BackTunnel/scripts/backtunnel-share

#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-3.0-or-later
# Copyright (c) 2025 LUXIM d.o.o., Slovenia
# Author: Matjaž Mozetič
#
# Name: backtunnel-share
# Summary: Time-bounded reverse-SSH tunnel to expose the local SSH service for remote, temporary SFTP-based access.
# Description:
#   Sets up a reverse SSH tunnel (ssh -R) from a remote host back to the local sshd, for a fixed duration.
#   Prints an optional “invite” command that the remote side can run to mount a given local folder over SFTP
#   using a companion tool. Optionally and temporarily adds a restricted public key entry to authorized_keys,
#   scoped to localhost and internal-sftp only, and removes it on exit.
#
# Usage:
#   backtunnel-share /path/to/folder with remoteuser:remotehost for <duration> [options]
#
# Examples:
#   backtunnel-share ~/projects with alice:vps.example.com for 2h
#   backtunnel-share ~/projects with alice@vps.example.com for 1d -p 4422 -l 2222
#   backtunnel-share ~/projects with @work for 2h -i --qr --allow-known alice
#
# Dependencies:
#   - bash >= 4.x
#   - ssh, timeout, tail
#   - optional: qrencode (for --qr)
#
# Configuration:
#   Profiles file precedence (high → low):
#     - ${XDG_CONFIG_HOME:-$HOME/.config}/backtunnel/profiles.ini
#     - /etc/backtunnel/profiles.ini
#     - /usr/share/backtunnel/profiles.ini
#   Sections:
#     - [default]    global defaults
#     - [name]       referenced via @name → expands to user@host and overrides select defaults
#
# Exit codes:
#   0    success (including duration reached)
#   1    invalid usage/arguments or validation failure
#   124  timeout reached (handled and normalized to 0 when expected)
#   2+   other runtime errors (from commands like ssh/timeout/tail)
#
# Security:
#   - Reverse tunnel binds on remote loopback only (127.0.0.1:PORT).
#   - Temporary authorized_keys entries (if enabled) are restricted with:
#       from="127.0.0.1",command="internal-sftp",restrict
#     and are removed on exit via trap.
#   - ~/.ssh perms are enforced (700 dir, 600 authorized_keys).
#
# Portability/Assumptions:
#   - Uses bash arrays, [[ ]] tests, and bash-specific parameter expansions.
#   - Uses awk for INI parsing (best-effort).
#
# Notes:
#   - set -euo pipefail: stop on error/undefined vars; treat pipeline errors as failures.
#   - Traps ensure SSH child is terminated and temporary keys are cleaned up.

# backtunnel-share: Share a folder using reverse SSH for a limited duration
# Syntax:
#   backtunnel-share /path/to/folder with remoteuser:remotehost for 2h [options]
#
# Options:
#   -p|--tunnel-port <PORT>     Remote port to expose with -R (default: 2222)
#   -l|--local-ssh-port <PORT>  Local sshd port to forward to (default: 22)
#   -i|--invite                 Print an invite command (and/or QR) for chat
#      --invite-mount <PATH>    Suggested mount point in invite (default: $HOME/remote-rssh)
#      --invite-file <FILE>     Also write invite text (with unmount hint) to FILE
#      --qr                     Also render the invite command as a QR code (qrencode)
#   --allow-key <FILE>          Temporarily authorize accessor's public key for this session
#   --allow-known <NAME>        Temporarily authorize ~/.config/backtunnel/authorized/NAME.pub
#   -h|--help                   Show help
#
# Profiles: ~/.config/backtunnel/profiles.ini (overrides /etc/backtunnel/profiles.ini then /usr/share/backtunnel/profiles.ini)
#   [default] tunnel_port=2222 local_ssh_port=22 invite_mount=$HOME/remote-rssh invite=true qr=false
#   [alice]   user=alice host=vps.example.com tunnel_port=4422

