infra: New script dgit-mirror-ssh-wrap

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>

1 files changed, 37 insertions, 0 deletions

diff --git a/infra/dgit-mirror-ssh-wrap b/infra/dgit-mirror-ssh-wrap
new file mode 100755
index 0000000..4d0dcc9
--- /dev/null
+++ b/infra/dgit-mirror-ssh-wrap
@@ -0,0 +1,37 @@
+#!/usr/bin/perl -w
+
+# Intended to be used as a restricted command.
+# Usage:
+#    command="/path/to/dgit-mirror-ssh-wrap /srv/repos/ .git --"
+# or similar.  The two substantive arguments are literals.
+# The example permits writes to directories
+#    /srv/repos/$PACKAGE.git
+# where $PACKAGE has the syntax of a Debian package name.
+
+use strict;
+
+die 'bad usage' unless @ARGV==3 && $ARGV[2] eq '--';
+our ($prefix, $suffix) = @ARGV;
+
+$prefix =~ s/\W/\\$&/g;
+$suffix =~ s/\W/\\$&/g;
+
+my $package = qr{[0-9a-z][-+0-9a-z]*};
+my $d = qr{$prefix$package$suffix};
+
+my $command = $ENV{SSH_ORIGINAL_COMMAND}
+    // die "missing SSH_ORIGINAL_COMMAND";
+
+#print STDERR ">$d<\n";
+
+$command =~
+
+m{^rsync --server -lHtre\.iLsfxC --timeout=\d+ --delete --safe-links \. $d$}
+
+# To add a new command pattern, add || m{^ ... $} above.
+# The pattern should contain $d where the per-package destination
+# directory would go.
+
+or die "unexpected command $command\n";
+
+exec $& or die $!;