mirror of
https://github.com/ovh/the-bastion.git
synced 2025-01-08 16:27:52 +08:00
206 lines
7.4 KiB
Perl
Executable file
206 lines
7.4 KiB
Perl
Executable file
#! /usr/bin/env perl
|
|
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
|
|
use common::sense;
|
|
use Term::ANSIColor;
|
|
use POSIX qw{ strftime };
|
|
|
|
use File::Basename;
|
|
use lib dirname(__FILE__) . '/../../../lib/perl';
|
|
use OVH::Result;
|
|
use OVH::Bastion;
|
|
use OVH::Bastion::Plugin qw( :DEFAULT help );
|
|
|
|
my ($group);
|
|
my $remainingOptions = OVH::Bastion::Plugin::begin(
|
|
argv => \@ARGV,
|
|
header => "group info",
|
|
options => {'group=s' => \$group},
|
|
helptext => <<'EOF',
|
|
Print some basic information about a group
|
|
|
|
Usage: --osh SCRIPT_NAME --group GROUP
|
|
|
|
--group GROUP specify the group to display the infos of
|
|
EOF
|
|
);
|
|
|
|
#
|
|
# code
|
|
#
|
|
my $fnret;
|
|
|
|
#
|
|
# params check
|
|
#
|
|
if (!$group) {
|
|
help();
|
|
osh_exit 'ERR_MISSING_PARAMETER', "Missing 'group' parameter";
|
|
}
|
|
|
|
$fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => "key");
|
|
$fnret or osh_exit($fnret);
|
|
|
|
# get returned untainted value
|
|
$group = $fnret->value->{'group'};
|
|
my $shortGroup = $fnret->value->{'shortGroup'};
|
|
|
|
my %roles;
|
|
foreach my $role (qw{ member aclkeeper gatekeeper owner }) {
|
|
$fnret = OVH::Bastion::is_group_existing(group => $group . ($role eq 'member' ? '' : "-$role"));
|
|
if (!$fnret) {
|
|
osh_exit($fnret) if $role eq 'member'; # critical
|
|
$roles{$role} = [];
|
|
}
|
|
else {
|
|
$roles{$role} = [grep { $_ ne 'allowkeeper' } @{$fnret->value->{'members'} || []}];
|
|
}
|
|
}
|
|
|
|
my $result_hash = {group => $shortGroup};
|
|
$result_hash->{'owners'} = $roles{'owner'};
|
|
$result_hash->{'aclkeepers'} = $roles{'aclkeeper'};
|
|
$result_hash->{'gatekeepers'} = $roles{'gatekeeper'};
|
|
|
|
osh_info "Group " . $shortGroup . "'s Owners are: " . colored(@{$roles{'owner'}} ? join(" ", sort @{$roles{'owner'}}) : '-', "red");
|
|
osh_info "Group "
|
|
. $shortGroup
|
|
. "'s GateKeepers (managing the members/guests list) are: "
|
|
. colored(@{$roles{'gatekeeper'}} ? join(" ", sort @{$roles{'gatekeeper'}}) : '-', "red");
|
|
if ( OVH::Bastion::is_group_owner(group => $shortGroup, account => $self, superowner => 1)
|
|
|| OVH::Bastion::is_group_gatekeeper(group => $shortGroup, account => $self)
|
|
|| OVH::Bastion::is_group_aclkeeper(group => $shortGroup, account => $self)
|
|
|| OVH::Bastion::is_group_member(group => $shortGroup, account => $self)
|
|
|| OVH::Bastion::is_auditor(account => $self))
|
|
{
|
|
|
|
osh_info "Group "
|
|
. $shortGroup
|
|
. "'s ACLKeepers (managing the group servers list) are: "
|
|
. colored(@{$roles{'aclkeeper'}} ? join(" ", sort @{$roles{'aclkeeper'}}) : '-', "red");
