ovh/the-bastion
1
1
Fork 0
mirror of https://github.com/ovh/the-bastion.git synced 2024-12-29 11:41:27 +08:00
Code Issues Projects Releases Packages Wiki Activity
the-bastion/bin/helper/osh-accountModifyPersonalAccess
Stéphane Lesimple 383f2a011c enh: guests: groupAddGuestAccess now supports setting a comment 
If no comment is set, the comment is inherited from the group ACL,
as seen in groupListServers.

selfAddPersonalAccess now also return details
about the added server in the returned JSON.

Closes #18
Closes #17
2021-02-22 11:56:19 +01:00

124 lines
4.1 KiB
Perl
Executable file
Raw Blame History

#! /usr/bin/perl -T
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
# NEEDGROUP osh-selfAddPersonalAccess
# SUDOERS %osh-selfAddPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target self --action add *
# FILEMODE 0750
# FILEOWN 0 allowkeeper
#
# NEEDGROUP osh-accountAddPersonalAccess
# SUDOERS %osh-accountAddPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target any --action add *
# FILEMODE 0750
# FILEOWN 0 allowkeeper
#
# NEEDGROUP osh-selfDelPersonalAccess
# SUDOERS %osh-selfDelPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target self --action del *
# FILEMODE 0750
# FILEOWN 0 allowkeeper
#
# NEEDGROUP osh-accountDelPersonalAccess
# SUDOERS %osh-accountDelPersonalAccess ALL=(allowkeeper) NOPASSWD:/usr/bin/env perl -T /opt/bastion/bin/helper/osh-accountModifyPersonalAccess --target any --action del *
# FILEMODE 0750
# FILEOWN 0 allowkeeper
#>HEADER
use common::sense;
use Getopt::Long;
use File::Basename;
use lib dirname(__FILE__) . '/../../lib/perl';
use OVH::Bastion;
local $| = 1;
#
# Globals
#
$ENV{'PATH'} = '/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/pkg/bin';
my ($self) = $ENV{'SUDO_USER'} =~ m{^([a-zA-Z0-9._-]+)$};
if (not defined $self) {
if ($< == 0) {
$self = 'root';
}
else {
HEXIT('ERR_SUDO_NEEDED', msg => 'This command must be run under sudo');
}
}
# Fetch command options
my $fnret;
my ($result, @optwarns);
my ($account, $ip, $user, $port, $action, $ttl, $forceKey, $target, $comment);
eval {
local $SIG{__WARN__} = sub { push @optwarns, shift };
$result = GetOptions(
"account=s" => sub { $account //= $_[1] },
"ip=s" => sub { $ip //= $_[1] },
"user=s" => sub { $user //= $_[1] },
"port=i" => sub { $port //= $_[1] },
"action=s" => sub { $action //= $_[1] },
"ttl=i" => sub { $ttl //= $_[1] },
"force-key=s" => sub { $forceKey //= $_[1] },
"target=s" => sub { $target //= $_[1] },
"comment=s" => sub { $comment //= $_[1] },
);
};
if ($@) { die $@ }
if (!$result) {
local $" = ", ";
HEXIT('ERR_BAD_OPTIONS', msg => "Error parsing options: @optwarns");
}
if (not $action or not $ip or not $account or not $target) {
HEXIT('ERR_MISSING_PARAMETER', msg => "Missing argument 'action' or 'ip' or 'account' or 'target'");
}
#<HEADER
not defined $account and $account = $self;
#>RIGHTSCHECK
if ($target eq 'self' && $self ne $account) {
HEXIT('ERR_SECURITY_VIOLATION', msg => "Attempted to modify another account while you're only allowed to do it on yourself");
}
#<RIGHTSCHECK
#>PARAMS:ACTION
if (not grep { $action eq $_ } qw{ add del }) {
return R('ERR_INVALID_PARAMETER', msg => "expected 'add' or 'del' as an action");
}
#<PARAMS:ACTION
#>CODE
my $machine = $ip;
$port and $machine .= ":$port";
$user and $machine = $user . '@' . $machine;
# access_modify validates all its parameters, don't do it ourselves here for clarity
$fnret = OVH::Bastion::access_modify(
way => 'personal',
account => $account,
action => $action,
user => $user,
ip => $ip,
port => $port,
ttl => $ttl,
forceKey => $forceKey,
comment => $comment,
);
if ($fnret->err eq 'OK') {
my $ttlmsg = $ttl ? ' (expires in ' . OVH::Bastion::duration2human(seconds => $ttl)->value->{'human'} . ')' : '';
HEXIT(
'OK',
value => {action => $action, account => $account, ip => $ip, user => $user, port => $port, ttl => $ttl, comment => $comment},
msg => $action eq 'add' ? "Access to $machine was added to account $account$ttlmsg" : "Access to $machine was removed from account $account$ttlmsg"
);
}
elsif ($fnret->err eq 'OK_NO_CHANGE') {
HEXIT('OK_NO_CHANGE',
msg => $action eq 'add'
? "Access to $machine was already granted to account $account, nothing done"
: "Access to $machine was not granted to account $account, nothing done");
}
HEXIT($fnret);
Reference in a new issue View git blame Copy permalink