chore: update tasks

.vscode/tasks.json

@@ -17,6 +17,14 @@
       "problemMatcher": [],
       "detail": "build podman image using buildah"
     },
+    {
+      "label": "GitOps(Build): all images",
+      "type": "shell",
+      "command": ".bin/gitops build all",
+      "group": "build",
+      "problemMatcher": [],
+      "detail": "build podman image using buildah"
+    },
     {
       "label": "GitOps: Clean dangling images",
       "type": "shell",
@@ -25,20 +33,12 @@
       "detail": "Clean podman images"
     },
     {
-      "label": "Gitops(Update): build-base.sh",
+      "label": "GitOps(Update): Containerfile",
       "type": "shell",
-      "command": ".bin/gitops update base",
+      "command": ".bin/gitops update containerfile",
       "group": "build",
       "problemMatcher": [],
-      "detail": "Copy build-base.sh to /home/infilytics/.local/bin/"
-    },
-    {
-      "label": "GitOps(Update): build-workspace.sh",
-      "type": "shell",
-      "command": ".bin/gitops update workspace",
-      "group": "build",
-      "problemMatcher": [],
-      "detail": "Copy build-workspace.sh to /home/infilytics/.local/bin/"
+      "detail": "Copy Containerfile to $HOME/"
     },
     {
       "label": "GitOps(Update): ssh_router.sh",
@@ -46,15 +46,7 @@
       "command": ".bin/gitops update ssh_router",
       "group": "build",
       "problemMatcher": [],
-      "detail": "Copy ssh_router.sh to /home/infilytics/.local/bin/"
-    },
-    {
-      "label": "GitOps(Update): access.yml",
-      "type": "shell",
-      "command": ".bin/gitops update access",
-      "group": "build",
-      "problemMatcher": [],
-      "detail": "Copy access.yml to /home/infilytics/"
+      "detail": "Copy ssh_router.sh to $HOME/.local/bin/"
     },
     {
       "label": "GitOps(Update): gitops_router.sh",
@@ -62,7 +54,7 @@
       "command": ".bin/gitops update gitops_router",
       "group": "build",
       "problemMatcher": [],
-      "detail": "Copy gitops_router.sh to /home/infilytics/.local/bin"
+      "detail": "Copy gitops_router.sh to $HOME/.local/bin"
     },
     {
       "label": "GitOps(Update): home.tar.gz",
@@ -70,7 +62,7 @@
       "command": ".bin/gitops update home_tar",
       "group": "build",
       "problemMatcher": [],
-      "detail": "Copy home.tar.gz to /home/infilytics/"
+      "detail": "Copy home.tar.gz to $HOME/"
     },
     {
       "label": "GitOps(Update): gitconfig.template",
@@ -78,7 +70,15 @@
       "command": ".bin/gitops update gitconfig",
       "group": "build",
       "problemMatcher": [],
-      "detail": "Copy gitconfig.template to /home/infilytics/"
+      "detail": "Copy gitconfig.template to $HOME/"
+    },
+    {
+      "label": "GitOps(Update): validate_command_access.sh",
+      "type": "shell",
+      "command": ".bin/gitops update validate_command",
+      "group": "build",
+      "problemMatcher": [],
+      "detail": "Copy validate_command_access.sh to $HOME/.local/bin"
     },
     {
       "label": "Create home tarball",

access.yml

@@ -1,48 +0,0 @@
-pallav:
-  name: Pallav Vasa
-  email: pallav@infilytics.in
-  commands:
-    build:
-      - base
-      - workspace
-      - all
-    update:
-      - access
-      - ssh_router
-      - gitops_router
-      - home_tar
-      - gitconfig
-      - containerfile
-    clean:
-    status:
-    remove:
-      - palak
-      - param
-      - darshan
-  rw:
-    - darshan
-    - param
-    - palak
-
-darshan:
-  name: Darshan Parmar
-  email: darshan@infilytics.in
-  rw:
-    - param
-  ro:
-    - pallav
-
-param:
-  name: Param Makawana
-  email: param@infilytics.in
-  ro:
-    - pallav
-    - darshan
-
-palak:
-  name: Palak Vasa
-  email: pakak@infilytics.in
-  ro:
-    - pallav
-    - param
-    - darshan

