From d88d9fb42805757211da8265b373729a876ab74a Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Thu, 13 Jul 2023 15:44:17 +0200
Subject: [PATCH] restrict upload to role teacher
---
roles/lmn_vm/files/lmn-upload-vm | 1 +
roles/lmn_vm/files/sync-vm.sh | 47 ++-----------------------
roles/lmn_vm/files/upload-vm.sh | 59 ++++++++++++++++++++++++++++++++
roles/lmn_vm/tasks/main.yml | 2 ++
4 files changed, 65 insertions(+), 44 deletions(-)
create mode 100644 roles/lmn_vm/files/lmn-upload-vm
create mode 100755 roles/lmn_vm/files/upload-vm.sh
diff --git a/roles/lmn_vm/files/lmn-upload-vm b/roles/lmn_vm/files/lmn-upload-vm
new file mode 100644
index 0000000..599e9d8
--- /dev/null
+++ b/roles/lmn_vm/files/lmn-upload-vm
@@ -0,0 +1 @@
+%role-teacher ALL=(root) NOPASSWD: /usr/local/bin/upload-vm.sh
diff --git a/roles/lmn_vm/files/sync-vm.sh b/roles/lmn_vm/files/sync-vm.sh
index 681178f..b2ab12d 100755
--- a/roles/lmn_vm/files/sync-vm.sh
+++ b/roles/lmn_vm/files/sync-vm.sh
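Review bot: Nothing in `%role-teacher ALL=(root) NOPASSWD: /usr/local/bin/upload-vm.sh` limits the arguments a teacher may pass, so the rule is only as tight as the script's own input handling and the permissions on what it executes. The script and the helper it calls by path (`/usr/local/bin/vmimage-torrent`) need to be root-owned and not writable by members of role-teacher; the task that installs them is outside the visible hunks, so that should be confirmed there. A syntax error in a sudoers drop-in can break sudo on the host, so I would also put `validate: /usr/sbin/visudo -cf %s` on the task that copies these files if it is not already set.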
@@ -4,51 +4,14 @@ set -eu
 show_help() {
 cat << EOF >&2
-Usage: $(basename "$0") [-u vmname] [-d vmname] [-a] [-t]"
-When using option -u (upload), the disk from VM vmname will be synced on server.
-Otherwise the images from images.list and xml-directory will be synced from server.
+Usage: $(basename "$0") [-d vmname] [-a] [-t]"
+The images from images.list and xml-directory will be synced from server.
 Using flag -t all torrents and xml-VM-Definitions will be synced
 EOF
 }
 VM_DIR="/tmp/${SUDO_UID}/vmimages"
-upload_image() {
- # check if VM-Diskimage exists
- if [[ ! (-f "/var/lib/libvirt/images/${VM_NAME}.qcow2" || -f "${VM_DIR}/${VM_NAME}.qcow2") ]]; then
- echo "File not found ${VM_NAME}.qcow2" >&2
- exit 1
- fi
- # link private VM-Diskimage to system-Dir
- if [[ -f "${VM_DIR}/${VM_NAME}.qcow2" \
- && ( -f "/var/lib/libvirt/images/${VM_NAME}.qcow2" && ("${VM_DIR}/${VM_NAME}.qcow2" -nt "/var/lib/libvirt/images/${VM_NAME}.qcow2") \
- || ! -f "/var/lib/libvirt/images/${VM_NAME}.qcow2") ]]; then
- echo "copy private VM-Diskimage to system-dir"
- ln -f "${VM_DIR}/${VM_NAME}.qcow2" "/var/lib/libvirt/images/${VM_NAME}.qcow2"
- fi
- # check if VM-Machine-Definition XML exists
- if [[ ! (-f "/var/lib/libvirt/images/xml/${VM_NAME}.xml" || -f "${VM_DIR}/xml/${VM_NAME}.xml") ]]; then
- echo "File not found ${VM_NAME}.xml" >&2
- exit 1
- fi
- # copy private VM-Maschine-Definition XML to system-Dir
- if [[ -f "${VM_DIR}/xml/${VM_NAME}.xml" \
- && ( -f "/var/lib/libvirt/images/xml/${VM_NAME}.xml" && $(cmp -s "${VM_DIR}/xml/${VM_NAME}.xml" "/var/lib/libvirt/images/xml/${VM_NAME}.xml") \
- || ! -f "/var/lib/libvirt/images/xml/${VM_NAME}.xml") ]]; then
- echo "copy private VM-Maschine-Definition XML to system-dir"
- cp "${VM_DIR}/xml/${VM_NAME}.xml" "/var/lib/libvirt/images/xml/"
- fi
- # (re-) create torrent file
- /usr/local/bin/vmimage-torrent create "${VM_NAME}.qcow2"
- # Upload Torrent, qcow2 and machine-definition-XML
- [[ -f "/var/lib/libvirt/images/${VM_NAME}.qcow2.torrent" ]] && rsync -av --password-file=/etc/rsync.secret \
- "/var/lib/libvirt/images/${VM_NAME}.qcow2.torrent" rsync://vmuser@server:/vmimages-upload/
- rsync -av --password-file=/etc/rsync.secret "/var/lib/libvirt/images/${VM_NAME}.qcow2" \
- rsync://vmuser@server:/vmimages-upload/
- rsync -av --password-file=/etc/rsync.secret "/var/lib/libvirt/images/xml/${VM_NAME}.xml" \
- rsync://vmuser@server:/vmimages-upload/xml/
-}
-
 download_image() {
 if [[ -f "/var/lib/libvirt/images/${VM_NAME}.qcow2.torrent" ]]; then
 cd /var/lib/libvirt/images
@@ -78,12 +41,8 @@ sync_all_torrents() {
 /var/lib/libvirt/images/
 }
-while getopts ':u:d:at' OPTION; do
+while getopts ':d:at' OPTION; do
 case "$OPTION" in
- u)
- VM_NAME=$OPTARG
- upload_image
- ;;
 d)
 VM_NAME=$OPTARG
 download_image
diff --git a/roles/lmn_vm/files/upload-vm.sh b/roles/lmn_vm/files/upload-vm.sh
new file mode 100755
index 0000000..5f981a9
--- /dev/null
+++ b/roles/lmn_vm/files/upload-vm.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/bash
+# Push VM-Disk-Image on server
+set -eu
+
+show_help() {
+ cat << EOF >&2
+Usage: $(basename "$0") vmname"
+Create torrent and upload disk, torrent and xml-VM-Definiton on server.
+EOF
+}
+
+VM_DIR="/tmp/${SUDO_UID}/vmimages"
+
+upload_image() {
+ # check if VM-Diskimage exists
+ if [[ ! (-f "/var/lib/libvirt/images/${VM_NAME}.qcow2" || -f "${VM_DIR}/${VM_NAME}.qcow2") ]]; then
+ echo "File not found ${VM_NAME}.qcow2" >&2
+ exit 1
+ fi
+ # link private VM-Diskimage to system-Dir
+ if [[ -f "${VM_DIR}/${VM_NAME}.qcow2" \
+ && ( -f "/var/lib/libvirt/images/${VM_NAME}.qcow2" && ("${VM_DIR}/${VM_NAME}.qcow2" -nt "/var/lib/libvirt/images/${VM_NAME}.qcow2") \
+ || ! -f "/var/lib/libvirt/images/${VM_NAME}.qcow2") ]]; then
+ echo "copy private VM-Diskimage to system-dir"
+ ln -f "${VM_DIR}/${VM_NAME}.qcow2" "/var/lib/libvirt/images/${VM_NAME}.qcow2"
+ fi
+ # check if VM-Machine-Definition XML exists
+ if [[ ! (-f "/var/lib/libvirt/images/xml/${VM_NAME}.xml" || -f "${VM_DIR}/xml/${VM_NAME}.xml") ]]; then
+ echo "File not found ${VM_NAME}.xml" >&2
+ exit 1
+ fi
+ # copy private VM-Maschine-Definition XML to system-Dir
+ if [[ -f "${VM_DIR}/xml/${VM_NAME}.xml" \
+ && ( -f "/var/lib/libvirt/images/xml/${VM_NAME}.xml" && $(cmp -s "${VM_DIR}/xml/${VM_NAME}.xml" "/var/lib/libvirt/images/xml/${VM_NAME}.xml") \
+ || ! -f "/var/lib/libvirt/images/xml/${VM_NAME}.xml") ]]; then
+ echo "copy private VM-Maschine-Definition XML to system-dir"
+ cp "${VM_DIR}/xml/${VM_NAME}.xml" "/var/lib/libvirt/images/xml/"
+ fi
+ cd /var/lib/libvirt/images
+ # (re-) create torrent file
+ /usr/local/bin/vmimage-torrent create "${VM_NAME}.qcow2"
+ # Upload Torrent, qcow2 and machine-definition-XML
+ [[ -f "/var/lib/libvirt/images/${VM_NAME}.qcow2.torrent" ]] && rsync -av --password-file=/etc/rsync.secret \
+ "/var/lib/libvirt/images/${VM_NAME}.qcow2.torrent" rsync://vmuser@server:/vmimages-upload/
+ rsync -av --password-file=/etc/rsync.secret "/var/lib/libvirt/images/${VM_NAME}.qcow2" \
+ rsync://vmuser@server:/vmimages-upload/
+ rsync -av --password-file=/etc/rsync.secret "/var/lib/libvirt/images/xml/${VM_NAME}.xml" \
+ rsync://vmuser@server:/vmimages-upload/xml/
+}
+
+# if less than one arguments supplied, display usage
+if [[ $# -ne 1 ]] ; then
+ show_help
+ exit 1
+fi
+
+VM_NAME=$1
+
+upload_image
diff --git a/roles/lmn_vm/tasks/main.yml b/roles/lmn_vm/tasks/main.yml
index 7454a43..ebf9609 100644
--- a/roles/lmn_vm/tasks/main.yml
+++ b/roles/lmn_vm/tasks/main.yml
@@ -60,6 +60,7 @@
 loop:
 - lmn-mounthome
 - lmn-sync-vm
+ - lmn-upload-vm
 - lmn-link-images
 - lmn-startvirtiofsd
@@ -76,6 +77,7 @@
 - rebase-vm.sh
 - create-clone.sh
 - run-vm.sh
+ - upload-vm.sh
 - sync-vm.sh
 - link-images.sh
 - start-virtiofsd.sh
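Review bot: `VM_NAME=$1` in upload-vm.sh is used unvalidated in a script that the new sudoers rule runs as root, and the value is joined into the paths handed to `ln -f`, `cp` and `rsync` in upload_image, so a name containing `/` or `..` would make those commands operate outside `/var/lib/libvirt/images` and `${VM_DIR}`. I would reject anything that is not a plain image name before calling upload_image, e.g. `[[ "$VM_NAME" =~ ^[A-Za-z0-9][A-Za-z0-9._-]*$ ]] || { show_help; exit 1; }`. The source files come from `/tmp/${SUDO_UID}/vmimages`, which appears to be controlled by the invoking user, and `-f` follows symbolic links, so the private-copy branches should also skip links (`[[ ! -L "${VM_DIR}/xml/${VM_NAME}.xml" ]]`, likewise for the qcow2) before root links, copies and uploads them. Separately, `$(cmp -s …)` inside `[[ ]]` expands to an empty string and is therefore always false, so a changed private XML never replaces an existing system copy; the comparison should move out of the test into its own `if ! cmp -s "$src" "$dst"; then`.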