fix : changelog plus readme a jour

RecetteScripts/rebuild-bdd-recette.sh

@@ -65,8 +65,10 @@ set +a
 ###############################################################################
 LOCAL_RESTORE_DIR="${LOCAL_RESTORE_DIR:-${SCRIPT_DIR}/restore_tmp}"
 REMOTE_ROLES_DIR_NAME="${REMOTE_ROLES_DIR_NAME:-user}"
+BACKUP_REMOTE_SSH_PORT="${BACKUP_REMOTE_SSH_PORT:-22}"
 SSH_CONNECT_TIMEOUT="${SSH_CONNECT_TIMEOUT:-8}"
 DISCORD_WEBHOOK_URL="${DISCORD_WEBHOOK_URL:-}"
+EXCLUDED_RESTORE_ROLES="${EXCLUDED_RESTORE_ROLES:-postgres}"
 
 ###############################################################################
 # Préparation des dossiers locaux
@@ -115,6 +117,35 @@ require_cmd() {
   command -v "$1" >/dev/null 2>&1
 }
 
+sql_escape_literal() {
+  local s="${1:-}"
+  s="${s//\'/\'\'}"
+  printf "%s" "$s"
+}
+
+validate_db_name() {
+  local db_name="$1"
+
+  [[ -n "$db_name" ]] || fail "nom de base vide"
+  [[ "$db_name" =~ ^[A-Za-z0-9_]+$ ]] || \
+    fail "nom de base invalide : seuls les lettres, chiffres et underscores sont autorisés"
+}
+
+build_excluded_roles_regex() {
+  local role regex=""
+
+  for role in $EXCLUDED_RESTORE_ROLES; do
+    [[ -z "$role" ]] && continue
+    [[ "$role" =~ ^[a-zA-Z_][a-zA-Z0-9_-]*$ ]] || fail "rôle exclu invalide : ${role}"
+    if [[ -n "$regex" ]]; then
+      regex+="|"
+    fi
+    regex+="$role"
+  done
+
+  printf '%s' "$regex"
+}
+
 ###############################################################################
 # Envoi Discord
 #
@@ -151,15 +182,28 @@ send_discord_message() {
 ###############################################################################
 [[ -f "$SSH_KEY" ]] || fail "clé SSH introuvable : $SSH_KEY"
 [[ -r "$SSH_KEY" ]] || fail "clé SSH non lisible : $SSH_KEY"
+[[ "$PGPORT" =~ ^[0-9]+$ ]] || fail "PGPORT invalide"
+[[ "$BACKUP_REMOTE_SSH_PORT" =~ ^[0-9]+$ ]] || fail "BACKUP_REMOTE_SSH_PORT invalide"
+[[ "$PGUSER" =~ ^[a-zA-Z0-9_][a-zA-Z0-9_-]*$ ]] || fail "PGUSER invalide"
 
 export PGPASSWORD
 
 SSH_OPTS=(
   -i "$SSH_KEY"
+  -p "$BACKUP_REMOTE_SSH_PORT"
   -o IdentitiesOnly=yes
   -o BatchMode=yes
   -o ConnectTimeout="$SSH_CONNECT_TIMEOUT"
-  -o StrictHostKeyChecking=accept-new
+  -o StrictHostKeyChecking=yes
+)
+
+SCP_OPTS=(
+  -i "$SSH_KEY"
+  -P "$BACKUP_REMOTE_SSH_PORT"
+  -o IdentitiesOnly=yes
+  -o BatchMode=yes
+  -o ConnectTimeout="$SSH_CONNECT_TIMEOUT"
+  -o StrictHostKeyChecking=yes
 )
 
 REMOTE_SSH="${BACKUP_REMOTE_USER}@${BACKUP_REMOTE_HOST}"
@@ -217,7 +261,7 @@ if [[ "$POSTGRES_INSTALLED" == "true" ]]; then
   log "Création du rôle PostgreSQL ${PGUSER} suite à une installation neuve..."
 
   sudo -u postgres psql -d postgres -c \
-    "CREATE ROLE \"${PGUSER}\" WITH LOGIN SUPERUSER CREATEDB CREATEROLE PASSWORD '${PGPASSWORD}';" \
+    "CREATE ROLE \"${PGUSER}\" WITH LOGIN SUPERUSER CREATEDB CREATEROLE PASSWORD '$(sql_escape_literal "$PGPASSWORD")';" \
     >>"$LOG_FILE" 2>&1 || fail "échec de création du rôle ${PGUSER}"
 
   log "Rôle PostgreSQL ${PGUSER} créé."
@@ -251,9 +295,10 @@ if [[ "${USE_LIST,,}" == "oui" || "${USE_LIST,,}" == "o" ]]; then
   DB="${DBS_ARRAY[$((DB_INDEX - 1))]}"
 else
   read -r -p "Nom exact de la base à restaurer : " DB
-  [[ -n "$DB" ]] || fail "nom de base vide"
 fi
 