authorized_keys

@@ -1,5 +0,0 @@
-command="cd %h && ./local/bin/ssh_router.sh pallav",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK0il/OJiXygyPWYBt05+OQYjJPxgGuP3kP9hLsD/C7x phoenix@sphinx
-command="cd %h && ./local/bin/ssh_router.sh pallav",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIArjJAFfhq8LFJX0aqlhUbUNDglmshEJVeLbfXgdo2mU palla@Sphinx
-command="cd %h && ./local/bin/ssh_router.sh param",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDo3+p2DNLONpS2xsw5bSSrB+OA3a+MZqK29c0AutP63R8iDsrzFnea+Zz4L1Lcl8gFoPft3iL0ASYNeVZBHosQVL4lJc1qk/V6kD1h72oPZHNWBboZN1TKAG023L81if6xeIZu9x8Fzc/LWp487PHsjrI0wvK1ngqKwXiD1hUfIg3fjJMENx4TzFllaG4TA6Kd35rAes6exHwauC+9UALTz1Hns891S8j8j1Mlv52Ujadkc49jFcmsiWMBgGjZo3SnDANFqp9LPcCWNNI7W3H9oQ1A6jxmMf0sQN8i2Xks8mNEPzr41VJksq7WPWlclXLVH6ME+ZVR2gsQGnaz7WhA8oaG9q/2SPJRbluZG15GWsUPZ/fOEPZgU+eFwV8MThQzFY2N495S+L1zyeUDYJtfTMDkjCCzT0Rnd0Pv/afGnmz8AfbmO4+o8aTAUpvHZEibqIWzAuC6gruFKYQQEjr8Jev7kfDaWBCVtLaWII965HFtwUtmGql/1tXyixOiAes= param@param
-command="cd %h && ./local/bin/ssh_router.sh palak",no-port-forwarding,no-agent-forwarding,no-X14-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINNwPgVHczFkb32aW/bNS6XMLKh3YXNUoKHXYdtj5X5B infilytics\palak@Palakv
-command="cd %h && ./local/bin/gitops_router.sh pallav",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcfbbXNTsoXO+tNwYFsFbz/qkvv5OWH1/TNHaKJb0r3 "pallav@infilytics.in"

gitops_router.sh

@@ -159,11 +159,12 @@ update)
   case "${args[0]}" in
   containerfile) update 0 Containerfile . 500 ;;
   access) update 1 access.yml . 400 ;;
+  authorized_keys) update 1 access.yml . 400 ;;
   ssh_router) update 0 ssh_router.sh .local/bin 500 ;;
   gitops_router) update 0 gitops_router.sh .local/bin 500 ;;
-  validate_command) update 1 validate_command_access.sh .local/bin 500 ;;
+  validate_command) update 0 validate_command_access.sh .local/bin 500 ;;
   home_tar) update 0 home.tar.gz . 500 media ;;
-  gitconfig) update 1 gitconfig.template . 500 ;;
+  gitconfig) update 0 gitconfig.template . 500 ;;
   *) log ERROR "update: invalid arg '${args[0]}'" ;;
   esac
   ;;

tests/test_validate_command_access.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+set -e
+
+cat >access.yml <<EOF
+pallav:
+  fixedArgsCommands:
+    build:
+      - base
+      - workspace
+      - all
+    clean:
+    status:
+  multiArgsCommands:
+    remove:
+      - palak
+      - param
+      - darshan
+EOF
+
+source ./validate_command_access.sh
+
+testcase() {
+  local desc="$1"
+  shift
+  if validate_command pallav "$@"; then
+    echo "PASS: $desc"
+  else
+    echo "FAIL: $desc"
+  fi
+}
+
+testcase "build base (valid)" build base
+testcase "build all (valid)" build all
+testcase "build base workspace (invalid)" build base workspace || true
+testcase "build (no arg, invalid)" build || true
+testcase "clean (zero-arg, valid)" clean
+testcase "clean with arg (invalid)" clean foo || true
+
+testcase "remove palak (valid)" remove palak
+testcase "remove param palak (valid, any order)" remove param palak
+testcase "remove palak param darshan (valid, any order)" remove palak param darshan
+testcase "remove (no arg, invalid)" remove || true
+testcase "remove foo (invalid)" remove foo || true
+testcase "remove palak palak (duplicate, invalid)" remove palak palak || true
+
+testcase "status (zero-arg, valid)" status
+testcase "status foo (invalid)" status foo || true

