enh: plugins: add --protocol to handle scp, sftp, rsync

Replace --sftp --scpup --scpdown by --protocol PROTOCOL.
Also take the opportunity to replace --user-any by --user * and --port-any by --port *.
All the legacy options are still supported but are now undocumented.

bin/plugin/group-aclkeeper/groupAddServer

@@ -15,34 +15,41 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
     userAllowWildcards => 1,
     options            => {
         "group=s"          => \my $group,
-        "user-any"         => \my $userAny,
-        "port-any"         => \my $portAny,
-        "scpup"            => \my $scpUp,
-        "scpdown"          => \my $scpDown,
-        "sftp"             => \my $sftp,
+        "protocol=s"       => \my $protocol,
         "force"            => \my $force,           # for slashes, and/or for servers that are down (no connection test)
         "force-key=s"      => \my $forceKey,
         "force-password=s" => \my $forcePassword,
         "ttl=s"            => \my $ttl,
         "comment=s"        => \my $comment,
+        # undocumented/compatibility:
+        "user-any" => \my $userAny,
+        "port-any" => \my $portAny,
+        "scpup"    => \my $scpUp,
+        "scpdown"  => \my $scpDown,
+        "sftp"     => \my $sftp,
     },
     helptext => <<'EOF',
 Add an IP or IP block to a group's servers list
 
-Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS]
+Usage: --osh SCRIPT_NAME --group GROUP --host HOST --user USER|* --port PORT|* [OPTIONS]
 
   --group GROUP            Specify which group this machine should be added to
   --host HOST|IP|NET/CIDR  Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
                              or an IP, or a whole network using the NET/CIDR notation
-  --user USER              Specify which remote user should be allowed to connect as.
+  --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.
-  --user-any               Synonym of '--user *', allows connecting as any remote user.
-  --port PORT              Remote port allowed to connect to
-  --port-any               Allow access to any remote port
-  --scpup                  Allow SCP upload, you--bastion-->server (omit --user in this case)
-  --scpdown                Allow SCP download, you<--bastion--server (omit --user in this case)
-  --sftp                   Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
+                             To allow any user, use '--user *' (you might need to escape '*' from your shell)
+  --port PORT|*            Remote port allowed to connect to
+                             To allow any port, use '--port *' (you might need to escape '*' from your shell)
+  --protocol PROTO         Specify that a special protocol should be allowed for this HOST:PORT tuple, note that you
+                              must not specify --user in that case. However, for this protocol to be usable under a given
+                              remote user, access to the USER@HOST:PORT tuple must also be allowed.
+                              PROTO must be one of:
+                              scpup    allow SCP upload, you--bastion-->server
+                              scpdown  allow SCP download, you<--bastion--server
+                              sftp     allow usage of the SFTP subsystem, through the bastion
+                              rsync    allow usage of rsync, through the bastion
   --force                  Don't try the ssh connection, just add the host to the group blindly
   --force-key FINGERPRINT  Only use the key with the specified fingerprint to connect to the server (cf groupInfo)
   --force-password HASH    Only use the password with the specified hash to connect to the server (cf groupListPasswords)
@@ -51,8 +58,13 @@ Usage: --osh SCRIPT_NAME --group GROUP [OPTIONS]
 
 Examples::
 
-  --osh SCRIPT_NAME --group grp1 --host 203.0.113.0/24 --user-any --port-any --force --comment '"a whole network"'
-  --osh SCRIPT_NAME --group grp2 --host srv1.example.org --user root --port 22
+  --osh SCRIPT_NAME --group grp1 --host 203.0.113.0/24 --user '*' --port '*' --force --ttl 1d12h --comment '"a whole network"'
+  --osh SCRIPT_NAME --group grp2 --host srv1.example.org --user data --port 22
+  --osh SCRIPT_NAME --group grp2 --host srv1.example.org --user file --port 22
+
+Example to allow using sftp to srv1.example.org using remote user 'data' or 'file', in addition to the above commands::
+
+  --osh SCRIPT_NAME --group grp2 --host srv1.example.org --port 22 --protocol sftp
 EOF
 );
 
