Commit

chore: adapt help messages for wildcard --user support
speed47 committed Jul 2, 2024
1 parent 927f8dc commit 7bb412f
Showing 16 changed files with 197 additions and 130 deletions.
19 changes: 10 additions & 9 deletions bin/plugin/group-aclkeeper/groupAddServer
Expand Up @@ -31,22 +31,23 @@ Add an IP or IP block to a group's servers list
Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS]
--group GROUP Specify which group this machine should be added to (it should have the public group key of course)
--host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP,
or a whole network using the NET/CIDR notation
--user USER Specify which remote user should be allowed (root, run, etc...).
Globbing characters '*' and '?' are supported.
--user-any Synonym of '--user *', allows any remote user (the remote user should still have the public group key in all cases)
--port PORT Only allow access to this port (e.g. 22)
--port-any Allow access to any port
--group GROUP Specify which group this machine should be added to
--host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allows connecting as any remote user.
--port PORT Remote port allowed to connect to
--port-any Allow access to any remote port
--scpup Allow SCP upload, you--bastion-->server (omit --user in this case)
--scpdown Allow SCP download, you<--bastion--server (omit --user in this case)
--sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
--force Don't try the ssh connection, just add the host to the group blindly
--force-key FINGERPRINT Only use the key with the specified fingerprint to connect to the server (cf groupInfo)
--force-password HASH Only use the password with the specified hash to connect to the server (cf groupListPasswords)
--ttl SECONDS|DURATION Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
--comment '"ANY TEXT'" Add a comment alongside this server
--comment "'ANY TEXT'" Add a comment alongside this server. Quote it twice as shown if you're under a shell.
Examples::
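Review bot: the rewritten `--group` and `--user-any` lines drop the only reminder that the remote account must hold the group's public egress key (the old text said so twice: "it should have the public group key of course" and "the remote user should still have the public group key in all cases"). Now that `--user` accepts a glob and `--user-any` is a synonym of `--user *`, an operator can grant a pattern rather than a known login, so that prerequisite is worth keeping in one place, e.g. append "(the remote user must still have the group's public key installed)" to the `--user-any` line. The `--comment` quoting fix from `'"ANY TEXT'"` to `"'ANY TEXT'"` is correct.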
24 changes: 18 additions & 6 deletions bin/plugin/group-aclkeeper/groupDelServer
Expand Up @@ -25,17 +25,29 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
helptext => <<'EOF',
Remove an IP or IP block from a group's server list
Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS]
Usage: --osh SCRIPT_NAME --group GROUP --host HOST [OPTIONS]
--group GROUP Specify which group this machine should be removed from
--host HOST|IP|NET/CIDR Host(s) we want to remove access to
--user USER Remote user that was allowed, if any user was allowed, use --user-any
--user-any Use if any remote login was allowed
--port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any
--port-any Use if any remote port was allowed
--host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user was allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allowed connecting as any remote user.
--port PORT Remote port that was allowed to connect to
--port-any Use when access was allowed to any remote port
--scpup Remove SCP upload right, you--bastion-->server (omit --user in this case)
--scpdown Remove SCP download right, you<--bastion--server (omit --user in this case)
--sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
This command adds, to an existing bastion account, access to a given server, using the
egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers``
If you want to add member access to an account to all the present and future servers
of the group, using the group key, please use ``groupAddMember`` instead.
If you want to add access to an account to a group server but using their personal bastion
key instead of the group key, please use ``accountAddPersonalAccess`` instead.
EOF
);

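Review bot: the unchanged trailing paragraph of this helptext (from "This command adds, to an existing bastion account, access to a given server, using the egress keys of the group" through "please use ``accountAddPersonalAccess`` instead.") describes adding a guest access, not removing a server from a group: it says "adds", points at ``groupListServers``, ``groupAddMember`` and ``accountAddPersonalAccess``, and sits in groupDelServer. Since this commit already rewrites the option list here, replace that paragraph with a description of what groupDelServer does (or drop it); otherwise `--osh groupDelServer --help` tells operators the opposite of what the command does. The new Usage line, which now requires `--host HOST`, matches the option list and is fine.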
24 changes: 14 additions & 10 deletions bin/plugin/group-gatekeeper/groupAddGuestAccess
Expand Up @@ -30,16 +30,20 @@ Add a specific group server access to an account
Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
--group GROUP group to add guest access to
--account ACCOUNT name of the other bastion account to add access to, they'll be given access to the GROUP key
--host HOST|IP add access to this HOST (which must belong to the GROUP)
--user USER allow connecting to HOST only with remote login USER
--user-any allow connecting to HOST with any remote login
--port PORT allow connecting to HOST only to remote port PORT
--port-any allow connecting to HOST with any remote port
--scpup allow SCP upload, you--bastion-->server (omit --user in this case)
--scpdown allow SCP download, you<--bastion--server (omit --user in this case)
--sftp allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
--account ACCOUNT Name of the other bastion account to add access to, they'll be given access to the GROUP key
--group GROUP Group to add the guest access to, note that this group should already have access
to the USER/HOST/PORT tuple you'll specify with the options below.
--host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allows connecting as any remote user.
--port PORT Remote port allowed to connect to
--port-any Allow access to any remote port
--scpup Allow SCP upload, you--bastion-->server (omit --user in this case)
--scpdown Allow SCP download, you<--bastion--server (omit --user in this case)
--sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
--ttl SECONDS|DURATION specify a number of seconds after which the access will automatically expire
--comment '"ANY TEXT"' add a comment alongside this access.
If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers
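Review bot: two context lines are left inconsistent with the wording this commit introduces in groupAddServer: `--ttl SECONDS|DURATION specify a number of seconds after which the access will automatically expire` omits the duration-string form ("1d7h8m") that the groupAddServer `--ttl` help documents, and `--comment '"ANY TEXT"'` keeps the old quoting while groupAddServer now shows `"'ANY TEXT'"` with the "Quote it twice as shown if you're under a shell" hint. Align both (and capitalise their first word as the new lines above do) so the guest-access help matches the group-access help. The new `--group` note that the group must already have access to the USER/HOST/PORT tuple is a useful precondition to state explicitly.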
25 changes: 14 additions & 11 deletions bin/plugin/group-gatekeeper/groupDelGuestAccess
Expand Up @@ -28,24 +28,27 @@ Remove a specific group server access from an account
Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
--group GROUP group to remove guest access from
--account ACCOUNT name of the other bastion account to remove access from
--host HOST|IP remove access from this HOST (which must belong to the GROUP)
--user USER allow connecting to HOST only with remote login USER
--user-any allow connecting to HOST with any remote login
--port PORT allow connecting to HOST only to remote port PORT
--port-any allow connecting to HOST with any remote port
--scpup allow SCP upload, you--bastion-->server (omit --user in this case)
--scpdown allow SCP download, you<--bastion--server (omit --user in this case)
--sftp allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
--group GROUP Specify which group to remove the guest access to ACCOUNT from
--account ACCOUNT Bastion account remove the guest access from
--host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user was allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allowed connecting as any remote user.
--port PORT Remote port that was allowed to connect to
--port-any Use when access was allowed to any remote port
--scpup Remove SCP upload right, you--bastion-->server (omit --user in this case)
--scpdown Remove SCP download right, you<--bastion--server (omit --user in this case)
--sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
This command removes, from an existing bastion account, access to a given server, using the
egress keys of the group. The list of such servers is given by ``groupListGuestAccesses``
If you want to remove member access from an account to all the present and future servers
of the group, using the group key, please use ``groupDelMember`` instead.
If you want to remove access from an account from a group server but using his personal bastion
If you want to remove access from an account from a group server but using their personal bastion
key instead of the group key, please use ``accountDelPersonalAccess`` instead.
This command is the opposite of ``groupAddGuestAccess``.
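Review bot: the new line `--account ACCOUNT Bastion account remove the guest access from` is missing a word; it should read `Bastion account to remove the guest access from`. The `his` to `their` change in the context paragraph is fine.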
13 changes: 8 additions & 5 deletions bin/plugin/restricted/accountAddPersonalAccess
Expand Up @@ -32,11 +32,14 @@ Add a personal server access to an account
Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST [OPTIONS]
--account Bastion account to add the access to
--host IP|HOST|IP/MASK Server to add access to
--user USER Remote login to use, globbing characters '?' and '*' are supported
--user-any Allow access with any remote login (synonym of ``--user *``)
--port PORT Remote SSH port to use, if you want to allow any port, use --port-any
--port-any Allow access to all remote ports
--host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allows connecting as any remote user.
--port PORT Remote port allowed to connect to
--port-any Allow access to any remote port
--scpup Allow SCP upload, you--bastion-->server (omit --user in this case)
--scpdown Allow SCP download, you<--bastion--server (omit --user in this case)
--sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
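Review bot: the context line `--account Bastion account to add the access to` still lacks an argument placeholder, whereas every other option in this list shows one (`--host HOST|IP|NET/CIDR`, `--user USER`, `--port PORT`) and the Usage line reads `--account ACCOUNT`; change it to `--account ACCOUNT` while this help text is being touched.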
21 changes: 12 additions & 9 deletions bin/plugin/restricted/accountDelPersonalAccess
Expand Up @@ -26,15 +26,18 @@ Remove a personal server access from an account
Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST [OPTIONS]
--account Bastion account to remove access from
--host IP|HOST|IP/MASK Server to remove access from
--user USER Remote user that was allowed, if any user was allowed, use --user-any
--user-any Use if any remote login was allowed
--port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any
--port-any Use if any remote port was allowed
--scpup Remove SCP upload right, you--bastion-->server (omit --user in this case)
--scpdown Remove SCP download right, you<--bastion--server (omit --user in this case)
--sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
--account Bastion account to remove access from
--host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user was allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allowed connecting as any remote user.
--port PORT Remote port that was allowed to connect to
--port-any Use when access was allowed to any remote port
--scpup Remove SCP upload right, you--bastion-->server (omit --user in this case)
--scpdown Remove SCP download right, you<--bastion--server (omit --user in this case)
--sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
EOF
);

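Review bot: the `--account Bastion account to remove access from` line is removed and re-added with identical text (presumably a column realignment), but still lacks the `ACCOUNT` placeholder that the Usage line (`--account ACCOUNT`) and the other options in this list use; since the line is being rewritten anyway, make it `--account ACCOUNT`.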
15 changes: 9 additions & 6 deletions bin/plugin/restricted/selfAddPersonalAccess
Expand Up @@ -27,15 +27,18 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
"comment=s" => \my $comment,
},
helptext => <<'EOF',
Add a personal server access on your account
Add a personal server access to your account
Usage: --osh SCRIPT_NAME --host HOST [OPTIONS]
--host IP|HOST|IP/MASK Server to add access to
--user USER Remote login to use, globbing characters '?' and '*' are supported
--user-any Allow access with any remote login (synonym of ``--user *``)
--port PORT Remote SSH port to use, if you want to allow any port, use --port-any
--port-any Allow access to all remote ports
--host HOST|IP|NET/CIDR Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user should be allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allows connecting as any remote user.
--port PORT Remote port allowed to connect to
--port-any Allow access to any remote port
--scpup Allow SCP upload, you--bastion-->server (omit --user in this case)
--scpdown Allow SCP download, you<--bastion--server (omit --user in this case)
--sftp Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
19 changes: 11 additions & 8 deletions bin/plugin/restricted/selfDelPersonalAccess
Expand Up @@ -25,14 +25,17 @@ Remove a personal server access from your account
Usage: --osh SCRIPT_NAME --host HOST [OPTIONS]
--host IP|HOST|IP/MASK Server to remove access from
--user USER Remote user that was allowed, if any user was allowed, use --user-any
--user-any Use if any remote login was allowed
--port PORT Remote SSH port that was allowed, if any port was allowed, use --port-any
--port-any Use if any remote port was allowed
--scpup Remove SCP upload right, you--bastion-->server (omit --user in this case)
--scpdown Remove SCP download right, you<--bastion--server (omit --user in this case)
--sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
--host HOST|IP|NET/CIDR Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
or an IP, or a whole network using the NET/CIDR notation
--user USER Specify which remote user was allowed to connect as.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
--user-any Synonym of '--user *', allowed connecting as any remote user.
--port PORT Remote port that was allowed to connect to
--port-any Use when access was allowed to any remote port
--scpup Remove SCP upload right, you--bastion-->server (omit --user in this case)
--scpdown Remove SCP download right, you<--bastion--server (omit --user in this case)
--sftp Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
EOF
);

21 changes: 11 additions & 10 deletions doc/sphinx/plugins/group-aclkeeper/groupAddServer.rst
Expand Up @@ -16,29 +16,30 @@ Add an IP or IP block to a group's servers list

.. option:: --group GROUP

Specify which group this machine should be added to (it should have the public group key of course)
Specify which group this machine should be added to

.. option:: --host HOST|IP|NET/CIDR

Host(s) to add access to, either a HOST which will be resolved to an IP immediately, or an IP,
Host(s) to add access to, either a HOST which will be resolved to an IP immediately,

or a whole network using the NET/CIDR notation
or an IP, or a whole network using the NET/CIDR notation
.. option:: --user USER

Specify which remote user should be allowed (root, run, etc...).
Specify which remote user should be allowed to connect as.

Globbing characters '*' and '?' are supported.
Globbing characters '*' and '?' are supported, so you can specify a pattern
that will be matched against the actual remote user name.
.. option:: --user-any

Synonym of '--user *', allows any remote user (the remote user should still have the public group key in all cases)
Synonym of '--user *', allows connecting as any remote user.
.. option:: --port PORT

Only allow access to this port (e.g. 22)
Remote port allowed to connect to

.. option:: --port-any

Allow access to any port
Allow access to any remote port

.. option:: --scpup

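Review bot: the reStructuredText produced from the wrapped option descriptions is malformed in this hunk. Each two-line description is emitted with a blank line between its halves (`Host(s) to add access to, either a HOST which will be resolved to an IP immediately,` then a blank line, then `or an IP, or a whole network using the NET/CIDR notation`), so Sphinx renders the second half as a separate paragraph; and the directives `.. option:: --user USER`, `.. option:: --user-any` and `.. option:: --port PORT` directly follow description text with no blank line before them, so they will be parsed as continuation text of the preceding paragraph rather than as directives. The helptext-to-rst conversion should join the continuation lines of one option description into a single paragraph and always emit a blank line before the next `.. option::`.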
Expand Down Expand Up @@ -68,9 +69,9 @@ Add an IP or IP block to a group's servers list

Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire

.. option:: --comment '"ANY TEXT'"
.. option:: --comment "'ANY TEXT'"

Add a comment alongside this server
Add a comment alongside this server. Quote it twice as shown if you're under a shell.


Examples::