1. 20 Mar, 2024 7 commits
    • Jérome Perrin's avatar
      stack/erp5: implement Zope's rewrite rules in ERP5 balancer partition · bf82a6ab
      Jérome Perrin authored
      The strategy for compatibility is that:
       - haproxy still listen on the same port as before, without rewrite rule.
         This is called "legacy" port.
       - for each frontend from request parameters, we introduce an haproxy
         frontend with a rewrite for the corresponding `internal-path`
         parameter.
       - the shared frontend instance is updated to use this new frontend
         entry from haproxy. This will cause a small downtime until the shared
         frontend is updated to the new URL on ERP5, but since this feature
         was not used, it's OK.
      
      Technical details are that we:
       - split haproxy config to have frontends and backends.
       - introduce one frontend in haproxy for each frontend from request
         parameters.
       - routing-rule-list argument is still honored the same way, globally
         and after path from frontend.
       - change the shared frontend requests to use "" type, no longer "zope"
         type.
       - we don't do automatic detection of /VirtualHostRoot in URL but always
         add it, because it could be used to trick zope into thinking it
         serves requests for an arbitrary host and do open redirects
       - before using the request's host header in virtualhost path, we check
         that it does not contain /, to prevent injection of virutalhost path
         elements through the host header.
       - we don't use the "path" parameter from shared frontend, because we
         want the frontend to be simple, so we don't want it to rewrite the
         request path (which is also the reason why we deprecated "zope" type)
       - the tests have changed a lot, because they were using what's now the
         "legacy" URL types, so we updated it to use the new URL types with
         all the /VirtualHostRoot/../ in path and also because they use IPv6
         URL, no longer IPv4
      bf82a6ab
    • Jérome Perrin's avatar
      stack/erp5: use slapos.recipe.build to manage haproxy parameters · f6954f68
      Jérome Perrin authored
      and save the already allocated ports in a state file, so that requesting
      new families does not change already allocated ports.
      f6954f68
    • Jérome Perrin's avatar
      stack/erp5: remove not used "backend-path" · c9fa707f
      Jérome Perrin authored
      This is not documented in schema and has no effect in erp5 (but this is
      still used for slapos-master)
      c9fa707f
    • Jérome Perrin's avatar
    • Jérome Perrin's avatar
      ERP5: rework frontend instance parameter · 93f1e220
      Jérome Perrin authored
      This change the format or the (mostly) unused frontend parameter to
      support requesting more than one frontend and also enable the request of
      a frontend by default, so that requesting a frontend separately is no
      longer needed.
      
      The `frontend` parameter now also supports requesting frontends for
      specific paths on the ERP5 backend, the example below requests a
      frontend serving directly a web site, with the necessary rewrite rules:
      
      ```js
      {
        "frontend": {
          "default": {
            "internal-path": "/erp5/web_site_module/renderjs_runner/"
          }
        }
      }
      ```
      
      The example below requests a default frontend to the erp5 root, to
      access the ZMI or erp5_xhtml_style interface and two web sites:
      
      ```js
      {
        "frontend": {
          "default": {},
          "erp5js": {
            "internal-path": "/erp5/web_site_module/renderjs_runner/"
          },
          "crm": {
            "internal-path": "/erp5/web_site_module/erp5_officejs_support_request_ui/"
          }
        }
      }
      ```
      
      The example below has an explicit definition of the zope families using
      `zope-partition-dict` parameter, because there is more than one zope
      family, no frontend is requested by default:
      
      ```js
      {
        "zope-partition-dict": {
          "backoffice": {
            "family": "backoffice"
          },
          "web": {
            "family": "web"
          },
          "activities": {
            "family": "activities"
          }
        }
      }
      ```
      
      Continuing this example, to have frontends for backoffice and web
      families, the frontend request can specify the families, like it is
      demonstrated in the example below. In this example, we don't specify an
      entry for "activities" family, so no frontend will be requested for
      this family.
      
      ```js
      {
        "frontend": {
          "backoffice": {
            "zope-family": "backoffice"
          },
          "web": {
            "zope-family": "web",
            "internal-path": "/erp5/web_site_module/web_site/"
          }
        }
        "zope-partition-dict": {
          "backoffice": {
            "family": "backoffice"
          },
          "web": {
            "family": "web"
          },
          "activities": {
            "family": "activities"
          }
        }
      }
      ```
      93f1e220
    • Jérome Perrin's avatar
      stack/erp5: serve balancer requests when client certificate is not verified · 8fa7ec94
      Jérome Perrin authored
      We configure haproxy with "verify optional", which makes haproxy request
      a client certificate, but accept the case where client does not present
      a certificate, but as described in [1], if client present a certificate
      and this certificate can not be verified, handshake is aborted. This is
      not what we want, we want to treat the case of a non verified
      certificate same as the case of the absence of certificate.
      
      This configures haproxy accordingly, using "crt-ignore-err all" to allow
      handshake anyway.
      
      Once this was fixed, there was a remaining problem with
      client_cert_verified acl, haproxy acl are OR, but this rule was supposed
      to be a AND (client present a certificate AND it is verified), this was
      rewritten to use inline condition which are AND.
      
      [1]: https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-verify
      
      Also adjust test_x_forwarded_for_stripped_when_no_certificate to assert
      that there is no X-Forwarded-For header at all when no client
      certificate.
      8fa7ec94
    • Levin Zimmermann's avatar
      software/erp5/test: Run tests with ZEO & NEO · 361c990b
      Levin Zimmermann authored
      Before this patch all ERP5 SlapOS Integration tests only run with ZEO
      storage. We should also run them against NEO, because we are using
      ERP5 with NEO in SlapOS.
      
      In order to do so we implemented parameterized test classes for our ERP5
      integration tests. Each test case can be configured via its __test_matrix__
      attribute. A test matrix is a dict which maps the flavoured class name suffix to
      a tuple of parameters. A parameter is a function which receives the
      instance_parameter_dict and modifies it in place. You can use the
      'matrix' helper function to construct a test matrix. If .__test_matrix__
      is 'None' the test case is ignored.
      
      /reviewed-by @kirr & @jerome
      /reviewed-on nexedi/slapos!1306
      361c990b
  2. 23 Jun, 2022 1 commit
  3. 21 Jun, 2022 2 commits
  4. 20 Jun, 2022 3 commits
  5. 17 Jun, 2022 7 commits
  6. 16 Jun, 2022 3 commits
  7. 15 Jun, 2022 7 commits
  8. 14 Jun, 2022 2 commits
  9. 13 Jun, 2022 5 commits
  10. 10 Jun, 2022 3 commits