@@ -65,19 +77,21 @@ if (not $group or not $ip) {
 }
 
 $fnret = OVH::Bastion::Plugin::ACL::check(
-    user    => $user,
-    userAny => $userAny,
-    port    => $port,
-    portAny => $portAny,
-    scpUp   => $scpUp,
-    scpDown => $scpDown,
-    sftp    => $sftp
+    user     => $user,
+    userAny  => $userAny,
+    port     => $port,
+    portAny  => $portAny,
+    scpUp    => $scpUp,
+    scpDown  => $scpDown,
+    sftp     => $sftp,
+    protocol => $protocol,
 );
 if (!$fnret) {
     help();
     osh_exit($fnret);
 }
 $user = $fnret->value->{'user'};
+$port = $fnret->value->{'port'};
 
 $fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => "key");
 $fnret or osh_exit($fnret);
@@ -127,7 +141,6 @@ if (not $force) {
         forcePassword => $forcePassword
     );
     if ($fnret->is_ok and $fnret->err ne 'OK') {
-
         # we have something to say, say it
         osh_info $fnret->msg;
     }

bin/plugin/group-aclkeeper/groupDelServer

@@ -14,31 +14,37 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
     header             => "removing a server from a group",
     userAllowWildcards => 1,
     options            => {
-        "group=s"  => \my $group,
+        "group=s"    => \my $group,
+        "protocol=s" => \my $protocol,
+        "force"      => \my $force,
+        # undocumented/compatibility:
         "user-any" => \my $userAny,
         "port-any" => \my $portAny,
         "scpup"    => \my $scpUp,
         "scpdown"  => \my $scpDown,
         "sftp"     => \my $sftp,
-        "force"    => \my $force,
     },
     helptext => <<'EOF',
 Remove an IP or IP block from a group's server list
 
-Usage: --osh SCRIPT_NAME --group GROUP --host HOST [OPTIONS]
+Usage: --osh SCRIPT_NAME --group GROUP --host HOST --user USER --port PORT [OPTIONS]
 
   --group GROUP            Specify which group this machine should be removed from
   --host HOST|IP|NET/CIDR  Host(s) to remove access from, either a HOST which will be resolved to an IP immediately,
                              or an IP, or a whole network using the NET/CIDR notation
-  --user USER              Specify which remote user was allowed to connect as.
+  --user USER|PATTERN|*    Specify which remote user was allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.
-  --user-any               Synonym of '--user *', allowed connecting as any remote user.
-  --port PORT              Remote port that was allowed to connect to
-  --port-any               Use when access was allowed to any remote port
-  --scpup                  Remove SCP upload right, you--bastion-->server (omit --user in this case)
-  --scpdown                Remove SCP download right, you<--bastion--server (omit --user in this case)
-  --sftp                   Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
+                             If any user was allowed, use '--user *' (you might need to escape '*' from your shell)
+  --port PORT|*            Remote port that was allowed to connect to
+                             If any port was allowed, use '--port *' (you might need to escape '*' from your shell)
+  --protocol PROTO         Specify that a special protocol allowance should be removed from this HOST:PORT tuple, note that you
+                              must not specify --user in that case.
+                              PROTO must be one of:
+                              scpup    allow SCP upload, you--bastion-->server
+                              scpdown  allow SCP download, you<--bastion--server
+                              sftp     allow usage of the SFTP subsystem, through the bastion
+                              rsync    allow usage of rsync, through the bastion
 
 This command adds, to an existing bastion account, access to a given server, using the
 egress keys of the group. The list of eligible servers for a given group is given by ``groupListServers``
@@ -60,19 +66,21 @@ if (not $group or not $ip) {
 }
 
 $fnret = OVH::Bastion::Plugin::ACL::check(
-    user    => $user,
-    userAny => $userAny,
-    port    => $port,
-    portAny => $portAny,
-    scpUp   => $scpUp,
-    scpDown => $scpDown,
-    sftp    => $sftp
+    user     => $user,
+    userAny  => $userAny,
+    port     => $port,
+    portAny  => $portAny,
+    scpUp    => $scpUp,
+    scpDown  => $scpDown,
+    sftp     => $sftp,
+    protocol => $protocol,
 );
 if (!$fnret) {
     help();
     osh_exit($fnret);
 }
 $user = $fnret->value->{'user'};
+$port = $fnret->value->{'port'};
 
