#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
use OVH::Bastion::Plugin::groupSetRole;
use OVH::Bastion::Plugin::ACL;

my $remainingOptions = OVH::Bastion::Plugin::begin(
    argv               => \@ARGV,
    header             => "remove access from one server of a group from an account",
    userAllowWildcards => 1,
    options            => {
        "group=s"    => \my $group,
        "protocol=s" => \my $protocol,
        "account=s"  => \my $account,
        # undocumented/compatibility:
        "user-any" => \my $userAny,
        "port-any" => \my $portAny,
        "scpup"    => \my $scpUp,
        "scpdown"  => \my $scpDown,
        "sftp"     => \my $sftp,
    },
    helptext => <<'EOF',
Remove a specific group server access from an account

Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]

  --account ACCOUNT        Bastion account remove the guest access from
  --group GROUP            Specify which group to remove the guest access to ACCOUNT from
  --host HOST|IP|SUBNET    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
                             or an IP, or a whole subnet using the PREFIX/SIZE notation
  --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                             Globbing characters '*' and '?' are supported, so you can specify a pattern
                             that will be matched against the actual remote user name.
                             If any user was allowed, use '--user *' (you might need to escape '*' from your shell)
  --port PORT|*            Remote port that was allowed to connect to
                             If any user was allowed, use '--port *' (you might need to escape '*' from your shell)
  --protocol PROTO         Specify that a special protocol was allowed for this HOST:PORT tuple, note that you
                              must not specify --user in that case. However, for this protocol to be usable under a given
                              remote user, access to the USER@HOST:PORT tuple must also be allowed.
                              PROTO must be one of:
                              scpupload    allow SCP upload, you--bastion-->server
                              scpdownload  allow SCP download, you<--bastion--server
                              sftp         allow usage of the SFTP subsystem, through the bastion
                              rsync        allow usage of rsync, through the bastion

This command removes, from an existing bastion account, access to a given server, using the
egress keys of the group. The list of such servers is given by ``groupListGuestAccesses``

If you want to remove member access from an account to all the present and future servers
of the group, using the group key, please use ``groupDelMember`` instead.

If you want to remove access from an account from a group server but using their personal bastion
key instead of the group key, please use ``accountDelPersonalAccess`` instead.

This command is the opposite of ``groupAddGuestAccess``.
EOF
);

my $fnret;

if (not $ip and $host) {
    osh_exit 'ERR_INVALID_HOST',
      "Specified host ($host) didn't resolve correctly, fix your DNS or specify the IP instead";
}

$fnret = OVH::Bastion::Plugin::ACL::check(
    user     => $user,
    userAny  => $userAny,
    port     => $port,
    portAny  => $portAny,
    scpUp    => $scpUp,
    scpDown  => $scpDown,
    sftp     => $sftp,
    protocol => $protocol,
);
if (!$fnret) {
    help();
    osh_exit($fnret);
}
$user = $fnret->value->{'user'};
$port = $fnret->value->{'port'};

$fnret = OVH::Bastion::Plugin::groupSetRole::act(
    account        => $account,
    group          => $group,
    action         => 'del',
    type           => 'guest',
    user           => $user,
    port           => $port,
    host           => ($ip || $host),
    sudo           => 0,
    silentoverride => 0,
    self           => $self,
    scriptName     => $scriptName,
    savedArgs      => $savedArgs
);
help() if not $fnret;
osh_exit($fnret);
