From de8219ff3cbb9a67cc7bfa31b270cc1bbb2c5f56 Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Wed, 17 Aug 2022 09:28:40 -0400 Subject: [PATCH 1/9] Use dynamic resolver from /etc/resolv.conf --- .env.example | 1 + .pre-commit-config.yaml | 2 +- dev-backends.yml | 9 +++++++++ nginx/backend_template.conf.j2 | 6 ++++-- nginx/build_config.py | 14 +++++++++++++- 5 files changed, 28 insertions(+), 4 deletions(-) diff --git a/.env.example b/.env.example index db9ede0..7075643 100644 --- a/.env.example +++ b/.env.example @@ -4,3 +4,4 @@ SECRET_KEY= FLASK_ENV=development MULTI_VALUE_SAML_ATTRS=Role AUTH_DEBUG=1 +TURNPIKE_ALLOWED_ORIGIN_DOMAINS=web,echo-server,foo,host.docker.internal diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 52b91ea..4de1e4c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,7 +2,7 @@ default_language_version: python: python3.8 repos: - repo: https://github.com/psf/black - rev: 19.3b0 + rev: 22.3.0 hooks: - id: black args: ["-l", "119", "-t", "py38"] diff --git a/dev-backends.yml b/dev-backends.yml index 68af266..ede10cd 100644 --- a/dev-backends.yml +++ b/dev-backends.yml @@ -4,6 +4,12 @@ auth: saml: "True" x509: "True" +- name: rbac + route: /api/rbac + origin: http://host.docker.internal:8000/_private/api + auth: + saml: "True" + x509: "True" - name: healthcheck route: /public/healthcheck/ origin: http://web.svc.cluster.local:5000/_healthcheck/ @@ -19,3 +25,6 @@ origin: http://echo-server.svc.cluster.local:8080/ source_ip: - 240.0.0.0/4 +- name: nginx_regression_test + route: /api/does_not_exist/ + origin: http://foo:5000/does_not_exist/ diff --git a/nginx/backend_template.conf.j2 b/nginx/backend_template.conf.j2 index 9b4a60f..78838be 100644 --- a/nginx/backend_template.conf.j2 +++ b/nginx/backend_template.conf.j2 
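Review bot: The new `nginx_regression_test` backend in the second dev-backends.yml hunk carries no `auth` block, while the `rbac` entry added above it and the existing backends declare `saml`/`x509` explicitly; whether a missing block means "no auth" or a loader default is not visible here. Because every entry in this file is rendered into the gateway config the same way, a comment stating the intent would stop the entry from being copied as a pattern, e.g. `# Origin host is not expected to resolve: exercises the runtime-resolver error path (dev only)` and, if it is deliberate, `# no auth block on purpose`. If the loader's default is unauthenticated, declaring `auth:` explicitly here is the safer choice even for a dev-only fixture.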
@@ -1,10 +1,12 @@ - location {{ route }} { + location ~ {{ route }}(.*)$ { + resolver {{ resolver }} valid=30s; + set $upstream {{ origin }}; auth_request /auth/; auth_request_set $login_url $upstream_http_login_url; {% for header in headers %} auth_request_set $turnpike_{{ header.lower().replace("-", "_") }} $upstream_http_{{ header.lower().replace("-", "_") }}; {% endfor %} - proxy_pass {{ origin }}; + proxy_pass $upstream$1; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $proxy_host; diff --git a/nginx/build_config.py b/nginx/build_config.py index 3d8d674..112abcc 100644 --- a/nginx/build_config.py +++ b/nginx/build_config.py @@ -3,6 +3,7 @@ import argparse import json import os +import re import time from urllib import parse, request, error import warnings @@ -47,6 +48,16 @@ def validate_route(backend): return True +def get_resolver(): + file = open("/etc/resolv.conf", "r") + match = re.search("(?<=nameserver )(.*)(?=\\n)", file.read()) + if match: + resolver = match.group() + else: + resolver = "127.0.0.11" + print(f"Using resolver: {resolver}") + + def main(args): try: with open(args.config_map_path) as ifs: @@ -77,6 +88,7 @@ def main(args): headers_to_upstream = nginx_config["to_upstream"] headers_to_policy_service = nginx_config["to_policy_service"] blueprints = nginx_config["blueprints"] + resolver = get_resolver() with open("/etc/nginx/api_gateway.conf.j2") as ifs: template = jinja2.Template(ifs.read()) @@ -90,7 +102,7 @@ def main(args): print(f"Processing backend configuration for {name}") if validate_route(backend): with open(f"/etc/nginx/api_conf.d/{name}.conf", "w") as ofs: - ofs.write(template.render(headers=headers_to_upstream, **backend)) + ofs.write(template.render(headers=headers_to_upstream, resolver=resolver, **backend)) print("Done.") From 29ca58d0951f8aa26adf2be07765055703a626d2 Mon Sep 17 00:00:00 2001 
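Review bot: `location ~ {{ route }}(.*)$ {` interpolates `route` into an unanchored regex, so `/api/rbac` now also matches `/other/api/rbac/x`, and any regex metacharacter in a route (a `.` at least) is interpreted rather than matched literally; the prefix `location` this replaces had neither property. Anchoring restores the old reach, `location ~ ^{{ route }}(.*)$ {`, and the route should be regex-escaped in build_config.py (`re.escape`, which leaves `/` alone on Python 3.7+) before it reaches the template, unless `validate_route` already constrains routes to a safe character set (its body is outside this series). Switching to regex locations also changes nginx's selection rule: regex locations are tried in file order and the first match wins, so the include order of `api_conf.d/*.conf` now decides which backend serves an overlapping route, which deserves a comment at the top of the template such as `# regex location: first matching backend file wins, keep routes non-overlapping`.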
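Review bot: `get_resolver` opens `/etc/resolv.conf` and never closes it, so the handle lives until garbage collection; the same pattern survives the rewrite of this function in patch 8 of the series. `with open("/etc/resolv.conf", "r") as file:` wrapping the `re.search(...)` line fixes it. In this revision the function also returns nothing, so the `resolver = get_resolver()` line added in `main` renders `resolver None;` into every backend file until patch 6 adds the `return`. A docstring such as `"""Return the first nameserver listed in /etc/resolv.conf for use in nginx's resolver directive."""` would make the contract explicit; `main` continues outside these hunks.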
From: Keith Walsh Date: Wed, 17 Aug 2022 09:54:34 -0400 Subject: [PATCH 2/9] Temp PR image build for deploying to stage without revert churn --- pr_check.sh | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pr_check.sh b/pr_check.sh index f7cd670..f46e667 100755 --- a/pr_check.sh +++ b/pr_check.sh @@ -2,6 +2,9 @@ export CONTAINER_NAME="turnpike-pr-check" export IMAGE_TAG="turnpike:pr-check" +export NGINX_IMAGE="quay.io/cloudservices/turnpike-nginx" +export WEB_IMAGE="quay.io/cloudservices/turnpike-web" +export PR_IMAGE_TAG=PR-$(git rev-parse --short=7 HEAD) function teardown_podman() { podman rm -f $CONTAINER_NAME || true @@ -29,6 +32,16 @@ podman build --no-cache -f Dockerfile-pr-check --tag $IMAGE_TAG # Build PR_Check Container podman create --name $CONTAINER_NAME $IMAGE_TAG +podman push "${IMAGE_TAG}:${IMAGE_TAG}" + +# Build a PR image to deploy +podman login -u="$QUAY_USER" -p="$QUAY_TOKEN" quay.io + +podman build -t "${NGINX_IMAGE}:${PR_IMAGE_TAG}" nginx +podman push "${NGINX_IMAGE}:${PR_IMAGE_TAG}" + +podman build -t "${WEB_IMAGE}:${PR_IMAGE_TAG}" . +podman push "${WEB_IMAGE}:${PR_IMAGE_TAG}" # Run PR_CHECK Container (attached with standard output) # and reports if the Containerized PR_Check fails From 91dc771301b57b19b86d5a81e51f4323eae7d3b5 Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Wed, 17 Aug 2022 09:59:27 -0400 Subject: [PATCH 3/9] Fix image tag --- pr_check.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/pr_check.sh b/pr_check.sh index f46e667..eba20be 100755 --- a/pr_check.sh +++ b/pr_check.sh @@ -32,7 +32,6 @@ podman build --no-cache -f Dockerfile-pr-check --tag $IMAGE_TAG # Build PR_Check Container podman create --name $CONTAINER_NAME $IMAGE_TAG -podman push "${IMAGE_TAG}:${IMAGE_TAG}" # Build a PR image to deploy podman login -u="$QUAY_USER" -p="$QUAY_TOKEN" quay.io From f2b92db9b5009119563503ac6a1bdc252d29ea29 Mon Sep 17 00:00:00 2001 
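Review bot: `podman login -u="$QUAY_USER" -p="$QUAY_TOKEN" quay.io` puts the registry token on the command line, where it is visible in the process table and in any CI runner that echoes commands (`set -x`); podman can read it from stdin instead: `printf '%s' "$QUAY_TOKEN" | podman login -u "$QUAY_USER" --password-stdin quay.io`. Nothing checks that the login succeeded before the pushes, so unless `set -e` is in effect above this hunk (not visible here) a failed login surfaces later as a less clear push error. The first added line, `podman push "${IMAGE_TAG}:${IMAGE_TAG}"`, expands to `turnpike:pr-check:turnpike:pr-check`, which is not a valid image reference; patch 3 removes it and patch 9 removes the whole block, but the token handling applies for as long as this runs.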
From: Keith Walsh Date: Wed, 17 Aug 2022 11:57:10 -0400 Subject: [PATCH 4/9] Update PR image tag --- pr_check.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pr_check.sh b/pr_check.sh index eba20be..beaba40 100755 --- a/pr_check.sh +++ b/pr_check.sh @@ -4,7 +4,7 @@ export CONTAINER_NAME="turnpike-pr-check" export IMAGE_TAG="turnpike:pr-check" export NGINX_IMAGE="quay.io/cloudservices/turnpike-nginx" export WEB_IMAGE="quay.io/cloudservices/turnpike-web" -export PR_IMAGE_TAG=PR-$(git rev-parse --short=7 HEAD) +export PR_IMAGE_TAG=$(git rev-parse --short=7 HEAD) function teardown_podman() { podman rm -f $CONTAINER_NAME || true From 5bdc38bf03455e6449696d485ecc4d27029ba14e Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Wed, 17 Aug 2022 15:12:22 -0400 Subject: [PATCH 5/9] Remove validity override --- nginx/backend_template.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/backend_template.conf.j2 b/nginx/backend_template.conf.j2 index 78838be..871bf4e 100644 --- a/nginx/backend_template.conf.j2 +++ b/nginx/backend_template.conf.j2 @@ -1,5 +1,5 @@ location ~ {{ route }}(.*)$ { - resolver {{ resolver }} valid=30s; + resolver {{ resolver }}; set $upstream {{ origin }}; auth_request /auth/; auth_request_set $login_url $upstream_http_login_url; From 60fd9a291cbb5e3c68a733df6183afe4991c5718 Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Thu, 18 Aug 2022 11:53:48 -0400 Subject: [PATCH 6/9] Fix return statement for resolver --- nginx/backend_template.conf.j2 | 2 +- nginx/build_config.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/nginx/backend_template.conf.j2 b/nginx/backend_template.conf.j2 index 871bf4e..48ef10f 100644 --- a/nginx/backend_template.conf.j2 +++ b/nginx/backend_template.conf.j2 
@@ -1,5 +1,5 @@ location ~ {{ route }}(.*)$ { - resolver {{ resolver }}; + resolver {{ resolver }} valid=60s; set $upstream {{ origin }}; auth_request /auth/; auth_request_set $login_url $upstream_http_login_url; diff --git a/nginx/build_config.py b/nginx/build_config.py index 112abcc..a7214c8 100644 --- a/nginx/build_config.py +++ b/nginx/build_config.py @@ -56,6 +56,7 @@ def get_resolver(): else: resolver = "127.0.0.11" print(f"Using resolver: {resolver}") + return resolver def main(args): From 3a241fb7eef41a310cec1ab57bc0bcc344f24364 Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Thu, 18 Aug 2022 14:02:12 -0400 Subject: [PATCH 7/9] Ensure we pass query params in proxy_pass --- nginx/backend_template.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nginx/backend_template.conf.j2 b/nginx/backend_template.conf.j2 index 48ef10f..0091c6e 100644 --- a/nginx/backend_template.conf.j2 +++ b/nginx/backend_template.conf.j2 @@ -6,7 +6,7 @@ {% for header in headers %} auth_request_set $turnpike_{{ header.lower().replace("-", "_") }} $upstream_http_{{ header.lower().replace("-", "_") }}; {% endfor %} - proxy_pass $upstream$1; + proxy_pass $upstream$1$is_args$args; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $proxy_host; From ff49a761738d75381dcd279df428572f4b9f2319 Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Thu, 18 Aug 2022 14:20:03 -0400 Subject: [PATCH 8/9] Fail when resolver can't be found to prevent rollout --- nginx/build_config.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/nginx/build_config.py b/nginx/build_config.py index a7214c8..f3edd08 100644 --- a/nginx/build_config.py +++ b/nginx/build_config.py 
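Review bot: `proxy_pass $upstream$1$is_args$args;` forwards the suffix captured by the regex location, and `$1` is taken from nginx's normalized `$uri` (percent-decoded, with `.`/`..` segments and duplicate slashes already collapsed); when proxy_pass is assembled from variables nginx sends that value as-is, so as far as I can tell a request for `/api/rbac/a%2Fb` reaches the upstream as `.../a/b`. If the backends depend on the exact client path, deriving the forwarded path from `$request_uri` (which already carries the query string) is the safer source; if the normalized form is intended, a template comment such as `# $1 is the normalized (decoded) URI suffix, not the raw request path; query string re-attached via $is_args$args` should say so. The `location` and `set $upstream` lines this depends on are outside this hunk.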
@@ -49,12 +49,13 @@ def validate_route(backend): def get_resolver(): - file = open("/etc/resolv.conf", "r") + resolver_file_name = "/etc/resolv.conf" + file = open(resolver_file_name, "r") match = re.search("(?<=nameserver )(.*)(?=\\n)", file.read()) - if match: - resolver = match.group() - else: - resolver = "127.0.0.11" + if not match: + raise Exception(f"Error getting resolver from {resolver_file_name}") + + resolver = match.group() print(f"Using resolver: {resolver}") return resolver From 289885cb82dcece2477c27bd733dc7593b3ebee1 Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Thu, 18 Aug 2022 14:48:02 -0400 Subject: [PATCH 9/9] Remove PR check build --- pr_check.sh | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/pr_check.sh b/pr_check.sh index beaba40..f7cd670 100755 --- a/pr_check.sh +++ b/pr_check.sh @@ -2,9 +2,6 @@ export CONTAINER_NAME="turnpike-pr-check" export IMAGE_TAG="turnpike:pr-check" -export NGINX_IMAGE="quay.io/cloudservices/turnpike-nginx" -export WEB_IMAGE="quay.io/cloudservices/turnpike-web" -export PR_IMAGE_TAG=$(git rev-parse --short=7 HEAD) function teardown_podman() { podman rm -f $CONTAINER_NAME || true @@ -33,15 +30,6 @@ podman build --no-cache -f Dockerfile-pr-check --tag $IMAGE_TAG # Build PR_Check Container podman create --name $CONTAINER_NAME $IMAGE_TAG -# Build a PR image to deploy -podman login -u="$QUAY_USER" -p="$QUAY_TOKEN" quay.io - -podman build -t "${NGINX_IMAGE}:${PR_IMAGE_TAG}" nginx -podman push "${NGINX_IMAGE}:${PR_IMAGE_TAG}" - -podman build -t "${WEB_IMAGE}:${PR_IMAGE_TAG}" . -podman push "${WEB_IMAGE}:${PR_IMAGE_TAG}" - # Run PR_CHECK Container (attached with standard output) # and reports if the Containerized PR_Check fails if ! (podman start -a $CONTAINER_NAME); then
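Review bot: The value captured from `/etc/resolv.conf` is rendered straight into the nginx `resolver` directive without any check, and the handle from `file = open(resolver_file_name, "r")` is still never closed. Reading inside `with open(...)` and validating the match as an address makes a malformed or unexpected `nameserver` line fail here at build time rather than producing a config nginx rejects or resolves through something unintended; `ipaddress.ip_address` from the standard library does that (an `import ipaddress` would join the import block at the top of the file). nginx's documented form for an IPv6 resolver address uses brackets, which the rewrite below adds, and a narrower type than bare `Exception` (`RuntimeError`) is easier for callers to tell apart from unrelated failures.
```python
def get_resolver():
    resolver_file_name = "/etc/resolv.conf"
    with open(resolver_file_name, "r") as file:
        match = re.search("(?<=nameserver )(.*)(?=\\n)", file.read())
    if not match:
        raise RuntimeError(f"Error getting resolver from {resolver_file_name}")

    resolver = match.group().strip()
    # Fail the build on anything that is not a bare IP address (raises ValueError otherwise)
    address = ipaddress.ip_address(resolver)
    if address.version == 6:
        resolver = f"[{resolver}]"  # nginx expects IPv6 resolver addresses in brackets
    # … unchanged: print and return resolver …
```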