the-bastion/bin/plugin/restricted/accountPIV
Stéphane Lesimple fde20136ef
Initial commit
2020-10-20 14:30:27 +00:00

91 lines
3.3 KiB
Perl
Executable file

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => "modify the PIV policy of an account",
options => {
"account=s" => \my $account,
"policy=s" => \my $policy,
"ttl=s" => \my $ttl,
},
helptext => <<'EOF',
Modify the PIV policy for the ingress keys of an account
Usage: --osh SCRIPT_NAME --account ACCOUNT --policy <none|enforce|grace --ttl SECONDS|DURATION>
Options:
--account ACCOUNT Bastion account to work on
--policy none|enforce|grace Changes the PIV policy of account. 'none' disables the PIV enforcement, any SSH key can be used
as long as it respects the bastion policy. 'enforce' enables the PIV enforcement, only PIV keys
can be added as ingress SSH keys. 'grace' enables temporary deactivation of PIV enforcement on
an account, only meaningful when policy is already set to 'enforce' for this account, 'grace'
requires the use of the --ttl option to specify how much time the policy will be relaxed for this
account before going back to 'enforce' automatically.
--ttl SECONDS|DURATION For the 'grace' policy, amount of time after which the account will automatically go back to 'enforce'
policy (amount of seconds, or duration string such as "4d12h15m")
EOF
);
my $fnret;
if (!$account) {
help();
osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'account'";
}
$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account, localOnly => 1);
$fnret or osh_exit $fnret;
$account = $fnret->value->{'account'};
if (not grep { $policy eq $_ } qw{ none enforce grace }) {
help();
osh_exit 'ERR_INVALID_PARAMETER', "Expected either 'none,' enforce' of 'grace' as a parameter to --policy";
}
if ($policy eq 'grace' && !defined $ttl) {
help();
osh_exit 'ERR_MISSING_PARAMETER', "The use of 'grace' requires to specify the --ttl parameter as well";
}
if (defined $ttl) {
$fnret = OVH::Bastion::is_valid_ttl(ttl => $ttl);
$fnret or osh_exit $fnret;
$ttl = $fnret->value->{'seconds'};
}
my @command;
osh_info "Changing account configuration...";
@command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountPIV';
push @command, '--step', '1';
push @command, '--account', $account;
push @command, '--policy', $policy;
push @command, '--ttl', $ttl if defined $ttl;
$fnret = OVH::Bastion::helper(cmd => \@command);
$fnret or osh_exit $fnret;
osh_info $fnret->msg;
osh_info "Applying change to keys...";
@command = qw{ sudo -n -u };
push @command, $account;
push @command, qw{ -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountPIV';
push @command, '--step', '2';
push @command, '--account', $account;
push @command, '--policy', $policy;
push @command, '--ttl', $ttl if defined $ttl;
$fnret = OVH::Bastion::helper(cmd => \@command);
osh_exit $fnret;