stack/erp5: implement Zope's rewrite rules in ERP5 balancer partition

The strategy for compatibility is that: - haproxy still listen on the same port as before, without rewrite rule. This is called "legacy" port. - for each frontend from request parameters, we introduce an haproxy frontend with a rewrite for the corresponding `internal-path` parameter. - the shared frontend instance is updated to use this new frontend entry from haproxy. This will cause a small downtime until the shared frontend is updated to the new URL on ERP5, but since this feature was not used, it's OK. Technical details are that we: - split haproxy config to have frontends and backends. - introduce one frontend in haproxy for each frontend from request parameters. - routing-rule-list argument is still honored the same way, globally and after path from frontend. - change the shared frontend requests to use "" type, no longer "zope" type. - we don't do automatic detection of /VirtualHostRoot in URL but always add it, because it could be used to trick zope into thinking it serves requests for an arbitrary host and do open redirects - before using the request's host header in virtualhost path, we check that it does not contain /, to prevent injection of virutalhost path elements through the host header. - we don't use the "path" parameter from shared frontend, because we want the frontend to be simple, so we don't want it to rewrite the request path (which is also the reason why we deprecated "zope" type) - the tests have changed a lot, because they were using what's now the "legacy" URL types, so we updated it to use the new URL types with all the /VirtualHostRoot/../ in path and also because they use IPv6 URL, no longer IPv4

stack/erp5: implement Zope's rewrite rules in ERP5 balancer partition
The strategy for compatibility is that: - haproxy still listen on the same port as before, without rewrite rule. This is called "legacy" port. - for each frontend from request parameters, we introduce an haproxy frontend with a rewrite for the corresponding `internal-path` parameter. - the shared frontend instance is updated to use this new frontend entry from haproxy. This will cause a small downtime until the shared frontend is updated to the new URL on ERP5, but since this feature was not used, it's OK. Technical details are that we: - split haproxy config to have frontends and backends. - introduce one frontend in haproxy for each frontend from request parameters. - routing-rule-list argument is still honored the same way, globally and after path from frontend. - change the shared frontend requests to use "" type, no longer "zope" type. - we don't do automatic detection of /VirtualHostRoot in URL but always add it, because it could be used to trick zope into thinking it serves requests for an arbitrary host and do open redirects - before using the request's host header in virtualhost path, we check that it does not contain /, to prevent injection of virutalhost path elements through the host header. - we don't use the "path" parameter from shared frontend, because we want the frontend to be simple, so we don't want it to rewrite the request path (which is also the reason why we deprecated "zope" type) - the tests have changed a lot, because they were using what's now the "legacy" URL types, so we updated it to use the new URL types with all the /VirtualHostRoot/../ in path and also because they use IPv6 URL, no longer IPv4
6e735808 · Jérome Perrin · 5b3fc1f2 · 6e735808 · 6e735808 · 6e735808
Commit 6e735808 authored Jan 10, 2024 by Jérome Perrin
10 changed files
--- a/software/erp5/instance-erp5-input-schema.json
+++ b/software/erp5/instance-erp5-input-schema.json
@@ -5,7 +5,7 @@
  "additionalProperties": false,
  "definitions": {
    "routing-rule-list": {
-      "description": "Maps the path received in requests to given zope path. Rules are applied in the order they are given. This requires the path received from the outside world (typically: frontend) to have its root correspond to Zope's root (for frontend: 'path' parameter must be empty), with the customary VirtualHostMonster construct (for frontend: 'type' must be 'zope').",
+      "description": "Maps the path received in requests to given zope path. Rules are applied in the order they are given, after 'internal-path' from 'frontend' parameter. This also supports legacy frontends, using Rapid CDN with \"zope\" type.",
      "type": "array",
      "default": [
        [

--- a/software/erp5/test/test/__init__.py
+++ b/software/erp5/test/test/__init__.py
@@ -314,7 +314,7 @@ class CaucaseCertificate(ManagedResource):
    )
    return os.path.join(software_release_root_path, 'bin', 'caucase')

-  def request(self, common_name: str, caucase: CaucaseService) -> None:
+  def request(self, common_name: str, caucase: CaucaseService, san: x509.SubjectAlternativeName=None) -> None:
    """Generate certificate and request signature to the caucase service.

