ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2025-01-08 00:12:10 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/bin/cron/osh-piv-grace-reaper.pl
Thomas SOËTE 2a51a78b54 fix: Enable perl-tidy.sh test 
* Move to ubuntu-20.04 runner
* Remove check in dockers tests
2020-11-22 21:37:34 +00:00

105 lines
3.8 KiB
Perl
Executable file
Raw Blame History

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use File::Basename;
use lib dirname(__FILE__) . '/../../lib/perl';
use OVH::Bastion;
use OVH::Result;
use OVH::SimpleLog;
my $fnret;
$fnret = OVH::Bastion::load_configuration_file(
file => OVH::Bastion::main_configuration_directory() . "/osh-piv-grace-reaper.conf",
secure => 1,
keywords => [qw{ SyslogFacility }],
);
my $config;
if (not $fnret) {
_err "Error while loading configuration, continuing anyway with default values...";
}
else {
$config = $fnret->value;
if (ref $config ne 'HASH') {
_err "Invalid data returned while loading configuration, continuing anyway with default values...";
}
}
# logging
if ($config && $config->{'SyslogFacility'}) {
OVH::SimpleLog::setSyslog($config->{'SyslogFacility'});
}
_log "Looking for accounts with a PIV grace...";
# loop through all the accounts, and only work on those that have a grace period set
$fnret = OVH::Bastion::get_account_list();
if (!$fnret) {
_err "Couldn't get account list: " . $fnret->msg;
exit 1;
}
# this'll be used in syslog
$ENV{'UNIQID'} = OVH::Bastion::generate_uniq_id()->value;
foreach my $account (%{$fnret->value}) {
# if account doesn't have PIV grace, don't bother
$fnret = OVH::Bastion::account_config(account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_GRACE);
next if !$fnret;
# we have PIV grace set for this account
my $expiry = $fnret->value;
my $human = OVH::Bastion::duration2human(seconds => ($expiry - time()))->value;
_log "Account $account has PIV grace expiry set to $expiry (" . $human->{'human'} . ")";
# is PIV grace TTL expired?
if (time() > $expiry) {
# it is, but if current policy is not set to enforce, it's useless
_log "... grace for $account is expired, is current policy set to enforced?";
$fnret = OVH::Bastion::account_config(account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_POLICY);
if (!$fnret || $fnret->value ne 'yes') {
# PIV grace expired but current policy is already relaxed, so just remove the grace flag
_log "... grace for $account is expired, but current policy is not set to enforced, removing grace...";
$fnret = OVH::Bastion::account_config(account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_GRACE, delete => 1);
if (!$fnret) {
_err "... couldn't remove grace flag for $account";
next;
}
# grace removed for this account, no change needed on keys because it wasn't set to enforced
next;
}
# PIV grace expired, we need to remove the non-PIV keys from the account's authorized_keys2 file
_log "... grace for $account is expired, enforcing PIV-keys only...";
OVH::SimpleLog::closeSyslog();
$fnret = OVH::Bastion::ssh_ingress_keys_piv_apply(action => "enable", account => $account);
if (!$fnret) {
_err "... failed to re-enforce PIV policy for $account ($fnret->msg)";
next;
}
if ($config && $config->{'SyslogFacility'}) {
OVH::SimpleLog::setSyslog($config->{'SyslogFacility'});
}
_log "... re-enforced PIV policy for $account";
# ok, now remove grace flag
$fnret = OVH::Bastion::account_config(account => $account, public => 1, key => OVH::Bastion::OPT_ACCOUNT_INGRESS_PIV_GRACE, delete => 1);
if (!$fnret) {
_err "... couldn't remove grace flag for $account";
}
else {
_log "... grace flag removed for $account";
}
}
else {
_log "... grace for $account is not expired yet, skipping...";
}
}
_log "Done";
Reference in a new issue View git blame Copy permalink