mga-advisories: Add configuration for running mgaadv in a way which moves packages.

This adds an appropriate wrapper script to run the move script as
root (which is needed) while keeping the rest running as the mga-advisories
user.

Disable the cron script for now as we will move over to running the
full process but we should test it a bit first.

5 files changed, 32 insertions, 7 deletions

diff --git a/modules/mga-advisories/manifests/init.pp b/modules/mga-advisories/manifests/init.pp
index 714e947b..59b3fd4e 100644
--- a/modules/mga-advisories/manifests/init.pp
+++ b/modules/mga-advisories/manifests/init.pp
@@ -8,6 +8,8 @@ class mga-advisories(
   $advisories_dir = "${mgaadv_homedir}/advisories"
   $status_dir = "${mgaadv_homedir}/status"
   $update_script = '/usr/local/bin/update_mga-advisories'
+  $move_script = '/root/tmp/mgatools-new/mga-move-pkg'
+  $move_wrapper_script = '/usr/local/bin/mga-adv-move-pkg'
 
   group { $mgaadv_login:
     ensure => present,
@@ -73,12 +75,25 @@ class mga-advisories(
     content => template('mga-advisories/update_script'),
   }
 
-  cron { $update_script:
-    command => $update_script,
-    user    => $mgaadv_login,
-    hour    => '*',
-    minute  => '10',
-    require => Subversion::Snapshot[$advisories_dir],
+  file { $move_wrapper_script:
+    ensure  => present,
+    owner   => root,
+    group   => root,
+    mode    => '0755',
+    content => template('mga-advisories/adv-move-pkg'),
+  }
+
+  sudo::sudoers_config { 'mga-adv-move-pkg':
+    content => template('mga-advisories/sudoers.adv-move-pkg')
   }
+
+  # Disable for now... we may re-instate once it's been a little more tested.
+  #cron { $update_script:
+  #  command => $update_script,
+  #  user    => $mgaadv_login,
+  #  hour    => '*',
+  #  minute  => '10',
+  #  require => Subversion::Snapshot[$advisories_dir],
+  #}
 }
 # vim: sw=2
diff --git a/modules/mga-advisories/templates/adv-move-pkg b/modules/mga-advisories/templates/adv-move-pkg
new file mode 100644
index 00000000..39d246ec
--- /dev/null
+++ b/modules/mga-advisories/templates/adv-move-pkg
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$USER" != "<%= @mgaadv_login %>" ]; then
+	echo "This script must be run as the <%= @mgaadv_login %> user." >&2
+	exit 1
+fi
+
+exec sudo <%= @move_script %> "$@"
diff --git a/modules/mga-advisories/templates/mga-advisories.conf b/modules/mga-advisories/templates/mga-advisories.conf
index 1503b310..caf09a6c 100644
--- a/modules/mga-advisories/templates/mga-advisories.conf
+++ b/modules/mga-advisories/templates/mga-advisories.conf
@@ -1,5 +1,6 @@
 mode: site
 send_adv_mail: yes
+move_pkg_cmd: <%= @move_wrapper_script %>
 send_report_mail: yes
 out_dir: <%= @vhostdir %>
 advisories_dir: <%= @advisories_dir %>
diff --git a/modules/mga-advisories/templates/sudoers.adv-move-pkg b/modules/mga-advisories/templates/sudoers.adv-move-pkg
new file mode 100644
index 00000000..5d9618a9
--- /dev/null
+++ b/modules/mga-advisories/templates/sudoers.adv-move-pkg
@@ -0,0 +1 @@
+<%= @mgaadv_login %> ALL=(root) NOPASSWD:<%= @move_script %> *
diff --git a/modules/mga-advisories/templates/update_script b/modules/mga-advisories/templates/update_script
index cdd20ea2..71d8d1d4 100644
--- a/modules/mga-advisories/templates/update_script
+++ b/modules/mga-advisories/templates/update_script
@@ -13,4 +13,4 @@ fi
 
 cd <%= @advisories_dir %>
 svn up
-exec /usr/bin/mgaadv mksite
+exec /usr/bin/mgaadv process