    This overwrite any previously requested certificate for this instance.
@@ -345,11 +345,10 @@ class CaucaseCertificate(ManagedResource):
                NameOID.COMMON_NAME,
                common_name,
            ),
-        ])).sign(
-            key,
-            hashes.SHA256(),
-            default_backend(),
-        )
+        ]))
+    if san:
+      csr = csr.add_extension(san, critical=True)
+    csr = csr.sign(key, hashes.SHA256(), default_backend())
    with open(self.csr_file, 'wb') as f:
      f.write(csr.public_bytes(serialization.Encoding.PEM))


--- a/software/erp5/test/test/test_balancer.py
+++ b/software/erp5/test/test/test_balancer.py
--- a/software/erp5/test/test/test_erp5.py
+++ b/software/erp5/test/test/test_erp5.py
--- a/software/slapos-master/buildout.hash.cfg
+++ b/software/slapos-master/buildout.hash.cfg
@@ -14,7 +14,7 @@
 # not need these here).
 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = ba46a66da1c834df14a80a20b21e4a96
+md5sum = 6db19ee819a960a34012308e29c5bbfb

 [template-balancer]
 filename = instance-balancer.cfg.in

--- a/software/slapos-master/instance-erp5.cfg.in
+++ b/software/slapos-master/instance-erp5.cfg.in
@@ -435,6 +435,7 @@ return =
 {% endfor -%}
 {% do monitor_base_url_dict.__setitem__('request-balancer', '${' ~ 'request-balancer' ~ ':connection-monitor-base-url}') -%}
 config-zope-family-dict = {{ dumps(zope_family_parameter_dict) }}
+config-frontend-parameter-dict = {{ dumps({}) }}
 config-tcpv4-port = {{ dumps(balancer_dict.get('tcpv4-port', 2150)) }}
 {% for zope_section_id, name in zope_address_list_id_dict.items() -%}
 config-{{ name }} = {{ ' ${' ~ zope_section_id ~ ':connection-zope-address-list}' }}

--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -74,7 +74,7 @@ md5sum = 55463b0abdbe0118ef1c27e6b71c3324

 [template-erp5]
 filename = instance-erp5.cfg.in
-md5sum = 855fdc8ed0b2671f9e2c74d127cc6858
+md5sum = ae9c380ae04dde4f20e139c66ef7c22a

 [template-zeo]
 filename = instance-zeo.cfg.in
@@ -90,11 +90,11 @@ md5sum = 6178ba7b42848f9e2412ab898a7b026c

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 42cb68905f92e7df38cc5c64b94be3de
+md5sum = 0fad9497da12ed0186dca5236c23f3a7

 [template-haproxy-cfg]
 filename = haproxy.cfg.in
-md5sum = 9988a14c4108e3bce3f871e34673cdd5
+md5sum = 2cd76971b64b0bf7771978ad07bfc2e5