set -euo pipefail

# ----------------------------
# Config discovery
# Purpose: choose the highest-precedence profiles.ini available.
# ----------------------------
CONFIG_USER="${XDG_CONFIG_HOME:-$HOME/.config}/backtunnel/profiles.ini"
CONFIG_SYS="/etc/backtunnel/profiles.ini"
CONFIG_PKG="/usr/share/backtunnel/profiles.ini"
if [[ -f "$CONFIG_USER" ]]; then
  CONFIG_FILE="$CONFIG_USER"
elif [[ -f "$CONFIG_SYS" ]]; then
  CONFIG_FILE="$CONFIG_SYS"
else
  CONFIG_FILE="$CONFIG_PKG"
fi

# ----------------------------
# INI helpers
# ----------------------------
# shellcheck disable=SC2317
# ini_get: read a value from CONFIG_FILE INI [SECTION] key=value
# Arguments:
#   $1: section name
#   $2: key
# Env:
#   CONFIG_FILE (read)
# Returns:
#   prints the value on success; empty string if not found
# Notes:
#   - Best-effort parsing; trims spaces around '=' and the value.
ini_get() { # ini_get SECTION KEY -> value
  local sec="$1" key="$2"
  awk -v s="[""$sec""]" -v k="$key" '
    $0==s {ok=1; next}
    /^\[/ {ok=0}
    ok && $0 ~ /^[[:alnum:]_.-]+[[:space:]]*=/ {
      line=$0
      sub(/[[:space:]]*=[[:space:]]*/, "=", line)
      split(line,a,"=")
      if (a[1]==k) {
        val=substr(line, index(line,"=")+1)
        gsub(/^[[:space:]]+|[[:space:]]+$/,"",val)
        print val
        exit
      }
    }' "${CONFIG_FILE}" 2>/dev/null || true
}

# shellcheck disable=SC2317
# profile_expand_remote: expand @name -> user@host based on profiles.ini, else pass through.
# Arguments:
#   $1: input remote spec (e.g., @work or user@host or user:host)
# Returns:
#   prints expanded remote (user@host) if @name is resolvable; otherwise returns input unchanged
profile_expand_remote() { # "@name" -> user@host, otherwise pass through
  local in="$1"
  if [[ "$in" == @* ]]; then
    local name="${in#@}" user host
    user="$(ini_get "$name" user)"
    host="$(ini_get "$name" host)"
    if [[ -n "$user" && -n "$host" ]]; then
      printf '%s@%s\n' "$user" "$host"
      return 0
    fi
  fi
  printf '%s\n' "$in"
}

# shellcheck disable=SC2317
# profile_apply_defaults: set global defaults from [default], then override from named profile.
# Arguments:
#   $1: profile name (without '@'), may be empty
# Side effects:
#   - Modifies global variables: TUNNEL_PORT, LOCAL_SSH_PORT, INVITE_MOUNT, INVITE, QR, DURATION
# Notes:
#   - Only applies default values if globals still hold built-in defaults.
profile_apply_defaults() { # set globals if unset; named overrides default
  local name="$1" v
  # defaults
  v="$(ini_get default tunnel_port)";    [[ -n "$v" && "${TUNNEL_PORT}" == "2222" ]] && TUNNEL_PORT="$v"
  v="$(ini_get default local_ssh_port)"; [[ -n "$v" && "${LOCAL_SSH_PORT}" == "22"  ]] && LOCAL_SSH_PORT="$v"
  v="$(ini_get default invite_mount)";   [[ -n "$v" && "${INVITE_MOUNT}" == "$HOME/remote-rssh" ]] && INVITE_MOUNT="$v"
  v="$(ini_get default invite)";         [[ "${v,,}" == "true" ]] && INVITE=true
  v="$(ini_get default qr)";             [[ "${v,,}" == "true" ]] && QR=true
  if [[ -z "$DURATION" ]]; then
    v="$(ini_get default duration)";     [[ -n "$v" ]] && DURATION="$v"
  fi
  # named section
  if [[ -n "$name" ]]; then
    v="$(ini_get "$name" tunnel_port)";    [[ -n "$v" ]] && TUNNEL_PORT="$v"
    v="$(ini_get "$name" local_ssh_port)"; [[ -n "$v" ]] && LOCAL_SSH_PORT="$v"
    v="$(ini_get "$name" invite_mount)";   [[ -n "$v" ]] && INVITE_MOUNT="$v"
  fi
}

