From 5b10def43d134e5735bfcec1237c04cf66e8610b Mon Sep 17 00:00:00 2001
From: Micah Anderson <micah@riseup.net>
Date: Tue, 19 Sep 2017 15:36:06 -0400
Subject: Feat: Refactor tor services

In order to refactor the tor services, we need to split them out into three
different services. This adds the hidden service class that is necessary to
support the previous commits. Fixes #8864.
---
 provider_base/services/hidden_service.json             | 11 -----------
 provider_base/services/hidden_service.rb               |  4 ----
 provider_base/services/tor_exit.rb                     |  4 ++--
 provider_base/services/tor_hidden_service.json         | 11 +++++++++++
 provider_base/services/tor_hidden_service.rb           |  4 ++++
 provider_base/services/tor_relay.rb                    |  4 ++--
 puppet/manifests/site.pp                               |  2 +-
 puppet/modules/site_static/manifests/hidden_service.pp |  6 ++++--
 puppet/modules/site_static/manifests/init.pp           | 13 +++++++------
 puppet/modules/site_tor/manifests/hidden_service.pp    | 13 +++++++++++++
 puppet/modules/site_webapp/manifests/hidden_service.pp |  3 ++-
 puppet/modules/site_webapp/manifests/init.pp           |  3 ++-
 tests/platform-ci/ci-build.sh                          | 17 +++++++++++++----
 tests/platform-ci/provider/nodes/catalogtest.json      |  2 +-
 14 files changed, 62 insertions(+), 35 deletions(-)
 delete mode 100644 provider_base/services/hidden_service.json
 delete mode 100644 provider_base/services/hidden_service.rb
 create mode 100644 provider_base/services/tor_hidden_service.json
 create mode 100644 provider_base/services/tor_hidden_service.rb
 create mode 100644 puppet/modules/site_tor/manifests/hidden_service.pp

diff --git a/provider_base/services/hidden_service.json b/provider_base/services/hidden_service.json
deleted file mode 100644
index 137932fa..00000000
--- a/provider_base/services/hidden_service.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-  "tor": {
-    "hidden_service": {
-      "key_type": "RSA",
-      "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type)",
-      "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type)",
-      "address": "=> onion_address(:node_tor_pub_key)",
-      "single_hop": false
-    }
-  }
-}
diff --git a/provider_base/services/hidden_service.rb b/provider_base/services/hidden_service.rb
deleted file mode 100644
index 50701681..00000000
--- a/provider_base/services/hidden_service.rb
+++ /dev/null
@@ -1,4 +0,0 @@
-if self.services.include?("tor_exit") || self.services.include?("tor_relay")
-  LeapCli.log :error, "service `hidden_service` is not compatible with tor_exit or tor_relay (node #{self.name})."
-end
-self.tor['type'] = "hidden_service"
\ No newline at end of file
diff --git a/provider_base/services/tor_exit.rb b/provider_base/services/tor_exit.rb
index 05c67438..bd801a3d 100644
--- a/provider_base/services/tor_exit.rb
+++ b/provider_base/services/tor_exit.rb
@@ -1,5 +1,5 @@
-if self.services.include?("hidden_service") || self.services.include?("tor_relay")
-  LeapCli.log :error, "service `tor_exit` is not compatible with tor_relay or hidden_service (node #{self.name})."
+if self.services.include?("tor_hidden_service") || self.services.include?("tor_relay")
+  LeapCli.log :error, "service `tor_exit` is not compatible with tor_relay or tor_hidden_service (node #{self.name})."
   exit(1)
 end
 apply_partial("_tor_common")
diff --git a/provider_base/services/tor_hidden_service.json b/provider_base/services/tor_hidden_service.json
new file mode 100644
index 00000000..137932fa
--- /dev/null
+++ b/provider_base/services/tor_hidden_service.json
@@ -0,0 +1,11 @@
+{
+  "tor": {
+    "hidden_service": {
+      "key_type": "RSA",
+      "public_key": "= tor_public_key_path(:node_tor_pub_key, tor.hidden_service.key_type)",
+      "private_key": "= tor_private_key_path(:node_tor_priv_key, tor.hidden_service.key_type)",
+      "address": "=> onion_address(:node_tor_pub_key)",
+      "single_hop": false
+    }
+  }
+}
diff --git a/provider_base/services/tor_hidden_service.rb b/provider_base/services/tor_hidden_service.rb
new file mode 100644
index 00000000..8b8eb24d
--- /dev/null
+++ b/provider_base/services/tor_hidden_service.rb
@@ -0,0 +1,4 @@
+if self.services.include?("tor_exit") || self.services.include?("tor_relay")
+  LeapCli.log :error, "service `tor_hidden_service` is not compatible with tor_exit or tor_relay (node #{self.name})."
+end
+self.tor['type'] = "hidden_service"
diff --git a/provider_base/services/tor_relay.rb b/provider_base/services/tor_relay.rb
index 42bafb94..7fce6ae4 100644
--- a/provider_base/services/tor_relay.rb
+++ b/provider_base/services/tor_relay.rb
@@ -1,6 +1,6 @@
 