 [template-rsyslogd-cfg]
 filename = rsyslogd.cfg.in

--- a/stack/erp5/haproxy.cfg.in
+++ b/stack/erp5/haproxy.cfg.in
@@ -18,11 +18,11 @@
 #       "stats-socket": "<file_path>",
 #
 #       #  IPv4 to listen on
- #       #  All backends from `backend-dict` will listen on this IP.
+ #       #  All frontends from `frontend-dict` will listen on this IP.
 #       "ipv4": "0.0.0.0",
 #
 #       #  IPv6 to listen on
- #       #  All backends from `backend-dict` will listen on this IP.
+ #       #  All frontends from `frontend-dict` will listen on this IP.
 #       "ipv6": "::1",
 #
 #       #  Certificate and key in PEM format. All ports will serve TLS using
@@ -41,34 +41,59 @@
 #       #  Path to use for HTTP health check on backends from `backend-dict`.
 #       "server-check-path": "/",
 #
+ #       #  The mapping of frontend, keyed by frontend name
+ #       "frontend-dict": {
+ #         "frontend-default": {
+ #            "port": 8080,
+ #            "client-cert-required": False,
+ #            "backend-name": "family-default",
+ #            "request-path-prepend": "/erp5",
+ #         }
+ #         "legacy-frontend-family-secure": {
+ #            "port": 8000,
+ #            "client-cert-required": False,
+ #            "backend-name": "family-secure",
+ #            "request-path-prepend": None, # None means do not rewrite the request path
+ #         }
+ #         "legacy-frontend-family-default": {
+ #            "port": 8002,
+ #            "client-cert-required": False,
+ #            "backend-name": "family-default",
+ #            "request-path-prepend": None, # None means do not rewrite the request path
+ #         }
+ #       }
 #       #  The mapping of backends, keyed by family name
 #       "backend-dict": {
- #          "family-secure": {
- #            (  8000, # port int
- #               True, # ssl_required bool
- #               None,  # timeout (in seconds) int | None
- #               [  # backends
- #                  '10.0.0.10:8001', # netloc str
- #                   1, # max_connection_count int
- #                   False, # is_web_dav bool
- #               ],
- #            ),
- #          },
- #          "family-default": {
- #            (  8002, # port int
- #               False, # ssl_required bool
- #               None,  # timeout (in seconds) int | None
- #               [  # backends
- #                  '10.0.0.10:8003', # netloc str
- #                   1, # max_connection_count int
- #                   False, # is_web_dav bool
- #               ],
- #            ),
+ #           "family-secure": {
+ #               "timeout": None,  # in seconds
+ #               "backend-list": [
+ #                   [
+ #                       '10.0.0.10:8001', # netloc str
+ #                        1, # max_connection_count int
+ #                        False, # is_web_dav bool
+ #                   ]
+ #               ]
+ #           },
+ #           "family-default": {
+ #               "timeout": None,  # in seconds
+ #               "backend-list": [
+ #                   [
+ #                      '10.0.0.10:8003', # netloc str
+ #                       1, # max_connection_count int
+ #                       False, # is_web_dav bool
+ #                   ],
+ #                   [
+ #                      '10.0.0.10:8004', # netloc str
+ #                       1, # max_connection_count int
+ #                       False, # is_web_dav bool
+ #                   ],
+ #               ]
 #          },
 #
 #       # The mapping of zope paths.
- #       # This is a Zope specific feature.
- #       # `enable_authentication` has same meaning as for `backend-list`.
+ #       # This is a Zope specific feature used only to provide https while running
+ #       # ERP5 "unit test" suite.
+ #       # `enable_authentication` has same meaning as for `backend-dict`.
 #       "zope-virtualhost-monster-backend-dict": {
 #          # {(ip, port): ( enable_authentication, {frontend_path: ( internal_url ) }, ) }
 #          ('[::1]', 8004): (
@@ -81,15 +106,20 @@
 #     }
 #
 #  This sample of `parameter_dict` will make haproxy listening to :
- #  From to `backend-list`:
- #  For "family-secure":
+ #  For "frontend-default":
+ #   - 0.0.0.0:8080 redirecting internaly to http://10.0.0.10:8003 or http://10.0.0.10:8004
+ #   - [::1]:8080 redirecting internaly to http://10.0.0.10:8003 or http://10.0.0.10:8004
+ #  accepting requests from any client and rewriting the path to add a Zope rewrite rule
+ #  so that the a request on https://0.0.0.0:8080/path is rewritten to serve a Zope object at
+ #  path /erp5/path , visible as /path.
+ #  For "legacy-frontend-family-secure":
 #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
 #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
 #  only accepting requests from clients providing a verified TLS certificate
 #  emitted by a CA from `ca-cert` and not revoked in `crl`.
- #  For "family-default":
- #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
- #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
+ #  For "legacy-frontend-family-default":
+ #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003 or http://10.0.0.10:8004
+ #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003 or http://10.0.0.10:8004
 #  accepting requests from any client.
 #
 #  For both families, X-Forwarded-For header will be stripped unless
@@ -102,7 +132,7 @@
 #   with some VirtualHostMonster rewrite rules so zope writes URLs with
 #  [::1]:8004 as server name.
 #  For more details, refer to
- #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
+ #  https://zope.readthedocs.io/en/latest/zopebook/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
 -#}

 {% set server_check_path = parameter_dict['server-check-path'] -%}
@@ -148,26 +178,17 @@ defaults
 {% set family_path_routing_dict = parameter_dict['family-path-routing-dict'] %}
 {% set path_routing_list = parameter_dict['path-routing-list'] %}

-{% for name, (port, certificate_authentication, timeout, backend_list) in sorted(six.iteritems(parameter_dict['backend-dict'])) -%}
-listen family_{{ name }}
+
+{% for name, frontend in sorted(six.iteritems(parameter_dict['frontend-dict'])) %}
+listen {{ name }}
+
 {%-  if parameter_dict.get('ca-cert') -%}
-{%-    set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if certificate_authentication else ' optional crt-ignore-err all' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
+{%-    set ssl_auth = ' ca-file ' ~ parameter_dict['ca-cert'] ~ ' verify' ~ ( ' required' if frontend['client-cert-required'] else ' optional crt-ignore-err all' ) ~ ' crl-file ' ~ parameter_dict['crl'] %}
 {%-  else %}
 {%-    set ssl_auth = '' %}
 {%-  endif %}
-  bind {{ parameter_dict['ipv4'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }}
-  bind {{ parameter_dict['ipv6'] }}:{{ port }} {{ bind_ssl_crt }} {{ ssl_auth }}
-  cookie SERVERID rewrite
-  http-request set-header X-Balancer-Current-Cookie SERVERID
-
-{% if timeout %}
-  {#
-    Apply a slightly longer timeout than the zope timeout so that clients can see the
-    TimeoutReachedError from zope, that is a bit more informative than the 504 error
-    page from haproxy.
-  #}
-  timeout server {{ timeout + 3 }}s
-{%-  endif %}
+  bind {{ parameter_dict['ipv4'] }}:{{ frontend['port'] }} {{ bind_ssl_crt }} {{ ssl_auth }}
+  bind {{ parameter_dict['ipv6'] }}:{{ frontend['port'] }} {{ bind_ssl_crt }} {{ ssl_auth }}

