Initial auth key implementation (#57)

* Initial auth key implementation

* Parametrized things a bit

* Root is only really needed for nginx deployment

* Update deployment scripts to deploy various configuration files,
do so on service updates, and to easier make local/dev deployments.

* Moved some things out of the service and into config and secrets files.

* Fixed sample sdk url

* TARGET_VERSION is only valid after the command line is processed

* Added bcrypt as dependency

* ... and requests

* Overwrite files on deployment (we may be dealing with installation defaults),
but back them up

* Use the upgrade script to do post-deploy updates, since that process got a bit more complex.

* Docker COPY does not work the way you think it does!

* Make sure secrets are copied on deployment

* Allow a fallback admin email to be specified in the config file.

* Copy all possibly customized files on deployment

* Added reCaptchaSiteKey in sdk customization

* Apparently there's a PEP for versioning and "-testingX" is not approved

* Also deploy customization files

* Allow frames from google to make recaptcha work

* Updated deployment readme

* pip seems to behave differently on different machines. Sometimes it
installs all files in the source, sometimes it doesn't. Make sure we
always specify email templates as data files.

* Update deployment customization files. There's a bit of confusion with
these since, initially, they were meant to be mapped using nginx
configuration, but ended up in the source tree. TBD

* Move things to docker/fs rather than copying individual files manually

* Make sure error messages are logged immediately.

* Add hostname parameter to container

* Fixed copy commands

* Postfix work...

* Some upgrade fixes

* OOMs can happen if we don't let started services settle a bit

* May need a relay, such as AWS SES

* Moved customized jss

* We don't really access the sites collection when checking the new key, and
it wasn't that necessary before either, so remove it.

RELEASE

@@ -1 +1 @@
-0.3.3
+0.4.0

deployment/config

@@ -1,14 +1,15 @@
 #!/bin/bash
 
-GIT_BASE=https://github.com/ExaWorks/psij-testing-service/archive/refs/tags
+PACKAGE_NAME=psij-testing-service
+GIT_BASE=https://github.com/ExaWorks/$PACKAGE_NAME/archive/refs/tags
 VERSION=`cat ../../RELEASE`
 
 # The service version to build the docker container with or use for
 # deployment
 SERVICE_VERSION=$VERSION
 
 # Docker image to use
-IMAGE=hategan/psij-testing-service
+IMAGE=hategan/$PACKAGE_NAME
 
 # If DEV is not 0, the deployment script will install the service from
 # the parent directory

deployment/deploy/deploy.sh

@@ -38,9 +38,10 @@ run() {
     echo -n "Running $@..."
     echo "> $@" >>deploy.log
     OUT=`"$@" 2>&1`
+    EC=$?
     # `
-    if [ "$?" != "0" ]; then
-        echo "FAILED"
+    if [ "$EC" != "0" ]; then
+        echo "FAILED ($EC)"
         echo $OUT
         exit 2
     fi
@@ -53,9 +54,22 @@ getId() {
     run docker ps -f "name=service-$TYPE" --format "{{.ID}}"
 }
 