# ----------------------------
# Defaults
# Purpose: initialize built-in defaults before applying profiles and flags.
# ----------------------------
TUNNEL_PORT=2222        # remote-side port exposed via -R
LOCAL_SSH_PORT=22       # local sshd port to forward to
DURATION=""             # required: e.g. 30m, 2h, 1d

INVITE=false            # print a ready-to-copy access command
INVITE_MOUNT="$HOME/remote-rssh"
INVITE_FILE=""
QR=false                # render invite as terminal QR (requires qrencode)

# Accessor authorization (session-scoped)
ALLOW_KEY_FILE=""
ALLOW_KNOWN_NAME=""
AUTHORIZED_STORE="${XDG_CONFIG_HOME:-$HOME/.config}/backtunnel/authorized"
ADDED_MARKER_ID=""      # unique ID for cleanup removal

usage() {
  cat >&2 <<EOF
Usage:
  $(basename "$0") /path/to/folder with remoteuser:remotehost for <duration> [options]

Positional (required, in order):
  /path/to/folder         Informational only (the actual folder is mounted by backtunnel-access)
  with                    Literal keyword
  remoteuser:remotehost   Or remoteuser@remotehost (or @profile)
  for                     Literal keyword
  <duration>              e.g. 30m, 2h, 1d (passed to 'timeout')

Options:
  -p, --tunnel-port N       Remote tunnel port (default: ${TUNNEL_PORT})
  -l, --local-ssh-port N    Local sshd port to expose (default: ${LOCAL_SSH_PORT})
  -i, --invite              Print a ready-to-copy access command for the remote side
      --invite-mount PATH   Mount point suggested in invite (default: ${INVITE_MOUNT})
      --invite-file FILE    Also write the invite text (with unmount hint) to FILE
      --qr                  Also print a QR code (requires 'qrencode')

  --allow-key FILE          Authorize this public key for this session (restricted SFTP-only, tunnel-only)
  --allow-known NAME        Authorize ~/.config/backtunnel/authorized/NAME.pub

  -h, --help                Show this help

Examples:
  $(basename "$0") ~/projects with alice:vps.example.com for 2h
  $(basename "$0") ~/projects with alice@vps.example.com for 1d -p 4422 -l 2222
  $(basename "$0") ~/projects with @work for 2h -i --qr --allow-known alice
EOF
  exit 1
}

# ----------------------------
# Positional parsing
# Purpose: enforce command grammar and capture the five required positionals.
# ----------------------------
[[ $# -lt 5 ]] && usage

FOLDER=$1
KW1=$2
REMOTE=$3
KW2=$4
DURATION=$5
shift 5 || true

[[ "$KW1" != "with" ]] && usage
[[ "$KW2" != "for"  ]] && usage

# Apply [default] + named profile (if REMOTE is @name) before flag overrides
profile_name=""
if [[ "$REMOTE" == @* ]]; then
  profile_name="${REMOTE#@}"
fi
profile_apply_defaults "$profile_name"
# Expand @name -> user@host for actual ssh use
REMOTE="$(profile_expand_remote "$REMOTE")"