|
|
|
|
# now, who is member / guest ?
|
|
my (@members, @guests);
|
|
foreach my $account (@{$roles{'member'}}) {
|
|
osh_debug("what is $account?");
|
|
if ($account =~ /^realm_(.+)/) {
|
|
my $pRealm = $1;
|
|
$fnret = OVH::Bastion::get_remote_accounts_from_realm(realm => $pRealm);
|
|
if (!$fnret || !@{$fnret->value}) {
|
|
|
|
# we couldn't get the list, or the list is empty: at least show that the realm shared account is there
|
|
push @members, $user;
|
|
}
|
|
else {
|
|
foreach my $pRemoteaccount (@{$fnret->value}) {
|
|
if (OVH::Bastion::is_group_guest(group => $shortGroup, account => "$pRealm/$pRemoteaccount")) {
|
|
push @guests, "$pRealm/$pRemoteaccount";
|
|
}
|
|
else {
|
|
push @members, "$pRealm/$pRemoteaccount";
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
|
|
if (OVH::Bastion::is_group_guest(account => $account, group => $shortGroup)) {
|
|
push @guests, $account;
|
|
}
|
|
else {
|
|
push @members, $account;
|
|
}
|
|
}
|
|
}
|
|
osh_info "Group " . $shortGroup . "'s Members (with access to ALL the group servers) are: " . colored(@members ? join(" ", sort @members) : '-', "red");
|
|
|
|
my %guest_details;
|
|
my @guest_text;
|
|
my @filtered_guests;
|
|
foreach my $guest (sort @guests) {
|
|
$fnret = OVH::Bastion::get_acl_way(way => 'groupguest', group => $shortGroup, account => $guest);
|
|
|
|
# for realms, don't show remote accounts with zero accesses, this could be confusing
|
|
next if ($guest =~ m{/} && $fnret && @{$fnret->value} == 0);
|
|
$guest_details{$guest} = $fnret ? scalar(@{$fnret->value}) : '?';
|
|
push @guest_text, $guest . "[" . $guest_details{$guest} . "]";
|
|
push @filtered_guests, $guest;
|
|
}
|
|
osh_info "Group " . $shortGroup . "'s Guests (with access to SOME of the group servers) are: " . colored(@filtered_guests ? join(" ", @guest_text) : '-', "red");
|
|
|
|
# deprecated in v2.18.00+
|
|
$result_hash->{'full_members'} = \@members;
|
|
$result_hash->{'partial_members'} = \@filtered_guests;
|
|
|
|
# /deprecated
|
|
|
|
$result_hash->{'members'} = \@members;
|
|
$result_hash->{'guests'} = \@filtered_guests;
|
|
$result_hash->{'guests_accesses'} = \%guest_details;
|
|
|
|
my @inactive;
|
|
foreach my $account (@members) {
|
|
if (OVH::Bastion::is_account_active(account => $account)->is_ko) {
|
|
push @inactive, $account;
|
|
}
|
|
}
|
|
if (@inactive) {
|
|
osh_info "For your information, the following accounts are inactive: " . colored(join(" ", @inactive), "blue");
|
|
$result_hash->{'inactive'} = \@inactive;
|
|
}
|
|
|
|
# policies
|
|
$fnret = OVH::Bastion::group_config(group => $group, key => 'mfa_required');
|
|
if ($fnret && $fnret->value eq 'password') {
|
|
osh_warn "MFA Required: when connecting to servers of this group, users will be asked for an additional authentication factor (password)";
|
|
}
|
|
elsif ($fnret && $fnret->value eq 'totp') {
|
|
osh_warn "MFA Required: when connecting to servers of this group, users will be asked for an additional authentication factor (TOTP)";
|
|
}
|
|
elsif ($fnret && $fnret->value eq 'any') {
|
|
osh_warn "MFA Required: When connecting to servers of this group, users will be asked for an additional authentication factor";
|
|
}
|
|
if ($fnret && $fnret->value ne 'none') {
|
|
$result_hash->{'mfa_required'} = $fnret->value;
|
|
}
|
|
|
|
$fnret = OVH::Bastion::group_config(group => $group, key => 'guest_ttl_limit');
|
|
if ($fnret) {
|
|
osh_warn "Guest TTL enforced: guest accesses must have a TTL with a maximum duration of " . OVH::Bastion::duration2human(seconds => $fnret->value)->value->{'duration'};
|
|
$result_hash->{'guest_ttl_limit'} = $fnret->value;
|
|
}
|
|
}
|
|
else {
|
|
osh_info "You should ask him/her/them if you think you need access for your work tasks.";
|
|
}
|
|
|
|
# get pubkeys with the proper from='' and show them
|
|
|
|
$fnret = OVH::Bastion::get_bastion_ips();
|
|
my $from;
|
|
if ($fnret) {
|
|
my @ips = @{$fnret->value};
|
|
$from = 'from="' . join(',', @ips) . '"';
|
|
}
|
|
|
|
$fnret = OVH::Bastion::get_group_keys(group => $group);
|
|
if ($fnret and $from) {
|
|
osh_info ' ';
|
|
if ($fnret->value && !@{$fnret->value->{'sortedKeys'}}) {
|
|
osh_info "This group has no SSH egress key, the owner may use groupGenerateEgressKey to generate one.";
|
|
}
|
|
elsif (@{$fnret->value->{'sortedKeys'}} == 1) {
|
|
osh_info "The public key of this group is:";
|
|
}
|
|
else {
|
|
osh_info "The public keys of this group are:";
|
|
}
|
|
osh_info ' ';
|
|
foreach my $keyfile (@{$fnret->value->{'sortedKeys'}}) {
|
|
my $key = $fnret->value->{'keys'}{$keyfile};
|
|
$key->{'prefix'} = $from;
|
|
OVH::Bastion::print_public_key(key => $key);
|
|
$result_hash->{'keys'}{$key->{'fingerprint'}} = $key;
|
|
}
|
|
}
|
|
|
|
osh_ok $result_hash;
|