#!/bin/bash
# info: check access key
# options: ACCESS_KEY_ID SECRET_ACCESS_KEY COMMAND [IP] [FORMAT]
#
# example: v-check-access-key key_id secret v-purge-nginx-cache 127.0.0.1 json
#
# * Checks if the key exists;
# * Checks if the secret belongs to the key;
# * Checks if the key user is suspended;
# * Checks if the key has permission to run the command.
#----------------------------------------------------------#
# Variables & Functions #
#----------------------------------------------------------#
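# Positional arguments.
# The key id is reduced to its basename so a caller cannot steer the
# later key lookup (is_object_valid 'key') outside the keys directory
# with "../" segments. The secret arrives on argv and is therefore
# visible to other local users through `ps` for the lifetime of this
# script; callers should be aware of that (the argument interface is
# kept unchanged here).
access_key_id="$(basename "$1")"
secret_access_key=$2
hst_command=$3
# `${4-…}` substitutes the default only when $4 is unset: an explicitly
# empty IP is kept empty and shows up as such in the auth.log lines.
ip=${4-127.0.0.1}
format=${5-shell}

# Includes
# shellcheck source=/etc/hestiacp/hestia.conf
source /etc/hestiacp/hestia.conf
# shellcheck source=/usr/local/hestia/func/main.sh
source "$HESTIA/func/main.sh"
# load config file
source_conf "$HESTIA/conf/hestia.conf"

# Perform verification if read-only mode is enabled
check_hestia_demo_mode

# Timestamp for the auth.log entries: a single date(1) call, split into
# time (%T, no spaces) and date (%F) so both fields describe the same
# instant.
read -r time date <<< "$(date +'%T %F')"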
# JSON list function
#
# Prints the verification result as a one-line JSON object: the key
# owner under USER and, when $user_arg_pos is non-empty (presumably
# filled by check_access_key_cmd), the position of the user argument for
# the requested command under USER_ARG_POSITION.
# Reads the globals $user and $user_arg_pos.
json_list() {
	local payload="{\"USER\": \"$user\""
	if [[ -n "$user_arg_pos" ]]; then
		payload+=", \"USER_ARG_POSITION\": $user_arg_pos"
	fi
	printf '%s}\n' "$payload"
}
# SHELL list function
#
# Prints the verification result as KEY: value lines: the key owner
# (USER) and, only when $user_arg_pos is non-empty, the position of the
# user argument for the requested command (USER_ARG_POSITION).
# Reads the globals $user and $user_arg_pos.
shell_list() {
	printf 'USER: %s\n' "$user"
	if [[ -n "$user_arg_pos" ]]; then
		printf 'USER_ARG_POSITION: %s\n' "$user_arg_pos"
	fi
}
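# Callback to intercept invalid result validation
#
# Installed as CHECK_RESULT_CALLBACK for the verification phase, so every
# failed check is routed here instead of check_result's default exit.
#   $1 - error code of the failing check (E_PASSWORD, E_FORBIDEN, ...)
#   $2 - human-readable error message
# Prints the message, records the failed attempt in auth.log and exits.
# Every failure other than E_FORBIDEN is reported as E_PASSWORD, so the
# exit status does not reveal whether the key exists (no key enumeration
# through the API error code).
abort_missmatch() {
	local code=$1 message=$2
	# The key id and the IP may not have passed is_format_valid yet when
	# this runs (they are exactly what it rejects), so strip line breaks
	# before they are written, keeping one auth.log entry per line.
	local log_key=${access_key_id:-api} log_ip=$ip
	log_key=${log_key//[$'\r\n']/}
	log_ip=${log_ip//[$'\r\n']/}
	echo "Error: $message"
	echo "$date $time $log_key $log_ip failed to login" >> "$HESTIA/log/auth.log"
	# Add a log for user
	# Only when a secret check failed and $user is already known (it is
	# the out-variable passed to check_access_key_secret), so the entry
	# can be attributed to the key owner.
	if [[ "$code" == "$E_PASSWORD" && -n "$user" ]]; then
		log_history "[$log_ip] $log_key $message" "Error" "$user" "API"
	fi
	if [[ "$code" == "$E_FORBIDEN" ]]; then
		exit "$code"
	fi
	exit "$E_PASSWORD"
}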
#----------------------------------------------------------#
# Verifications #
#----------------------------------------------------------#
# Add a callback to intercept invalid "check_result" results
# While the callback is installed, every failing check below ends in
# abort_missmatch (auth.log entry + exit) instead of check_result's own
# exit path.
CHECK_RESULT_CALLBACK="abort_missmatch"
check_args '3' "$#" 'ACCESS_KEY_ID SECRET_ACCESS_KEY COMMAND [IP] [FORMAT]'
# NOTE(review): the command argument is stored in $hst_command above and
# nothing in this file assigns $command. If is_format_valid resolves each
# name to the variable of the same name, 'command' here checks an empty
# value and the COMMAND argument is only validated by
# check_access_key_cmd — confirm against func/main.sh.
is_format_valid 'access_key_id' 'ip' 'command'
# Order matters: key existence, then secret, then command permission.
# A failure at any step leaves the script through the callback.
is_object_valid 'key' 'KEY' "$access_key_id"
is_format_valid 'secret_access_key'
# The last argument of the next two calls is a variable name; the helpers
# appear to fill $user (key owner) and $user_arg_pos (position of the
# user argument for the command), which json_list/shell_list print.
check_access_key_secret "$access_key_id" "$secret_access_key" user
check_access_key_cmd "$access_key_id" "$hst_command" user_arg_pos
# Check if key owner is active
# $user was produced by a helper rather than typed by the caller, but it
# is still format-checked before being used to build USER_DATA.
is_format_valid 'user'
is_object_valid 'user' 'USER' "$user"
export USER_DATA=$HESTIA/data/users/$user
is_object_unsuspended 'user' 'USER' "$user"
# Remove the check_result callback
CHECK_RESULT_CALLBACK=""
#----------------------------------------------------------#
# Action #
#----------------------------------------------------------#
# Listing data
# Print the result in the requested format. Any other value of $format
# prints nothing, exactly as before (there is no default branch).
if [[ "$format" == "json" ]]; then
	json_list
elif [[ "$format" == "shell" ]]; then
	shell_list
fi
#----------------------------------------------------------#
# Hestia #
#----------------------------------------------------------#
# Logging
# Success path: one history entry attributed to the key owner and one
# auth.log line. A bare `exit` keeps the status of the last command (the
# auth.log append), so a failed log write is not masked.
log_history "[$ip] Access key $access_key_id successfully launched with command $hst_command" "Info" "$user" "API"
printf '%s %s %s %s %s successfully launched\n' "$date" "$time" "$access_key_id" "$ip" "$hst_command" >> "$HESTIA/log/auth.log"
exit