feat: groupList/accountList: add --include --exclude

5 years ago · efe3710e4c
parent 3aa6e343fd
commit efe3710e4c
3 changed files with 61 additions and 7 deletions
--- a/bin/plugin/open/groupList
+++ b/bin/plugin/open/groupList
@ -9,17 +9,24 @@ use OVH::Result;
 use OVH::Bastion;
 use OVH::Bastion::Plugin qw( :DEFAULT help );

-my ($all);
 my $remainingOptions = OVH::Bastion::Plugin::begin(
-    argv     => \@ARGV,
-    header   => "group list",
-    options  => {'all' => \$all},
+    argv    => \@ARGV,
+    header  => "group list",
+    options => {
+        'all'       => \my $all,
+        'exclude=s' => \my @excludes,
+        'include=s' => \my @includes,
+    },
    helptext => <<'EOF',
 List the groups available on this bastion

-Usage: --osh SCRIPT_NAME [--all]
+Usage: --osh SCRIPT_NAME [--all] [--exclude|--include WILDCARD [--exclude|--include WILDCARD ..]]

-  --all  List all groups, even those to which you don't have access
+  --all               List all groups, even those to which you don't have access
+  --include WILDCARD  Only list groups that match the given WILDCARD string, '*' and '?' are recognized,
+                        this option can be used multiple times to refine results.
+  --exclude WILDCARD  Omit groups that match the given WILDCARD string, '*' and '?' are recognized,
+                        can be used multiple times. Note that --exclude takes precedence over --include
 EOF
 );

@ -28,8 +35,18 @@ my $fnret;
 $fnret = OVH::Bastion::get_group_list(groupType => "key");
 $fnret or osh_exit $fnret;

+my $includere = OVH::Bastion::build_re_from_wildcards(wildcards => \@includes)->value;
+my $excludere = OVH::Bastion::build_re_from_wildcards(wildcards => \@excludes)->value;
+
 my $result_hash = {};
 foreach my $name (sort keys %{$fnret->value}) {
+
+    # if we have excludes, match name against the built regex
+    next if ($excludere && $name =~ $excludere);
+
+    # same for includes
+    next if ($includere && $name !~ $includere);
+
    my @flags;
    push @flags, 'owner' if OVH::Bastion::is_group_owner(group => $name, cache => 1);
    push @flags, 'gatekeeper' if OVH::Bastion::is_group_gatekeeper(group => $name, cache => 1);
--- a/bin/plugin/restricted/accountList
+++ b/bin/plugin/restricted/accountList
@ -17,6 +17,8 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
        "realm-only"    => \my $realmOnly,
        "account=s"     => \my $account,
        "audit"         => \my $audit,
+        'exclude=s'     => \my @excludes,
+        'include=s'     => \my @includes,
    },
    helptext => <<'EOF',
 List the bastion accounts
@ -26,6 +28,10 @@ Usage: --osh SCRIPT_NAME [--account ACCOUNT] [--inactive-only] [--audit]
  --account ACCOUNT  Only list the specified account. This is an easy way to check whether the account exists
  --inactive-only    Only list inactive accounts
  --audit            Show more verbose information (SLOW!), you need to be a bastion auditor
+  --include WILDCARD  Only list accounts that match the given WILDCARD string, '*' and '?' are recognized,
+                        this option can be used multiple times to refine results.
+  --exclude WILDCARD  Omit accounts that match the given WILDCARD string, '*' and '?' are recognized,
+                        can be used multiple times. Note that --exclude takes precedence over --include
 EOF
 );

@ -63,10 +69,20 @@ if ($audit) {
    $fnretPassword = OVH::Bastion::helper(cmd => \@command);
 }

+# if we have excludes and/or includes, transform those into regexes
+my $includere = OVH::Bastion::build_re_from_wildcards(wildcards => \@includes)->value;
+my $excludere = OVH::Bastion::build_re_from_wildcards(wildcards => \@excludes)->value;
+
 my $result_hash = {};
 foreach my $account (sort keys %$accounts) {
-    my %states;

+    # if we have excludes, match name against the built regex
+    next if ($excludere && $account =~ $excludere);
+
+    # same for includes
+    next if ($includere && $account !~ $includere);
+
+    my %states;
    $states{'is_active'} = undef;
    $fnret = OVH::Bastion::is_account_active(account => $account);
    if ($fnret->is_ok) {
--- a/lib/perl/OVH/Bastion/allowkeeper.inc
+++ b/lib/perl/OVH/Bastion/allowkeeper.inc
@ -1046,4 +1046,25 @@ sub is_valid_ttl {
    return R('KO_INVALID_PARAMETER', msg => "Invalid TTL ($ttl), expected an amount of seconds, or a duration string such as '2d8h15m'");
 }

+# used by groupList and accountList
+sub build_re_from_wildcards {
+    my %params    = @_;
+    my $wildcards = $params{'wildcards'};
+
+    # to avoid modifying the caller's array
+    my @relist = @$wildcards;
+
+    # qr// is true, so return undef if there's nothing to build
+    return R('OK', value => undef) if !@relist;
+
+    for (@relist) {
+        $_ = quotemeta;
+        s/\\\*/.*/g;
+        s/\\\?/./g;
+        $_ = '^' . $_ . '$';
+    }
+    my $stringified = join("|", @relist);
+    return R('OK', value => qr/$stringified/);
+}
+
 1;