+validate_db_name "$DB"
+
 log "Environnement : $ENV_NAME"
 log "Base cible sélectionnée : $DB"
 
@@ -312,7 +357,7 @@ LOCAL_DB_DUMP_FILE="${LOCAL_RESTORE_DIR}/$(basename "$LAST_REMOTE_DB_DUMP")"
 LOCAL_ROLES_FILE=""
 
 log "Téléchargement du dump..."
-scp "${SSH_OPTS[@]}" "${REMOTE_SSH}:${LAST_REMOTE_DB_DUMP}" "$LOCAL_DB_DUMP_FILE" \
+scp "${SCP_OPTS[@]}" "${REMOTE_SSH}:${LAST_REMOTE_DB_DUMP}" "$LOCAL_DB_DUMP_FILE" \
   >>"$LOG_FILE" 2>&1 || fail "échec du téléchargement du dump principal"
 
 ###############################################################################
@@ -322,7 +367,7 @@ if [[ -n "$LAST_REMOTE_ROLES_FILE" ]]; then
   LOCAL_ROLES_FILE="${LOCAL_RESTORE_DIR}/$(basename "$LAST_REMOTE_ROLES_FILE")"
 
   log "Téléchargement du fichier des rôles..."
-  scp "${SSH_OPTS[@]}" "${REMOTE_SSH}:${LAST_REMOTE_ROLES_FILE}" "$LOCAL_ROLES_FILE" \
+  scp "${SCP_OPTS[@]}" "${REMOTE_SSH}:${LAST_REMOTE_ROLES_FILE}" "$LOCAL_ROLES_FILE" \
     >>"$LOG_FILE" 2>&1 || fail "échec du téléchargement du fichier des rôles"
 else
   log "La restauration des rôles sera ignorée."
@@ -341,7 +386,7 @@ fi
 ###############################################################################
 DB_EXISTS="$(
   psql -h "$PGHOST" -p "$PGPORT" -U "$PGUSER" -d postgres -tAc \
-    "SELECT 1 FROM pg_database WHERE datname='${DB}'" 2>>"$LOG_FILE" || true
+    "SELECT 1 FROM pg_database WHERE datname='$(sql_escape_literal "$DB")'" 2>>"$LOG_FILE" || true
 )"
 
 if [[ "$DB_EXISTS" == "1" ]]; then
@@ -364,9 +409,14 @@ if [[ -n "$LOCAL_ROLES_FILE" ]]; then
   FILTERED_ROLES_FILE="${LOCAL_RESTORE_DIR}/filtered_$(basename "$LOCAL_ROLES_FILE")"
   ROLES_CREATE_LIST="${LOCAL_RESTORE_DIR}/roles_to_create_$(basename "$LOCAL_ROLES_FILE")"
   ROLES_APPLY_FILE="${LOCAL_RESTORE_DIR}/roles_apply_$(basename "$LOCAL_ROLES_FILE")"
+  EXCLUDED_ROLES_REGEX="$(build_excluded_roles_regex)"
 
-  grep -viE '^(CREATE ROLE|ALTER ROLE) (backup_liot|postgres)\b' "$LOCAL_ROLES_FILE" \
-    > "$FILTERED_ROLES_FILE" || true
+  if [[ -n "$EXCLUDED_ROLES_REGEX" ]]; then
+    grep -viE "^(CREATE ROLE|ALTER ROLE) (${EXCLUDED_ROLES_REGEX})\\b" "$LOCAL_ROLES_FILE" \
+      > "$FILTERED_ROLES_FILE" || true
+  else
+    cp "$LOCAL_ROLES_FILE" "$FILTERED_ROLES_FILE"
+  fi
 
   log "Fichier des rôles filtré généré : ${FILTERED_ROLES_FILE}"
 
@@ -383,7 +433,7 @@ if [[ -n "$LOCAL_ROLES_FILE" ]]; then
 
       ROLE_EXISTS="$(
         psql -h "$PGHOST" -p "$PGPORT" -U "$PGUSER" -d postgres -tAc \
-          "SELECT 1 FROM pg_roles WHERE rolname='${role_name}'" 2>>"$LOG_FILE" || true
+          "SELECT 1 FROM pg_roles WHERE rolname='$(sql_escape_literal "$role_name")'" 2>>"$LOG_FILE" || true
       )"
 
       if [[ "$ROLE_EXISTS" != "1" ]]; then
@@ -448,4 +498,4 @@ Hôte PostgreSQL : ${PGHOST}:${PGPORT}
 Dump utilisé : $(basename "$LAST_REMOTE_DB_DUMP")
 Log : ${LOG_FILE}"
 
-send_discord_message "$SUCCESS_MESSAGE"
+send_discord_message "$SUCCESS_MESSAGE"