  # remove X-Forwarded-For unless client presented a verified certificate
  http-request del-header X-Forwarded-For unless { ssl_c_verify 0 } { ssl_c_used 1 }
@@ -175,18 +196,43 @@ listen family_{{ name }}
  http-request del-header Remote-User
  http-request set-header Remote-User %{+Q}[ssl_c_s_dn(cn)] if { ssl_c_verify 0 } { ssl_c_used 1 }

+  # reject invalid host header before using it in path
+  http-request deny deny_status 400 if { req.hdr(host) -m sub / }
+
  # logs
  capture request header Referer len 512
  capture request header User-Agent len 512
  log-format "%{+Q}o %{-Q}ci - - [%trg] %r %ST %B %{+Q}[capture.req.hdr(0)] %{+Q}[capture.req.hdr(1)] %Ta"

-{%   for outer_prefix, inner_prefix in family_path_routing_dict.get(name, []) + path_routing_list %}
+{% if frontend['request-path-prepend'] is not none %}
+  http-request replace-path ^/(.*) /VirtualHostBase/https/%[req.hdr(Host)]{{ frontend['request-path-prepend'] }}/VirtualHostRoot/\1
+{% endif %}
+
+{%   for outer_prefix, inner_prefix in family_path_routing_dict.get(frontend['backend-name'], []) + path_routing_list %}
  {%   set outer_prefix = outer_prefix.strip('/') -%}
  http-request replace-path ^(/+VirtualHostBase/+[^/]+/+[^/]+)/+VirtualHostRoot/+{% if outer_prefix %}{{ outer_prefix }}($|/.*){% else %}(.*){% endif %} \1/{{ inner_prefix.strip('/') }}/VirtualHostRoot/{% if outer_prefix %}_vh_{{ outer_prefix.replace('/', '/_vh_') }}{% endif %}\2
 {%  endfor %}

+  use_backend {{ frontend['backend-name'] }}
+{% endfor %}
+
+
+{% for name, backend in sorted(six.iteritems(parameter_dict['backend-dict'])) %}
+backend {{ name }}
+  cookie SERVERID rewrite
+  http-request set-header X-Balancer-Current-Cookie SERVERID
+
+{% if backend['timeout'] %}
+  {#
+    Apply a slightly longer timeout than the zope timeout so that clients can see the
+    TimeoutReachedError from zope, that is a bit more informative than the 504 error
+    page from haproxy.
+  #}
+  timeout server {{ backend['timeout'] + 3 }}s
+{%-  endif %}
+
 {%   set has_webdav = [] -%}
-{%   for address, connection_count, webdav in backend_list -%}
+{%   for address, connection_count, webdav in backend['backend-list'] -%}
 {%     if webdav %}{% do has_webdav.append(None) %}{% endif -%}
 {%     set server_name = name ~ '-' ~ loop.index0 %}
  server {{ server_name }} {{ address }} cookie {{ server_name }} check inter 3s rise 1 fall 2 maxqueue 5 maxconn {{ connection_count }}

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -257,7 +257,8 @@ init =
    port_dict[name] = port
    return port

