XXX

software/caddy-frontend/instance-apache-replicate.cfg.in

 {% if instance_parameter_dict['slap-software-type'] in software_type %}
-{% set aibcc_enabled = True %}
 {% import "caucase" as caucase with context %}
 {#- SERVER_POLLUTED_KEY_LIST is a list of keys which comes from various SlapOS Master implementations, which mix request and publish keys on each slave information -#}
 {%- set SERVER_POLLUTED_KEY_LIST = ['connection-parameter-hash', 'timestamp', 'slave_title', 'slap_software_type'] -%}
@@ -25,7 +24,6 @@
     ]
 %}
 {% set aikc_enabled = slapparameter_dict.get('automatic-internal-kedifa-caucase-csr', 'true').lower() in TRUE_VALUES %}
-{% set aibcc_enabled = slapparameter_dict.get('automatic-internal-backend-client-caucase-csr', 'true').lower() in TRUE_VALUES %}
 {# Ports 8401, 8402 and 8410+1..N are reserved for monitor ports on various partitions #}
 {% set master_partition_monitor_monitor_httpd_port = 8401 %}
 {% set kedifa_partition_monitor_httpd_port = 8402 %}
@@ -310,7 +308,7 @@ warning-list = {{ dumps(json_module.dumps(warning_list, sort_keys=True)) }}
 {# sort_keys are important in order to avoid shuffling parameters on each run #}
 warning-slave-dict = {{ dumps(json_module.dumps(warning_slave_dict, sort_keys=True)) }}
 {% endif %}
-{% if not aikc_enabled or not aibcc_enabled %}
+{% if not aikc_enabled %}
 {% for frontend in frontend_list %}
   {% set section_part = '${request-' + frontend %}
 {{ frontend }}-csr_id-certificate = {{ section_part }}:connection-csr_id-certificate}
@@ -328,12 +326,6 @@ kedifa-csr_id-certificate = ${request-kedifa:connection-csr_id-certificate}
   {% set section_part = '${request-' + frontend %}
 {{ frontend }}-backend-haproxy-statistic-url = {{ section_part }}:connection-backend-haproxy-statistic-url}
 {% endfor %}
-{% if not aibcc_enabled %}
-{% for frontend in frontend_list %}
-  {% set section_part = '${request-' + frontend %}
-{{ frontend }}-backend-client-csr_id-url = {{ section_part }}:connection-backend-client-csr_id-url}
-{% endfor %}
-{% endif %}
 
 #----------------------------
 #--
@@ -569,142 +561,6 @@ update-command = ${:command}
 {% endfor %}
 {% endif %} {# if aikc_enabled #}
 
