From c536eb7cb1371abe74792d34d689f7132650653a Mon Sep 17 00:00:00 2001
From: Eric Zheng <eric.zheng@nexedi.com>
Date: Mon, 26 Jul 2021 12:59:20 -0400
Subject: [PATCH] stack/monitor: change frontend url promise to use
 username/password

---
 stack/monitor/buildout.hash.cfg              |  2 +-
 stack/monitor/instance-monitor.cfg.jinja2.in | 21 +++++++++++++++++---
 2 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/stack/monitor/buildout.hash.cfg b/stack/monitor/buildout.hash.cfg
index 16cda66f4..db28e6e39 100644
--- a/stack/monitor/buildout.hash.cfg
+++ b/stack/monitor/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [monitor2-template]
 filename = instance-monitor.cfg.jinja2.in
-md5sum = 191e111f34df5c8e3214714bbb0de341
+md5sum = be2953358a3af37c6e1e0846a18f44ec
 
 [monitor-httpd-conf]
 _update_hash_filename_ = templates/monitor-httpd.conf.in
diff --git a/stack/monitor/instance-monitor.cfg.jinja2.in b/stack/monitor/instance-monitor.cfg.jinja2.in
index d976d223b..381ff2c88 100644
--- a/stack/monitor/instance-monitor.cfg.jinja2.in
+++ b/stack/monitor/instance-monitor.cfg.jinja2.in
@@ -127,9 +127,9 @@ recipe = slapos.recipe.template:jinja2
 template = {{ monitor_conf_template }}
 rendered = ${directory:etc}/${:filename}
 filename = monitor.conf
-context = section parameter_dict           monitor-conf-parameters
+context = section parameter_dict          monitor-conf-parameters
           section promise_parameter_dict  monitor-promise-conf
-          section monitor_base_urls        monitor-base-url-dict
+          section monitor_base_urls       monitor-base-url-dict
 
 [start-monitor]
 recipe = slapos.cookbook:wrapper
@@ -326,7 +326,7 @@ monitor-title = ${slap-configuration:instance-title}
 monitor-httpd-ipv6 = ${slap-configuration:ipv6-random}
 monitor-httpd-port = 8196
 # XXX - Set monitor-base-url = ${monitor-httpd-conf-parameter:url} => https://[ipv6]:port
-monitor-base-url = ${monitor-frontend-promise:url}
+monitor-base-url = ${monitor-frontend:connection-secure_access}
 #monitor-base-url = ${monitor-httpd-conf-parameter:url}
 root-instance-title = ${slap-configuration:root-instance-title}
 monitor-url-list =
@@ -356,6 +356,19 @@ config-https-only = true
 #software-type = custom-personal
 return = domain secure_access
 
+# Requests to the frontend URL should succeed with the correct
+# credentials.
+[check-monitor-password-promise]
+<= monitor-promise-base
+module = check_url_available
+name = check-monitor-frontend-password.py
+url = ${monitor-frontend:connection-secure_access}
+config-url = ${:url}
+config-username = ${monitor-instance-parameter:username}
+config-password = ${monitor-instance-parameter:username}
+
+# Requests to the frontend URL should fail when no credentials are
+# supplied.
 [monitor-frontend-promise]
 <= monitor-promise-base
 module = check_url_available
@@ -402,6 +415,8 @@ depends =
   ${start-monitor:wrapper-path}
   ${ca-monitor-httpd-service:wrapper-path}
   ${monitor-httpd-promise:name}
+  ${monitor-frontend-promise:name}
+  ${check-monitor-password-promise:name}
   ${monitor-bootstrap-promise:name}
   ${monitor-symlink:recipe}
   ${promise-check-slapgrid:recipe}
-- 
2.30.9