 $fnret = OVH::Bastion::is_valid_group_and_existing(group => $group, groupType => "key");
 $fnret or osh_exit($fnret);

bin/plugin/group-gatekeeper/groupAddGuestAccess

@@ -22,6 +22,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
         "scpup"     => \my $scpUp,
         "scpdown"   => \my $scpDown,
         "sftp"      => \my $sftp,
+        "rsync"     => \my $rsync,
         "ttl=s"     => \my $ttl,
         "comment=s" => \my $comment,
     },
@@ -44,6 +45,7 @@ Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
   --scpup                  Allow SCP upload, you--bastion-->server (omit --user in this case)
   --scpdown                Allow SCP download, you<--bastion--server (omit --user in this case)
   --sftp                   Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
+  --rsync                  Allow usage of rsync through the bastion
   --ttl SECONDS|DURATION  specify a number of seconds after which the access will automatically expire
   --comment '"ANY TEXT"'  add a comment alongside this access.
                             If omitted, we'll use the closest preexisting group access' comment as seen in groupListServers
@@ -76,7 +78,8 @@ $fnret = OVH::Bastion::Plugin::ACL::check(
     portAny => $portAny,
     scpUp   => $scpUp,
     scpDown => $scpDown,
-    sftp    => $sftp
+    sftp    => $sftp,
+    rsync   => $rsync,
 );
 if (!$fnret) {
     help();

bin/plugin/group-gatekeeper/groupDelGuestAccess

@@ -22,6 +22,7 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
         "scpup"     => \my $scpUp,
         "scpdown"   => \my $scpDown,
         "sftp"      => \my $sftp,
+        "rsync"     => \my $rsync,
     },
     helptext => <<'EOF',
 Remove a specific group server access from an account
@@ -41,6 +42,7 @@ Usage: --osh SCRIPT_NAME --group GROUP --account ACCOUNT [OPTIONS]
   --scpup                  Remove SCP upload right, you--bastion-->server (omit --user in this case)
   --scpdown                Remove SCP download right, you<--bastion--server (omit --user in this case)
   --sftp                   Remove usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
+  --rsync                  Remove usage of rsync through the bastion
 
 This command removes, from an existing bastion account, access to a given server, using the
 egress keys of the group. The list of such servers is given by ``groupListGuestAccesses``
@@ -69,7 +71,8 @@ $fnret = OVH::Bastion::Plugin::ACL::check(
     portAny => $portAny,
     scpUp   => $scpUp,
     scpDown => $scpDown,
-    sftp    => $sftp
+    sftp    => $sftp,
+    rsync   => $rsync,
 );
 if (!$fnret) {
     help();

bin/plugin/restricted/accountAddPersonalAccess

@@ -16,34 +16,41 @@ my $remainingOptions = OVH::Bastion::Plugin::begin(
     userAllowWildcards => 1,
     options            => {
         "account=s"        => \my $account,
-        "user-any"         => \my $userAny,
-        "port-any"         => \my $portAny,
-        "scpup"            => \my $scpUp,
-        "scpdown"          => \my $scpDown,
-        "sftp"             => \my $sftp,
+        "protocol=s"       => \my $protocol,
         "force-key=s"      => \my $forceKey,
         "force-password=s" => \my $forcePassword,
         "ttl=s"            => \my $ttl,
         "comment=s"        => \my $comment,
+        # undocumented/compatibility:
+        "user-any" => \my $userAny,
+        "port-any" => \my $portAny,
+        "scpup"    => \my $scpUp,
+        "scpdown"  => \my $scpDown,
+        "sftp"     => \my $sftp,
     },
     helptext => <<'EOF',
 Add a personal server access to an account
 
-Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST [OPTIONS]
+Usage: --osh SCRIPT_NAME --account ACCOUNT --host HOST --user USER --port PORT [OPTIONS]
 
   --account                Bastion account to add the access to
   --host HOST|IP|NET/CIDR  Host(s) to add access to, either a HOST which will be resolved to an IP immediately,
                              or an IP, or a whole network using the NET/CIDR notation
-  --user USER              Specify which remote user should be allowed to connect as.
+  --user USER|PATTERN|*    Specify which remote user should be allowed to connect as.
                              Globbing characters '*' and '?' are supported, so you can specify a pattern
                              that will be matched against the actual remote user name.
-  --user-any               Synonym of '--user *', allows connecting as any remote user.
-  --port PORT              Remote port allowed to connect to
-  --port-any               Allow access to any remote port
-  --scpup                  Allow SCP upload, you--bastion-->server (omit --user in this case)
-  --scpdown                Allow SCP download, you<--bastion--server (omit --user in this case)
-  --sftp                   Allow usage of the SFTP subsystem, you<--bastion-->server (omit --user in this case)
-  --force-key FINGERPRINT  Only use the key with the specified fingerprint to connect to the server (cf selfListEgressKeys)
+                             To allow any user, use '--user *' (you might need to escape '*' from your shell)
+  --port PORT|*            Remote port allowed to connect to
+                             To allow any port, use '--port *' (you might need to escape '*' from your shell)
+  --protocol PROTO         Specify that a special protocol should be allowed for this HOST:PORT tuple, note that you
+                              must not specify --user in that case. However, for this protocol to be usable under a given
+                              remote user, access to the USER@HOST:PORT tuple must also be allowed.
+                              PROTO must be one of:
+                              scpup    allow SCP upload, you--bastion-->server
+                              scpdown  allow SCP download, you<--bastion--server
+                              sftp     allow usage of the SFTP subsystem, through the bastion
+                              rsync    allow usage of rsync, through the bastion
+  --force-key FINGERPRINT  Only use the key with the specified fingerprint to connect to the server (cf accountListEgressKeys)
   --force-password HASH    Only use the password with the specified hash to connect to the server (cf accountListPasswords)
   --ttl SECONDS|DURATION   Specify a number of seconds (or a duration string, such as "1d7h8m") after which the access will automatically expire
   --comment "'ANY TEXT'"   Add a comment alongside this server. Quote it twice as shown if you're under a shell.
@@ -88,26 +95,32 @@ if (!$ip) {
 }
 
 $fnret = OVH::Bastion::Plugin::ACL::check(
-    user    => $user,
-    userAny => $userAny,
-    port    => $port,
-    portAny => $portAny,
-    scpUp   => $scpUp,
-    scpDown => $scpDown,
-    sftp    => $sftp
+    user     => $user,
+    userAny  => $userAny,
+    port     => $port,
+    portAny  => $portAny,
+    scpUp    => $scpUp,
+    scpDown  => $scpDown,
+    sftp     => $sftp,
+    protocol => $protocol,
 );
 if (!$fnret) {
     help();
     osh_exit($fnret);
 }
 $user = $fnret->value->{'user'};
+$port = $fnret->value->{'port'};
 
 if (defined $ttl) {
     $fnret = OVH::Bastion::is_valid_ttl(ttl => $ttl);
     $fnret or osh_exit $fnret;
     $ttl = $fnret->value->{'seconds'};
 }
 
+if ($forceKey && $forcePassword) {
+    osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --force-key and --force-password at the same time";
+}
+
 if (not $account) {
     help();
     osh_exit 'ERR_MISSING_PARAMETER', "Missing mandatory parameter 'account'";
@@ -129,9 +142,9 @@ if ($forcePassword) {
     $forcePassword = $fnret->value->{'hash'};
 }
 
-if ($forceKey && $forcePassword) {
-    osh_exit 'ERR_INCOMPATIBLE_PARAMETERS', "Can't use --force-key and --force-password at the same time";
-}
+#
+# Now do it
+#
 
 # check plugin config
 if ($pluginConfig && $pluginConfig->{'self_remote_user_only'}) {