mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-08 00:12:10 +08:00
92 lines
3.4 KiB
Perl
Executable file
92 lines
3.4 KiB
Perl
Executable file
#! /usr/bin/env perl
|
|
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
|
|
use common::sense;
|
|
|
|
use File::Basename;
|
|
use lib dirname(__FILE__) . '/../../../lib/perl';
|
|
use OVH::Result;
|
|
use OVH::Bastion;
|
|
use OVH::Bastion::Plugin qw( :DEFAULT help );
|
|
|
|
my $remainingOptions = OVH::Bastion::Plugin::begin(
|
|
argv => \@ARGV,
|
|
header => "declare a new trusted realm on this bastion",
|
|
options => {
|
|
'realm=s' => \my $realm,
|
|
'public-key=s' => \my $pubKey,
|
|
'from=s' => \my $from,
|
|
'comment=s' => \my $comment,
|
|
},
|
|
helptext => <<'EOF',
|
|
Declare and create a new trusted realm
|
|
|
|
Usage: --osh SCRIPT_NAME --realm REALM --from IP1,IP2 [OPTIONS]
|
|
|
|
--realm REALM Realm name to create
|
|
--comment STRING An optional comment when creating the realm. Double-quote if you're under a shell.
|
|
--from IP1,IP2 Comma-separated list of outgoing IPs used by the realm we're declaring (i.e. IPs used by the bastion(s) on the other side)
|
|
the expected format is the one used by the from="" directive on SSH keys (IP and prefixes are supported)
|
|
--public-key KEY Public SSH key to deposit on the bastion to access this realm. If not present,
|
|
you'll be prompted interactively for it. Use double-quoting if your're under a shell.
|
|
EOF
|
|
);
|
|
|
|
# ugly hack for space-enabled parameter
|
|
# XXX should be removed, double quoting fixes the problem, but keep it for compatibility
|
|
if (ref $remainingOptions eq 'ARRAY' and @$remainingOptions) {
|
|
$pubKey .= " " . join(" ", @$remainingOptions);
|
|
}
|
|
|
|
my $fnret;
|
|
|
|
# params check
|
|
if (not $realm or not $from) {
|
|
help();
|
|
osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'realm' or 'from'";
|
|
}
|
|
|
|
my $account = "realm_$realm";
|
|
$fnret = OVH::Bastion::is_account_valid(account => $account, accountType => "realm");
|
|
$fnret or osh_exit $fnret;
|
|
|
|
$fnret = OVH::Bastion::is_account_existing(account => $account);
|
|
if ($fnret) {
|
|
osh_exit 'ERR_ALREADY_EXISTING', "This realm already exists";
|
|
}
|
|
|
|
# TODO check $from
|
|
|
|
if (!$pubKey) {
|
|
$fnret = OVH::Bastion::get_supported_ssh_algorithms_list(way => 'ingress');
|
|
$fnret or osh_exit $fnret;
|
|
my @algoList = @{$fnret->value};
|
|
my $algos = join(' ', @algoList);
|
|
osh_info "Please paste the SSH key you want to add. This bastion supports the following algorithms:\n";
|
|
if (grep { 'ed25519' eq $_ } @algoList) {
|
|
osh_info "ED25519: strongness[#####] speed[#####], use `ssh-keygen -t ed25519' to generate one";
|
|
}
|
|
if (grep { 'ecdsa' eq $_ } @algoList) {
|
|
osh_info "ECDSA : strongness[####.] speed[#####], use `ssh-keygen -t ecdsa -b 521' to generate one";
|
|
}
|
|
if (grep { 'rsa' eq $_ } @algoList) {
|
|
osh_info "RSA : strongness[###..] speed[#....], use `ssh-keygen -t rsa -b 4096' to generate one";
|
|
}
|
|
osh_info
|
|
"\nThis should be the egress key of the group named 'realm' from the other side (your paste won't be echoed).";
|
|
$pubKey = <STDIN>;
|
|
## use critic
|
|
}
|
|
|
|
$fnret = OVH::Bastion::is_valid_public_key(pubKey => $pubKey, way => 'ingress');
|
|
$fnret or osh_exit $fnret;
|
|
|
|
#
|
|
# Now create it
|
|
#
|
|
my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };
|
|
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountCreate';
|
|
push @command, "--type", "realm", "--account", $realm, "--pubKey", $pubKey, "--always-active", "--uid-auto";
|
|
push @command, "--from", $from if $from;
|
|
push @command, "--comment", $comment if $comment;
|
|
|
|
osh_exit OVH::Bastion::helper(cmd => \@command);
|