validate_command_access.sh

@@ -0,0 +1,83 @@
+#!/usr/bin/env bash
+
+validate_command() {
+  local PERSON="$1"
+  local cmd="$2"
+  shift 2
+  local tokens=("$@")
+  local yaml="access.yml"
+
+  # Check if fixedArgsCommands.<cmd> exists
+  local is_fixed
+  is_fixed="$(yq e ".\"$PERSON\".fixedArgsCommands | has(\"$cmd\")" "$yaml")"
+  # Check if multiArgsCommands.<cmd> exists
+  local is_multi
+  is_multi="$(yq e ".\"$PERSON\".multiArgsCommands | has(\"$cmd\")" "$yaml")"
+
+  if [[ "$is_fixed" != "true" && "$is_multi" != "true" ]]; then
+    echo "ERROR: Command '$cmd' not allowed for $PERSON" >&2
+    return 1
+  fi
+
+  # Exclude flags from positional args
+  local args=()
+  for tok in "${tokens[@]}"; do
+    [[ "$tok" == -* ]] && continue
+    args+=("$tok")
+  done
+
+  if [[ "$is_fixed" == "true" ]]; then
+    mapfile -t allowed < <(yq e ".\"$PERSON\".fixedArgsCommands.\"$cmd\"[]" "$yaml" 2>/dev/null)
+    local n_allowed="${#allowed[@]}"
+    if [[ $n_allowed -eq 0 ]]; then
+      # zero-arg command
+      if [[ ${#args[@]} -ne 0 ]]; then
+        echo "ERROR: Command '$cmd' takes no arguments" >&2
+        return 1
+      fi
+    else
+      # depth is 1: only one of the allowed choices must be present
+      if [[ ${#args[@]} -ne 1 ]]; then
+        echo "ERROR: Command '$cmd' requires exactly 1 argument: (${allowed[*]})" >&2
+        return 1
+      fi
+      local found=0
+      for want in "${allowed[@]}"; do
+        [[ "${args[0]}" == "$want" ]] && found=1 && break
+      done
+      if [[ $found -eq 0 ]]; then
+        echo "ERROR: Invalid argument '${args[0]}' for '$cmd'; allowed: (${allowed[*]})" >&2
+        return 1
+      fi
+    fi
+    return 0
+  fi
+
+  if [[ "$is_multi" == "true" ]]; then
+    mapfile -t allowed < <(yq e ".\"$PERSON\".multiArgsCommands.\"$cmd\"[]" "$yaml" 2>/dev/null)
+    local n_allowed="${#allowed[@]}"
+    if [[ ${#args[@]} -lt 1 || ${#args[@]} -gt $n_allowed ]]; then
+      echo "ERROR: Command '$cmd' requires 1 to $n_allowed arguments: (${allowed[*]})" >&2
+      return 1
+    fi
+
+    # Order doesn't matter, but all must be unique and from allowed.
+    # Build a set of allowed args.
+    declare -A allowed_set=()
+    for want in "${allowed[@]}"; do allowed_set["$want"]=1; done
+
+    declare -A seen=()
+    for a in "${args[@]}"; do
+      [[ -z "${allowed_set[$a]}" ]] && {
+        echo "ERROR: Invalid argument '$a' for '$cmd'; allowed: (${allowed[*]})" >&2
+        return 1
+      }
+      [[ -n "${seen[$a]}" ]] && {
+        echo "ERROR: Duplicate argument '$a' for '$cmd'" >&2
+        return 1
+      }
+      seen["$a"]=1
+    done
+    return 0
+  fi
+}