-  haproxy_dict = {}
+  backend_dict = {}
+  frontend_dict = {}
  zope_virtualhost_monster_backend_dict = {}
  for family_name, parameter_id_list in sorted(
      six.iteritems(slapparameter_dict['zope-family-dict'])):
@@ -290,17 +291,33 @@ init =
    # a port for monitoring promise (which port is not important, the promise checks
    # that haproxy is healthy enough to listen on a port)
    options['haproxy-promise-port'] = legacy_port
-    haproxy_dict[family_name] = (
-      legacy_port,
-      ssl_authentication,
-      slapparameter_dict['timeout-dict'][family_name],
-      zope_family_address_list,
-    )
+    frontend_dict['legacy-frontend-' + family_name] = {
+      'port': legacy_port,
+      'client-cert-required': ssl_authentication,
+      'backend-name': family_name,
+      'request-path-prepend': None,
+    }
+    backend_dict[family_name] = {
+      'timeout': slapparameter_dict['timeout-dict'][family_name],
+      'backend-list': zope_family_address_list,
+    }
    external_scheme = 'webdavs' if any(a[2] for a in zope_family_address_list) else 'https'
    self.buildout['publish'][family_name] = "{external_scheme}://{ipv4}:{legacy_port}".format(**locals())
    self.buildout['publish'][family_name + "-v6"] = "{external_scheme}://[{ipv6}]:{legacy_port}".format(**locals())

-  options['backend-dict'] = haproxy_dict
+  for frontend_name, frontend in six.iteritems(slapparameter_dict['frontend-parameter-dict']):
+    frontend_port = get_port('frontend-' + frontend_name)
+    family_name = frontend['zope-family']
+    frontend_dict['frontend-' + frontend_name] = {
+      'port': frontend_port,
+      'client-cert-required': slapparameter_dict['ssl-authentication-dict'][family_name],
+      'backend-name': family_name,
+      'request-path-prepend': frontend['internal-path'],
+    }
+    self.buildout['publish']['url-backend-' + frontend_name] = "https://[{ipv6}]:{frontend_port}".format(**locals())
+
+  options['backend-dict'] = backend_dict
+  options['frontend-dict'] = frontend_dict
  options['zope-virtualhost-monster-backend-dict'] = zope_virtualhost_monster_backend_dict

  if port_dict != previous_port_dict:

--- a/stack/erp5/instance-erp5.cfg.in
+++ b/stack/erp5/instance-erp5.cfg.in
@@ -388,13 +388,13 @@ return =
 {%   set request_frontend_name = 'request-frontend-' ~ frontend_name -%}
 {%   set frontend_software_url = frontend_parameters.get('software-url', 'http://git.erp5.org/gitweb/slapos.git/blob_plain/HEAD:/software/apache-frontend/software.cfg') -%}
 {%   set frontend_software_type = frontend_parameters.get('software-type', '') -%}
+{%   do frontend_parameters.__setitem__('internal-path', frontend_parameters.get('internal-path', '/%(site-id)s') % {'site-id': site_id}) %}
 {%   set frontend_instance_parameters = frontend_parameters.get('instance-parameters', {}) -%}
-{%   if frontend_instance_parameters.setdefault('type', 'zope') == 'zope' -%}
+{%   if frontend_instance_parameters.setdefault('type', '') == '' -%}
 {%     do frontend_instance_parameters.setdefault('authenticate-to-backend', 'true') -%}
 {%     set zope_family_name = frontend_parameters['zope-family'] -%}
 {%     do assert(zope_family_name in zope_family_dict, 'Unknown family %s for frontend %s' % (zope_family_name, frontend_name)) -%}
-{%     do frontend_instance_parameters.setdefault('url', '${request-balancer:connection-' ~ zope_family_name ~ '-v6}') -%}
-{%     do frontend_instance_parameters.setdefault('path', frontend_parameters.get('internal-path', '/%(site-id)s') % {'site-id': site_id}) -%}
+{%     do frontend_instance_parameters.setdefault('url', '${request-balancer:connection-url-backend-' ~ frontend_name ~ '}') -%}
 {%   endif %}
 [{{ request_frontend_name }}]
 <= request-frontend-base
@@ -446,6 +446,9 @@ config-allow-redirects = 0
 {%     do balancer_ret_dict.__setitem__(family + '-test-runner-url-list', False) -%}
 {%   endif -%}
 {% endfor -%}
+{% for frontend_name in frontend_parameter_dict -%}
+{%   do balancer_ret_dict.__setitem__('url-backend-' ~ frontend_name, False) -%}
+{% endfor -%}
 {% set balancer_key_config_dict = {
  'monitor-passwd': 'monitor-htpasswd:passwd',
 } -%}
@@ -467,6 +470,7 @@ config-allow-redirects = 0
  config_key='balancer',
  config={
    'zope-family-dict': zope_family_parameter_dict,
+    'frontend-parameter-dict': frontend_parameter_dict,
    'ssl-authentication-dict': ssl_authentication_dict,
    'timeout-dict': balancer_timeout_dict,
    'apachedex-promise-threshold': monitor_dict.get('apachedex-promise-threshold', 70),