serve: add --restrict-to-repository

src/borg/archiver.py

@@ -215,6 +215,7 @@ class Archiver:
         """Start in server mode. This command is usually not used manually."""
         return RepositoryServer(
             restrict_to_paths=args.restrict_to_paths,
+            restrict_to_repositories=args.restrict_to_repositories,
             append_only=args.append_only,
             storage_quota=args.storage_quota,
         ).serve()
@@ -2339,6 +2340,14 @@ class Archiver:
                                metavar='PATH', help='restrict repository access to PATH. '
                                                     'Can be specified multiple times to allow the client access to several directories. '
                                                     'Access to all sub-directories is granted implicitly; PATH doesn\'t need to directly point to a repository.')
+        subparser.add_argument('--restrict-to-repository', dest='restrict_to_repositories', action='append',
+                               metavar='PATH', help='restrict repository access. Only the repository located at PATH (no sub-directories are considered) '
+                                                    'is accessible. '
+                                                    'Can be specified multiple times to allow the client access to several repositories. '
+                                                    'Unlike --restrict-to-path sub-directories are not accessible; '
+                                                    'PATH needs to directly point at a repository location. '
+                                                    'PATH may be an empty directory or the last element of PATH may not exist, in which case '
+                                                    'the client may initialize a repository there.')
         subparser.add_argument('--append-only', dest='append_only', action='store_true',
                                help='only allow appending to repository segment files')
         subparser.add_argument('--storage-quota', dest='storage_quota', default=None,

src/borg/remote.py

@@ -178,9 +178,10 @@ class RepositoryServer:  # pragma: no cover
         'inject_exception',
     )
 
-    def __init__(self, restrict_to_paths, append_only, storage_quota):
+    def __init__(self, restrict_to_paths, restrict_to_repositories, append_only, storage_quota):
         self.repository = None
         self.restrict_to_paths = restrict_to_paths
+        self.restrict_to_repositories = restrict_to_repositories
         # This flag is parsed from the serve command line via Archiver.do_serve,
         # i.e. it reflects local system policy and generally ranks higher than
         # whatever the client wants, except when initializing a new repository
@@ -348,17 +349,24 @@ class RepositoryServer:  # pragma: no cover
         logging.debug('Resolving repository path %r', path)
         path = self._resolve_path(path)
         logging.debug('Resolved repository path to %r', path)
+        path_with_sep = os.path.join(path, '')  # make sure there is a trailing slash (os.sep)
         if self.restrict_to_paths:
             # if --restrict-to-path P is given, we make sure that we only operate in/below path P.
             # for the prefix check, it is important that the compared pathes both have trailing slashes,
             # so that a path /foobar will NOT be accepted with --restrict-to-path /foo option.
-            path_with_sep = os.path.join(path, '')  # make sure there is a trailing slash (os.sep)
             for restrict_to_path in self.restrict_to_paths:
                 restrict_to_path_with_sep = os.path.join(os.path.realpath(restrict_to_path), '')  # trailing slash
                 if path_with_sep.startswith(restrict_to_path_with_sep):
                     break
             else:
                 raise PathNotAllowed(path)
+        if self.restrict_to_repositories:
+            for restrict_to_repository in self.restrict_to_repositories:
+                restrict_to_repository_with_sep = os.path.join(os.path.realpath(restrict_to_repository), '')
+                if restrict_to_repository_with_sep == path_with_sep:
+                    break
+            else:
+                raise PathNotAllowed(path)
         # "borg init" on "borg serve --append-only" (=self.append_only) does not create an append only repo,
         # while "borg init --append-only" (=append_only) does, regardless of the --append-only (self.append_only)
         # flag for serve.

src/borg/testsuite/archiver.py

@@ -2861,6 +2861,15 @@ class RemoteArchiverTestCase(ArchiverTestCase):
         with patch.object(RemoteRepository, 'extra_test_args', ['--restrict-to-path', '/foo', '--restrict-to-path', path_prefix]):
             self.cmd('init', '--encryption=repokey', self.repository_location + '_3')
 
+    def test_remote_repo_restrict_to_repository(self):
+        # restricted to repo directory itself:
+        with patch.object(RemoteRepository, 'extra_test_args', ['--restrict-to-repository', self.repository_path]):
+            self.cmd('init', '--encryption=repokey', self.repository_location)
+        parent_path = os.path.join(self.repository_path, '..')
+        with patch.object(RemoteRepository, 'extra_test_args', ['--restrict-to-repository', parent_path]):
+            with pytest.raises(PathNotAllowed):
+                self.cmd('init', '--encryption=repokey', self.repository_location)
+
     @unittest.skip('only works locally')
     def test_debug_put_get_delete_obj(self):
         pass