mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-08 00:12:10 +08:00
383f2a011c
If no comment is set, the comment is inherited from the group ACL, as seen in groupListServers. selfAddPersonalAccess now also return details about the added server in the returned JSON. Closes #18 Closes #17
85 lines
2.5 KiB
Perl
Executable file
85 lines
2.5 KiB
Perl
Executable file
#! /usr/bin/perl -T
|
|
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
|
|
# KEYSUDOERS # as a gatekeeper, to be able to add the servers to /home/allowkeeper/ACCOUNT/allowed.partial.%GROUP% file
|
|
# KEYSUDOERS SUPEROWNERS, %%GROUP%-gatekeeper ALL=(allowkeeper) NOPASSWD: /usr/bin/env perl -T %BASEPATH%/bin/helper/osh-accountAddGroupServer --group %GROUP% *
|
|
# FILEMODE 0750
|
|
# FILEOWN 0 allowkeeper
|
|
|
|
#>HEADER
|
|
use common::sense;
|
|
use Getopt::Long;
|
|
|
|
use File::Basename;
|
|
use lib dirname(__FILE__) . '/../../lib/perl';
|
|
use OVH::Bastion;
|
|
local $| = 1;
|
|
|
|
#
|
|
# Globals
|
|
#
|
|
$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/pkg/bin';
|
|
my ($self) = $ENV{'SUDO_USER'} =~ m{^([a-zA-Z0-9._-]+)$};
|
|
if (not defined $self) {
|
|
if ($< == 0) {
|
|
$self = 'root';
|
|
}
|
|
else {
|
|
HEXIT('ERR_SUDO_NEEDED', msg => 'This command must be run under sudo');
|
|
}
|
|
}
|
|
|
|
# Fetch command options
|
|
my $fnret;
|
|
my ($result, @optwarns);
|
|
my ($account, $group, $ip, $user, $port, $action, $ttl, $comment, $forceKey);
|
|
eval {
|
|
local $SIG{__WARN__} = sub { push @optwarns, shift };
|
|
$result = GetOptions(
|
|
"account=s" => sub { $account //= $_[1] },
|
|
"group=s" => sub { $group //= $_[1] },
|
|
"ip=s" => sub { $ip //= $_[1] },
|
|
"user=s" => sub { $user //= $_[1] },
|
|
"port=i" => sub { $port //= $_[1] },
|
|
"action=s" => sub { $action //= $_[1] },
|
|
"ttl=i" => sub { $ttl //= $_[1] },
|
|
"comment=s" => sub { $comment //= $_[1] },
|
|
"force-key=s" => sub { $forceKey //= $_[1] },
|
|
);
|
|
};
|
|
if ($@) { die $@ }
|
|
|
|
if (!$result) {
|
|
local $" = ", ";
|
|
HEXIT('ERR_BAD_OPTIONS', msg => "Error parsing options: @optwarns");
|
|
}
|
|
|
|
if (not $action or not $ip or not $account or not $group) {
|
|
HEXIT('ERR_MISSING_PARAMETER', msg => "Missing argument 'action' or 'ip' or 'account' or 'group'");
|
|
}
|
|
|
|
#<HEADER
|
|
|
|
not defined $account and $account = $self;
|
|
|
|
#>PARAMS:ACTION
|
|
if (not grep { $action eq $_ } qw{ add del }) {
|
|
return R('ERR_INVALID_PARAMETER', msg => "expected 'add' or 'del' as an action");
|
|
}
|
|
|
|
#<PARAMS:ACTION
|
|
|
|
#>CODE
|
|
# access_modify validates all its parameters, don't do it ourselves here for clarity
|
|
$fnret = OVH::Bastion::access_modify(
|
|
way => 'groupguest',
|
|
account => $account,
|
|
group => $group,
|
|
action => $action,
|
|
user => $user,
|
|
ip => $ip,
|
|
port => $port,
|
|
ttl => $ttl,
|
|
comment => $comment,
|
|
forceKey => $forceKey
|
|
);
|
|
HEXIT($fnret);
|