+waitForContainer() {
+    ID=$1
+    echo "Waiting for container $ID..."
+    while true; do
+        STATUS=`docker inspect -f '{{.State.Status}}' $ID`
+        if [ "$STATUS" == "running" ]; then
+            break
+        fi
+        sleep 1
+    done
+}
+
 deployContainer() {
     TYPE=$1
     PORT=$2
+    HOST_NAME=$3
     getId $TYPE
     ID=$OUT
     echo "ID: $OUT"
@@ -71,34 +85,51 @@ deployContainer() {
         mkdir -p $DATA_DIR/$TYPE/mongodb
         mkdir -p $DATA_DIR/$TYPE/web
         cp $ROOT/web/$TYPE/* $DATA_DIR/$TYPE/web
+
         run docker run \
-            -d -p $PORT:9909 --name "service-$TYPE" \
+            -d -p $PORT:9909 --name "service-$TYPE" -h $HOST_NAME \
             --restart=on-failure:3 \
             --volume=$DATA_DIR/$TYPE/mongodb:/var/lib/mongodb \
             --volume=$DATA_DIR/$TYPE/web:/var/www/html \
+            --volume=/etc/letsencrypt:/etc/letsencrypt \
             $EXTRA_VOL \
-            $IMAGE:latest
+            $IMAGE:$SERVICE_VERSION
         UPDATE_CONTAINER=1
-    fi
-    if [ "$UPDATE_CONTAINER" != "0" ]; then
         getId $TYPE
         ID=$OUT
+        sleep 5
+        waitForContainer $ID
+        run docker exec -it $ID bash -c "echo $HOST_NAME > /etc/hostname"
+
+        if [ ! -f ../docker/fs/etc/psij-testing-service/secrets.json ]; then
+            error "No secrets.json found. Please edit/create secrets.json in ../docker/fs/etc/psij-testing-service"
+        fi
+        run docker cp ../docker/fs/. $ID:/
+        run docker exec -it $ID sed -i "s/\$myhostname/$HOST_NAME/g" /etc/postfix/main.cf
+        run docker exec -it $ID sed -i "s/\$mydomain/$DOMAIN_NAME/g" /etc/postfix/main.cf
+        run docker exec -it $ID postmap -v hash:/etc/postfix/sasl_passwd
+        run docker exec -it $ID bash -c "pip show $PACKAGE_NAME | grep 'Location: ' | sed 's/Location: //' | tr -d '\n'"
+        PACKAGE_LOC=$OUT
+        run docker cp ../web/. "$ID:$PACKAGE_LOC/psij/web/"
+    fi
+    if [ "$UPDATE_CONTAINER" != "0" ]; then
         if [ "$DEV" == "1" ]; then
-            run docker exec -it $ID update-psi-j-testing-service -y $TYPE /psi-j-testing-service-dev
+            ./upgrade.sh -y --force --component $TYPE /psi-j-testing-service-dev
         else
-            run docker exec -it $ID update-psi-j-testing-service -y $TYPE $SERVICE_VERSION
+            ./upgrade.sh -y --force --component $TYPE $SERVICE_VERSION
         fi
     fi
 }
 
-if [ "$USER" != "root" ]; then
-    error "You need root permissions to run this script."
-fi
 
 if service nginx status >/dev/null 2>&1; then
     echo "Nginx is already running. Skipping deployment."
     UPDATE_NGINX=$FORCED_UPDATE
 else
+    if [ "$USER" != "root" ]; then
+        error "You need root permissions to run this script."
+    fi
+
     run apt-get update
     run apt-get install -y nginx
     UPDATE_NGINX=1
@@ -111,12 +142,13 @@ filterConf() {
     PROXY_REDIRECT="$4"
     INTERNAL_PORT="$5"
 
-    if [ ! -f "$DST" ]; then
-        sed -e "s/\${DOMAIN_NAME}/${DOMAIN_NAME}/g" "$SRC" | \
-        sed -e "s/\${SERVER_NAME}/${SERVER_NAME}/g" | \
-        sed -e "s/\${PROXY_REDIRECT}/${PROXY_REDIRECT}/g" | \
-        sed -e "s/\${INTERNAL_PORT}/${INTERNAL_PORT}/g" >"$DST"
+    if [ -f "$DST" ]; then
+        cp "$DST" "$DST.bk"
     fi
+    sed -e "s/\${DOMAIN_NAME}/${DOMAIN_NAME}/g" "$SRC" | \
+    sed -e "s/\${SERVER_NAME}/${SERVER_NAME}/g" | \
+    sed -e "s/\${PROXY_REDIRECT}/${PROXY_REDIRECT}/g" | \
+    sed -e "s/\${INTERNAL_PORT}/${INTERNAL_PORT}/g" >"$DST"
 }
 
 deploySite() {
@@ -130,8 +162,9 @@ deploySite() {
     ln -f -s "/etc/nginx/sites-available/$NAME" "/etc/nginx/sites-enabled/$NAME"
 }
 