-if self.services.include?("tor_exit") || self.services.include?("hidden_service")
-  LeapCli.log :error, "service `tor_relay` is not compatible with tor_exit or hidden_service (node #{self.name})."
+if self.services.include?("tor_exit") || self.services.include?("tor_hidden_service")
+  LeapCli.log :error, "service `tor_relay` is not compatible with tor_exit or tor_hidden_service (node #{self.name})."
 end
 apply_partial("_tor_common")
 self.tor['type'] = "relay"
diff --git a/puppet/manifests/site.pp b/puppet/manifests/site.pp
index f3e752cc..1f80c47c 100644
--- a/puppet/manifests/site.pp
+++ b/puppet/manifests/site.pp
@@ -52,7 +52,7 @@ node default {
     include site_tor::relay
   }
 
-  if member($services, 'hidden_service') {
+  if member($services, 'tor_hidden_service') {
     include site_tor::hidden_service
   }
 
diff --git a/puppet/modules/site_static/manifests/hidden_service.pp b/puppet/modules/site_static/manifests/hidden_service.pp
index dcf3785e..f23727f7 100644
--- a/puppet/modules/site_static/manifests/hidden_service.pp
+++ b/puppet/modules/site_static/manifests/hidden_service.pp
@@ -1,13 +1,15 @@
 # create hidden service for static sites
 class site_static::hidden_service ( $single_hop = false ) {
+  Class['site_tor::hidden_service'] -> Class['site_static::hidden_service']
+  include site_tor::hidden_service
 
-  include site_tor
   tor::daemon::hidden_service { 'static':
     ports      => [ '80 127.0.0.1:80'],
     single_hop => $single_hop
   }
+
   file {
-    '/var/lib/tor/webapp/':
+    '/var/lib/tor/static/':
       ensure => directory,
       owner  => 'debian-tor',
       group  => 'debian-tor',
diff --git a/puppet/modules/site_static/manifests/init.pp b/puppet/modules/site_static/manifests/init.pp
index 4ddce5ed..40c6a28b 100644
--- a/puppet/modules/site_static/manifests/init.pp
+++ b/puppet/modules/site_static/manifests/init.pp
@@ -7,12 +7,13 @@ class site_static {
   include site_config::x509::key
   include site_config::x509::ca_bundle
 
-  $static         = hiera('static')
-  $domains        = $static['domains']
-  $formats        = $static['formats']
-  $bootstrap      = $static['bootstrap_files']
-  $tor            = hiera('tor', false)
-  if $tor and member($services, 'hidden_service') {
+  $services  = hiera('services', [])
+  $static    = hiera('static')
+  $domains   = $static['domains']
+  $formats   = $static['formats']
+  $bootstrap = $static['bootstrap_files']
+  $tor       = hiera('tor', false)
+  if $tor and member($services, 'tor_hidden_service') {
     $onion_active = true
   } else {
     $onion_active = false
diff --git a/puppet/modules/site_tor/manifests/hidden_service.pp b/puppet/modules/site_tor/manifests/hidden_service.pp
new file mode 100644
index 00000000..87a7b696
--- /dev/null
+++ b/puppet/modules/site_tor/manifests/hidden_service.pp
@@ -0,0 +1,13 @@
+# This class simply makes sure a base tor is installed and configured
+# It doesn't configure any specific hidden service functionality,
+# instead that is configured in site_webapp::hidden_service and
+# site_static::hidden_service.
+#
+# Those could be factored out to make them more generic.
+class site_tor::hidden_service {
+  tag 'leap_service'
+  Class['site_config::default'] -> Class['site_tor::hidden_service']
+
+  include site_config::default
+  include site_tor
+}
diff --git a/puppet/modules/site_webapp/manifests/hidden_service.pp b/puppet/modules/site_webapp/manifests/hidden_service.pp
index 658d62f9..1f87da6b 100644
--- a/puppet/modules/site_webapp/manifests/hidden_service.pp
+++ b/puppet/modules/site_webapp/manifests/hidden_service.pp
@@ -1,5 +1,7 @@
 # Configure tor hidden service for webapp
 class site_webapp::hidden_service {
+  Class['site_tor::hidden_service'] -> Class['site_webapp::hidden_service']
+  include site_tor::hidden_service
   $tor              = hiera('tor')
   $hidden_service   = $tor['hidden_service']
   $onion_domain     = "${hidden_service['address']}.onion"
@@ -10,7 +12,6 @@ class site_webapp::hidden_service {
   include apache::module::expires
   include apache::module::removeip
 
