You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
the-bastion/bin/plugin/group-aclkeeper/groupDelServer

110 lines
4.3 KiB

#! /usr/bin/env perl
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
use common::sense;
use File::Basename;
use lib dirname(__FILE__) . '/../../../lib/perl';
use OVH::Result;
use OVH::Bastion;
use OVH::Bastion::Plugin qw( :DEFAULT help );
use OVH::Bastion::Plugin::ACL;
my $remainingOptions = OVH::Bastion::Plugin::begin(
argv => \@ARGV,
header => "removing a server from a group",
userAllowWildcards => 1,
options => {
"group=s" => \my $group,
"protocol=s" => \my $protocol,
"force" => \my $force,
# undocumented/compatibility:
"user-any" => \my $userAny,
"port-any" => \my $portAny,
"scpup" => \my $scpUp,
"scpdown" => \my $scpDown,
"sftp" => \my $sftp,
},
helptext => <<'EOF',
Remove an IP or IP block from a group's server list
Usage: --osh SCRIPT_NAME --group GROUP --host HOST --user USER --port PORT [OPTIONS]
--group GROUP Specify which group this machine should be removed from
--host HOST|IP|SUBNET Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole subnet using the PREFIX/SIZE notation
--user USER|PATTERN|* Specify which remote user was allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
If any user was allowed, use '--user *' (you might need to escape '*' from your shell)
--port PORT|* Remote port that was allowed to connect to
If any port was allowed, use '--port *' (you might need to escape '*' from your shell)
--protocol PROTO Specify that a special protocol allowance should be removed from this HOST:PORT tuple, note that you
must not specify --user in that case.
PROTO must be one of:
scpup allow SCP upload, you--bastion-->server
scpdown allow SCP download, you<--bastion--server
sftp allow usage of the SFTP subsystem, through the bastion
rsync allow usage of rsync, through the bastion
This command adds, to an existing bastion account, access to a given server, using the
egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers``
If you want to add member access to an account to all the present and future servers
of the group, using the group key, please use ``groupAddMember`` instead.
If you want to add access to an account to a group server but using their personal bastion
key instead of the group key, please use ``accountAddPersonalAccess`` instead.
EOF
);
my $fnret;
if (not $group or not $ip) {
help();
osh_exit 'ERR_MISSING_PARAMETER',
"Missing mandatory parameter 'host' or 'group' (or host didn't resolve correctly)";
}
$fnret = OVH::Bastion::Plugin::ACL::check(
user => $user,
userAny => $userAny,
port => $port,
portAny => $portAny,
scpUp => $scpUp,
scpDown => $scpDown,
sftp => $sftp,
protocol => $protocol,
);
if (!$fnret) {
help();
osh_exit($fnret);
}
$user = $fnret->value->{'user'};
$port = $fnret->value->{'port'};
$fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => "key");
$fnret or osh_exit($fnret);
# get returned untainted value
$group = $fnret->value->{'group'};
my $shortGroup = $fnret->value->{'shortGroup'};
#
# Now do it
#
$fnret = OVH::Bastion::is_group_aclkeeper(account => $self, group => $shortGroup, superowner => 1);
$fnret
or osh_exit 'ERR_NOT_GROUP_ACLKEEPER',
"Sorry, you must be an aclkeeper of group $shortGroup to be able to delete servers from it";
my @command = qw{ sudo -n -u };
push @command, ($group, '--', '/usr/bin/env', 'perl', '-T', $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupAddServer');
push @command, '--group', $group;
push @command, '--action', 'del';
push @command, '--ip', $ip;
push @command, '--user', $user if $user;
push @command, '--port', $port if $port;
osh_exit OVH::Bastion::helper(cmd => \@command);