Also add the merged files/templates

[dsa-puppet.git] / modules / roles / files / static-mirroring / staticsync-ssh-wrap

#!/bin/bash

# Copyright (c) 2009, 2010, 2012 Peter Palfrader
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be
# included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

set -e
set -u

MYLOGNAME="`basename "$0"`[$$]"
BASEDIR="/home/staticsync/static-master"
COMPONENTLIST=/etc/static-components.conf

usage() {
        echo "local Usage: $0 <host>"
        echo "via ssh orig command:"
        echo "                      mirror <component> <serial>"
        echo "                      rsync <stuff>"
        echo "                      static-master-update-component <component>"
}

one_more_arg() {
        if [ "$#" -lt 1 ]; then
                usage >&2
                exit 1
        fi
}

info() {
        logger -p daemon.info -t "$MYLOGNAME" "$1"
}

croak() {
        logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
        exit 1
}

do_mirror() {
        local remote_host="$1"; shift
        one_more_arg "$@"
        local component="$1"; shift
        one_more_arg "$@"
        local serial="$1"; shift

        masterhost="$(awk -v component="$component" '$2 == component {print $1; exit}' "$COMPONENTLIST")"
        if [ -z "$masterhost" ]; then
                croak "Did not find master for component $component."
        elif [ "$masterhost" != "$remote_host" ]; then
                croak "$remote_host is not master for $component."
        else
                info "Host $remote_host triggered a mirror run for $component, serial $serial"
                exec /usr/local/bin/static-mirror-run "$BASEDIR/mirrors/$component" "$remote_host:$component/-new-" "$serial"
                echo >&2 "Exec failed"
                croak "exec failed"
        fi
}

do_rsync_on_master() {
        local remote_host="$1"; shift
        local args="--server --sender -vlHtrze.iLsf --safe-links ."

        for component in $(awk -v this_host="$(hostname -f)" '$1 == this_host {print $2}' $COMPONENTLIST); do
                if [ "$*" = "$args $component/-new-/" ] || [ "$*" = "$args ./$component/-new-/" ] ; then
                        local path="$BASEDIR/master/$component-current-push"
                        info "serving $remote_host with $path"
                        exec rsync $args "$path/."
                        croak "Exec failed"
                elif [ "$*" = "$args $component/-live-/" ] || [ "$*" = "$args ./$component/-live-/" ] ; then
                        local path="$BASEDIR/master/$component-current-live"
                        info "host $remote_host wants $path, acquiring lock"
                        exec 200< "$path"
                        if ! flock -s -w 0 200; then
                        echo >&2 "Cannot acquire shared lock on $path - this should mean an update is already underway anyway."
                        exit 1
                        fi
                        exec rsync $args "$path/."
                        croak "Exec failed"
                fi
        done
}

do_rsync_on_source() {
        local remote_host="$1"
        shift

        local allowed_rsyncs
        allowed_rsyncs=()

        if [ -e "$COMPONENTLIST" ]; then
                for path in $(awk -v host="$(hostname -f)" '$3 == host {print $4}' $COMPONENTLIST); do
                        allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.")
                done
        fi
        for cmd_idx in ${!allowed_rsyncs[*]}; do
                allowed="${allowed_rsyncs[$cmd_idx]}"
                if [ "$*" = "$allowed" ]; then
                        info "Running for host $remote_host: rsync $*"
                        exec rsync "$@"
                        croak "Exec failed"
                fi
        done
}

do_rsync() {
        do_rsync_on_master "$@"
        do_rsync_on_source "$@"

        info "NOT allowed for $remote_host: rsync $*"
        echo >&2 "This rsync command ($@) not allowed."
        exit 1
}

do_update_component() {
        local remote_host="$1"; shift

        one_more_arg "$@"
        component="$1"
        shift

        hit="$(
                awk -v this_host="$(hostname -f)" -v component="$component" -v host="$remote_host" '
                        $1 == this_host && $2 == component {
                                if ($3 == host) {
                                        print $4
                                        exit
                                }
                                split($5,extra,",")
                                for (i in extra) {
                                        if (host == extra[i]) {
                                                printf "%s:%s\n", $3, $4
                                                exit
                                        }
                                }
                                exit
                        }' "$COMPONENTLIST"
                )"
        if [ -n "$hit" ]; then
                exec static-master-update-component "$component"
                echo >&2 "Exec failed"
                croak "exec failed"
        else
                info "Not whitelisted: $remote_host update $component"
                echo >&2 "Not whitelisted: $remote_host update $component"
                exit 1
        fi
}


if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
        usage
        exit 0
fi

one_more_arg "$@"
remote_host="$1"
shift


# check/parse remote command line
if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
        croak "Did not find SSH_ORIGINAL_COMMAND"
fi
set "dummy" ${SSH_ORIGINAL_COMMAND}
shift

info "host $remote_host called with $*"

one_more_arg "$@"
action="$1"
shift

case "$action" in
        # on a static mirror, update a component from its master
        mirror)
                do_mirror "$remote_host" "$@"
                ;;
        # on a static source, allow fetching from the master,
        # on a master, allow fetching from a component's mirrors
        rsync)
                do_rsync "$remote_host" "$@"
                ;;
        # on a master, initiate an update of a component
        static-master-update-component)
                do_update_component "$remote_host" "$@"
                ;;
        *)
                croak "Invalid operation '$action'"
                ;;
esac