|
|
|
@ -4,7 +4,7 @@ set -euo pipefail
|
|
|
|
|
PERSON="${1:?Missing PERSON argument}"
|
|
|
|
|
HOST="alps:3222"
|
|
|
|
|
PROTOCOL="http"
|
|
|
|
|
REPO="babbarc/workspaces"
|
|
|
|
|
REPO=("babbarc/workspaces" "babbarc/workspaces-sec-alps-infilytics")
|
|
|
|
|
BRANCH="master"
|
|
|
|
|
LOG_FILE="/tmp/.gitops-router-${PERSON}.log"
|
|
|
|
|
|
|
|
|
@ -39,9 +39,9 @@ log() {
|
|
|
|
|
# ─────────────────────────────────────────────
|
|
|
|
|
# Build the raw URL for fetching files
|
|
|
|
|
geturl() {
|
|
|
|
|
local type="$1" file="$2"
|
|
|
|
|
local repo="$1" type="$2" file="$3"
|
|
|
|
|
printf '%s://%s/%s/%s/branch/%s/%s\n' \
|
|
|
|
|
"$PROTOCOL" "$HOST" "$REPO" "$type" "$BRANCH" "$file"
|
|
|
|
|
"$PROTOCOL" "$HOST" "${REPO[$repo]}" "$type" "$BRANCH" "$file"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ─────────────────────────────────────────────
|
|
|
|
@ -53,13 +53,13 @@ run() {
|
|
|
|
|
|
|
|
|
|
# ─────────────────────────────────────────────
|
|
|
|
|
# Download & install an artifact
|
|
|
|
|
# update <file> <target-dir> <mode> [<type>]
|
|
|
|
|
# update <repo> <file> <target-dir> <mode> [<type>]
|
|
|
|
|
update() {
|
|
|
|
|
local file="$1" dir="$2" mode="$3" type="${4:-raw}"
|
|
|
|
|
local repo="$1" file="$2" dir="$3" mode="$4" type="${5:-raw}"
|
|
|
|
|
local url out
|
|
|
|
|
|
|
|
|
|
out="$HOME/$dir/$(basename "$file")"
|
|
|
|
|
url="$(geturl "$type" "$file")"
|
|
|
|
|
url="$(geturl "$repo" "$type" "$file")"
|
|
|
|
|
|
|
|
|
|
[[ -f "$out" ]] && chmod 700 "$out"
|
|
|
|
|
|
|
|
|
@ -127,69 +127,8 @@ remove_containers() {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
# ─────────────────────────────────────────────
|
|
|
|
|
# validate_command <cmd> [<tok1> <tok2> …]
|
|
|
|
|
validate_command() {
|
|
|
|
|
local cmd="$1"
|
|
|
|
|
shift
|
|
|
|
|
local tokens=("$@")
|
|
|
|
|
local yaml="$HOME/access.yml"
|
|
|
|
|
|
|
|
|
|
# 1) Is command allowed at all?
|
|
|
|
|
if [[ "$(yq e ".\"$PERSON\".commands | has(\"$cmd\")" "$yaml")" != "true" ]]; then
|
|
|
|
|
log ERROR "Unauthorized command: '$cmd'"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# 2) Load allowed args for this cmd (may be empty array)
|
|
|
|
|
mapfile -t allowed < <(yq e ".\"$PERSON\".commands.${cmd}[]" "$yaml")
|
|
|
|
|
|
|
|
|
|
if [[ "${#allowed[@]}" -eq 0 ]]; then
|
|
|
|
|
log ERROR "No allowed arguments for command '$cmd' in $yaml"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
# 3) Extract just the non-flag tokens
|
|
|
|
|
local args=()
|
|
|
|
|
for tok in "${tokens[@]}"; do
|
|
|
|
|
[[ "$tok" == -* ]] && continue
|
|
|
|
|
args+=("$tok")
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
if [[ "$cmd" == "remove" ]]; then
|
|
|
|
|
# ─ remove: must have at least one arg
|
|
|
|
|
if ((${#args[@]} == 0)); then
|
|
|
|
|
log ERROR "Command '$cmd' requires at least one argument: ${allowed[*]}"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
# Validate each against allowed[]
|
|
|
|
|
for a in "${args[@]}"; do
|
|
|
|
|
local ok=false
|
|
|
|
|
for want in "${allowed[@]}"; do
|
|
|
|
|
[[ "$a" == "$want" ]] && ok=true && break
|
|
|
|
|
done
|
|
|
|
|
if ! $ok; then
|
|
|
|
|
log ERROR "Invalid argument '$a' for '$cmd'; allowed: ${allowed[*]}"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
else
|
|
|
|
|
# ─ all other cmds: must have exactly one arg
|
|
|
|
|
if ((${#args[@]} != 1)); then
|
|
|
|
|
log ERROR "Command '$cmd' requires exactly one argument: ${allowed[*]}"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
# And that single arg must be allowed
|
|
|
|
|
local a="${args[0]}"
|
|
|
|
|
local ok=false
|
|
|
|
|
for want in "${allowed[@]}"; do
|
|
|
|
|
[[ "$a" == "$want" ]] && ok=true && break
|
|
|
|
|
done
|
|
|
|
|
if ! $ok; then
|
|
|
|
|
log ERROR "Invalid argument '$a' for '$cmd'; allowed: ${allowed[*]}"
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
fi
|
|
|
|
|
}
|
|
|
|
|
# validate_command <workspace> <cmd> [<tok1> <tok2> …]
|
|
|
|
|
source "$HOME"/.local/bin/validate_command_access.sh
|
|
|
|
|
|
|
|
|
|
# ─────────────────────────────────────────────
|
|
|
|
|
# Entry & command parsing
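Review bot: The authorization gate for SSH_ORIGINAL_COMMAND is now `source`d from `$HOME/.local/bin/validate_command_access.sh`, a file this same script installs via `update 1 validate_command_access.sh .local/bin 500` after fetching it through the unchanged `PROTOCOL="http"` URL builder, so nothing (no TLS, no pinned hash) stands between repo index 1 or the plaintext transport and code executed as the router; the inline `validate_command` this commit removes was at least part of the reviewed file. Before the `source` I would refuse a missing or foreign-owned validator explicitly rather than let `set -e` abort with bash's default message: `validator="$HOME/.local/bin/validate_command_access.sh"`, `[[ -f "$validator" && -O "$validator" ]] || { log ERROR "validator missing or not owned by current user: $validator"; exit 1; }`, `source "$validator"`. The sourced file is not on this page, so whether it still exits non-zero on every rejection the way the removed function did cannot be confirmed from here, yet the dispatch below indexes `${args[0]}` with no guard of its own, so the comment at the top should pin that contract, e.g. `# validate_command must exit non-zero on any rejection; dispatch assumes args[] is already allow-listed`. Serving the artifacts over https or verifying a pinned checksum after download would close the transport side, which the commit does not touch.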
|
|
|
|
@ -203,7 +142,7 @@ read -ra parts <<<"$SSH_ORIGINAL_COMMAND"
|
|
|
|
|
cmd="${parts[0]}"
|
|
|
|
|
args=("${parts[@]:1}")
|
|
|
|
|
|
|
|
|
|
validate_command "$cmd" "${args[@]}"
|
|
|
|
|
validate_command "$PERSON" "$cmd" "${args[@]}"
|
|
|
|
|
|
|
|
|
|
# ─────────────────────────────────────────────
|
|
|
|
|
# Dispatch
|
|
|
|
@ -218,12 +157,13 @@ build)
|
|
|
|
|
;;
|
|
|
|
|
update)
|
|
|
|
|
case "${args[0]}" in
|
|
|
|
|
containerfile) update Containerfile . 500 ;;
|
|
|
|
|
access) update access.yml . 400 ;;
|
|
|
|
|
ssh_router) update ssh_router.sh .local/bin 500 ;;
|
|
|
|
|
gitops_router) update gitops_router.sh .local/bin 500 ;;
|
|
|
|
|
home_tar) update home.tar.gz . 500 media ;;
|
|
|
|
|
gitconfig) update gitconfig.template . 500 ;;
|
|
|
|
|
containerfile) update 0 Containerfile . 500 ;;
|
|
|
|
|
access) update 1 access.yml . 400 ;;
|
|
|
|
|
ssh_router) update 0 ssh_router.sh .local/bin 500 ;;
|
|
|
|
|
gitops_router) update 0 gitops_router.sh .local/bin 500 ;;
|
|
|
|
|
validate_command) update 1 validate_command_access.sh .local/bin 500 ;;
|
|
|
|
|
home_tar) update 0 home.tar.gz . 500 media ;;
|
|
|
|
|
gitconfig) update 1 gitconfig.template . 500 ;;
|
|
|
|
|
*) log ERROR "update: invalid arg '${args[0]}'" ;;
|
|
|
|
|
esac
|
|
|
|
|
;;
|
|
|
|
|