From 4842b79d07902270b3485ecf3ed63af6c2e94fd7 Mon Sep 17 00:00:00 2001
From: Christian Berendt
Date: Wed, 25 Sep 2024 16:34:16 +0200
Subject: [PATCH] manager: run update wrappers always with the operator user (#1620)
Signed-off-by: Christian Berendt
---
 roles/manager/templates/wrapper/osism-update-docker.j2 | 5 +++++
 roles/manager/templates/wrapper/osism-update-manager.j2 | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/roles/manager/templates/wrapper/osism-update-docker.j2 b/roles/manager/templates/wrapper/osism-update-docker.j2
index 01d0ef2ed..ec3f43cc5 100644
--- a/roles/manager/templates/wrapper/osism-update-docker.j2
+++ b/roles/manager/templates/wrapper/osism-update-docker.j2
@@ -13,6 +13,11 @@ INSTALL_ANSIBLE_ROLES=${INSTALL_ANSIBLE_ROLES:-true}
 VENV_PATH=${VENV_PATH:-.venv}
 VENV_PYTHON_BIN=${VENV_PYTHON_BIN:-python3}
+if [[ $(whoami) != "{{ operator_user }}" ]]; then
+ echo "This script must be executed directly with the OSISM operator user {{ operator_user }}."
+ exit 1
+fi
+
 pushd $CONFIGURATION_DIRECTORY/environments/manager > /dev/null
 # If the versions for the Ansible collections are available in the manager environment,
diff --git a/roles/manager/templates/wrapper/osism-update-manager.j2 b/roles/manager/templates/wrapper/osism-update-manager.j2
index a73a721c7..297211e04 100644
--- a/roles/manager/templates/wrapper/osism-update-manager.j2
+++ b/roles/manager/templates/wrapper/osism-update-manager.j2
@@ -22,6 +22,11 @@ CONTAINER_IMAGE=${CONTAINER_IMAGE:-osism/seed}
 CONTAINER_REGISTRY=${CONTAINER_REGISTRY:-quay.io}
 CONTAINER_TAG=${CONTAINER_TAG:-latest}
+if [[ $(whoami) != "{{ operator_user }}" ]]; then
+ echo "This script must be executed directly with the OSISM operator user {{ operator_user }}."
+ exit 1
+fi
+
 if [[ $CONTAINER == "true" ]]; then
 docker run --rm -v $CONFIGURATION_DIRECTORY:/opt/configuration:ro -it $CONTAINER_REGISTRY/$CONTAINER_IMAGE:$CONTAINER_TAG $PLAYBOOK
 exit 0
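Review bot: The rejection message in the added guard is written to stdout, so a caller that redirects or parses stdout loses the reason and is left with only exit status 1. Send it to stderr instead: `echo "This script must be executed directly with the OSISM operator user {{ operator_user }}." >&2`. The identical block added to osism-update-manager.j2 in the next hunk needs the same change. The script begins before this hunk, so it is not visible whether anything with side effects runs ahead of the check; if something does, the guard belongs above it.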
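Review bot: The guard carries no comment stating what it is for, and in this wrapper it sits directly ahead of the `docker run` branch, where a reader could mistake it for an access control. `whoami` reports only the effective user name, so the test also passes under `su` or `sudo -u` although the message says "directly", and it places no limit on someone running the wrapper's commands by hand. I would add above the `if`: `# Refuse to run as any account other than the operator user; this guards against mistakes, it is not an access control.` The same comment fits the block in osism-update-docker.j2; the script continues beyond both ends of this hunk.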