Merge pull request #313 from mendix/DEP-2467_Extend_PBAR_configuration

DEP-2467: Configuration of Nginx. Configuring location access by cert…

.travis.yml

@@ -6,7 +6,7 @@ dist: bionic
 
 language: python
 
-python: 3.6.8
+python: 3.6.9
 
 env:
   global:

DEVELOPING.md

@@ -21,6 +21,16 @@ For developing the buildpack, `pyenv` must be set up, and the dependencies for t
 
 Beware that an older file system is also supported which includes Python 3.4, so please take that into account while introducing additional dependencies or new dependency version.
 
+### Developing in `Docker`
+As an alternative to running Python on your host you can run it in Docker container.
+* set up required environment variables
+* go to `./dev` folder
+* execute `bash run-locally.sh`
+
+This will start the Docker container with preinstalled Python and "ssh" you into it.
+The project folder will be mapped to the current folder in the Docker container, so if you edit files on you host 
+the changes will be immediately available in the container.
+
 ### Installing testing and linting requirements
 The buildpack makes use of the `make` system. For dependency management, `pip-compile` is used under the hood.
 
@@ -91,3 +101,9 @@ If your tests fail, be sure to clean up the Cloud Foundry environment with:
 ```
 make clean_cf
 ```
+
+To run a one separate test do:
+
+```
+nosetests --nocapture --verbosity=3 --processes=10 --process-timeout=3600 --with-timer --timer-no-color tests/integration/test-file-name.py
+```

README.md

@@ -390,7 +390,7 @@ export HOME=$HOME/app # this should not be needed but for now it is
 export DEBUG_CONTAINER=false # while we are in the container turn it off, we could try to make this optional by detecting other environment variables that are present over ssh but not regular start
 export PORT=1234 # so that nginx can start correctly
 cd app
-python3 start.py
+PYTHONPATH=:buildpack:lib python3 buildpack/start.py
 ```
 
 After you are done, you can disable debug mode with:

buildpack/nginx.py

@@ -146,6 +146,7 @@ def get_path_config():
     %s
     %s
     %s
+    %s
 }
 """
     root_template = """
@@ -164,6 +165,7 @@ def get_path_config():
 %s
 %s
 %s
+%s
 """
 
     restrictions = json.loads(os.environ.get("ACCESS_RESTRICTIONS", "{}"))
@@ -219,13 +221,28 @@ def get_path_config():
         if config.get("client-cert") or config.get("client_cert"):
             client_cert = "auth_request /client-cert-check-internal;"
 
+        # This scenario isn't covered by integration tests. Please test manually if Nginx is properly matching the
+        # SSL-Client-I-DN HTTP header with the configuration in the ACCESS_RESTRICTIONS environment variable.
+        issuer_dn = ""
+        if "issuer_dn" in config:
+            issuer_dn_regex = ""
+            for i in config["issuer_dn"]:
+                issuer = i.replace(" ", "\\040")
+                issuer = issuer.replace(".", "\\.")
+                issuer_dn_regex += "{}|".format(issuer)
+            issuer_dn_regex = issuer_dn_regex[:-1]
+            issuer_dn = "if ($http_ssl_client_i_dn ~* ^(?!({})$)(\w*)) {{ \n        return 403;\n    }}".format(
+                issuer_dn_regex
+            )
+
         template = root_template if path == "/" else location_template
         indent = "\n" + " " * (0 if path == "/" else 4)
         result += template % (
             path,
             proxy_intercept_errors,
             satisfy,
             indent.join(ipfilter),
+            issuer_dn,
             client_cert,
             indent.join(basic_auth),
         )

buildpack/start.py

@@ -27,7 +27,7 @@
 from buildpack.runtime_components import security
 from lib.m2ee import M2EE as m2ee_class
 
-BUILDPACK_VERSION = "4.5.3"
+BUILDPACK_VERSION = "4.5.4"
 
 m2ee = None
 app_is_restarting = False

dev/Dockerfile

@@ -0,0 +1,24 @@
+FROM python:3.6.9
+
+WORKDIR /home/vcap/app
+
+COPY ./requirements.in ./
+COPY ./requirements-lint.in ./
+COPY ./requirements-test.in ./
+COPY ./Makefile ./
+
+RUN make install_piptools \
+ && pip-compile requirements.in \
+ && pip-compile requirements-lint.in \
+ && pip-compile requirements-test.in \
+ && pip3 install -r requirements.txt \
+ && pip3 install -r requirements-lint.txt \
+ && pip3 install -r requirements-test.txt \
+ && pip3 install nose \
+ && pip3 install nose-timer \
+ && pip-sync requirements.txt requirements-test.txt requirements-lint.txt
+
+RUN wget -q -O - https://packages.cloudfoundry.org/debian/cli.cloudfoundry.org.key | apt-key add - \
+ && echo "deb https://packages.cloudfoundry.org/debian stable main" | tee /etc/apt/sources.list.d/cloudfoundry-cli.list \
+ && apt-get update \
+ && apt-get install cf-cli

dev/docker-compose.yml

@@ -0,0 +1,20 @@
+version: '3'
+
+services:
+  buildpack:
+    build:
+      context: ../
+      dockerfile: ./dev/Dockerfile
+    volumes:
+    - ../:/home/vcap/app
+    environment:
+      CF_ENDPOINT: ${CF_ENDPOINT}
+      CF_USER: ${CF_USER}
+      CF_PASSWORD: ${CF_PASSWORD}
+      CF_ORG: ${CF_ORG}
+      CF_SPACE: ${CF_SPACE}
+      CF_DOMAIN: ${CF_DOMAIN}
+      MX_PASSWORD: ${MX_PASSWORD}
+      TEST_PREFIX: ${TEST_PREFIX}
+      BUILDPACK: ${BUILDPACK}
+    entrypoint: /bin/bash

dev/run-locally.sh

@@ -0,0 +1,3 @@
+docker-compose build
+docker-compose run buildpack
+docker-compose down