-  include site_tor
   tor::daemon::hidden_service { 'webapp':
     ports      => [ '80 127.0.0.1:80'],
     single_hop => $hidden_service['single_hop']
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index 968859bf..605d71b3 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -1,6 +1,7 @@
 # configure webapp service
 class site_webapp {
   tag 'leap_service'
+  $services         = hiera('services', [])
   $definition_files = hiera('definition_files')
   $provider         = $definition_files['provider']
   $eip_service      = $definition_files['eip_service']
@@ -177,7 +178,7 @@ class site_webapp {
       notify  => Service['apache'];
   }
 
-  if $tor and member($services, 'hidden_service') {
+  if $tor and member($services, 'tor_hidden_service') {
     $hidden_service = $tor['hidden_service']
     include ::site_webapp::hidden_service
   }
diff --git a/tests/platform-ci/ci-build.sh b/tests/platform-ci/ci-build.sh
index 4710bc88..06af59ca 100755
--- a/tests/platform-ci/ci-build.sh
+++ b/tests/platform-ci/ci-build.sh
@@ -71,6 +71,13 @@ test() {
 }
 
 build_from_scratch() {
+  # allow passing into the function the services, use a default set if empty
+  SERVICES=$1
+  if [ -z "$SERVICES" ]
+  then
+      SERVICES='couchdb,soledad,mx,webapp,tor_relay,monitor'
+  fi
+
   # when using gitlab-runner locally, CI_JOB_ID is always 1 which
   # will conflict with running/terminating AWS instances in subsequent runs
   # therefore we pick a random number in this case
@@ -78,10 +85,7 @@ build_from_scratch() {
 
   # create node(s) with unique id so we can run tests in parallel
   NAME="citest${CI_JOB_ID:-0}"
-
-
   TAG='single'
-  SERVICES='couchdb,soledad,mx,webapp,tor,monitor'
 
   # leap_platform/tests/platform-ci/provider
   PROVIDERDIR="${ROOTDIR}/provider"
@@ -184,7 +188,7 @@ upgrade_test() {
 
   cd "$PROVIDERDIR"
 
-  build_from_scratch
+  build_from_scratch 'couchdb,soledad,mx,webapp,tor,monitor'
   deploy
   test
 
@@ -200,6 +204,11 @@ upgrade_test() {
   /usr/local/bin/bundle install
 
   cd "$PROVIDERDIR"
+
+  # due to the 'tor' service no longer being valid in 0.10, we need to change
+  # that service to 'tor_relay'. This is done by changing the services array
+  # with jq to be set to the full correct list of services
+  jq '.services = ["couchdb","soledad","mx","webapp","tor_relay","monitor"]' < nodes/${NAME}.json
   deploy
   test
 
diff --git a/tests/platform-ci/provider/nodes/catalogtest.json b/tests/platform-ci/provider/nodes/catalogtest.json
index 05703666..bbf79d9e 100644
--- a/tests/platform-ci/provider/nodes/catalogtest.json
+++ b/tests/platform-ci/provider/nodes/catalogtest.json
@@ -10,7 +10,7 @@
     "webapp",
     "monitor",
     "openvpn",
-    "tor",
+    "tor_relay",
     "obfsproxy",
     "static"
   ],
-- 
cgit v1.2.3