mirror of https://github.com/ovh/the-bastion
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
117 lines
4.4 KiB
117 lines
4.4 KiB
#! /usr/bin/env perl
|
|
# vim: set filetype=perl ts=4 sw=4 sts=4 et:
|
|
use common::sense;
|
|
|
|
use File::Basename;
|
|
use lib dirname(__FILE__) . '/../../../lib/perl';
|
|
use OVH::Result;
|
|
use OVH::Bastion;
|
|
use OVH::Bastion::Plugin qw( :DEFAULT help );
|
|
use OVH::Bastion::Plugin::ACL;
|
|
|
|
my $remainingOptions = OVH::Bastion::Plugin::begin(
|
|
argv => \@ARGV,
|
|
header => "adding personal access to a server on an account",
|
|
options => {
|
|
"account=s" => \my $account,
|
|
"user-any" => \my $userAny,
|
|
"port-any" => \my $portAny,
|
|
"scpup" => \my $scpUp,
|
|
"scpdown" => \my $scpDown,
|
|
"sftp" => \my $sftp,
|
|
"force-key=s" => \my $forceKey,
|
|
"force-password=s" => \my $forcePassword,
|
|
"ttl=s" => \my $ttl,
|
|
"comment=s" => \my $comment,
|
|
},
|
|
helptext => <<'EOF',
|
|
Add a personal server access to an account
|
|
|
|
Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST [OPTIONS]
|
|
|
|
--account Bastion account to add the access to
|
|
--host IP|HOST|IP/MASK Server to add access to
|
|
--user USER Remote login to use, if you want to allow any login, use --user-any
|
|
--user-any Allow access with any remote login
|
|
--port PORT Remote SSH port to use, if you want to allow any port, use --port-any
|
|
--port-any Allow access to all remote ports
|
|
--scpup Allow SCP upload, you--bastion-->server (omit --user in this case)
|
|
--scpdown Allow SCP download, you<--bastion--server (omit --user in this case)
|
|
--sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
|
|
--force-key FINGERPRINT Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
|
|
--force-password HASH Only use the password with the specified hash to connect to the server (cf accountListPasswords)
|
|
--ttl SECONDS|DURATION Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
|
|
--comment "'ANY TEXT'" Add a comment alongside this server. Quote it twice as shown if you're under a shell.
|
|
|
|
The access will work only if one of the account's personal egress public key has been copied to the remote server.
|
|
To get the list of an account's personal egress public keys, see ``accountListEgressKeyss`` and ``selfListEgressKeys``.
|
|
EOF
|
|
);
|
|
|
|
my $fnret;
|
|
|
|
if (!$ip) {
|
|
help();
|
|
osh_exit 'ERR_MISSING_PARAMETER', "Missing parameter 'host' or didn't resolve correctly";
|
|
}
|
|
|
|
$fnret = OVH::Bastion::Plugin::ACL::check(
|
|
user => $user,
|
|
userAny => $userAny,
|
|
port => $port,
|
|
portAny => $portAny,
|
|
scpUp => $scpUp,
|
|
scpDown => $scpDown,
|
|
sftp => $sftp
|
|
);
|
|
if (!$fnret) {
|
|
help();
|
|
osh_exit($fnret);
|
|
}
|
|
$user = $fnret->value->{'user'};
|
|
|
|
if (defined $ttl) {
|
|
$fnret = OVH::Bastion::is_valid_ttl(ttl => $ttl);
|
|
$fnret or osh_exit $fnret;
|
|
$ttl = $fnret->value->{'seconds'};
|
|
}
|
|
|
|
if (not $account) {
|
|
help();
|
|
osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'account'";
|
|
}
|
|
|
|
$fnret = OVH::Bastion::is_bastion_account_valid_and_existing(account => $account);
|
|
$fnret or osh_exit $fnret;
|
|
$account = $fnret->value->{'account'};
|
|
|
|
if ($forceKey) {
|
|
$fnret = OVH::Bastion::is_valid_fingerprint(fingerprint => $forceKey);
|
|
$fnret or osh_exit $fnret;
|
|
$forceKey = $fnret->value->{'fingerprint'};
|
|
}
|
|
|
|
if ($forcePassword) {
|
|
$fnret = OVH::Bastion::is_valid_hash(hash => $forcePassword);
|
|
$fnret or osh_exit $fnret;
|
|
$forcePassword = $fnret->value->{'hash'};
|
|
}
|
|
|
|
osh_info "Can't verify whether $account\'s personal key has been installed to the remote server, "
|
|
. "as you don't have access to their private keys, adding the access blindly";
|
|
|
|
my @command = qw{ sudo -n -u allowkeeper -- /usr/bin/env perl -T };
|
|
push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess';
|
|
push @command, '--target', 'any';
|
|
push @command, '--action', 'add';
|
|
push @command, '--account', $account;
|
|
push @command, '--ip', $ip;
|
|
push @command, '--user', $user if $user;
|
|
push @command, '--port', $port if $port;
|
|
push @command, '--force-key', $forceKey if $forceKey;
|
|
push @command, '--force-password', $forcePassword if $forcePassword;
|
|
push @command, '--ttl', $ttl if $ttl;
|
|
push @command, '--comment', $comment if $comment;
|
|
|
|
osh_exit OVH::Bastion::helper(cmd => \@command);
|