From 73955d55b7faa29959fd49c0c88512da05e0aba0 Mon Sep 17 00:00:00 2001 From: Jeremy Stanley Date: Fri, 8 Mar 2019 15:27:42 +0000 Subject: [PATCH] Set up legacy git redirect sites As part of the move to Gitea, we're creating compatibility redirects from our old Cgit and Git HTTP backend sites to opendev.org. This introduces Apache vhosts for each of git.airshipit.org, git.openstack.org, git.starlingx.io and git.zuul-ci.org which all serve the same docroot on the files.openstack.org server. This docroot houses a single .htaccess file with the relevant redirect rules. Change-Id: I729fe39bcbe0a0cae237e9036ed8fa980f897e68 Co-Authored-By: James E. Blair Task: #29705 --- manifests/site.pp | 28 ++- .../files/git-redirect.htaccess | 148 +++++++++++++++ modules/openstack_project/manifests/files.pp | 178 ++++++++++++++++++ .../templates/git-redirect.vhost.erb | 49 +++++ 4 files changed, 395 insertions(+), 8 deletions(-) create mode 100644 modules/openstack_project/files/git-redirect.htaccess create mode 100644 modules/openstack_project/templates/git-redirect.vhost.erb diff --git a/manifests/site.pp b/manifests/site.pp index 952c2f5500..c92a0e96ed 100644 --- a/manifests/site.pp +++ b/manifests/site.pp 
@@ -505,14 +505,26 @@ node /^files\d*\.open.*\.org$/ { } class { 'openstack_project::files': - vhost_name => 'files.openstack.org', - developer_cert_file_contents => hiera('developer_cert_file_contents'), - developer_key_file_contents => hiera('developer_key_file_contents'), - developer_chain_file_contents => hiera('developer_chain_file_contents'), - docs_cert_file_contents => hiera('docs_cert_file_contents'), - docs_key_file_contents => hiera('docs_key_file_contents'), - docs_chain_file_contents => hiera('docs_chain_file_contents'), - require => Class['Openstack_project::Server'], + vhost_name => 'files.openstack.org', + developer_cert_file_contents => hiera('developer_cert_file_contents'), + developer_key_file_contents => hiera('developer_key_file_contents'), + developer_chain_file_contents => hiera('developer_chain_file_contents'), + docs_cert_file_contents => hiera('docs_cert_file_contents'), + docs_key_file_contents => hiera('docs_key_file_contents'), + docs_chain_file_contents => hiera('docs_chain_file_contents'), + git_airship_cert_file_contents => hiera('git_airship_cert_file_contents'), + git_airship_key_file_contents => hiera('git_airship_key_file_contents'), + git_airship_chain_file_contents => hiera('git_airship_chain_file_contents'), + git_openstack_cert_file_contents => hiera('git_openstack_cert_file_contents'), + git_openstack_key_file_contents => hiera('git_openstack_key_file_contents'), + git_openstack_chain_file_contents => hiera('git_openstack_chain_file_contents'), + git_starlingx_cert_file_contents => hiera('git_starlingx_cert_file_contents'), + git_starlingx_key_file_contents => hiera('git_starlingx_key_file_contents'), + git_starlingx_chain_file_contents => hiera('git_starlingx_chain_file_contents'), + git_zuul_cert_file_contents => hiera('git_zuul_cert_file_contents'), + git_zuul_key_file_contents => hiera('git_zuul_key_file_contents'), + git_zuul_chain_file_contents => hiera('git_zuul_chain_file_contents'), + require => 
Class['Openstack_project::Server'], } # Temporary for evaluating htaccess rules diff --git a/modules/openstack_project/files/git-redirect.htaccess b/modules/openstack_project/files/git-redirect.htaccess new file mode 100644 index 0000000000..a72f6b5ca8 --- /dev/null +++ b/modules/openstack_project/files/git-redirect.htaccess 
@@ -0,0 +1,148 @@
+# Unescape any slashes in the branch portion of the query string so
+# that we don't have to worry about whether or not they are encoded
+# later. This is a recursive rule to handle multiple slashes.
+RewriteCond %{QUERY_STRING} "^(.*)h=([^&]+)%2F([^&]+)(.*)$"
+RewriteRule "^(.*)$" "/$1?%1h=%2/%3%4" [N]
+
+###################################
+# summary
+# ignore all args
+
+RewriteRule "^cgit/([^/]+)/([^/]+)/?$" "https://opendev.org/$1/$2/" [L,QSD]
+
+###################################
+# refs tab -> branches tab
+# ignore all args
+# The cgit refs tab shows tags+branches, the branches tab in gitea is
+# the closest linkable url
+
+RewriteRule "^cgit/([^/]+)/([^/]+)/refs/?" "https://opendev.org/$1/$2/branches" [L,QSD]
+
+###################################
+# log tab (with file) -> commits tab
+# h=
+
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+
+RewriteRule "^cgit/([^/]+)/([^/]+)/log/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+#####################################################
+# tree tab (with file) -> tree tab
+# id=
+# h=&id= (id)
+# if there's a commit, it takes precedence
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
+
+# h=
+# if there's no commit, but a branch:
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
+
+# if there's no args:
+RewriteRule "^cgit/(.*?)/(.*?)/tree/?(.*)" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
+
+#####################################################
+# plain link without file -> tree tab
+# id=
+# h=&id= (id)
+# if there's a commit, it takes precedence
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/commit/%1/$3" [L,QSD]
+
+# h=
+# if there's no commit, but a branch:
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/%1/$3" [L,QSD]
+
+# if there's no args:
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?$" "https://opendev.org/$1/$2/src/branch/master/$3" [L,QSD]
+
+#####################################################
+# plain link (with file) -> raw
+# same as tree
+# id=
+# h=&id= (id)
+# if there's a commit, it takes precedence
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/commit/%1/$3" [L,QSD]
+
+# h=
+# if there's no commit, but a branch:
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/%1/$3" [L,QSD]
+
+# if there's no args:
+RewriteRule "^cgit/(.*?)/(.*?)/plain/?(.*)" "https://opendev.org/$1/$2/raw/branch/master/$3" [L,QSD]
+
+######################
+# commit tab (with file) -> commit screen (without file)
+# id=
+# id=&h=
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
+
+# h=
+# The commit tab in cgit will show the branch-tip commit in this case.
+# There is not a comprable page in gitea, so we redirect to the branch
+# log (which has the branch-tip commit at the top of the list). We
+# include the file if it's there to further restrict the list of
+# commits
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+# Same, but with master branch
+RewriteRule "^cgit/(.*?)/(.*?)/commit/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+######################
+# diff (with file) -> commit screen (without file)
+# Gitea doesn't handle arbitrary diffs, so just show the commit page for id.
+# We do the same thing as for the commit tab.
+# id=&id2=
+# id=
+# id=&h=
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
+
+# h=
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+RewriteRule "^cgit/(.*?)/(.*?)/diff/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+######################
+# patch (with file)
+# Gitea doesn't handle generating patch files, so just show the commit page.
+# We do the same thing as for the commit tab.
+# id=
+# id=&h=
+RewriteCond %{QUERY_STRING} id=([\w]+)
+RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commit/%1" [L,QSD]
+
+# h=
+RewriteCond %{QUERY_STRING} h=([\w/]+)
+RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/%1/$3" [L,QSD]
+
+# no args
+RewriteRule "^cgit/(.*?)/(.*?)/patch/?(.*)" "https://opendev.org/$1/$2/commits/branch/master/$3" [L,QSD]
+
+#####################
+# tag
+# Gitea doesn't have a dedicated tag page, but if you click a tag in
+# gitea, it takes you to the source tree view for that tag, which has
+# the tagged commit at the top of the table.
+RewriteCond %{QUERY_STRING} h=([\w/\.]+)
+RewriteRule "^cgit/(.*?)/(.*?)/tag/?" "https://opendev.org/$1/$2/src/tag/%1" [L,QSD]
+
+#####################
+# Any other unknown cgit url, redirect to /
+RewriteRule "^cgit" "https://opendev.org/" [L,QSD]
+
+#####################
+# Non cgit URLs
+RewriteRule "^(.*)$" "https://opendev.org/$1" [L]
diff --git a/modules/openstack_project/manifests/files.pp b/modules/openstack_project/manifests/files.pp
index 21c7d69da8..acb61c137c 100644
--- a/modules/openstack_project/manifests/files.pp
+++ b/modules/openstack_project/manifests/files.pp
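Review bot: In git-redirect.htaccess the branch captures `h=([\w/]+)` in the log, tree, plain, commit, diff and patch rules stop at the first `.` or `-`, so a request such as `h=stable/1.0` or `h=newton-eol` (constructed examples) is silently redirected to a truncated ref instead of the one asked for; only the tag rule allows dots. The patterns are also unanchored, so they match any parameter whose name merely ends in `h` or `id`; I would use `RewriteCond %{QUERY_STRING} (?:^|&)h=([\w/.-]+)` and `(?:^|&)id=(\w+)` throughout. The unescape rule at the top matches only upper-case `%2F`, and adding `[NC]` to that RewriteCond covers `%2f` as well. The three `plain/?$` rules reference `$3` although their pattern has only two groups, so that backreference is always empty and can be dropped.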
@@ -8,6 +8,18 @@ class openstack_project::files ( $docs_cert_file_contents, $docs_key_file_contents, $docs_chain_file_contents, + $git_airship_cert_file_contents, + $git_airship_key_file_contents, + $git_airship_chain_file_contents, + $git_openstack_cert_file_contents, + $git_openstack_key_file_contents, + $git_openstack_chain_file_contents, + $git_starlingx_cert_file_contents, + $git_starlingx_key_file_contents, + $git_starlingx_chain_file_contents, + $git_zuul_cert_file_contents, + $git_zuul_key_file_contents, + $git_zuul_chain_file_contents, ) { $afs_root = '/afs/openstack.org/' @@ -30,6 +42,24 @@ class openstack_project::files ( require => File["${www_base}"], } + ##################################################### + # Git Redirects Webroot + file { "${www_base}/git-redirect": + ensure => directory, + owner => root, + group => root, + require => File["${www_base}"], + } + + file { "${www_base}/git-redirect/.htaccess": + ensure => present, + owner => 'root', + group => 'root', + mode => '0444', + source => 'puppet:///modules/openstack_project/git-redirect.htaccess', + require => File["${www_base}/git-redirect"], + } + ##################################################### # Set up directories needed by HTTPS certs/keys file { '/etc/ssl/certs': 
@@ -189,4 +219,152 @@ class openstack_project::files (
 require => File['/etc/ssl/certs'],
 before => File['/etc/ssl/certs/developer.openstack.org.pem'],
 }
+
+
+ ###########################################################
+ # git.airshipit.org
+
+ ::httpd::vhost { 'git.airshipit.org':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.airshipit.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_airship_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.airshipit.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_airship_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.airshipit.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_airship_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.airshipit.org.pem'],
+ }
+
+
+ ###########################################################
+ # git.openstack.org
+
+ ::httpd::vhost { 'git.openstack.org':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.openstack.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_openstack_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.openstack.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_openstack_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.openstack.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_openstack_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.openstack.org.pem'],
+ }
+
+
+ ###########################################################
+ # git.starlingx.io
+
+ ::httpd::vhost { 'git.starlingx.io':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.starlingx.io.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_starlingx_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.starlingx.io.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_starlingx_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.starlingx.io_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_starlingx_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.starlingx.io.pem'],
+ }
+
+
+ ###########################################################
+ # git.zuul-ci.org
+
+ ::httpd::vhost { 'git.zuul-ci.org':
+ port => 443, # Is required despite not being used.
+ docroot => "${www_base}/git-redirect",
+ priority => '50',
+ template => 'openstack_project/git-redirect.vhost.erb',
+ require => File["${www_base}/git-redirect"],
+ }
+ file { '/etc/ssl/certs/git.zuul-ci.org.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_zuul_cert_file_contents,
+ require => File['/etc/ssl/certs'],
+ }
+ file { '/etc/ssl/private/git.zuul-ci.org.key':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0600',
+ content => $git_zuul_key_file_contents,
+ require => File['/etc/ssl/private'],
+ }
+ file { '/etc/ssl/certs/git.zuul-ci.org_intermediate.pem':
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ content => $git_zuul_chain_file_contents,
+ require => File['/etc/ssl/certs'],
+ before => File['/etc/ssl/certs/git.zuul-ci.org.pem'],
+ }
 }
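Review bot: Each `::httpd::vhost` added to files.pp requires only the docroot directory, yet the template it renders names `/etc/ssl/private/<host>.key` and the two `.pem` files and relies on the `.htaccess` for its redirects; nothing orders those `file` resources before the vhost, so on a first run Apache may be given a vhost whose key or certificate is not yet on disk. I would widen the dependency, e.g. `require => [File["${www_base}/git-redirect/.htaccess"], File['/etc/ssl/private/git.airshipit.org.key'], File['/etc/ssl/certs/git.airshipit.org.pem']],` and likewise for the other three hosts. Whether `::httpd::vhost` reloads Apache by itself is not visible in this diff, so the ordering risk is inferred. The four blocks differ only in hostname and parameter prefix, so a small defined type taking the name and the three contents would remove the copy-paste and keep the `0600` key mode in one place.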
diff --git a/modules/openstack_project/templates/git-redirect.vhost.erb b/modules/openstack_project/templates/git-redirect.vhost.erb
new file mode 100644
index 0000000000..db6fbb9d8c
--- /dev/null
+++ b/modules/openstack_project/templates/git-redirect.vhost.erb
@@ -0,0 +1,49 @@
+# ************************************
+# Managed by Puppet
+# ************************************
+
+
+ ServerName <%= @srvname %>
+ RewriteEngine On
+ DocumentRoot <%= @docroot %>
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @srvname %>_error.log
+ CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
+ ServerSignature Off
+
+
+
+
+ ServerName <%= @srvname %>
+ RewriteEngine On
+ DocumentRoot <%= @docroot %>
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Once the machine is using something to terminate TLS that supports ECDHE
+ # then this should be edited to remove the RSA+AESGCM:RSA+AES so that PFS
+ # only is guarenteed.
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+ SSLCertificateFile /etc/ssl/certs/<%= @srvname %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @srvname %>.key
+ SSLCertificateChainFile /etc/ssl/certs/<%= @srvname %>_intermediate.pem
+ >
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ AllowOverrideList Redirect RedirectMatch
+ Satisfy Any
+ Require all granted
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/<%= @srvname %>_error.log
+ CustomLog /var/log/apache2/<%= @srvname %>_access.log combined
+ ServerSignature Off
+
+
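Review bot: `AllowOverride None` together with `AllowOverrideList Redirect RedirectMatch` permits only those two mod_alias directives in `.htaccess`, but the git-redirect.htaccess added by this same commit consists entirely of `RewriteCond` and `RewriteRule`; Apache answers with a 500 when a `.htaccess` uses a directive that is not on the list, so I would expect every request to these vhosts to fail. The list should read `AllowOverrideList RewriteCond RewriteRule` in both places it appears, or the rules could move into the vhost itself so that no `.htaccess` processing is needed. `Options Indexes FollowSymLinks MultiViews` is also broader than a redirect-only docroot needs: per-directory mod_rewrite needs `FollowSymLinks`, while `Indexes` and `MultiViews` can be dropped. `SSLProtocol All -SSLv2 -SSLv3` still leaves TLS 1.0 and 1.1 enabled.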