP|NET/CIDR Host(s) we want to remove access to
|
|
--user USER Remote user that was allowed, if any user was allowed, use --user-any
|
|
--user-any Use if any remote login was allowed
|
|
--port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any
|
|
--port-any Use if any remote port was allowed
|
|
--scpup Remove SCP upload right, you--bastion-->server (omit --user in this case)
|
|
--scpdown Remove SCP download right, you<--bastion--server (omit --user in this case)
|
|
--sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
|
|
EOF
|
|
);
|
|
|
|
my $fnret;
|
|
|
|
if (not $group or not $ip) {
|
|
help();
|
|
osh_exit 'ERR_MISSING_PARAMETER',
|
|
"Missing mandatory parameter 'host' or 'group' (or host didn't resolve correctly)";
|
|
}
|
|
|
|
$fnret = OVH::Bastion::Plugin::ACL::check(
|
|
user => $user,
|
|
userAny => $userAny,
|
|
port => $port,
|
|
portAny => $portAny,
|
|
scpUp => $scpUp,
|
|
scpDown => $scpDown,
|
|
sftp => $sftp
|
|
);
|
|
if (!$fnret) {
|
|
help();
|
|
osh_exit($fnret);
|
|
}
|
|
$user = $fnret->value->{'user'};
|
|
|
|
$fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => "key");
|
|
$fnret or osh_exit($fnret);
|
|
|
|
# get returned untainted value
|
|
$group = $fnret->value->{'group'};
|
|
my $shortGroup = $fnret->value->{'shortGroup'};
|
|
|
|
#
|
|
# Now do it
|
|
#
|
|
|
|
$fnret = OVH::Bastion::is_group_aclkeeper(account => $self, group => $shortGroup, superowner => 1);
|
|
$fnret
|
|
or osh_exit 'ERR_NOT_GROUP_ACLKEEPER',
|
|
"Sorry, you must be an aclkeeper of group $shortGroup to be able to delete servers from it";
|
|
|
|
my @command = qw{ sudo -n -u };
|
|
push @command, ($group, '--', '/usr/bin/env', 'perl', '-T', $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupAddServer');
|
|
push @command, '--group', $group;
|
|
push @command, '--action', 'del';
|
|
push @command, '--ip', $ip;
|
|
push @command, '--user', $user if $user;
|
|
push @command, '--port', $port if $port;
|
|
|
|
osh_exit OVH::Bastion::helper(cmd => \@command);
|