X-Git-Url: http://git.rot13.org/?p=bak-git.git;a=blobdiff_plain;f=bak-git-server.pl;h=fac76b7e78445bc26d3cff6e80e5cf8f94cc2fed;hp=1c8efc1303b5560ad340f3564bd7736bba45827b;hb=HEAD;hpb=b3e5588a5f136f8c1c72f693327c39c8937ef9c1
diff --git a/bak-git-server.pl b/bak-git-server.pl
index 1c8efc1..3bd5f63 100755
--- a/bak-git-server.pl
+++ b/bak-git-server.pl
@@ -11,25 +11,37 @@ Start server, install on remote-host or upgrade with: [--install remote-host] [--upgrade]
-You will want to add following to C<~/.ssh/config>
+C traffic is always transfered over ssh, but C or C can
+still leak sensitive information if C shell client connects directly
+to server host.
- RemoteForward 9001 localhost:9001
+Add following line to C<~/.ssh/config> under C for which you want encrypted
+controll channel (or to pass through server ssh hops using C)
-bak command overview:
+ RemoteForward 9001 192.168.42.42:9001
+
+bak command, overview:
 bak add /path bak commit [/path [message]] bak diff [host:][/path] bak status [/path] bak log [/path]
+ bak log-grep pattern
+ bak grep pattern
+ bak show
 bak ch[anges] bak revert [host:]/path bak cat [host:]/path
+ bak grep pattern
+ bak find filename-pattern
 bak - push all changed files to server
+ bak add,commit /path
+
 See L for more information =cut
@@ -53,19 +65,54 @@ my ( $dir, $server_ip ) = @ARGV; die "usage: $0 /backup/directory 127.0.0.1\n" unless $dir; $server_ip ||= '127.0.0.1'; -my $shell_client = <<__SHELL_CLIENT__; -#!/bin/sh -echo \$USER/\$SUDO_USER `hostname` `pwd` \$* | nc $server_ip 9001 -__SHELL_CLIENT__ +# parse ssh config +my $ssh_tunnel; +open(my $ssh_fd, '<', "$ENV{HOME}/.ssh/config"); +my $host; +while(<$ssh_fd>) { + chomp; + next unless length($_) > 0; + next if m/^\s*#/; + + if ( /^Host\s+(.+)/i ) { + $host = $1; + } elsif ( /^\s+(\S+)\s+(.+)/ ) { + $ssh_tunnel->{$host}++ if lc($1) eq 'remoteforward' && $2 =~ m/9001/; + } elsif ( /^\s+$/ ) { + # nop + } else { + warn "can't parse [$_]"; + } +} + +sub shell_client { + my ( $hostname ) = @_; + my $path = '/tmp/bak'; + my $server = $server_ip; + $server = '127.0.0.1' if $ssh_tunnel->{$hostname}; +warn "# ssh_client $hostname $server"; + open(my $fh, '>', $path); + print $fh "#!/bin/sh\n"; + print $fh "echo \$USER/\$SUDO_USER $hostname `pwd` \$* | nc $server 9001\n"; + close($fh); + chmod 0755, $path; + return $path; +} + +sub _kill_ssh { + while ( my($host,$pid) = each %$ssh_tunnel ) { + warn "$host kill TERM $pid"; + eval { kill 15, $pid; } # TERM + } +} + +#$SIG{INT}; +$SIG{TERM} = &_kill_ssh; chdir $dir; system 'git init' unless -e '.git'; if ( $upgrade || $install ) { - open(my $fh, '>', '/tmp/bak'); - print $fh $shell_client; - close($fh); - chmod 0755, '/tmp/bak'; my @hosts = grep { -d $_ } glob '*'; @hosts = ( $install ) if $install; 
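Review bot: `$SIG{TERM} = &_kill_ssh;` calls `_kill_ssh` immediately at startup and stores its return value as the handler instead of installing one; it should read `$SIG{TERM} = \&_kill_ssh;`. That startup call is also harmful, because at this point the values in `%$ssh_tunnel` are the `++` counters set by the config parser (1 for each host with a matching RemoteForward), not pids, so `kill 15, $pid` is sent to pid 1 for every such host; keep the parsed tunnel hosts and the forked pids in separate hashes so a signal handler can never confuse a count with a process id. `open(my $ssh_fd, '<', "$ENV{HOME}/.ssh/config");` is unchecked, so a missing or unreadable file makes the `while` read from an unopened handle and every installed client silently gets the direct, plaintext `$server_ip` path; write `open(my $ssh_fd, '<', "$ENV{HOME}/.ssh/config") or die "ssh config: $!";` (or warn and skip the parse explicitly). In the parser `$host` is still undefined if a `RemoteForward` line precedes the first `Host` line, and `shell_client` writes to the fixed, predictable `/tmp/bak` without checking the open before that file is copied to every host as root; a `File::Temp` file, or at minimum `open(my $fh, '>', $path) or die "$path: $!";`, avoids both a silent failure and picking up a pre-existing file in a shared directory.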
@@ -73,23 +120,46 @@ if ( $upgrade || $install ) { foreach my $hostname ( @hosts ) { warn "install on $hostname\n"; system 'ssh-copy-id', "root\@$hostname" if ! -d $hostname; - system "scp /tmp/bak root\@$hostname:/usr/local/bin/"; - system "ssh root\@$hostname apt-get install -y rsync"; + my $path = shell_client( $hostname ); + system "scp $path root\@$hostname:/usr/local/bin/"; + system "ssh root\@$hostname apt-get install -y netcat rsync"; + } +} else { + my $ssh = $ENV{SSH} || 'ssh'; + warn "# start $ssh tunnels..."; + foreach my $host ( keys %$ssh_tunnel ) { +last; # FIXME disabled + warn "## $host\n"; + my $pid = fork; + if ( ! defined $pid ) { + die "fork: $!"; + } elsif ( $pid ) { +# waitpid $pid, 0; + warn "FIXME: waitpid $pid"; + } else { + warn "EXEC $ssh $host"; + exec "$ssh -N root\@$host"; + } + + $ssh_tunnel->{$host} = $pid; } } +warn "dir: $dir listen: $server_ip:9001\n"; + my $server = IO::Socket::INET->new( Proto => 'tcp', - LocalAddr => $server_ip, +# LocalAddr => $server_ip, LocalPort => 9001, Listen => SOMAXCONN, Reuse => 1 ) || die $!; -warn "dir: $dir listen: $server_ip:9001\n" - , $shell_client -; +sub rsync { + warn "# rsync ",join(' ', @_), "\n"; + system 'rsync', @_; +} sub pull_changes { my $hostname = shift; 
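Review bot: Commenting out `LocalAddr => $server_ip` in the `IO::Socket::INET->new` call makes the listener bind every interface, while the new `warn "dir: $dir listen: $server_ip:9001\n"` line still reports `$server_ip` as the bind address, so the log is now misleading about where a plaintext `nc` protocol is reachable; keep `LocalAddr => $server_ip,` (a `RemoteForward` to 192.168.42.42:9001 as the POD describes reaches it), or if all-interface binding is intended, log that and keep it documented next to the peer allowlist. The new `rsync` wrapper discards `system`'s return value, so every caller in this and the later hunks (`pull_changes` and the `add`, `diff`, `revert` and `link` branches) continues as if the transfer succeeded; `return system('rsync', @_) == 0;` checked at the call sites, or at least `warn "rsync failed: $?\n" if $?;`, would surface failures. `foreach my $host ( keys %$ssh_tunnel )` begins with `last; # FIXME disabled`, so the fork/exec and the `$ssh_tunnel->{$host} = $pid` assignment are dead code; guarding the loop with an explicit flag instead of a bare `last` makes it clear to readers that no tunnels are started. The `scp`, `ssh` and `exec` calls interpolate `$path`, `$hostname` and `$ENV{SSH}` into a shell string; hostnames come from `--install` or directory names so the exposure is small, but the list form `system 'scp', $path, "root\@$hostname:/usr/local/bin/";` costs nothing and removes the question.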
@@ -99,13 +169,27 @@ sub pull_changes { print $files "$_\n" foreach @_; close($files); } - system "rsync -avv --files-from /tmp/$hostname.list root\@$hostname:/ $hostname/" + rsync split / /, "-avv --files-from /tmp/$hostname.list root\@$hostname:/ $hostname/"; +} + +sub mkbasedir { + my $path = shift; + $path =~ s{/[^/]+$}{}; + warn "# mkpath $path\n"; + mkpath $path || die $!; } while (my $client = $server->accept()) { my $line = <$client>; chomp($line); - warn "<<< $line\n"; + + my $peerhost = $client->peerhost; + if ( $peerhost !~ m/^(10\.13\.37\.|10\.60\.0\.|10\.200\.100\.)/ ) { + print $client "$peerhost not allowed\n"; + next; + } + + warn "<<< $peerhost $line\n"; my ($user,$hostname,$pwd,$command,$rel_path,$message) = split(/\s+/,$line,6); $hostname =~ s/\..+$//; @@ -120,6 +204,8 @@ while (my $client = $server->accept()) { } my $path = $rel_path =~ m{^/} ? $rel_path : "$pwd/$rel_path"; + foreach my $command ( split /,/, $command ) { # XXX command loop + warn "$hostname [$command] $on_host:$path | $message\n"; my $args_message = $message; @@ -145,7 +231,7 @@ while (my $client = $server->accept()) { } elsif ( $command eq 'add' ) { mkpath "$hostname/$dir" unless -e "$hostname/$dir"; while ( $path ) { - system 'rsync', '-avv', "root\@$hostname:$path", "$hostname/$path"; + rsync( '-avv', "root\@$hostname:$path", "$hostname/$path" ); print $client git 'add', "$hostname/$path"; $args_message =~ s/^(.+)\b// || last; 
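Review bot: The `$peerhost` allowlist is evaluated only after `my $line = <$client>` has already blocked on the peer, so an unauthorised connection that never sends a newline can hold the single-threaded accept loop; move `my $peerhost = $client->peerhost;` and the `!~ m/^(10\.13\.37\.|10\.60\.0\.|10\.200\.100\.)/` test before the read, and guard the read with `defined` so a peer that disconnects early does not leave `$line` undefined for `chomp` and `split`. The allowed prefixes are hard-coded in the source; they belong on the command line next to `$server_ip`, and since the source address is the only authentication this protocol has, the `$user` field parsed from the line remains client-asserted and should be logged as such rather than trusted. Separately, `mkpath $path || die $!;` in `mkbasedir` parses as `mkpath($path || die $!)`, so a failed `mkpath` is never reported; write `mkpath($path) or die "mkpath $path: $!";`. `rsync split / /, "-avv --files-from /tmp/$hostname.list root\@$hostname:/ $hostname/";` only works while none of the pieces contains a space; the explicit list `rsync('-avv', '--files-from', "/tmp/$hostname.list", "root\@$hostname:/", "$hostname/");` is equivalent and clearer.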
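Review bot: `foreach my $command ( split /,/, $command ) {` introduces an inner lexical with the same name as the outer `$command` it splits, which the `# XXX command loop` marker itself seems to acknowledge; `foreach my $cmd ( split /,/, $command )` with `$cmd` used in the dispatch below would avoid the shadowing and make it obvious which variable later assignments such as `$command = 'log --patch-with-stat'` target. The loop body keeps its previous indentation and its closing `} # XXX command, loop` lies in a later hunk, so the block's extent is hard to see at a glance; a short comment at the opening, e.g. `# run each comma-separated command (e.g. add,commit) against the same path and message`, would help. The loop's closing brace is outside this hunk.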
@@ -162,8 +248,9 @@ while (my $client = $server->accept()) { $command = 'log --patch-with-stat' if $command =~ m/^ch/; pull_changes( $hostname ) if $command eq 'diff'; if ( $on_host ) { - system 'rsync', '-avv', "root\@$hostname:$path", "$hostname/$path"; - system 'rsync', '-avv', "root\@$on_host:$path", "$on_host/$path"; + mkpath $_ foreach grep { ! -e $_ } ( "$hostname/$dir", "$on_host/$dir" ); + rsync( '-avv', "root\@$hostname:$path", "$hostname/$path" ); + rsync( '-avv', "root\@$on_host:$path", "$on_host/$path" ); open(my $diff, '-|', "diff -Nuw $hostname$path $on_host$path"); while(<$diff>) { print $client $_; 
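Review bot: `mkpath $_ foreach grep { ! -e $_ } ( "$hostname/$dir", "$on_host/$dir" );` re-implements what the new `mkbasedir` helper does and, like it, ignores `mkpath`'s result, so a directory that cannot be created is only noticed when the following `rsync` fails with a less specific message; `mkbasedir "$hostname/$path"; mkbasedir "$on_host/$path";` keeps a single code path, assuming `$dir` here is the directory part of `$path` as the `add` branch's `mkpath "$hostname/$dir"` suggests (its declaration is outside the hunk). The adjacent `open(my $diff, '-|', "diff -Nuw $hostname$path $on_host$path")` still hands the client-supplied `$path` to a shell; the list form `open(my $diff, '-|', 'diff', '-Nuw', "$hostname$path", "$on_host$path")` takes the shell out of that path and needs no quoting. The enclosing `elsif` branch starts and ends outside this hunk.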
@@ -178,21 +265,49 @@ while (my $client = $server->accept()) { } } elsif ( $command eq 'revert' ) { if ( $on_host ) { - system 'rsync', '-avv', "$on_host/$path", "root\@$hostname:$path"; + rsync( '-avv', "$on_host/$path", "root\@$hostname:$path" ); } else { print $client git "checkout -- $hostname/$path"; - system 'rsync', '-avv', "$hostname/$path", "root\@$hostname:$path"; + rsync( '-avv', "$hostname/$path", "root\@$hostname:$path" ); } } elsif ( $command eq 'cat' ) { my $file_path = ( $on_host ? $on_host : $hostname ) . "/$path"; - open(my $file, '<', $file_path) || warn "ERROR $file_path: $!"; - while(<$file>) { - print $client $_; + if ( -r $file_path ) { + open(my $file, '<', $file_path) || warn "ERROR $file_path: $!"; + while(<$file>) { + print $client $_; + } + close($file); + } else { + print $client "ERROR: $file_path: $!\n"; + } + } elsif ( $command eq 'ls' ) { + my $file_path = ( $on_host ? $on_host : $hostname ) . "/$path"; + print $client `ls $file_path 2>&1`; + } elsif ( $command eq 'show' ) { + print $client `git show $rel_path`; + } elsif ( $command eq 'log-grep' ) { + #print $client `git log -g --grep=$rel_path`; + } elsif ( $command eq 'grep' ) { + print $client `git grep $rel_path`; + } elsif ( $command eq 'find' ) { + print $client `find . -iname '*$rel_path*' | sed -e 's,^./,,' -e 's,/,:/,'` + } elsif ( $command eq 'link' ) { + if ( $on_host ) { + mkbasedir "$on_host/$path"; + rsync( '-avv', "root\@$on_host:$path", "$on_host/$path" ); + mkbasedir "$hostname/$path"; + link "$on_host/$path", "$hostname/$path"; + rsync( '-avv', "$hostname/$path", "root\@$hostname:$path" ); + } else { + print $client "ERROR: link requires host:/path\n"; } - close($file); } else { - print $client "Unknown command: $command\n"; + print $client "ERROR: unknown command: $command\n"; } + } # XXX command, loop + + close($client); }
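Review bot: The new `ls`, `show`, `grep` and `find` branches interpolate `$file_path` and `$rel_path`, values taken verbatim from the client's request line, into backticks, so the server's shell interprets whatever the client sends and the only gate in front of this is the peer-address allowlist; each of these should run its command through a list-form `open(my $out, '-|', @cmd)` that bypasses the shell, with `-e` for the grep pattern so a value starting with `-` is not read as an option. The `sed` post-processing of `find` output can be applied per line in Perl, and `ls`'s `2>&1` is replaced by reporting the `open` failure to the client explicitly. `log-grep` is advertised in the POD above but its only statement is commented out, so the client gets an empty reply with no error; implement it the same way (`git log --grep=...` with the pattern as one argument) or answer `ERROR: not implemented`. In the `link` branch the `link` call's return value is ignored, so a failed hard link is followed by an rsync that pushes whatever is at `$hostname/$path` back to the host; `link(...) or print $client "ERROR: link: $!\n"` is the minimum check. The `run_to_client` helper below would sit next to `sub rsync`; `show` with no argument needs the empty `$rel_path` dropped from the list because, unlike the shell form, an empty argument is passed through.
```perl
# Run @cmd without a shell and stream its stdout to $client.  A failure to
# start the command is reported to the client; stderr is not merged as the
# previous `2>&1` did.
sub run_to_client {
    my ( $client, @cmd ) = @_;
    open(my $out, '-|', @cmd) or return print $client "ERROR: @cmd: $!\n";
    print $client $_ while <$out>;
    close($out);
    return;
}

# … unchanged: revert and cat branches …
    } elsif ( $command eq 'ls' ) {
        my $file_path = ( $on_host ? $on_host : $hostname ) . "/$path";
        run_to_client( $client, 'ls', '--', $file_path );
    } elsif ( $command eq 'show' ) {
        run_to_client( $client, 'git', 'show', ( length $rel_path ? $rel_path : () ) );
    } elsif ( $command eq 'log-grep' ) {
        run_to_client( $client, 'git', 'log', '-g', "--grep=$rel_path" );
    } elsif ( $command eq 'grep' ) {
        run_to_client( $client, 'git', 'grep', '-e', $rel_path );
    } elsif ( $command eq 'find' ) {
        if ( open(my $found, '-|', 'find', '.', '-iname', "*$rel_path*") ) {
            while ( my $f = <$found> ) {
                $f =~ s{^\./}{};    # same rewrite the sed pipeline did
                $f =~ s{/}{:/};
                print $client $f;
            }
            close($found);
        } else {
            print $client "ERROR: find: $!\n";
        }
# … unchanged: link branch and the unknown-command fallback …
```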