minor fixes for limited access cca-operator roles

Author: OriHoch

cca-operator/Dockerfile

@@ -16,6 +16,9 @@ RUN apk update && apk add openssh-server openssh-sftp-server &&\
     ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
 
 COPY *.sh /cca-operator/
+COPY *.py /cca-operator/
+
+RUN chmod +x /cca-operator/*.sh /cca-operator/*.py
 
 WORKDIR /cca-operator
 

cca-operator/add-server-authorized-key.sh

@@ -10,7 +10,7 @@ mkdir -p /etc/ckan-cloud/cca-operator && chmod 700 /etc/ckan-cloud && chmod 700
 if [ -z "${CCA_OPERATOR_ROLE}" ]; then
     cat
 else
-    echo 'command="export CCA_OPERATOR_ROLE='${CCA_OPERATOR_ROLE}'; ./cca-operator.py \"${SSH_ORIGINAL_COMMAND}\""' $(cat)
+    echo 'command="export CCA_OPERATOR_ROLE='${CCA_OPERATOR_ROLE}'; ./cca-operator.sh ./cca-operator.py \"${SSH_ORIGINAL_COMMAND}\""' $(cat)
 fi >> /etc/ckan-cloud/cca-operator/sshd_authorized_keys
 [ "$?" != "0" ] && exit 1
 

cca-operator/cca-operator.py

@@ -5,18 +5,16 @@
 CCA_OPERATOR_ROLE = os.environ['CCA_OPERATOR_ROLE']
 
 
+ADMIN_ROLES = ['', 'admin']
+CONTINUOUS_DEPLOYMENT_ROLES = ADMIN_ROLES + ['continuous-deployment']
+
+
 def print_stderr(*args):
     print(*args, file=sys.stderr)
 
 
-if sys.argv[1] == 'patch-deployment':
-    namespace = sys.argv[2]
-    deployment = sys.argv[3]
-    container = sys.argv[4]
-    values_file = sys.argv[5]
-    backup_dir = sys.argv[6]
-    image_attrib = sys.argv[7]
-    image = sys.argv[7]
+if sys.argv[1].startswith('patch-deployment ') and CCA_OPERATOR_ROLE in CONTINUOUS_DEPLOYMENT_ROLES:
+    _, namespace, deployment, container, values_file, backup_dir, image_attrib, image = sys.argv[1].split(' ')
     with open(values_file) as f:
         values = yaml.load(f)
     os.system(f'mkdir -p {backup_dir}')