#!/bin/bash # info: check access key # options: ACCESS_KEY_ID SECRET_ACCESS_KEY COMMAND [IP] [FORMAT] # # example: v-check-access-key key_id secret v-purge-nginx-cache 127.0.0.1 json # # * Checks if the key exists; # * Checks if the secret belongs to the key; # * Checks if the key user is suspended; # * Checks if the key has permission to run the command. #----------------------------------------------------------# # Variables & Functions # #----------------------------------------------------------# access_key_id="$(basename "$1")" secret_access_key=$2 hst_command=$3 ip46=${4-127.0.0.1} format=${5-shell} # Includes # shellcheck source=/etc/hestiacp/hestia.conf source /etc/hestiacp/hestia.conf # shellcheck source=/usr/local/hestia/func/main.sh source $HESTIA/func/main.sh # load config file source_conf "$HESTIA/conf/hestia.conf" # Perform verification if read-only mode is enabled check_hestia_demo_mode time_n_date=$(date +'%T %F') time=$(echo "$time_n_date" | cut -f 1 -d \ ) date=$(echo "$time_n_date" | cut -f 2 -d \ ) # JSON list function json_list() { echo -n '{"USER": "'$user'"' if [[ -n "$user_arg_pos" ]]; then echo -n ', "USER_ARG_POSITION": '$user_arg_pos'' fi echo '}' } # SHELL list function shell_list() { echo "USER: $user" if [[ -n "$user_arg_pos" ]]; then echo "USER_ARG_POSITION: $user_arg_pos" fi } # Callback to intercept invalid result validation abort_missmatch() { echo "Error: $2" echo "$date $time ${access_key_id:-api} $ip46 failed to login" >> $HESTIA/log/auth.log # Add a log for user if [[ "$1" == "$E_PASSWORD" && -n "$user" ]]; then log_history "[$ip46] $access_key_id $2" "Error" "$user" "API" fi if [[ "$1" == "$E_FORBIDEN" ]]; then exit "$1" fi exit "$E_PASSWORD" } #----------------------------------------------------------# # Verifications # #----------------------------------------------------------# # Add a callback to intercept invalid "check_result" results CHECK_RESULT_CALLBACK="abort_missmatch" check_args '3' "$#" 'ACCESS_KEY_ID SECRET_ACCESS_KEY COMMAND [IP] [FORMAT]' is_format_valid 'access_key_id' 'ip46' 'command' is_object_valid 'key' 'KEY' "$access_key_id" is_format_valid 'secret_access_key' check_access_key_secret "$access_key_id" "$secret_access_key" user check_access_key_cmd "$access_key_id" "$hst_command" user_arg_pos # Check if key owner is active is_format_valid 'user' is_object_valid 'user' 'USER' "$user" export USER_DATA=$HESTIA/data/users/$user is_object_unsuspended 'user' 'USER' "$user" # Remove the check_result callback CHECK_RESULT_CALLBACK="" #----------------------------------------------------------# # Action # #----------------------------------------------------------# # Listing data case $format in json) json_list ;; shell) shell_list ;; esac #----------------------------------------------------------# # Hestia # #----------------------------------------------------------# # Logging log_history "[$ip46] Access key $access_key_id successfully launched with command $hst_command" "Info" "$user" "API" echo "$date $time $access_key_id $ip46 $hst_command successfully launched" >> $HESTIA/log/auth.log exit