infra: New script dgit-mirror-ssh-wrap
authorIan Jackson <ijackson@chiark.greenend.org.uk>
Fri, 13 Sep 2019 15:02:22 +0000 (16:02 +0100)
committerIan Jackson <ijackson@chiark.greenend.org.uk>
Fri, 13 Sep 2019 15:46:27 +0000 (16:46 +0100)
Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>
Makefile
infra/dgit-mirror-ssh-wrap [new file with mode: 0755]

index c4f1673..87cff8b 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -65,7 +65,7 @@ GDR_MAN5PAGES=git-debrebase.5
 GDP_PROGRAMS=git-debpush
 GDP_MAN1PAGES=git-debpush.1
 
-INFRA_PROGRAMS=dgit-repos-server dgit-ssh-dispatch \
+INFRA_PROGRAMS=dgit-repos-server dgit-ssh-dispatch dgit-mirror-ssh-wrap \
        dgit-repos-policy-debian dgit-repos-admin-debian \
        dgit-repos-policy-trusting dgit-mirror-rsync
 INFRA_EXAMPLES=get-dm-txt ssh-wrap drs-cron-wrap get-suites
diff --git a/infra/dgit-mirror-ssh-wrap b/infra/dgit-mirror-ssh-wrap
new file mode 100755 (executable)
index 0000000..4d0dcc9
--- /dev/null
@@ -0,0 +1,37 @@
+#!/usr/bin/perl -w
+
+# Intended to be used as a restricted command.
+# Usage:
+#    command="/path/to/dgit-mirror-ssh-wrap /srv/repos/ .git --"
+# or similar.  The two substantive arguments are literals.
+# The example permits writes to directories
+#    /srv/repos/$PACKAGE.git
+# where $PACKAGE has the syntax of a Debian package name.
+
+use strict;
+
+die 'bad usage' unless @ARGV==3 && $ARGV[2] eq '--';
+our ($prefix, $suffix) = @ARGV;
+
+$prefix =~ s/\W/\\$&/g;
+$suffix =~ s/\W/\\$&/g;
+
+my $package = qr{[0-9a-z][-+0-9a-z]*};
+my $d = qr{$prefix$package$suffix};
+
+my $command = $ENV{SSH_ORIGINAL_COMMAND}
+    // die "missing SSH_ORIGINAL_COMMAND";
+
+#print STDERR ">$d<\n";
+
+$command =~
+
+m{^rsync --server -lHtre\.iLsfxC --timeout=\d+ --delete --safe-links \. $d$}
+
+# To add a new command pattern, add || m{^ ... $} above.
+# The pattern should contain $d where the per-package destination
+# directory would go.
+
+or die "unexpected command $command\n";
+
+exec $& or die $!;
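Review bot: The final `exec $&` passes a single string, which Perl hands to `/bin/sh -c` whenever that string contains shell metacharacters. The client-controlled part is confined to `[0-9a-z+-]` by `$package`, but `$prefix` and `$suffix` are only regex-escaped, so a configured literal containing a metacharacter would be shell-interpreted; the list form never involves a shell: `my @argv = split / /, "$&"; exec { $argv[0] } @argv or die "exec: $!\n";`. Anchoring the pattern with `\A` and `\z` instead of `^` and `$` would also reject a command ending in a newline, which `$` currently tolerates. Separately, `$package` omits `.`, which Debian package names may contain, so a name with a dot would be refused even though the header comment promises the syntax of a Debian package name.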