-#!/bin/bash
-
-# This is a wrapper script for ssh access on Debian's static mirroring infrastructure.
-#
-# It limits the commands the master can run on static-mirroring mirrors (i.e.
-# the things running apache) on one hand, and also on static-mirroring sources,
-# that is the things that create the data.
-
-# Copyright (c) 2009, 2010, 2012 Peter Palfrader
-#
-# Permission is hereby granted, free of charge, to any person obtaining
-# a copy of this software and associated documentation files (the
-# "Software"), to deal in the Software without restriction, including
-# without limitation the rights to use, copy, modify, merge, publish,
-# distribute, sublicense, and/or sell copies of the Software, and to
-# permit persons to whom the Software is furnished to do so, subject to
-# the following conditions:
-#
-# The above copyright notice and this permission notice shall be
-# included in all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
-# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
-# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
-# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
-# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
-# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-
-set -e
-set -u
-
-MYLOGNAME="`basename "$0"`[$$]"
-COMPONENTLIST=/etc/static-components.conf
-
-usage() {
- echo "local Usage: $0 <basedir> <host>"
- echo "via ssh orig command:"
- echo " mirror <component> <serial>"
- echo " rsync ..."
- do_rsync "$remote_host" "$@"
-}
-
-one_more_arg() {
- if [ "$#" -lt 1 ]; then
- usage >&2
- exit 1
- fi
-}
-
-info() {
- logger -p daemon.info -t "$MYLOGNAME" "$1"
-}
-
-croak() {
- logger -s -p daemon.warn -t "$MYLOGNAME" "$1"
- exit 1
-}
-
-do_mirror() {
- local basedir="$1"; shift
- local remote_host="$1"; shift
- one_more_arg "$@"
- local component="$1"; shift
- one_more_arg "$@"
- local serial="$1"; shift
-
- masterhost="$(awk -v component="$component" '$2 == component {print $1; exit}' "$COMPONENTLIST")"
- if [ -z "$masterhost" ]; then
- croak "Did not find master for component $component."
- elif [ "$masterhost" != "$remote_host" ]; then
- croak "$remote_host is not master for $component."
- else
- info "Host $remote_host triggered a mirror run for $component, serial $serial"
- exec /usr/local/bin/static-mirror-run "$basedir/mirrors/$component" "$remote_host:$component/-new-" "$serial"
- echo >&2 "Exec failed"
- croak "exec failed"
- fi
-}
-
-do_rsync() {
- local remote_host="$1"
- shift
-
- local allowed_rsyncs
- allowed_rsyncs=()
-
- if [ -e "$COMPONENTLIST" ]; then
- for path in $(awk -v host="$(hostname -f)" '$3 == host {print $4}' $COMPONENTLIST); do
- allowed_rsyncs+=("--server --sender -lHtrze.iLsf --safe-links . $path/.")
- done
- fi
- for cmd_idx in ${!allowed_rsyncs[*]}; do
- allowed="${allowed_rsyncs[$cmd_idx]}"
- if [ "$*" = "$allowed" ]; then
- info "Running for host $remote_host: rsync $*"
- exec rsync "$@"
- echo >&2 "Exec failed"
- exit 1
- fi
- done
-
- info "NOT allowed for $remote_host: rsync $*"
- echo >&2 "This rsync command ($*) not allowed."
- exit 1
-}
-
-
-if [ "${1:-}" = "-h" ] || [ "${1:-}" = "--help" ]; then
- usage
- exit 0
-fi
-
-one_more_arg "$@"
-basedir="$1"
-shift
-
-one_more_arg "$@"
-remote_host="$1"
-shift
-
-
-# check/parse remote command line
-if [ -z "${SSH_ORIGINAL_COMMAND:-}" ] ; then
- croak "Did not find SSH_ORIGINAL_COMMAND"
-fi
-set "dummy" ${SSH_ORIGINAL_COMMAND}
-shift
-
-one_more_arg "$@"
-action="$1"
-shift
-
-case "$action" in
- mirror)
- do_mirror "$basedir" "$remote_host" "$@"
- ;;
- rsync)
- do_rsync "$remote_host" "$@"
- ;;
- *)
- croak "Invalid operation '$action'"
- ;;
-esac