aherman
/
the-bastion
mirror of https://github.com/ovh/the-bastion
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'jsonvalidator'
${ noResults }
the-bastion/bin/plugin/restricted/realmCreate

86 lines
3.1 KiB
Raw Permalink Blame History

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => "declare a new trusted realm on this bastion",
options => {
'realm=s' => \my $realm,
'public-key=s' => \my $pubKey,
'from=s' => \my $from,
'comment=s' => \my $comment,
},
helptext => <<'EOF',
Declare and create a new trusted realm
Usage: --osh SCRIPT_NAME --realm REALM --from IP1,IP2 [OPTIONS]
--realm REALM Realm name to create
--comment STRING An optional comment when creating the realm. Double-quote if you're under a shell.
--from IP1,IP2 Comma-separated list of outgoing IPs used by the realm we're declaring (i.e. IPs used by the bastion(s) on the other side)
the expected format is the one used by the from="" directive on SSH keys (IP and prefixes are supported)
--public-key KEY Public SSH key to deposit on the bastion to access this realm. If not present,
you'll be prompted interactively for it. Use double-quoting if your're under a shell.
EOF
);
# ugly hack for space-enabled parameter
# XXX should be removed, double quoting fixes the problem, but keep it for compatibility
if (ref $remainingOptions eq 'ARRAY' and @$remainingOptions) {
$pubKey .= " " . join(" ", @$remainingOptions);
}
my $fnret;
# params check
if (not $realm or not $from) {
help();
osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'realm' or 'from'";
}
my $account = "realm_$realm";
$fnret = OVH::Bastion::is_account_valid(account => $account, accountType => "realm");
$fnret or osh_exit $fnret;
$fnret = OVH::Bastion::is_account_existing(account => $account);
if ($fnret) {
osh_exit 'ERR_ALREADY_EXISTING', "This realm already exists";
}
# TODO check $from
if (!$pubKey) {
osh_info("Please paste the SSH key you want to add, which should be the egress key ");
osh_info("of the group on the other side you want members to have access to this realm.");
osh_info("\nThis bastion supports the following algorithms:\n\n");
# don't display info about generating keys, as the public key is supposed to already exist
# skip fido algos as the key is supposed to be the egress key of another bastion
OVH::Bastion::print_accepted_key_algorithms(way => "ingress", fido => 0, generate => 0);
osh_info("\nNote that your paste won't be echoed:");
$pubKey = <STDIN>;
}
$fnret = OVH::Bastion::is_valid_public_key(pubKey => $pubKey, way => 'ingress');
$fnret or osh_exit $fnret;
#
# Now create it
#
my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountCreate';
push @command, "--type", "realm", "--account", $realm, "--pubKey", $pubKey, "--always-active", "--uid-auto";
push @command, "--from", $from if $from;
push @command, "--comment", $comment if $comment;
osh_exit OVH::Bastion::helper(cmd => \@command);
Reference in new issue View Git Blame Copy Permalink