From f3726080234c97b026fb8d1ad46b522bd99359f3 Mon Sep 17 00:00:00 2001
From: Julien Muchembled <jm@nexedi.com>
Date: Sun, 21 Mar 2021 04:53:21 +0100
Subject: [PATCH] re6stnet: remove SSL support for registry

The re6st registry is designed to work with plain HTTP
because it does authentication & encryption internally.
---
 software/re6stnet/apache.conf.in           | 17 --------
 software/re6stnet/buildout.hash.cfg        |  4 +-
 software/re6stnet/instance-re6stnet.cfg.in | 51 +---------------------
 software/re6stnet/test/test.py             | 33 --------------
 4 files changed, 4 insertions(+), 101 deletions(-)

diff --git a/software/re6stnet/apache.conf.in b/software/re6stnet/apache.conf.in
index e72c46f70..424b236f8 100644
--- a/software/re6stnet/apache.conf.in
+++ b/software/re6stnet/apache.conf.in
@@ -8,7 +8,6 @@ LoadModule version_module modules/mod_version.so
 LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
 LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
-LoadModule ssl_module modules/mod_ssl.so
 LoadModule mime_module modules/mod_mime.so
 #LoadModule dav_module modules/mod_dav.so
 #LoadModule dav_fs_module modules/mod_dav_fs.so
@@ -31,17 +30,6 @@ ErrorLog "{{ error_log }}"
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
 CustomLog "{{ access_log }}" combined
 
-{% if uri_scheme == 'https'  -%}
-# SSL Configuration
-SSLCertificateFile {{ certificate }}
-SSLCertificateKeyFile {{ key }}
-SSLRandomSeed startup builtin
-SSLRandomSeed connect builtin
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:HIGH:!aNULL:!MD5
-SSLHonorCipherOrder on
-{% endif -%}
-
 <Directory />
   Options FollowSymLinks
   AllowOverride None
@@ -50,10 +38,5 @@ SSLHonorCipherOrder on
 
 Listen {{ ipv6 }}:{{ apache_port }}
 <VirtualHost *:{{ apache_port }}>
-{% if uri_scheme == 'https'  -%}
-  SSLEngine On
-  SSLProxyEngine On
-{% endif -%}
-
   ProxyPass / http://{{ re6st_ipv4 }}:{{ re6st_port }}/
 </VirtualHost>
diff --git a/software/re6stnet/buildout.hash.cfg b/software/re6stnet/buildout.hash.cfg
index bf71d0e20..9deda93d7 100644
--- a/software/re6stnet/buildout.hash.cfg
+++ b/software/re6stnet/buildout.hash.cfg
@@ -18,11 +18,11 @@ md5sum = eea691b0919812b9717f17005f06681d
 
 [template-re6stnet]
 filename = instance-re6stnet.cfg.in
-md5sum = 7074948c958220e39a44f2c6cb56a0bb
+md5sum = 066c1e4e0b97a39bd40da56622921791
 
 [template-apache-conf]
 filename = apache.conf.in
-md5sum = 2ed3c4e9b9d58d2e57cda227bdd454d2
+md5sum = 3d55f7c9c4fc7279f06bfe6313a78a4b
 
 [template-re6st-registry-conf]
 filename = re6st-registry.conf.in
diff --git a/software/re6stnet/instance-re6stnet.cfg.in b/software/re6stnet/instance-re6stnet.cfg.in
index 950d901b2..a1ef0e2ba 100644
--- a/software/re6stnet/instance-re6stnet.cfg.in
+++ b/software/re6stnet/instance-re6stnet.cfg.in
@@ -1,11 +1,8 @@
 {% set bin_directory = parameter_dict['bin-directory'] -%}
 {% set python_bin = parameter_dict['python-executable'] -%}
 {% set publish_dict = {} -%}
-{% set part_list = [] -%}
 {% set ipv6 = (ipv6_set | list)[0] -%}
 {% set ipv4 = (ipv4_set | list)[0] -%}
-{% set uri_scheme = slapparameter_dict.get('uri-scheme', 'http') -%}
-{% macro section(name) %}{% do part_list.append(name) %}{{ name }}{% endmacro -%}
 
 [directory]
 recipe = slapos.cookbook:mkdirectory
@@ -17,12 +14,6 @@ log = ${:var}/log
 services = ${:etc}/service
 script = ${:etc}/run
 run = ${:var}/run
-ca-dir = ${:etc}/ssl
-requests = ${:ca-dir}/requests
-private = ${:ca-dir}/private
-certs = ${:ca-dir}/certs
-newcerts = ${:ca-dir}/newcerts
-crl = ${:ca-dir}/crl
 re6st = ${:srv}/res6stnet
 
 [re6stnet-dirs]
@@ -34,18 +25,6 @@ ssl = ${:conf}/ssl
 token = ${:conf}/token
 run = ${directory:run}/re6stnet
 
-[certificate-authority]
-recipe = slapos.cookbook:certificate_authority
-openssl-binary = {{ openssl_bin }}/openssl
-ca-dir = ${directory:ca-dir}
-requests-directory = ${directory:requests}
-wrapper = ${directory:services}/certificate_authority
-ca-private = ${directory:private}
-ca-certs = ${directory:certs}
-ca-newcerts = ${directory:newcerts}
-ca-crl = ${directory:crl}
-
-
 [apache-conf]
 recipe = slapos.recipe.template:jinja2
 template = {{ parameter_dict['template-apache-conf'] }}
@@ -62,35 +41,12 @@ context =
   key access_log :access-log
   key error_log :error-log
   key pid_file :pid-file
-  raw certificate ${directory:certs}/apache.crt
-  raw key ${directory:private}/apache.key
   raw ipv6 {{ ipv6 }}
-  raw uri_scheme {{ uri_scheme }}
 
-{% set apache_wrapper = '${directory:services}/httpd' -%}
-{% if uri_scheme == 'https' -%}
-{% set apache_wrapper = '${directory:bin}/httpd_raw' -%}
-{% endif -%}
 [apache-httpd]
 recipe = slapos.cookbook:wrapper
-wrapper-path = {{ apache_wrapper }}
-command-line = "{{ parameter_dict['apache-location'] }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND
-
-{% if uri_scheme == 'https' %}
-[apache-ca]
-<= certificate-authority
-recipe = slapos.cookbook:certificate_authority.request
-executable = ${apache-httpd:wrapper-path}
-wrapper = ${directory:bin}/httpd
-key-file = ${certificate-authority:ca-private}/apache.key
-cert-file = ${certificate-authority:ca-certs}/apache.crt
-
-[{{ section('apache-ca-service') }}]
-recipe = slapos.cookbook:wrapper
-command-line = ${apache-ca:wrapper}
 wrapper-path = ${directory:services}/httpd
-hash-existing-files = ${buildout:directory}/software_release/buildout.cfg
-{% endif %}
+command-line = "{{ parameter_dict['apache-location'] }}/bin/httpd" -f "${apache-conf:rendered}" -DFOREGROUND
 
 [apache-httpd-graceful]
 recipe = slapos.recipe.template:jinja2
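Review bot: The `[apache-httpd]` wrapper now written to `${directory:services}/httpd` has no `hash-existing-files`; only the removed `[apache-ca-service]` section set it. The supervisor process name therefore presumably no longer changes when `software_release/buildout.cfg` changes. This matches what the plain-HTTP path already did before the commit, but the `ServicesTestCase` deleted in test/test.py was the only visible check on the httpd service name. If httpd is meant to restart on a software release upgrade, add `hash-existing-files = ${buildout:directory}/software_release/buildout.cfg` to `[apache-httpd]` and keep the hash test without the `uri-scheme` parameter.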
@@ -209,7 +165,7 @@ name = apache-re6st-registry.py
 config-hostname = ${apache-conf:ipv6}
 config-port = ${apache-conf:port}
 
-{% do publish_dict.__setitem__('re6stry-url', uri_scheme ~ '://[${apache-conf:ipv6}]:${apache-conf:port}') -%}
+{% do publish_dict.__setitem__('re6stry-url', 'http://[${apache-conf:ipv6}]:${apache-conf:port}') -%}
 {% do publish_dict.__setitem__('re6stry-local-url',  'http://${re6st-registry:ipv4}:${re6st-registry:port}/') -%}
 {% do publish_dict.__setitem__('slave-amount',  '${re6st-registry:slave-amount}') -%}
 [publish]
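Review bot: `re6stry-url` is now published with a hard-coded `http://` scheme and the `uri-scheme` instance parameter is no longer read, so an instance requested with `uri-scheme` set to `https` would get a plain-HTTP front after upgrade with no error or notice. State the design reason next to the line, for example `{# plain HTTP on purpose: the re6st registry authenticates and encrypts its protocol itself -#}`, so the missing TLS is not later mistaken for an oversight. If the software release documents or validates its instance parameters somewhere (not visible in this patch), `uri-scheme` should be dropped there as well. Anything that stored the previously published https URL will need to be pointed at the new one.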
@@ -225,7 +181,6 @@ extends =
   {{ logrotate_cfg }}
 
 parts =
-  certificate-authority
   logrotate-apache
   logrotate-entry-re6stnet
   re6stnet-manage
@@ -239,8 +194,6 @@ parts =
   re6st-registry-promise
   apache-registry-promise
   monitor-base
-# Complete parts with sections
-  {{ part_list | join('\n  ') }}
 
 eggs-directory = {{ eggs_directory }}
 develop-eggs-directory = {{ develop_eggs_directory }}
diff --git a/software/re6stnet/test/test.py b/software/re6stnet/test/test.py
index 54fadd1bb..ccdc8a654 100644
--- a/software/re6stnet/test/test.py
+++ b/software/re6stnet/test/test.py
@@ -29,7 +29,6 @@ import os
 import requests
 import json
 
-from slapos.recipe.librecipe import generateHashFromFiles
 from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass
 
 setUpModule, Re6stnetTestCase = makeModuleSetUpAndTestCaseClass(
@@ -57,35 +56,3 @@ class TestPortRedirection(Re6stnetTestCase):
             'srcPort': 9201,
             'destPort': 9201,
         }, portredir_config[0])
-
-
-
-class ServicesTestCase(Re6stnetTestCase):
-
-  @classmethod
-  def getInstanceParameterDict(cls):
-    return {'uri-scheme': 'https'}
-
-  def test_hashes(self):
-    hash_files = [
-        'software_release/buildout.cfg',
-    ]
-    expected_process_names = [
-        'httpd-{hash}-on-watch',
-    ]
-
-    with self.slap.instance_supervisor_rpc as supervisor:
-      process_names = [
-          process['name'] for process in supervisor.getAllProcessInfo()
-      ]
-
-    hash_files = [
-        os.path.join(self.computer_partition_root_path, path)
-        for path in hash_files
-    ]
-
-    for name in expected_process_names:
-      h = generateHashFromFiles(hash_files)
-      expected_process_name = name.format(hash=h)
-
-      self.assertIn(expected_process_name, process_names)
-- 
2.30.9