#! /usr/bin/env perl # vim: set filetype=perl ts=4 sw=4 sts=4 et: use common::sense; use File::Basename; use lib dirname(__FILE__) . '/../../../lib/perl'; use OVH::Result; use OVH::Bastion; use OVH::Bastion::Plugin qw( :DEFAULT help ); use OVH::Bastion::Plugin::ACL; my $remainingOptions = OVH::Bastion::Plugin::begin( argv => \@ARGV, header => "removing a server from a group", userAllowWildcards => 1, options => { "group=s" => \my $group, "protocol=s" => \my $protocol, "force" => \my $force, # undocumented/compatibility: "user-any" => \my $userAny, "port-any" => \my $portAny, "scpup" => \my $scpUp, "scpdown" => \my $scpDown, "sftp" => \my $sftp, }, helptext => <<'EOF', Remove an IP or IP block from a group's server list Usage: --osh SCRIPT_NAME --group GROUP --host HOST --user USER --port PORT [OPTIONS] --group GROUP Specify which group this machine should be removed from --host HOST|IP|PREFIX/SIZE Host(s) to remove access from, either a HOST which will be resolved to an IP immediately, or an IP, or a whole netblock using the PREFIX/SIZE notation --user USER|PATTERN|* Specify which remote user was allowed to connect as. Globbing characters '*' and '?' are supported, so you can specify a pattern that will be matched against the actual remote user name. If any user was allowed, use '--user *' (you might need to escape '*' from your shell) --port PORT|* Remote port that was allowed to connect to If any port was allowed, use '--port *' (you might need to escape '*' from your shell) --protocol PROTO Specify that a special protocol allowance should be removed from this HOST:PORT tuple, note that you must not specify --user in that case. PROTO must be one of: scpup allow SCP upload, you--bastion-->server scpdown allow SCP download, you<--bastion--server sftp allow usage of the SFTP subsystem, through the bastion rsync allow usage of rsync, through the bastion This command adds, to an existing bastion account, access to a given server, using the egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers`` If you want to add member access to an account to all the present and future servers of the group, using the group key, please use ``groupAddMember`` instead. If you want to add access to an account to a group server but using their personal bastion key instead of the group key, please use ``accountAddPersonalAccess`` instead. EOF ); my $fnret; if (not $group or not $ip) { help(); osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'host' or 'group' (or host didn't resolve correctly)"; } $fnret = OVH::Bastion::Plugin::ACL::check( user => $user, userAny => $userAny, port => $port, portAny => $portAny, scpUp => $scpUp, scpDown => $scpDown, sftp => $sftp, protocol => $protocol, ); if (!$fnret) { help(); osh_exit($fnret); } $user = $fnret->value->{'user'}; $port = $fnret->value->{'port'}; $fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => "key"); $fnret or osh_exit($fnret); # get returned untainted value $group = $fnret->value->{'group'}; my $shortGroup = $fnret->value->{'shortGroup'}; # # Now do it # $fnret = OVH::Bastion::is_group_aclkeeper(account => $self, group => $shortGroup, superowner => 1); $fnret or osh_exit 'ERR_NOT_GROUP_ACLKEEPER', "Sorry, you must be an aclkeeper of group $shortGroup to be able to delete servers from it"; my @command = qw{ sudo -n -u }; push @command, ($group, '--', '/usr/bin/env', 'perl', '-T', $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupAddServer'); push @command, '--group', $group; push @command, '--action', 'del'; push @command, '--ip', $ip; push @command, '--user', $user if $user; push @command, '--port', $port if $port; osh_exit OVH::Bastion::helper(cmd => \@command);