From 2cc2ab48b8a56a19f044b69ab2818de80f5ca9b0 Mon Sep 17 00:00:00 2001 From: Dict Xiong Date: Tue, 30 May 2023 13:43:25 +0800 Subject: [PATCH] [dev] enhance riot; ddns avoid burst (#38) * riot: add . for .ibd and non for proxied * riot: 'user@..' to overwrite username, '...:22' to overwrite port, treat the arg as server name if it doesn't match any preset, sshl can accept only a port number and default to use localhost * update.sh: ddns sleep for random seconds to avoid burst * riot: support zssh and sftp, and set ssh options according to trust settings * riot: add scp * riot: support jump servers, sep by commas * common.sh: argparser supports -d/--dev and -D/--dry-run * install.sh: remove -s/--secure because of no use * riot: if remote ends with dot, treat it as a full-hostname; add tests * sagent.sh: refuse to work on windows --------- Co-authored-by: xiongdian.me --- .update.sh | 5 ++ install.sh | 2 - scripts/riot | 190 +++++++++++++++++++++++++++++++++++++++--------- tools/common.sh | 5 +- tools/sagent.sh | 4 + tools/test.zsh | 1 + 6 files changed, 168 insertions(+), 39 deletions(-) diff --git a/.update.sh b/.update.sh index 40012b5..a06f8dc 100644 --- a/.update.sh +++ b/.update.sh @@ -13,6 +13,11 @@ apost_beacon "sys.online" # update dns if [[ "$DFS_DDNS_ENABLE" == "1" ]]; then fmt_info "updating dns ..." + if ! is_tty; then + time_to_sleep=$((RANDOM%600)) + fmt_note "sleep for $time_to_sleep seconds" + sleep $time_to_sleep + fi "$THIS_DIR/tools/frigg-client.sh" ddns || (fmt_error "failed to update dns" && apost_beacon "dfs.ddns.fail") fi diff --git a/install.sh b/install.sh index 04717cf..c155690 100755 --- a/install.sh +++ b/install.sh @@ -319,9 +319,7 @@ for i in ${GOT_OPTS[@]}; do case $i in -i ) FUNC=install ;; -r ) FUNC=uninstall ;; - -d|--dev ) export DFS_DEV=1; set -x ;; -a|--auto ) INSTALL_DEP=1 ;; - -s|--secure ) export DFS_DEV=0 ;; -H|--hist|--history ) store_hist=1 ;; -x ) store_config=1 ;; * ) fmt_fatal "unknown option \"$i\"" ;; diff --git a/scripts/riot b/scripts/riot index 941fb73..a742801 100755 --- a/scripts/riot +++ b/scripts/riot @@ -2,57 +2,141 @@ # connect to iot services THIS_DIR=$( cd "$( dirname "${BASH_SOURCE[0]:-${(%):-%x}}" )" && pwd ) source "$THIS_DIR/../tools/common.sh" +RIOT_TRUST_CLIENT=${RIOT_TRUST_CLIENT:-${DFS_TRUST:-0}} +RIOT_TRUST_SERVER=${RIOT_TRUST_SERVER:-0} -# get target settings -# provides: -SERVER="" -PORT="" -SSH_USERNAME="" -SSH_OPTIONS="" -get_server_meta() -{ - local domain=${1##*.} - local host=${1%.*} +# get single server setting +# may be called more than once +get_server_meta() { + # returns: + RET_HOSTNAME="" + RET_TRUST_SERVER=0 + RET_PORT="" # optional + RET_USERNAME="" # optional + RET_JUMP_SERVER="" # optional + # body + local remote="$1" + # if in the form user@... + if [[ "$remote" == *@* ]]; then + RET_USERNAME=${remote%%@*} + remote=${remote#*@} + fi + # if in the form ...:22 + if [[ "$remote" == *:* ]]; then + RET_PORT=${remote##*:} + remote=${remote%:*} + fi + # presets -- match domain + local domain=${remote##*.} + local host=${remote%.*} + # if there's no dot if [[ "$host" == "$domain" ]]; then - domain="" + domain="ibd" fi case $domain in ibd|ebd ) - SERVER=$host.$domain.ink - PORT=12022 - SSH_USERNAME=root + RET_HOSTNAME=$host.