From 9affe193dbcaa830386d899dc07de5044b4d02b5 Mon Sep 17 00:00:00 2001
From: Evan Cordell
Date: Mon, 13 Feb 2017 14:14:44 -0500
Subject: [PATCH] Add support for tuf metadata endpoints

---
 Dockerfile                                    |  1 +
 conf/init/nginx_conf_create.sh                | 46 +++++++++++++++++++
 conf/init/service/nginx/run                   |  9 +---
 conf/nginx/nginx-nossl.conf                   | 16 -------
 conf/nginx/{nginx.conf => nginx.conf.jnj}     | 19 ++++++++
 ...{server-base.conf => server-base.conf.jnj} |  6 +++
 config.py                                     |  7 ++-
 7 files changed, 78 insertions(+), 26 deletions(-)
 create mode 100755 conf/init/nginx_conf_create.sh
 delete mode 100644 conf/nginx/nginx-nossl.conf
 rename conf/nginx/{nginx.conf => nginx.conf.jnj} (88%)
 rename conf/nginx/{server-base.conf => server-base.conf.jnj} (97%)

diff --git a/Dockerfile b/Dockerfile
index 35f530518..3963d6495 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -129,6 +129,7 @@ ADD conf/init/doupdatelimits.sh /etc/my_init.d/
 ADD conf/init/copy_syslog_config.sh /etc/my_init.d/
 ADD conf/init/certs_create.sh /etc/my_init.d/
 ADD conf/init/certs_install.sh /etc/my_init.d/
+ADD conf/init/nginx_conf_create.sh /etc/my_init.d/
 ADD conf/init/runmigration.sh /etc/my_init.d/
 ADD conf/init/syslog-ng.conf /etc/syslog-ng/
 ADD conf/init/zz_boot.sh /etc/my_init.d/
diff --git a/conf/init/nginx_conf_create.sh b/conf/init/nginx_conf_create.sh
new file mode 100755
index 000000000..557a03d66
--- /dev/null
+++ b/conf/init/nginx_conf_create.sh
@@ -0,0 +1,46 @@
+#!/venv/bin/python
+
+import os.path
+
+import yaml
+import jinja2
+
+
+def generate_nginx_config():
+  """
+  Generates nginx config from the app config
+  """
+  use_https = os.path.exists('conf/stack/ssl.key')
+
+  with open("conf/nginx/nginx.conf.jnj") as f:
+    template = jinja2.Template(f.read())
+  rendered = template.render(
+    use_https=use_https,
+  )
+
+  with open('conf/nginx/nginx.conf', 'w') as f:
+    f.write(rendered)
+
+
+def generate_server_config(config):
+  """
+  Generates server config from the app config
+  """
+  tuf_server = config.get('TUF_SERVER', None)
+  signing_enabled = tuf_server is not None
+
+  with open("conf/nginx/server-base.conf.jnj") as f:
+    template = jinja2.Template(f.read())
+  rendered = template.render(
+    signing_enabled=signing_enabled,
+    tuf_server=tuf_server,
+  )
+
+  with open('conf/nginx/server-base.conf', 'w') as f:
+    f.write(rendered)
+
+
+if __name__ == "__main__":
+  config = yaml.load(file('conf/stack/config.yaml', 'r'))
+  generate_server_config(config)
+  generate_nginx_config()
diff --git a/conf/init/service/nginx/run b/conf/init/service/nginx/run
index 16bf0a13e..04e2634e7 100755
--- a/conf/init/service/nginx/run
+++ b/conf/init/service/nginx/run
@@ -5,13 +5,6 @@ echo 'Starting nginx'
 NAMESERVER=`cat /etc/resolv.conf | grep "nameserver" | awk '{print $2}' | tr '\n' ' '`
 echo "resolver $NAMESERVER valid=10s;" > /conf/nginx/resolver.conf
 
-if [ -f /conf/stack/ssl.key ]
-then
-    echo "Using HTTPS"
-    /usr/sbin/nginx -c /conf/nginx/nginx.conf
-else
-    echo "No SSL key provided, using HTTP"
-    /usr/sbin/nginx -c /conf/nginx/nginx-nossl.conf
-fi
+/usr/sbin/nginx -c /conf/nginx/nginx.conf
 
 echo 'Nginx exited'
diff --git a/conf/nginx/nginx-nossl.conf b/conf/nginx/nginx-nossl.conf
deleted file mode 100644
index 4799bf4aa..000000000
--- a/conf/nginx/nginx-nossl.conf
+++ /dev/null
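Review bot: generate_server_config substitutes TUF_SERVER into an nginx directive with no validation — `jinja2.Template` has no autoescape and nginx has no escaping at all, so a value containing `;` or `}` rewrites the generated server-base.conf rather than just the proxy target. Before rendering, reject anything that is not an absolute http(s) URL, e.g. `if tuf_server is not None and not tuf_server.startswith(('http://', 'https://')):` followed by `raise ValueError('TUF_SERVER must be an absolute http(s) URL')`. generate_nginx_config tests the relative path `conf/stack/ssl.key`, whereas the run script this patch rewrites used the absolute `/conf/stack/ssl.key`; if my_init does not start the script from `/`, use_https silently becomes False and nginx comes up on plain port 80 even though a key exists, so `/conf/stack/ssl.key` (or a path derived from `__file__`) is the safer choice. The `__main__` block calls `yaml.load` with the default loader, which instantiates arbitrary Python objects from tags in config.yaml; `yaml.safe_load` is enough for a plain mapping, and `open(...)` in place of the Python-2-only `file(...)` keeps the script runnable on both interpreters.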
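Review bot: Dropping the if/else also drops the `Using HTTPS` / `No SSL key provided, using HTTP` messages, so the start-up log no longer records which listener nginx was configured with, and that decision now happens earlier in nginx_conf_create.sh where a wrong answer is not visible here. A one-liner such as `[ -f /conf/stack/ssl.key ] && echo "Using HTTPS" || echo "No SSL key provided, using HTTP"` before the nginx line keeps the previous diagnostics without restoring the branch. If the generator did not run, nginx fails on the missing /conf/nginx/nginx.conf; the script's head with `echo 'Starting nginx'` lies outside this hunk.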
@@ -1,16 +0,0 @@
-# vim: ft=nginx
-
-include root-base.conf;
-
-http {
-  include http-base.conf;
-  include rate-limiting.conf;
-
-  server {
-    include server-base.conf;
-
-    listen 80 default;
-
-    access_log /dev/stdout lb_logs;
-  }
-}
diff --git a/conf/nginx/nginx.conf b/conf/nginx/nginx.conf.jnj
similarity index 88%
rename from conf/nginx/nginx.conf
rename to conf/nginx/nginx.conf.jnj
index fcb9f01e2..3f5a1aef0 100644
--- a/conf/nginx/nginx.conf
+++ b/conf/nginx/nginx.conf.jnj
@@ -2,6 +2,8 @@
 
 include root-base.conf;
 
+{% if use_https %}
+
 http {
   include http-base.conf;
   include hosted-http-base.conf;
@@ -48,3 +50,20 @@ http {
     access_log /dev/stdout lb_logs;
   }
 }
+
+{% else %}
+
+http {
+  include http-base.conf;
+  include rate-limiting.conf;
+
+  server {
+    include server-base.conf;
+
+    listen 80 default;
+
+    access_log /dev/stdout lb_logs;
+  }
+}
+
+{% endif %}
diff --git a/conf/nginx/server-base.conf b/conf/nginx/server-base.conf.jnj
similarity index 97%
rename from conf/nginx/server-base.conf
rename to conf/nginx/server-base.conf.jnj
index f55981641..f67372967 100644
--- a/conf/nginx/server-base.conf
+++ b/conf/nginx/server-base.conf.jnj
@@ -79,6 +79,12 @@ location /secscan/ {
   proxy_pass http://jwtproxy_secscan;
 }
 
+{% if signing_enabled %}
+location ~ ^/v2/(.+)/_trust/tuf/(.*)$ {
+  proxy_pass {{ tuf_server }};
+}
+{% endif %}
+
 location ~ ^/v2 {
   # If we're being accessed via v1.quay.io, pretend we don't support v2.
   if ($host = "v1.quay.io") {
diff --git a/config.py b/config.py
index a65134cc1..6d06f7f23 100644
--- a/config.py
+++ b/config.py
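Review bot: The new `location ~ ^/v2/(.+)/_trust/tuf/(.*)$` is a regex location placed ahead of `location ~ ^/v2`, and nginx uses the first matching regex location in file order, so every `/v2/<repo>/_trust/tuf/...` request now skips everything the `^/v2` block does — visibly the v1.quay.io check, and presumably the proxy headers and auth handling in the rest of that block, which lies outside the hunk. It is also the only proxied location in view that goes straight to an operator-supplied upstream instead of through jwtproxy as `/secscan/` does; if TUF metadata is intended to be reachable without registry authentication that should be said in a comment, otherwise the route belongs behind the same proxy. Because this is a regex location, nginx rejects a `proxy_pass` whose target has a URI part, so a TUF_SERVER such as `http://tuf:4443/` (trailing slash) fails config load; the two capture groups are unused and the original request URI is forwarded as-is. A comment like `# Signing metadata is proxied verbatim to TUF_SERVER (scheme://host:port, no path) without registry auth` above the location would record both points.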
@@ -165,10 +165,10 @@ class DefaultConfig(object):
   # Feature Flag: Whether Google login is supported.
   FEATURE_GOOGLE_LOGIN = False
 
-  # Feature Flag: Whther Dex login is supported.
+  # Feature Flag: Whether Dex login is supported.
   FEATURE_DEX_LOGIN = False
 
-  # Feature flag, whether to enable support chat
+  # Feature flag: whether to enable support chat
   FEATURE_SUPPORT_CHAT = False
 
   # Feature Flag: Whether to support GitHub build triggers.
@@ -414,3 +414,6 @@ class DefaultConfig(object):
   FEATURE_RECAPTCHA = False
   RECAPTCHA_SITE_KEY = None
   RECAPTCHA_SECRET_KEY = None
+
+  # Server where TUF metadata can be found
+  TUF_SERVER = None
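Review bot: The comment on the new TUF_SERVER setting does not say what form the value must take, yet this patch substitutes it verbatim into a `proxy_pass` inside a regex location in server-base.conf.jnj, which constrains it: an absolute `http://` or `https://` URL with host and port only, since nginx refuses a proxy_pass with a path component in a regex location and nothing escapes the value. Suggest `# Absolute URL (scheme://host:port, no trailing path) of the TUF metadata server that nginx` / `# proxies /v2/<repo>/_trust/tuf/ requests to; None leaves that route out of the nginx config.`. DefaultConfig continues outside the hunk.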