authorRichard Ipsum <richard.ipsum@codethink.co.uk>2014-02-19 10:18:24 +0000
committerRichard Ipsum <richard.ipsum@codethink.co.uk>2014-02-19 10:18:24 +0000
commit177c7efb7a048b0161c34fa5255d0f82af300680 (patch)
tree0c8e7fb0527f85c6fd37e14f4b9449b4c23d15d3
parent2963562ec73e7b6a3994255358502a3cac039b50 (diff)
parent1fce00cc9c87b86055f116547d14fc94cc7842ea (diff)
downloadtrove-setup-177c7efb7a048b0161c34fa5255d0f82af300680.tar.gz
Merge branch 'baserock/richardipsum/gitano_http'
This series contains the changes needed to let trove use gitano's new http services. The main changes: * trove-early-setup now generates an ssl certificate so we can do https * there are two lighttpd processes: one for gitano and one for morph cache server. We do this because gitano needs to run as the git user and morph cache server needs to run as the cache user The ruleset has also been updated to allow anonymous clones over http Reviewed by: Richard Maw
-rw-r--r--Makefile9
-rwxr-xr-xbins/trove-early-setup12
-rw-r--r--etc/gitano-setup.clod2
-rw-r--r--etc/lighttpd/git-auth.conf10
-rw-r--r--etc/lighttpd/git-httpd.conf67
-rw-r--r--etc/lighttpd/morph-cache-httpd.conf (renamed from etc/lighttpd.conf)15
-rw-r--r--gitano-admin/rules/defines.lace4
-rw-r--r--gitano-admin/rules/other-project.lace2
-rw-r--r--gitano-admin/rules/selfchecks.lace2
-rw-r--r--units/lighttpd-git.service (renamed from units/lighttpd.service)2
-rw-r--r--units/lighttpd-morph-cache.service7
11 files changed, 115 insertions, 17 deletions
diff --git a/Makefile b/Makefile
index 34996f6..453c01e 100644
--- a/Makefile
+++ b/Makefile
@@ -6,8 +6,7 @@ install:
for I in $$(cd units; ls); do \
ln -sf ../$$I "${DESTDIR}/usr/lib/systemd/system/multi-user.target.wants/$$I"; \
done
- mkdir -p "${DESTDIR}/etc"
- cp etc/* "${DESTDIR}/etc"
+ cp -r etc "${DESTDIR}"
mkdir -p "${DESTDIR}/var/www/htdocs"
cp http-assets/* "${DESTDIR}/var/www/htdocs"
ln -s cgit "${DESTDIR}/var/www/htdocs/cgi-bin"
@@ -18,3 +17,9 @@ install:
cp bins/* "${DESTDIR}/usr/bin/"
mkdir -p "${DESTDIR}/usr/share/trove-setup"
cp -r share/* "${DESTDIR}/usr/share/trove-setup/"
+
+ ln -s /usr/lib/gitano/bin/gitano-command.cgi \
+ "${DESTDIR}/var/www/htdocs/gitano-command.cgi"
+
+ ln -s /usr/lib/gitano/bin/gitano-smart-http.cgi \
+ "${DESTDIR}/var/www/htdocs/gitano-smart-http.cgi"
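Review bot: The two new `ln -s` lines fail with "File exists" on a second `make install` into the same DESTDIR because neither passes `-f`, while the `ln -sf` loop at the top of `install` already uses the force flag; the `ln -s cgit` line in the previous hunk has the same weakness. Change them to `ln -sf /usr/lib/gitano/bin/gitano-command.cgi "${DESTDIR}/var/www/htdocs/gitano-command.cgi"` and likewise for `gitano-smart-http.cgi`. The `install` target begins before this hunk.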
diff --git a/bins/trove-early-setup b/bins/trove-early-setup
index 6d7f9ef..eea068d 100755
--- a/bins/trove-early-setup
+++ b/bins/trove-early-setup
@@ -18,7 +18,7 @@
# -*- Make -*-
-all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured
+all: substitutions-done gitano-configured lorry-configured cache-configured mason-configured nfs-configured cert-generated
USERS := git lorry cache mason
@@ -134,3 +134,13 @@ mason-configured: /home/git/.mason-setup
.PHONY: nfs-configured
nfs-configured: /etc/exports
+
+/home/git/.cert-generated:
+ mkdir -p /etc/lighttpd/certs
+ echo -ne '\n\n\n\n\n\n\n' | openssl req -new -x509 \
+ -keyout /etc/lighttpd/certs/lighttpd.pem \
+ -out /etc/lighttpd/certs/lighttpd.pem -days 36525 -nodes
+ touch $@
+
+.PHONY: cert-generated
+cert-generated: /home/git/.cert-generated
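Review bot: The new `/home/git/.cert-generated` rule writes the private key into `/etc/lighttpd/certs/lighttpd.pem` with whatever mode the recipe's umask happens to give it, and the stamp file is a different file from the pem, so deleting or rotating the pem never makes the rule run again. Feeding `echo -ne '\n\n\n\n\n\n\n'` into `openssl req` also depends on `echo` honouring `-e`/`-n` in the recipe shell and on the prompt order of the local openssl, whereas `-subj` answers the same questions deterministically. Making the pem itself the target, generating under `umask 077` and writing through a temporary name keeps an interrupted run from leaving a truncated pem that looks up to date; whether lighttpd reads `ssl.pemfile` before or after switching to `server.username` decides which user must be able to read it, which I can't confirm from the diff.
```make
/etc/lighttpd/certs/lighttpd.pem:
	mkdir -p /etc/lighttpd/certs
	umask 077 && openssl req -new -x509 -newkey rsa:2048 -nodes \
	    -subj '/CN=TROVE_HOSTNAME_PLACEHOLDER' \
	    -keyout $@.tmp -out $@.tmp -days 36525
	mv -f $@.tmp $@

.PHONY: cert-generated
cert-generated: /etc/lighttpd/certs/lighttpd.pem
```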
diff --git a/etc/gitano-setup.clod b/etc/gitano-setup.clod
index 96377c2..b63aeb6 100644
--- a/etc/gitano-setup.clod
+++ b/etc/gitano-setup.clod
@@ -13,4 +13,6 @@ admin.keyname "trove"
site.name "##TROVE_TITLE## for ##TROVE_COMPANY##"
log.prefix "##TROVE_LOG_PREFIX##"
+use.htpasswd "yes"
+
setup.batch = true
diff --git a/etc/lighttpd/git-auth.conf b/etc/lighttpd/git-auth.conf
new file mode 100644
index 0000000..9b7a010
--- /dev/null
+++ b/etc/lighttpd/git-auth.conf
@@ -0,0 +1,10 @@
+auth.require = (
+ "/" => (
+ "method" => "basic",
+ "realm" => "Git Access",
+ "require" => "valid-user"
+ )
+)
+
+auth.backend = "htpasswd"
+auth.backend.htpasswd.userfile = "/home/git/htpasswd"
diff --git a/etc/lighttpd/git-httpd.conf b/etc/lighttpd/git-httpd.conf
new file mode 100644
index 0000000..94e9c26
--- /dev/null
+++ b/etc/lighttpd/git-httpd.conf
@@ -0,0 +1,67 @@
+server.document-root = "/var/www/htdocs"
+
+server.port = 80
+
+server.username = "git"
+server.groupname = "git"
+
+server.modules = (
+ "mod_access",
+ "mod_alias",
+ "mod_compress",
+ "mod_redirect",
+ "mod_cgi",
+ "mod_auth",
+ "mod_setenv",
+)
+
+$SERVER["socket"] == ":443" {
+ ssl.engine = "enable" ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
+}
+
+index-file.names = ("index.html")
+
+cgi.assign = ("gitano-command.cgi" => "/usr/bin/lua5.1",
+ "gitano-smart-http.cgi" => "/usr/bin/lua5.1",
+ "cgit.cgi" => ""
+)
+cgi.execute-x-only = "enable"
+
+mimetype.assign = (
+ ".html" => "text/html",
+ ".txt" => "text/plain",
+ ".jpg" => "image/jpeg",
+ ".png" => "image/png",
+ ".css" => "text/css"
+)
+
+$HTTP["url"] =~ ".*/gitano-command.cgi$" {
+ setenv.add-environment = (
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["url"] =~ "^/git/.*$" {
+ alias.url += ( "/git" => "/var/www/htdocs/gitano-smart-http.cgi" )
+
+ cgi.assign = ("" => "")
+ setenv.add-environment = (
+ "GIT_HTTP_EXPORT_ALL" => "",
+ "GIT_PROJECT_ROOT" => "/home/git/repos",
+ "HOME" => "/home/git",
+ "GITANO_ROOT" => "/home/git/repos"
+ )
+}
+
+$HTTP["scheme"] == "https" {
+ include "git-auth.conf"
+
+ $HTTP["querystring"] =~ "service=git-receive-pack" {
+ include "git-auth.conf"
+ }
+
+ $HTTP["url"] =~ "^/git/.*/git-receive-pack$" {
+ include "git-auth.conf"
+ }
+}
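Review bot: Inside `$HTTP["scheme"] == "https"` the first `include "git-auth.conf"` already demands `valid-user` for every URL, since git-auth.conf keys its `auth.require` on `"/"`, so the two nested includes for `service=git-receive-pack` and `^/git/.*/git-receive-pack$` add nothing; if the intent was anonymous reads over https with authentication only for pushes, the top-level include is the one to remove. Over plain http there is no `auth.require` at all, so a push to port 80 reaches `gitano-smart-http.cgi` without HTTP authentication and is stopped only by gitano's rules (the `!is_anonymous` added in other-project.lace in this series); a comment such as `# port 80: no HTTP auth, anonymous reads only; gitano's lace rules reject anonymous pushes` would spare the next reader from reconstructing that from two files. `ssl.engine` and `ssl.pemfile` appear collapsed onto one line here; if the committed file really has them on one line, confirm lighttpd parses it.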
diff --git a/etc/lighttpd.conf b/etc/lighttpd/morph-cache-httpd.conf
index a69407f..65b9b22 100644
--- a/etc/lighttpd.conf
+++ b/etc/lighttpd/morph-cache-httpd.conf
@@ -1,16 +1,12 @@
server.document-root = "/var/www/htdocs"
-server.port = 80
+server.port = 8080
-server.username = "git"
-server.groupname = "git"
+server.username = "cache"
+server.groupname = "cache"
server.modules += ("mod_cgi", "mod_fastcgi")
-index-file.names = ("index.html")
-
-cgi.assign = ("cgit.cgi" => "")
-
mimetype.assign = (
".html" => "text/html",
".txt" => "text/plain",
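Review bot: After this hunk the main listener is `server.port = 8080`, yet the third hunk keeps the `$SERVER["socket"] == ":8080"` conditional that previously added 8080 as a second socket next to port 80; with both naming the same port, the `server.username`/`server.groupname` lines inside that conditional merely repeat the new global ones, and whether lighttpd accepts a socket conditional equal to the main port or tries to bind it twice should be verified on the target version. Either drop the duplicated `server.username`/`server.groupname` from the `:8080` block and keep the global settings, or leave `server.port` unset and let the two `$SERVER["socket"]` blocks define the listeners as before. The third hunk's `server.groupname = "cache" fastcgi.server = (` looks like two lines collapsed by the renderer rather than a real one-line change, but that is worth a glance at the committed file.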
@@ -19,7 +15,6 @@ mimetype.assign = (
".css" => "text/css"
)
-
$SERVER["socket"] == ":8080" {
server.username = "cache"
server.groupname = "cache"
@@ -37,11 +32,9 @@ $SERVER["socket"] == ":8080" {
)
}
-
$SERVER["socket"] == ":8081" {
server.username = "cache"
- server.groupname = "cache"
- fastcgi.server = (
+ server.groupname = "cache" fastcgi.server = (
"" =>
(
"python-fcgi" =>
diff --git a/gitano-admin/rules/defines.lace b/gitano-admin/rules/defines.lace
index ab49034..380948a 100644
--- a/gitano-admin/rules/defines.lace
+++ b/gitano-admin/rules/defines.lace
@@ -13,13 +13,15 @@
# User/group related
define is_admin group gitano-admin
define is_owner owner ${user}
+define is_anonymous user gitano/anonymous
define if_asanother as_user ~.
# Self-related operations
define op_whoami operation whoami
define op_sshkey operation sshkey
-define op_self anyof op_whoami op_sshkey
+define op_passwd operation passwd
+define op_self anyof op_whoami op_sshkey op_passwd
# Admin-related operations
diff --git a/gitano-admin/rules/other-project.lace b/gitano-admin/rules/other-project.lace
index a42c06a..7bc80cc 100644
--- a/gitano-admin/rules/other-project.lace
+++ b/gitano-admin/rules/other-project.lace
@@ -12,7 +12,7 @@
# There are two classes of accessors here. Lorry and Others
allow "Anyone may read here" op_read
-allow "Anyone may write here" op_write
+allow "Anyone may write here" op_write !is_anonymous
# Lorry can do anything reffy which is not inside the local refs
allow "Lorry may touch everything but refs/heads/##PREFIX##" op_is_reffy is_lorry !is_local_ref
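Review bot: The added `!is_anonymous` appears to be what keeps an unauthenticated push over the new plain-http service from succeeding, and nothing in this file says so; a comment above the rule, `# gitano/anonymous (unauthenticated http) may clone but never write`, records that dependency on git-httpd.conf serving port 80 without auth. Any rule file outside this diff that grants op_write or op_is_reffy needs the same guard for that property to hold.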
diff --git a/gitano-admin/rules/selfchecks.lace b/gitano-admin/rules/selfchecks.lace
index 44e96bd..83ef778 100644
--- a/gitano-admin/rules/selfchecks.lace
+++ b/gitano-admin/rules/selfchecks.lace
@@ -11,3 +11,5 @@
allow "You may ask who you are" op_whoami
allow "You may manage your own ssh keys" op_sshkey
+
+allow "You may change your own password" op_passwd
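Review bot: The new `allow "You may change your own password" op_passwd` has no `!is_anonymous` guard, unlike the `op_write` allow in other-project.lace in this same series, so as written the rule set grants `passwd` to `gitano/anonymous` too; whether gitano's passwd command refuses an anonymous caller on its own isn't visible here. If the lace rules are meant to be the gate, `allow "You may change your own password" op_passwd !is_anonymous` keeps this file consistent with other-project.lace. Because `op_self` in defines.lace now includes `op_passwd`, any rule elsewhere that allows `op_self` widens in the same way.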
diff --git a/units/lighttpd.service b/units/lighttpd-git.service
index 589a595..b2f6315 100644
--- a/units/lighttpd.service
+++ b/units/lighttpd-git.service
@@ -3,5 +3,5 @@ Description=Lighttpd Web Server
After=network.target
[Service]
-ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd.conf -D
+ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/git-httpd.conf -D
Restart=always
diff --git a/units/lighttpd-morph-cache.service b/units/lighttpd-morph-cache.service
new file mode 100644
index 0000000..cedd071
--- /dev/null
+++ b/units/lighttpd-morph-cache.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Lighttpd Web Server
+After=network.target
+
+[Service]
+ExecStart=/usr/sbin/lighttpd -f /etc/lighttpd/morph-cache-httpd.conf -D
+Restart=always
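Review bot: `Description=Lighttpd Web Server` is identical to the description in lighttpd-git.service (renamed in this series), so `systemctl status` and journal output cannot tell the two processes apart; `Description=Lighttpd Web Server (morph cache server)` here, with a matching `(gitano)` suffix in the other unit, fixes that. The lighttpd-git.service hunk only changed the ExecStart path, so it needs the same one-line wording change.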