$domain.ink + RET_PORT=${RET_PORT:-12022} + RET_USERNAME=${RET_USERNAME:-root} + RET_TRUST_SERVER=1 ;; nasp ) - SERVER=$host - PORT=12022 - SSH_USERNAME=dictxiong - SSH_OPTIONS='-o ProxyJump="ssh@nasp.ob.ac.cn:36022"' + RET_HOSTNAME=$host + RET_PORT=${RET_PORT:-12022} + RET_USERNAME=${RET_USERNAME:-dictxiong} + RET_JUMP_SERVER="ssh@nasp.ob.ac.cn:36022" + RET_TRUST_SERVER=1 ;; - "" ) - SERVER=proxy.beardic.cn + x|proxied ) + RET_HOSTNAME=proxy.beardic.cn local tmp=$(sha256sum <<< "$host" | tr -cd "[:digit:]") tmp=${tmp:0:4} - PORT=$((10#$tmp+36000)) - SSH_USERNAME=root + RET_PORT=$((10#$tmp+36000)) + RET_USERNAME=root + RET_TRUST_SERVER=1 ;; * ) - fmt_fatal "unknown domain: $domain" + test -z "$domain" || fmt_warning "unknown domain: \"$domain\". will try as host name" + RET_HOSTNAME="$remote" esac } +# remote setting, including jump servers +# will be called only once +# provides: +SERVER="" +TRUST_SERVER=1 +PORT="" # optional +USERNAME="" # optional +SSH_OPTIONS="" # optional +if [[ "$RIOT_TRUST_CLIENT" == "1" ]]; then + SSH_OPTIONS='-o ControlMaster=auto -o ControlPath=/tmp/sshcm-%C -o PermitLocalCommand=yes' +fi +parse_remote() { + local remote="$1" + local jump_servers="" + # loop for jump servers + while [[ -n $remote ]]; do + local server=${remote%%,*} + remote=${remote#*,} + get_server_meta "$server" + if [[ -n "$RET_JUMP_SERVER" ]]; then + jump_servers="$jump_servers${jump_servers:+,}$RET_JUMP_SERVER" + fi + # only if all servers are trusted + TRUST_SERVER=$((TRUST_SERVER*RET_TRUST_SERVER)) + if [[ "$server" == "$remote" || -z "$remote" ]]; then + SERVER="$RET_HOSTNAME" + PORT="$RET_PORT" + USERNAME="$RET_USERNAME" + remote="" + else + jump_servers="$jump_servers${jump_servers:+,}$RET_USERNAME${RET_USERNAME:+@}$RET_HOSTNAME${RET_PORT:+:}$RET_PORT" + fi + done + # construct cmd + if [[ "$RIOT_TRUST_SERVER" == "1" || "$TRUST_SERVER" == "1" ]]; then + SSH_OPTIONS="$SSH_OPTIONS -o ForwardX11=yes -o ForwardAgent=yes" + fi + if [[ -n "$jump_servers" ]]; then + SSH_OPTIONS="$SSH_OPTIONS -o ProxyJump=$jump_servers" + fi +} + +eval_or_echo() { + if [[ "$DFS_DRY_RUN" == "1" ]]; then + echo $@ + else + eval $@ + fi +} + +# ssh series +prepare_ssh_cmd() { + local ssh_bin="${1:-ssh}" + if [[ "$ssh_bin" == "scp" || "$ssh_bin" == "sftp" ]]; then + local port_param='-P' + else + local port_param='-p' + fi + echo "$ssh_bin ${PORT:+$port_param} $PORT $SSH_OPTIONS $SCP_SRC $USERNAME${USERNAME:+@}$SERVER $SCP_DST" +} + # ssh run_ssh() { - CMD="ssh -p $PORT $SSH_OPTIONS $SSH_USERNAME@$SERVER" - fmt_note "-->" $CMD - eval $CMD + local cmd="$(prepare_ssh_cmd $1)" + fmt_note "-->" $cmd + eval_or_echo $cmd } # sshl run_sshl() { - if [[ -z "$1" || "$1" != *":"* ]]; then - fmt_fatal "invalid remote address: $1" + local arg="$1" + if [[ "$arg" != *":"* ]]; then + # treat as a port number + arg=localhost:$arg fi while local port=$(shuf -n 1 -i 49152-65535) @@ -60,26 +144,50 @@ run_sshl() do continue done - CMD="ssh -p $PORT $SSH_OPTIONS -NC -L $port:$1 $SSH_USERNAME@$SERVER" - fmt_note "-->" $CMD + + SSH_OPTIONS="$SSH_OPTIONS -NC -L $port:$arg" + local cmd="$(prepare_ssh_cmd ssh)" + fmt_note "-->" $cmd fmt_note " > please access localhost:$port" - eval $CMD + eval_or_echo $cmd +} + +# scp +run_scp() { + local src="$1" + local dst="$2" + local dst_is_remote=1 + # whoever is ./*, it can't be the