#!/bin/bash
set -eu

# Copyright (C) 2015, Benjamin Drung <benjamin.drung@profitbricks.com>
#
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
# "Software"), to deal in the Software without restriction, including
# without limitation the rights to use, copy, modify, merge, publish,
# distribute, sublicense, and/or sell copies of the Software, and to
# permit persons to whom the Software is furnished to do so, subject to
# the following conditions:
#
# The above copyright notice and this permission notice shall be included
# in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
# IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
# CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
# SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

# Note: Matching the regular expressions requires bash

log() {
    msg="$1"
    echo "${0##*/}: $msg" >&2
    logger -t ${0##*/} -- "$msg"
}

config="${1-}"
if test -z "$config"; then
    if test -n "${USER-}"; then
        config="$USER"
    else
        config=$(id -u -n)
    fi
fi

config_file="/etc/restricted-ssh-commands/$config"
if test ! -f "$config_file"; then
    log "No configuration in $config_file. All commands including \"${SSH_ORIGINAL_COMMAND-}\" are denied."
    exit 125
fi

num_rules=0
while IFS='' read -r line; do
    # Skip empty lines and lines starting with hashes
    if ! [[ "$line" =~ ^[[:space:]]*(#|$) ]]; then
        if [[ "${SSH_ORIGINAL_COMMAND-}" =~ $line ]]; then
            if test -n "${RSC_VERBOSE-}"; then
                log "${0##*/}: \"${SSH_ORIGINAL_COMMAND-}\" matches \"$line\""
            fi
            found=1
            break
        else
            ((num_rules+=1))
            if test -n "${RSC_VERBOSE-}"; then
                log "${0##*/}: Regular expression does not match: \"$line\""
            fi
        fi
    elif test -n "${RSC_VERBOSE-}"; then
        log "${0##*/}: Skipping commented/empty configuration line: \"$line\""
    fi
done < "$config_file"

if test -z "${found-}"; then
    if test "$num_rules" -eq 0; then
        log "Empty configuration in $config_file. All commands including \"${SSH_ORIGINAL_COMMAND-}\" are denied."
        exit 125
    else
        if test "$num_rules" -eq 1; then
            msg="the one allow rule"
        else
            msg="any of the $num_rules allow rules"
        fi
        log "Rejecting command \"${SSH_ORIGINAL_COMMAND-}\". It does not match $msg in $config_file."
        exit 124
    fi
fi

exec ${SHELL:-/bin/sh} -c "${SSH_ORIGINAL_COMMAND-}"