# ----------------------------
# Optional flags
# Purpose: parse options and override derived defaults.
# ----------------------------
while [[ $# -gt 0 ]]; do
  case "$1" in
    -p|--tunnel-port)
      [[ $# -lt 2 ]] && usage
      TUNNEL_PORT=$2
      shift 2
      ;;
    -l|--local-ssh-port)
      [[ $# -lt 2 ]] && usage
      LOCAL_SSH_PORT=$2
      shift 2
      ;;
    -i|--invite)
      INVITE=true
      shift
      ;;
    --invite-mount)
      [[ $# -lt 2 ]] && usage
      INVITE_MOUNT=$2
      shift 2
      ;;
    --invite-file)
      [[ $# -lt 2 ]] && usage
      INVITE_FILE=$2
      shift 2
      ;;
    --qr)
      QR=true
      shift
      ;;
    --allow-key)
      [[ $# -lt 2 ]] && usage
      ALLOW_KEY_FILE=$2
      shift 2
      ;;
    --allow-known)
      [[ $# -lt 2 ]] && usage
      ALLOW_KNOWN_NAME=$2
      shift 2
      ;;
    -h|--help)
      usage
      ;;
    *)
      echo "Unknown option: $1" >&2
      usage
      ;;
  esac
done

# ----------------------------
# Duration validation
# Purpose: accept forms like 30m, 2h, 1d (s/m/h/d).
# ----------------------------
if [[ ! "$DURATION" =~ ^[0-9]+[smhd]$ ]]; then
  echo "Invalid duration '$DURATION' (use forms like 30m, 2h, 1d)." >&2
  exit 1
fi

# ----------------------------
# Split remote user/host
# Purpose: support user:host or user@host; reject anything else (except @profile pre-expanded).
# ----------------------------
REMOTE_USER="" REMOTE_HOST=""
if [[ "$REMOTE" == *:* ]]; then
  REMOTE_USER=${REMOTE%%:*}
  REMOTE_HOST=${REMOTE#*:}
elif [[ "$REMOTE" == *"@"* ]]; then
  REMOTE_USER=${REMOTE%%@*}
  REMOTE_HOST=${REMOTE#*@}
else
  echo "Invalid remote format. Use remoteuser:remotehost or remoteuser@remotehost or @profile" >&2
  exit 1
fi

# ----------------------------
# Deps check
# Purpose: fail fast if mandatory tools are missing.
# ----------------------------
command -v ssh >/dev/null 2>&1 || { echo "ssh not found."; exit 1; }
command -v timeout >/dev/null 2>&1 || { echo "timeout not found."; exit 1; }
command -v tail >/dev/null 2>&1 || { echo "tail not found."; exit 1; }

# ----------------------------
# Accessor temporary authorization
# Purpose: optionally add and later remove a restricted authorized_keys entry.
# ----------------------------
# restrict_key_line: produce a hardened authorized_keys line for an OpenSSH public key.
# Arguments:
#   $1: public key text (one line, ssh-*)
# Returns:
#   prints a restricted options prefix + key; nonzero if key is invalid
restrict_key_line() { # usage: restrict_key_line <pubkey_text>
  local pk="$1"
  # Normalize
  pk="${pk//$'\r'/}"
  pk="${pk//$'\n'/}"
  if [[ "$pk" != ssh-* ]]; then
    echo "Provided key does not look like an OpenSSH public key." >&2
    return 1
  fi
  printf 'from="127.0.0.1",command="internal-sftp",restrict %s' "$pk"
}

# add_temp_authorized_key: append a uniquely marked restricted key block to ~/.ssh/authorized_keys.
# Arguments:
#   $1: public key text
# Side effects:
#   - Ensures ~/.ssh perms (700) and authorized_keys perms (600)
#   - Writes marker lines and sets ADDED_MARKER_ID for later removal
add_temp_authorized_key() {
  local pubkey_text="$1"
  local ak="$HOME/.ssh/authorized_keys"
  # SC2155: Declare and assign separately to avoid masking return values.
  # shellcheck disable=SC2155
  local marker
  marker="BACKTUNNEL-TEMP-$(date +%s)-$$-$RANDOM"
  local start="# ${marker} START"
  local end="# ${marker} END"

  mkdir -p "$HOME/.ssh"
  touch "$ak"
  chmod 700 "$HOME/.ssh"
  chmod 600 "$ak"

  local restricted
  restricted="$(restrict_key_line "$pubkey_text")" || return 1

  {
    echo "$start"
    echo "$restricted"
    echo "$end"
  } >> "$ak"

