#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
use OVH::Bastion::Plugin::ACL;

my $remainingOptions = OVH::Bastion::Plugin::begin(
    argv               => \@ARGV,
    header             => "removing personal access to a server from an account",
    userAllowWildcards => 1,
    options            => {
        "account=s"  => \my $account,
        "protocol=s" => \my $protocol,
        # undocumented/compatibility:
        "user-any" => \my $userAny,
        "port-any" => \my $portAny,
        "scpup"    => \my $scpUp,
        "scpdown"  => \my $scpDown,
        "sftp"     => \my $sftp,
    },
    helptext => <<'EOF',
Remove a personal server access from an account

Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST --user USER --port PORT [OPTIONS]

  --account                Bastion account to remove access from
  --host HOST|IP|SUBNET    Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
                             or an IP, or a whole subnet using the PREFIX/SIZE notation
  --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                             Globbing characters '*' and '?' are supported, so you can specify a pattern
                             that will be matched against the actual remote user name.
                             If any user was allowed, use '--user *' (you might need to escape '*' from your shell)
  --port PORT|*            Remote port that was allowed to connect to
                             If any port was allowed, use '--port *' (you might need to escape '*' from your shell)
  --protocol PROTO         Specify that a special protocol allowance should be removed from this HOST:PORT tuple, note that you
                              must not specify --user in that case.
                              PROTO must be one of:
                              scpupload    allow SCP upload, you--bastion-->server
                              scpdownload  allow SCP download, you<--bastion--server
                              sftp         allow usage of the SFTP subsystem, through the bastion
                              rsync        allow usage of rsync, through the bastion
EOF
);

my $fnret;

if (!$ip) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Missing parameter 'host' or didn't resolve correctly";
}

$fnret = OVH::Bastion::Plugin::ACL::check(
    user     => $user,
    userAny  => $userAny,
    port     => $port,
    portAny  => $portAny,
    scpUp    => $scpUp,
    scpDown  => $scpDown,
    sftp     => $sftp,
    protocol => $protocol,
);
if (!$fnret) {
    help();
    osh_exit($fnret);
}
$user = $fnret->value->{'user'};
$port = $fnret->value->{'port'};

if (not $account) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'account'";
}

$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
$fnret or osh_exit $fnret;
$account = $fnret->value->{'account'};

my @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess';
push @command, '--target',  'any';
push @command, '--action',  'del';
push @command, '--account', $account;
push @command, '--ip',      $ip;
push @command, '--user',    $user if $user;
push @command, '--port',    $port if $port;

osh_exit OVH::Bastion::helper(cmd => \@command);
