#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;

use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );

my $remainingOptions = OVH::Bastion::Plugin::begin(
    argv    => \@ARGV,
    header  => "access list of a bastion account",
    options => {
        "account=s"   => \my $account,
        "hide-groups" => \my $hideGroups,
        "reverse-dns" => \my $reverse,
        "include=s"   => \my @includes,
        "exclude=s"   => \my @excludes,
    },
    helptext => <<'EOF',
View the expanded access list of a given bastion account

Usage: --osh SCRIPT_NAME --account ACCOUNT [--hide-groups] [--reverse-dns]

  --account ACCOUNT  The account to work on
  --hide-groups      Don't show the machines the accouns has access to through group rights.
                       In other words, list only the account's personal accesses.
  --reverse-dns      Attempt to resolve the reverse hostnames (SLOW!)
  --include PATTERN  Only include accesses matching the given PATTERN (see below)
                        This option can be used multiple times to refine results
  --exclude PATTERN  Omit accesses matching the given PATTERN (see below)
                        This option can be used multiple times.
                        Note that --exclude takes precedence over --include

**Note:** PATTERN supports the ``*`` and ``?`` wildcards.
If PATTERN is a simple string without wildcards, then names containing this string will be considered.
The matching is done on the text output of the command.
EOF
);

my $fnret;

if (not $account) {
    help();
    osh_exit 'ERR_MISSING_PARAMETER', "missing mandatory parameter account";
}

$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
$fnret or osh_exit $fnret;
$account = $fnret->value->{'account'};

$fnret = OVH::Bastion::get_acls(account => $account);
$fnret or osh_exit $fnret;

if (!OVH::Bastion::is_auditor(account => $self)) {
    osh_info "NOTE: you're not a bastion auditor, hence you won't be able to";
    osh_info "see access lists of groups you're not yourself a member of.";
    osh_info ' ';
}

if (not @{$fnret->value}) {
    osh_ok R('OK_EMPTY', msg => "This account has no registered accesses to machines through this bastion yet");
}

osh_info "This account has access to the following servers:";
osh_info ' ';

OVH::Bastion::print_acls(
    acls       => $fnret->value,
    reverse    => $reverse,
    hideGroups => $hideGroups,
    includes   => \@includes,
    excludes   => \@excludes
);
osh_ok($fnret);