  ADDED_MARKER_ID="$marker"
}

# shellcheck disable=SC2317
# remove_temp_authorized_key: delete the previously added marked block from authorized_keys.
# Env:
#   ADDED_MARKER_ID (read)
# Notes:
#   No-op if no marker or authorized_keys missing. Best-effort; ignores errors.
remove_temp_authorized_key() {
  local ak="$HOME/.ssh/authorized_keys"
  [[ -z "${ADDED_MARKER_ID:-}" ]] && return 0
  [[ -f "$ak" ]] || return 0
  awk -v m="$ADDED_MARKER_ID" '
    $0 ~ "# " m " START" {skip=1; next}
    $0 ~ "# " m " END"   {skip=0; next}
    !skip {print}
  ' "$ak" > "${ak}.btnew" && mv "${ak}.btnew" "$ak"
}

ACCESSOR_PUBKEY_TEXT=""

if [[ -n "$ALLOW_KNOWN_NAME" ]]; then
  f="${AUTHORIZED_STORE}/${ALLOW_KNOWN_NAME}.pub"
  if [[ -f "$f" ]]; then
    ACCESSOR_PUBKEY_TEXT="$(cat "$f")"
  else
    echo "Known accessor key not found: $f" >&2
    exit 1
  fi
fi

if [[ -n "$ALLOW_KEY_FILE" ]]; then
  if [[ -f "$ALLOW_KEY_FILE" ]]; then
    ACCESSOR_PUBKEY_TEXT="$(cat "$ALLOW_KEY_FILE")"
  else
    echo "Given key file not found: $ALLOW_KEY_FILE" >&2
    exit 1
  fi
fi

if [[ -n "$ACCESSOR_PUBKEY_TEXT" ]]; then
  add_temp_authorized_key "$ACCESSOR_PUBKEY_TEXT"
fi

# ----------------------------
# Banner
# Purpose: inform the user what will happen and where to connect from the remote.
# ----------------------------
echo "⏳ Sharing '${FOLDER}' via reverse SSH:"
echo "    local sshd port     : ${LOCAL_SSH_PORT}"
echo "    remote bind port    : ${TUNNEL_PORT} (on ${REMOTE_HOST})"
echo "    remote user         : ${REMOTE_USER}"
echo "    duration            : ${DURATION}"
if [[ -n "$ACCESSOR_PUBKEY_TEXT" ]]; then
  echo "    accessor key        : temporarily authorized (restricted)"
fi
echo

# ----------------------------
# Invite (optional)
# Purpose: print a ready-to-copy command (and QR) for the remote side.
# Notes:
#   If a key was not pre-authorized, prepend an auth-setup step executed over the tunnel.
# ----------------------------
if $INVITE; then
  INVITE_CMD="backtunnel-access '${FOLDER}' from ${REMOTE_USER}@${REMOTE_HOST} -p ${TUNNEL_PORT} -m '${INVITE_MOUNT}'"

  if [[ -z "$ACCESSOR_PUBKEY_TEXT" ]]; then
    AUTH_CMD="backtunnel-auth-setup -p ${TUNNEL_PORT} ${REMOTE_USER}@localhost"
    INVITE_TEXT=$(
      cat <<EOT

# 1) (one-time) install a tunnel-only, SFTP-only key via the reverse tunnel:
${AUTH_CMD}

# 2) mount the share:
${INVITE_CMD}

# Unmount when done:
fusermount -u '${INVITE_MOUNT}' || fusermount3 -u '${INVITE_MOUNT}'
EOT
    )
  else
    AUTH_CMD=""
    INVITE_TEXT=$(
      cat <<EOT

