authorSean Whitton <spwhitton@spwhitton.name>2021-02-21 15:14:54 -0700
committerSean Whitton <spwhitton@spwhitton.name>2021-02-21 15:18:51 -0700
commit01ce41d093ce6e1120ee91e36ced7ed4d557632d (patch)
tree06a04194cdf48da5f036847b5acd05dafc83b99f
parentee839dcc62d30970f1d9850162e4479df8374c2e (diff)
downloadconsfigurator-01ce41d093ce6e1120ee91e36ced7ed4d557632d.tar.gz
start figuring out :SUDO connection type
Signed-off-by: Sean Whitton <spwhitton@spwhitton.name>
-rw-r--r--doc/data.rst12
-rw-r--r--src/connection.lisp11
-rw-r--r--src/connection/sudo.lisp63
-rw-r--r--src/deployment.lisp3
-rw-r--r--src/package.lisp4
5 files changed, 90 insertions, 3 deletions
diff --git a/doc/data.rst b/doc/data.rst
index d30eab8..be2d98c 100644
--- a/doc/data.rst
+++ b/doc/data.rst
@@ -23,8 +23,16 @@ other purposes.
- ``(HOSTNAME . PATH)`` means the data that should be uploaded to ``PATH`` on
``HOSTNAME`` (and nowhere else)
-- ``("lisp-system" . SYSTEM)`` means the data is Lisp code which, when loaded,
- defines the packages and symbols contained in the ASDF system ``SYSTEM``.
+- ``("--lisp-system" . SYSTEM)`` means the data is Lisp code which, when
+ loaded, defines the packages and symbols contained in the ASDF system
+ ``SYSTEM``
+
+- ``("--user-passwd--HOSTNAME" . USER)`` means the data is the password for
+ user ``USER`` on ``HOSTNAME``.
+
+(Proposed convention: Except for the first item above, these reserved names
+should start with ``--`` and use ``--`` to separate parameter values within
+the string. Hostnames cannot start with a hyphen.)
Mechanics
---------
diff --git a/src/connection.lisp b/src/connection.lisp
index ce1bdda..00924a3 100644
--- a/src/connection.lisp
+++ b/src/connection.lisp
@@ -39,6 +39,17 @@ returns a object suitable to be the value of *CONNECTION*.
Any implementation which hands over to a remote Lisp image will need to
upload any prerequisite data required by the deployment."))
+(defgeneric preprocess-connection-args (type &key)
+ (:documentation
+ "Hook to allow connection types to do work in the root Lisp before
+Consfigurator begins the attempt to establish the connection chain. The
+return value is used as replacement keyword arguments to the connection.
+
+For an example of usage, see the :SUDO connection type."))
+
+(defmethod preprocess-connection-args ((type symbol) &key)
+ (values))
+
(defclass connection ()
((parent
:initform *connection*
diff --git a/src/connection/sudo.lisp b/src/connection/sudo.lisp
new file mode 100644
index 0000000..8a69a61
--- /dev/null
+++ b/src/connection/sudo.lisp
@@ -0,0 +1,63 @@
+;;; Consfigurator -- Lisp declarative configuration management system
+
+;;; Copyright (C) 2021 Sean Whitton <spwhitton@spwhitton.name>
+
+;;; This file is free software; you can redistribute it and/or modify
+;;; it under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3, or (at your option)
+;;; any later version.
+
+;;; This file is distributed in the hope that it will be useful,
+;;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+
+;;; You should have received a copy of the GNU General Public License
+;;; along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+(in-package :consfigurator.connection.sudo)
+
+;; Note that a password needed to sudo is technically not a piece of
+;; prerequisite data required by a deployment, because it is not used in
+;; deploying properties in the context of a connection chain which has already
+;; been fully established. Nevertheless, we can query sources of prerequisite
+;; data to obtain passwords by following the conventions for having
+;; prerequisite data sources provide them.
+
+;; Passing :as implies using a password, not passing it means assume NOPASSWD.
+;; We only support querying prerequisite data sources for passwords.
+
+;; Be aware that if any connection types which start up remote Lisp images
+;; occur before a :sudo entry in your connection chain, ESTABLISH-CONNECTION
+;; will need to inform the newly-started remote Lisp image of any sudo
+;; passwords needed for establishing the remaining hops. Depending on how the
+;; connection type feeds instructions to the remote Lisp image, this may
+;; involve writing your sudo password to a file under ~/.cache on the machine
+;; which runs the remote Lisp image. At least :debian-sbcl avoids this by
+;; sending your password in on stdin.
+
+(defmethod preprocess-connection-args ((type (eql :sudo)) &key as to)
+ (list :sudo
+ :user to
+ :password (and
+ as
+ (destructuring-bind (user host)
+ (split-string as :separator "@")
+ (get-data-string (strcat "-user-passwd--" host) user)))))
+
+(defmethod establish-connection ((type (eql :sudo))
+ remaining
+ &key
+ user
+ password)
+ (declare (ignore remaining))
+ (make-instance 'sudo-connection :user user :password password))
+
+(defclass sudo-connection (posix-connection)
+ ((user
+ :initarg :user)
+ (password
+ :initarg :password)))
+
+;; always wrap in sh -c so that we can be sure that a password will be
+;; consistently asked for or not asked for.
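Review bot: The prerequisite data name built by `(strcat "-user-passwd--" host)` has a single leading hyphen, while doc/data.rst in this same commit documents the name as `("--user-passwd--HOSTNAME" . USER)` with two; one side must change or the password lookup will never match what data sources provide. The `destructuring-bind (user host)` over `(split-string as :separator "@")` signals an opaque destructuring error when `:as` has no `@` or more than one; a guard such as `(unless (= 2 (length parts)) (error "~A: expected USER@HOST" as))` fails earlier with a clearer message. Since the `password` slot holds a plaintext credential and the file's own comment notes that connection state may be shipped to a remote Lisp image, consider a `print-object` method on `sudo-connection` that omits that slot, so the password cannot leak through debug output or backtraces.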
diff --git a/src/deployment.lisp b/src/deployment.lisp
index b7bc68d..cf6d0ae 100644
--- a/src/deployment.lisp
+++ b/src/deployment.lisp
@@ -138,7 +138,8 @@ DEFHOST forms can override earlier entries (see DEFHOST's docstring)."
(error "Cannot apply :lisp properties using :posix connection"))
(eval-propspec propspec)))
(connect (loop for connection in (ensure-cons connections)
- collect (ensure-cons connection))))))
+ collect (mapcar #'preprocess-connection-args
+ (ensure-cons connection)))))))
(defprop deploys :posix (connection host &rest additional-properties)
"Execute a Consfigurator deployment.
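Review bot: `(mapcar #'preprocess-connection-args (ensure-cons connection))` calls the generic once per element of the connection spec, so for a spec like `(:sudo :as "root@host" :to "root")` it is invoked with `:as` and then with the string `"root@host"` as the type argument, for which no method is applicable. The generic is declared as `(type &key)`, so the intended call is `(apply #'preprocess-connection-args (ensure-cons connection))`, and since the :SUDO method returns the full spec including the leading `:sudo`, `apply` yields a replacement connection spec directly. The enclosing function starts outside the hunk.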
diff --git a/src/package.lisp b/src/package.lisp
index 8c0162b..7bc7135 100644
--- a/src/package.lisp
+++ b/src/package.lisp
@@ -57,6 +57,7 @@
;; connection.lisp
#:establish-connection
+ #:preprocess-connection-args
#:connection
#:lisp-connection
#:posix-connection
@@ -121,6 +122,9 @@
(defpackage :consfigurator.connection.ssh
(:use #:cl #:consfigurator #:alexandria))
+(defpackage :consfigurator.connection.sudo
+ (:use #:cl #:consfigurator #:alexandria))
+
(defpackage :consfigurator.connection.local
(:use #:cl #:consfigurator #:alexandria)
(:export #:local-connection))
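Review bot: The new `consfigurator.connection.sudo` package exports nothing, whereas the sibling `consfigurator.connection.local` shown directly below it exports `#:local-connection`. If `sudo-connection` is meant to be referenced outside its package (for example by other connection types dispatching on it), add `(:export #:sudo-connection)` for consistency; if it is intentionally internal, a short comment saying so would save the next reader the question.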