remote; whoever not exists on local, it's possible the remote. + # it is suggested to use ./* for local files. + if [[ "$src" != "./"* && ( "$dst" == "./"* || ( ! -e "$src" && -e "$dst" ) ) ]]; then + dst_is_remote=0 + fi + if [[ "$dst_is_remote" == "1" ]]; then + SCP_SRC=\""$src"\" + SERVER="$SERVER":\""$dst"\" + else + SERVER="$SERVER":\""$src"\" + SCP_DST=\""$dst"\" + fi + SSH_OPTIONS="$SSH_OPTIONS -r" + local cmd="$(prepare_ssh_cmd scp)" + fmt_note "-->" $cmd + eval_or_echo $cmd } # main print_help() { fmt_info "usage: $0 [command] [options]" - echo "available commands: ssh (default), sshl (ssh -L)" + echo "available commands: ssh (default), sshl (ssh -L), zssh, sftp" } -router() -{ +router() { if [[ -z "$1" || "$1" == "-h" || "$1" == "--help" ]]; then print_help exit fi - get_server_meta "$1" + parse_remote "$1" case $2 in -h|--help) print_help @@ -88,9 +196,21 @@ router() ssh|"" ) run_ssh ;; + zssh ) + run_ssh zssh + ;; + sftp ) + run_ssh sftp + ;; sshl ) + test -n "$3" || fmt_fatal "no target address provided" run_sshl "$3" ;; + scp ) + test -n "$3" || fmt_fatal "no source path specified" + test -n "$4" || fmt_fatal "no destination path specified" + run_scp "$3" "$4" + ;; * ) print_help fmt_fatal "unknown command: $2" diff --git a/tools/common.sh b/tools/common.sh index a1d091b..4cc6c6b 100755 --- a/tools/common.sh +++ b/tools/common.sh @@ -3,7 +3,7 @@ set -e THIS_DIR_COMMON_SH=$( cd "$( dirname "${BASH_SOURCE[0]:-${(%):-%x}}" )" && pwd ) export DOTFILES=$( cd "$THIS_DIR_COMMON_SH/.." && pwd ) if [[ -f ~/.config/dotfiles/env ]]; then set -a; source ~/.config/dotfiles/env; set +a; fi -if [[ "$DFS_DEBUG" == "1" ]]; then set -x; fi +if [[ "$DFS_DEV" == "1" ]]; then set -x; fi DFS_CURL_OPTIONS="--retry 2 --max-time 20" # parse args and set env, when it is sourced @@ -17,8 +17,9 @@ if [[ "${BASH_SOURCE[0]}" != "${0}" ]]; then case $ARG in -q*|--quite ) export DFS_QUIET=1 ;; -l*|--lite ) export DFS_LITE=1 ;; + -d*|--dev ) export DFS_DEV=1; set -x ;; + -D*|--dry-run ) export DFS_DRY_RUN=1 ;; --color ) export DFS_COLOR=1 ;; - --dry-run ) export DFS_DRY_RUN=1 ;; # TODO!!! --*=* ) GOT_OPTS+=("${ARG%%=*}" "${ARG#*=}") ;; --* ) GOT_OPTS+=("$ARG") ;; -* ) GOT_OPTS+=("${ARG:0:2}") ;; diff --git a/tools/sagent.sh b/tools/sagent.sh index dd524bf..24e5024 100755 --- a/tools/sagent.sh +++ b/tools/sagent.sh @@ -79,6 +79,10 @@ all() route() { + os_type="$(get_os_type)" + if [[ "$os_type" == "msys" || "$os_type" == "cygwin" ]]; then + fmt_fatal "unsupported platform: $os_type. you may use WinCryptSSHAgent." + fi if [[ $# -eq 0 ]]; then all return diff --git a/tools/test.zsh b/tools/test.zsh index 5a0b3f2..039d7c6 100644 --- a/tools/test.zsh +++ b/tools/test.zsh @@ -31,6 +31,7 @@ test $(echo n | tools/common.sh ask_for_yN "test") = "0" test $(echo | tools/common.sh ask_for_yN "test") = "0" test $(echo | tools/common.sh ask_for_Yn "test") = "1" test $(DFS_QUIET=1 tools/common.sh ask_for_Yn "test") = "1" +test "$(DFS_TRUST=1 riot time@is.impt:2222,yes@you-r.right,you@are.really.recht.,ibd.,try@it scp /tmp/ ./tmp -D 2>/dev/null)" = 'scp -P 12022 -o ControlMaster=auto -o ControlPath=/tmp/sshcm-%C -o PermitLocalCommand=yes -o ProxyJump=time@is.impt:2222,yes@you-r.right,you@are.really.recht.,ibd. -r try@it.ibd.ink:"/tmp/" "./tmp"' # check alias alias p114