# Mount the share:
${INVITE_CMD}

# Unmount when done:
fusermount -u '${INVITE_MOUNT}' || fusermount3 -u '${INVITE_MOUNT}'
EOT
    )
  fi

  echo "🔗 Invite (copy to chat):"
  echo "------------------------------------------------------------"
  [[ -n "$AUTH_CMD" ]] && echo "${AUTH_CMD}"
  echo "${INVITE_CMD}"
  echo "------------------------------------------------------------"

  if [[ -n "${INVITE_FILE}" ]]; then
    printf "%s\n" "${INVITE_TEXT}" > "${INVITE_FILE}"
    echo "Saved invite to: ${INVITE_FILE}"
  fi
  if $QR; then
    if command -v qrencode >/dev/null 2>&1; then
      echo
      echo "📱 QR (scan to copy the command):"
      printf "%s" "${INVITE_CMD}" | qrencode -t ansiutf8
    else
      echo "⚠️  'qrencode' not installed; skipping QR."
    fi
  fi
  echo
fi

echo "Tip: On the remote side, mount with:"
echo "     backtunnel-access '${FOLDER}' from ${REMOTE_USER}@${REMOTE_HOST} -p ${TUNNEL_PORT}"
echo "Listener will appear on: ${REMOTE_HOST}:${TUNNEL_PORT} (run access there)."
echo "To stop sharing early: press Ctrl+C in this window."

# ----------------------------
# Pre-flight: warn if remote loopback port already in use (best-effort)
# Purpose: give an actionable warning before attempting the -R bind.
# ----------------------------
if ssh -o BatchMode=yes -o ConnectTimeout=5 "${REMOTE_USER}@${REMOTE_HOST}" \
     "command -v nc >/dev/null 2>&1 && nc -z 127.0.0.1 ${TUNNEL_PORT}"; then
  echo "⚠️  Port ${TUNNEL_PORT} on remote 127.0.0.1 appears in use; choose another with -p." >&2
  # You may 'exit 1' here if you prefer a hard failure
fi

# ----------------------------
# Cleanup & run SSH
# Purpose: start the tunnel, wait bounded by duration, and guarantee cleanup via trap.
# ----------------------------
SSH_PID=""

# shellcheck disable=SC2317
# cleanup: stop the background ssh process and remove any temporary authorized key.
# Notes:
#   - Invoked on INT/TERM/EXIT to ensure resources are released.
cleanup() {
  # stop ssh child if running
  if [[ -n "${SSH_PID:-}" ]] && kill -0 "$SSH_PID" 2>/dev/null; then
    echo "⏹️  Stopping share..."
    kill -TERM "$SSH_PID" 2>/dev/null || true
    wait "$SSH_PID" 2>/dev/null || true
  fi
  # remove temporary authorized key if we added one
  remove_temp_authorized_key
}
trap cleanup INT TERM EXIT

# Start reverse-tunnel ssh in background with keepalives + fast-fail on -R bind
ssh -N \
  -o ExitOnForwardFailure=yes \
  -o ServerAliveInterval=15 \
  -o ServerAliveCountMax=3 \
  -R "${TUNNEL_PORT}:localhost:${LOCAL_SSH_PORT}" \
  -- "${REMOTE_USER}@${REMOTE_HOST}" &
SSH_PID=$!

# Wait for ssh to exit, but bounded by duration:
# Rationale: use 'timeout … tail --pid=PID -f /dev/null' to avoid subshell/wait-loop complexity.
if timeout "$DURATION" tail --pid="$SSH_PID" -f /dev/null; then
  # ssh exited on its own before timeout
  exit 0
else
  rc=$?
  if [[ $rc -eq 124 ]]; then
    echo "⏹️  Sharing ended: reached duration (${DURATION})."
    # ensure the child is gone
    if kill -0 "$SSH_PID" 2>/dev/null; then
      kill -TERM "$SSH_PID" 2>/dev/null || true
      wait "$SSH_PID" 2>/dev/null || true
    fi
    exit 0
  fi
  # other error from timeout/tail
  exit "$rc"
fi