+DOMAIN_NAME=`cat DOMAIN_NAME | tr -d '\n'`
+
 if [ "$UPDATE_NGINX" != "0" ]; then
-    DOMAIN_NAME=`cat DOMAIN_NAME | tr -d '\n'`
     filterConf nginx/headers.conf /etc/nginx/snippets/headers.conf
     filterConf nginx/nginx.conf /etc/nginx/nginx.conf
     filterConf nginx/ssl.conf /etc/nginx/ssl.conf
@@ -147,5 +180,5 @@ if [ "$UPDATE_NGINX" != "0" ]; then
     run service nginx restart
 fi
 
-deployContainer psij 9901
-deployContainer sdk 9902
+deployContainer psij 9901 "psij.$DOMAIN_NAME"
+deployContainer sdk 9902 "sdk.$DOMAIN_NAME"

deployment/deploy/nginx/headers.conf

@@ -20,5 +20,5 @@ add_header Referrer-Policy same-origin;
 # to switch to fullscreen
 add_header Permissions-Policy fullscreen=(self);
 
-add_header Content-Security-Policy "img-src *; frame-src 'none'; media-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'";
+add_header Content-Security-Policy "img-src *; frame-src https://www.google.com; media-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'";
 

deployment/deploy/upgrade.sh

@@ -1,18 +1,55 @@
 #!/bin/bash
 
+set -e
+
 error() {
     echo "$@"
     exit 1
 }
 
+usage() {
+    echo "Usage:"
+    echo "    upgrade.sh [-h|--help] [-f|--force] [-c | --component] [-y | --assume-yes]"
+    exit 1
+}
+
+
+FORCE=""
+DONTASK=""
+COMPONENTS="psij sdk"
+DOMAIN_NAME=`cat DOMAIN_NAME | tr -d '\n'`
+
+while [ "$1" != "" ]; do
+    case "$1" in
+        -h | --help)
+            usage
+            ;;
+        -f | --force)
+            FORCE="--force"
+            shift
+            ;;
+        -y | --assume-yes)
+            DONTASK="-y"
+            shift
+            ;;
+        -c | --component)
+            COMPONENTS="$2"
+            shift
+            shift
+            ;;
+        *)
+            TARGET_VERSION=$1
+            shift
+            ;;
+    esac
+done
+
 if [ ! -f ../config ]; then
     error "This script must be run from the deploy directory"
 fi
 
 source ../config
 
-TARGET_VERSION=$1
-
 
 getId() {
     TYPE=$1
@@ -23,11 +60,28 @@ update() {
     TYPE=$1
     ID=`docker ps -f "name=service-$TYPE" --format "{{.ID}}"`
     if [ "$ID" != "" ]; then
-        docker exec -it $ID update-psi-j-testing-service $TYPE $TARGET_VERSION
+        # Make sure everything is up to date
+        docker exec -it $ID apt-get update
+        docker exec -it $ID apt-get upgrade -y
+        # Make sure that all files are there if needed
+        docker cp ../docker/fs/. $ID:/tmp/fs/
+        docker exec -it $ID bash -c "echo $TYPE.$DOMAIN_NAME > /etc/hostname"
+        if [ "$DEV" == "1" ]; then
+            pushd ../..
+            python setup.py sdist
+            popd
+            docker cp ../../dist/$PACKAGE_NAME-$SERVICE_VERSION.tar.gz $ID:/tmp/$PACKAGE_NAME-$SERVICE_VERSION.tar.gz
+            docker exec -it $ID update-psi-j-testing-service $DONTASK $FORCE --src /tmp/$PACKAGE_NAME-$SERVICE_VERSION.tar.gz $TYPE $TARGET_VERSION
+        else
+            # Actual update
+            docker exec -it $ID update-psi-j-testing-service $DONTASK $FORCE $TYPE $TARGET_VERSION
+        fi
     else
         echo "Service $TYPE not running."
     fi
 }
 
