pushsync.py

#!/usr/bin/env python3

import os
import sys
import time
import datetime

# 1. Create Push User and Place This Program into Home
# sudo useradd -rmd /home/pushsync -s /home/pushsync/pushsync.py pushsync
if 'SSH_CLIENT' not in os.environ:
    print('Must invoke by SSH.')
    exit(1)

# 2. Add Upstream Key with "command" to /home/pushsync/.ssh/authorized_keys
# Example: restrict,command="anthon" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMdaEqzUKWP7kqmLp9DG61sfJvD09oU98tu/eSjAdXh4 root@JunkO.aosc.io
if len(sys.argv) < 3 or sys.argv[1] != '-c':
    print('Must invoke with force command.')
    exit(1)

auth = sys.argv[2].split('|')
cmd = os.environ.get('SSH_ORIGINAL_COMMAND', auth[0]).split()

with open('pushsync.log', 'a') as log:
    log.write(f'{os.environ["SSH_CLIENT"].split()[0]} ({sys.argv[2]}) [{datetime.datetime.now().isoformat()}] {" ".join(cmd)}\n')

task = cmd[0]
if not ((task in auth) or ('ANY' in auth)):
    print('Repo not allowed.')
    exit(2)

try:
    sched_t = int(cmd[1])
except (IndexError, ValueError) as exc:
    sched_t = int(time.time())


# 3. Change the Invoking Command, Add sudo Rules if Needed (use visudo)
# Example: pushsync ALL=(mirrors) NOPASSWD: /usr/local/bin/shine -s /home/mirrors/shine/instance/shined.sock sched *
try:
    if os.system(f'sudo -n -u mirrors /usr/local/bin/shine -s /home/mirrors/shine/instance/shined.sock sched {task} {sched_t}') != 0:
        raise OSError
except OSError:
	print('Failed to schedule the task.')
	exit(3)