From e2649a1aba6961a019fd49d4461dedc76d996ed3 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Fri, 13 Aug 2021 16:59:10 +0000
Subject: [PATCH] Stop redirecting for the paste site

The pastebinit command-line tool hard-codes an allowed list of
pastebin URLs, one of which is "http://paste.openstack.org" so
redirecting to HTTPS and to other hostnames seems to break it.

It has a specific user-agent, so allow plain HTTP access for this
tool, but redirect others.

Change-Id: Ia7c983986e6e9c08299ded5282a83761448b35bb
---
 .../roles/lodgeit/templates/paste.vhost.j2    | 31 ++++++++++++++++++-
 testinfra/test_paste.py                       | 14 +++++++++
 tox.ini                                       |  1 +
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/playbooks/roles/lodgeit/templates/paste.vhost.j2 b/playbooks/roles/lodgeit/templates/paste.vhost.j2
index ffa68099e6..c72a49fe38 100644
--- a/playbooks/roles/lodgeit/templates/paste.vhost.j2
+++ b/playbooks/roles/lodgeit/templates/paste.vhost.j2
@@ -2,13 +2,42 @@
   ServerName {{ inventory_hostname }}
   ServerAdmin webmaster@openstack.org
 
+  AllowEncodedSlashes On
+
   ErrorLog ${APACHE_LOG_DIR}/paste-error.log
 
   LogLevel warn
 
   CustomLog ${APACHE_LOG_DIR}/paste-access.log combined
 
-  Redirect / https://paste.opendev.org/
+  RewriteEngine On
+
+  # NOTE(fungi) 2021-08-13 : The pastebinit command-line tool
+  # hard-codes an allowed list of pastebin URLs, one of which is
+  # "http://paste.openstack.org" so redirecting to HTTPS and to other
+  # hostnames seems to break it.  We allow it to access the http site
+  # for compatability, but redirect anything that doesn't look like it
+  # over to the https site.
+  RewriteCond %{HTTP_USER_AGENT} !"Pastebinit" [NC]
+  RewriteRule ^(.*)$ https://paste.opendev.org$1 [R=301,L]
+
+  # NOTE(ianw) 2021-08-04 : block GET /json/?method=pastes.getRecent
+  # This a) gives Python 3 unicode errors we haven't looked into and b)
+  # is only used by bots as a vector for scraping things.  Just
+  # disable it.
+  RewriteCond %{QUERY_STRING} "method=pastes.getRecent"
+  RewriteRule .* - [F,L]
+
+  ProxyPass  / http://localhost:9000/ retry=0
+  ProxyPassReverse / http://localhost:9000/
+
+  <Location "/robots.txt">
+    ProxyPass !
+  </Location>
+  <Directory "/var/lib/lodgeit/www">
+    Require all granted
+  </Directory>
+  Alias /robots.txt /var/lib/lodgeit/www/robots.txt
 
 </VirtualHost>
 
diff --git a/testinfra/test_paste.py b/testinfra/test_paste.py
index 5124fa12eb..2bebcc6e27 100644
--- a/testinfra/test_paste.py
+++ b/testinfra/test_paste.py
@@ -12,6 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+import requests
 from selenium import webdriver
 from selenium.webdriver.support.ui import WebDriverWait
 from selenium.common.exceptions import TimeoutException
@@ -33,6 +34,19 @@ def test_paste(host):
                    'https://paste.opendev.org')
     assert 'New Paste' in cmd.stdout
 
+def test_paste_redirects(host):
+    # http site should redirect all agents but Pastebinit
+    r = requests.get(
+        'http://%s' % host.backend.get_hostname(), allow_redirects=False)
+    assert r.status_code == 301
+    assert r.headers['Location'] == 'https://paste.opendev.org/'
+
+    headers = {
+        'User-Agent': 'Pastebinit v1.2.3'
+    }
+    r = requests.get('http://%s' % (host.backend.get_hostname()))
+    assert r.status_code == 200
+
 def test_paste_robots(host):
     cmd = host.run('curl --insecure '
                    '--resolve paste.opendev.org:443:127.0.0.1 '
diff --git a/tox.ini b/tox.ini
index be91219445..bf3f4be3ff 100644
--- a/tox.ini
+++ b/tox.ini
@@ -41,6 +41,7 @@ deps =
   pytest-html # MPL-2.0
   pytest-testinfra>=6.0.0
   selenium
+  requests
 
 # This environment assumes a gate-hosts.yaml file has been written.
 passenv =