-update psij
-update sdk
+
+for COMPONENT in $COMPONENTS; do
+    update $COMPONENT
+done

deployment/docker/Dockerfile

@@ -1,23 +1,27 @@
 FROM ubuntu:20.04
 
-ARG SERVICE_VERSION
-ARG GIT_BASE=https://github.com/ExaWorks/psij-testing-service/archive/refs/tags
+ARG SERVICE_PACKAGE
 
 RUN useradd -ms /bin/bash testsrv
 
 RUN apt-get update
 RUN apt-get upgrade -y
 
-RUN DEBIAN_FRONTEND="noninteractive" TZ="UTC" apt-get install -y python3.9 python3-pip mongodb wget mc
+RUN DEBIAN_FRONTEND="noninteractive" TZ="UTC" apt-get install -y python3.9 python3-pip mongodb \
+    wget mc postfix procmail syslog-ng
 
 WORKDIR ~/
 
-RUN pip install $GIT_BASE/v$SERVICE_VERSION.tar.gz
+# needed to get syslog-ng to work inside the container
+RUN sed -i 's/system()/system(exclude-kmsg(yes))/g' /etc/syslog-ng/syslog-ng.conf
 
-COPY psi-j-testing-service /etc/init.d
-COPY entrypoint.sh /
-COPY update-psi-j-testing-service /usr/bin
+
+COPY $SERVICE_PACKAGE /tmp
+RUN pip install /tmp/$SERVICE_PACKAGE
+RUN rm /tmp/$SERVICE_PACKAGE
+
+COPY fs /
 RUN mkdir /var/log/psi-j-testing-service
 RUN chown testsrv:testsrv /var/log/psi-j-testing-service
 
-CMD /entrypoint.sh
+CMD /entrypoint.sh

deployment/docker/build.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 error() {
     echo "$@"
     exit 1
@@ -13,8 +15,19 @@ source ../config
 
 echo "Version: $VERSION"
 
+if [ "$DEV" == "1" ]; then
+    pushd ../..
+    python setup.py sdist
+    popd
+    cp ../../dist/$PACKAGE_NAME-$SERVICE_VERSION.tar.gz ./$PACKAGE_NAME-$SERVICE_VERSION.tar.gz
+else
+    wget $GIT_BASE/v$SERVICE_VERSION.tar.gz -O ./$PACKAGE_NAME-$SERVICE_VERSION.tar.gz
+fi
+
 
-docker build --build-arg SERVICE_VERSION=$SERVICE_VERSION --build-arg GIT_BASE="$GIT_BASE" -t $IMAGE:$VERSION .
-docker push $IMAGE:$VERSION
+docker build --build-arg SERVICE_PACKAGE=./$PACKAGE_NAME-$SERVICE_VERSION.tar.gz -t $IMAGE:$VERSION .
 docker image tag $IMAGE:$VERSION $IMAGE:latest
-docker push $IMAGE:latest
+if [ "$DEV" == "0" ]; then
+    docker push $IMAGE:$VERSION
+    docker push $IMAGE:latest
+fi

deployment/docker/entrypoint.sh → deployment/docker/fs/entrypoint.sh

@@ -1,7 +1,11 @@
 #!/bin/bash
 
+set -e
+
+service syslog-ng start
 chown -R mongodb:mongodb /var/lib/mongodb
 service mongodb start
+service postfix start
 
 service psi-j-testing-service start
 

deployment/docker/psi-j-testing-service → deployment/docker/fs/etc/init.d/psi-j-testing-service

@@ -31,9 +31,11 @@ start() {
         log_progress_msg "already running"
         errorcode=0
     else
+        # without this, errors get delayed in the log
+        export PYTHONUNBUFFERED=1
         start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
             --make-pidfile --chuid $DAEMONUSER \
-            --startas /bin/bash -- -c "exec psi-j-testing-service >>/var/log/psi-j-testing-service/service.log 2>&1"
+            --startas /bin/bash -- -c "exec psi-j-testing-service -c /etc/psij-testing-service/config.json -s /etc/psij-testing-service/secrets.json >>/var/log/psi-j-testing-service/service.log 2>&1"
         errorcode=$?
     fi
     return $errorcode