-{% if aibcc_enabled %}
-[directory]
-aibcc = ${:srv}/aibcc
-
-[aibcc-config]
-caucase-url = {{ caucase_url }}
-
-csr = ${directory:aibcc}/csr.pem
-key = ${directory:aibcc}/key.pem
-ca-certificate = ${directory:aibcc}/cas-ca-certificate.pem
-crl = ${directory:aibcc}/crl.pem
-user-ca-certificate = ${directory:aibcc}/user-ca-certificate.pem
-user-crl = ${directory:aibcc}/user-crl.pem
-user-created = ${directory:aibcc}/user-created
-csr_id = ${directory:aibcc}/csr_id
-
-[aibcc-user-csr]
-recipe = plone.recipe.command
-organization = {{ instance_parameter_dict['root-instance-title'] }}
-organizational_unit = Automatic Sign Backend Client Caucase CSR
-command =
-  if [ ! -f ${:csr} ] && [ ! -f ${:key} ]  ; then
-    {{ software_parameter_dict['openssl'] }} req -new -sha256 \
-      -newkey rsa:2048 -nodes -keyout ${:key} \
-      -subj "/O=${:organization}/OU=${:organizational_unit}" \
-      -out ${:csr}
-  fi
-update-command = ${:command}
-csr = ${aibcc-config:csr}
-key = ${aibcc-config:key}
-{#- Can be stopped on error, as does not rely on self provided service #}
-stop-on-error = True
-
-
-[aibcc-caucase-wrapper]
-{# jinja2 instead of wrapper is used with context to remove py'u' #}
-recipe = slapos.recipe.template:jinja2
-context =
-  key caucase_url aibcc-config:caucase-url
-template = inline:#!{{ software_parameter_dict['dash'] }}/bin/dash
-  exec {{ software_parameter_dict['bin_directory'] }}/caucase \
-{# raw block to use context #}
-{% raw %}
-  --ca-url {{ caucase_url }} \
-{% endraw %}
-  --ca-crt ${aibcc-config:ca-certificate} \
-  --user-ca-crt ${aibcc-config:user-ca-certificate} \
-  --user-crl ${aibcc-config:user-crl} \
-  --crl ${aibcc-config:crl} \
-  "$@"
-
-rendered = ${directory:bin}/aibcc-caucase-wrapper
-mode = 0700
-
-{% do part_list.append('aibcc-create-user') %}
-[aibcc-create-user]
-recipe = plone.recipe.command
-# the caucase for this part is provided in this profile, so we can't fail
-# as otherwise caucase will never be started...
-{#- XXX: Create promise #}
-stop-on-error = False
-update-command = ${:command}
-command =
-  if ! [ -f ${aibcc-config:user-created} ] ; then
-    ${aibcc-caucase-wrapper:rendered} --mode user --send-csr ${aibcc-user-csr:csr} > ${aibcc-config:csr_id} || exit 1
-    cut -d ' ' -f 1 ${aibcc-config:csr_id} || exit 1
-    csr_id=`cut -d ' ' -f 1 ${aibcc-config:csr_id}`
-    sleep 1
-    ${aibcc-caucase-wrapper:rendered} --mode user --get-crt $csr_id ${aibcc-config:key} || exit 1
-    touch ${aibcc-config:user-created}
-  fi
-
-{% do part_list.append('aibcc-user-caucase-updater') %}
-{% do part_list.append('aibcc-user-caucase-updater-promise') %}
-{{ caucase.updater(
-     prefix='aibcc-user-caucase-updater',
-     buildout_bin_directory=software_parameter_dict['bin_directory'],
-     updater_path='${directory:service}/aibcc-user-caucase-updater',
-     url='${aibcc-config:caucase-url}',
-     data_dir='${directory:srv}/caucase-updater',
-     crt_path='${aibcc-config:key}',
-     ca_path='${aibcc-config:user-ca-certificate}',
-     crl_path='${aibcc-config:user-crl}',
-     key_path='${aibcc-config:key}',
-     mode='user',
-)}}
-
-[aibcc-check-certificate]
-recipe = slapos.recipe.template:jinja2
-rendered = ${directory:bin}/aibcc-check-certificate
-template = inline:
-  import sys
-  import ssl
-  import urlparse
-  certificate = sys.argv[2]
-  parsed = urlparse.urlparse(sys.argv[1])
-  got_certificate = ssl.get_server_certificate((parsed.hostname, parsed.port))
-  sys.exit(0) if certificate.strip() == got_certificate.strip() else sys.exit(1)
-
-{% for csr in frontend_list %}
-[aibcc-{{ csr }}-wrapper]
-{# jinja2 instead of wrapper is used with context to remove py'u' #}
-recipe = slapos.recipe.template:jinja2
-context =
-  key csr_id_url request-{{ csr }}:connection-backend-client-csr_id-url
-  key csr_id_certificate request-{{ csr }}:connection-csr_id-certificate
-template = inline:#!{{ software_parameter_dict['dash'] }}/bin/dash
-  test -f ${directory:aibcc}/{{ csr }}-done && exit 0
-  ${buildout:executable} ${aibcc-check-certificate:rendered} \
-{# raw block to use context #}
-{% raw %}
-  {{ csr_id_url }} \
-  """{{ csr_id_certificate }}"""
-{% endraw %}
-  if [ $? = 0 ]; then
-    csr_id=`{{ software_parameter_dict['curl'] }}/bin/curl -s -k -g \
-{% raw %}
-  {{ csr_id_url }} \
-{% endraw %}
-  ` || exit 1
-    ${aibcc-caucase-wrapper:rendered} --user-key ${aibcc-config:key} --sign-csr $csr_id && touch ${directory:aibcc}/{{ csr }}-done
-  fi
-rendered = ${directory:bin}/aibcc-{{ csr }}-wrapper
-mode = 0700
-
-{% do part_list.append('aibcc-%s' % (csr,)) %}
-[aibcc-{{ csr }}]
-recipe = plone.recipe.command
-{#- The called command is smart enough to survive errors and retry #}
-stop-on-error = False
-command =
-  ${aibcc-{{ csr }}-wrapper:rendered}
-update-command = ${:command}
-{% endfor %}
-{% endif %} {# if aibcc_enabled #}
-
 [rejected-slave-json]
 recipe = slapos.recipe.template:jinja2
 filename = rejected-slave.json

software/caddy-frontend/instance-caddy-input-schema.json

@@ -88,16 +88,6 @@
       "title": "Automatic Internal KeDiFa's Caucase CSR",
       "type": "string"
     },
-    "automatic-internal-backend-client-caucase-csr": {
-      "default": "true",
-      "description": "Automatically signs CSRs sent to Backend Client's caucase, based on csr_id and matching certificate.",
-      "enum": [
-        "true",
-        "false"
-      ],
-      "title": "Automatic Internal Backend Client's Caucase CSR",
-      "type": "string"
-    },
     "ciphers": {
       "description": "List of ciphers. Empty defaults to Caddy list of ciphers. See https://caddyserver.com/docs/tls for more information.",
       "title": "Ordered space separated list of ciphers",