majuna/app/terraform/proxy/__init__.py

import os.path
from abc import abstractmethod
from collections import defaultdict
import datetime
import math
import string
import random
from typing import Dict, Optional, Any, List

from sqlalchemy import text
from tldextract import tldextract

from app import app
from app.extensions import db
from app.models.base import Group
from app.models.mirrors import Proxy, Origin, SmartProxy
from app.terraform.proxy.lib import all_cdn_prefixes
from app.terraform.terraform import TerraformAutomation


def update_smart_proxy_instance(group_id: int,
                                provider: str,
                                region: str,
                                instance_id: str) -> None:
    instance = SmartProxy.query.filter(
        SmartProxy.group_id == group_id,
        SmartProxy.region == region,
        SmartProxy.provider == provider,
        SmartProxy.destroyed.is_(None)
    ).first()
    if instance is None:
        instance = SmartProxy()
        instance.added = datetime.datetime.utcnow()
        instance.group_id = group_id
        instance.provider = provider
        instance.region = region
        db.session.add(instance)
    instance.updated = datetime.datetime.utcnow()
    instance.instance_id = instance_id


def sp_trusted_prefixes() -> str:
    return "\n".join([f"geoip2_proxy {p};" for p in all_cdn_prefixes()])


class ProxyAutomation(TerraformAutomation):
    subgroup_max = math.inf
    """
    Maximum number of proxies to deploy per sub-group. This is required for some providers
    where the number origins per group may exceed the number of proxies that can be configured
    in a single "configuration block", e.g. Azure CDN's profiles.
    """

    template: str
    """
    Terraform configuration template using Jinja 2.
    """

    template_parameters: List[str]
    """
    List of parameters to be read from the application configuration for use
    in the templating of the Terraform configuration.
    """

    smart_proxies = False
    """
    Whether this provider supports "smart" proxies.
    """

    def get_subgroups(self) -> Dict[int, Dict[int, int]]:
        conn = db.engine.connect()
        result = conn.execute(text("""
        SELECT origin.group_id, proxy.psg, COUNT(proxy.id) FROM proxy, origin
        WHERE proxy.origin_id = origin.id
            AND proxy.destroyed IS NULL
            AND proxy.provider = :provider
        GROUP BY origin.group_id, proxy.psg;
        """), provider=self.provider)
        subgroups: Dict[int, Dict[int, int]] = defaultdict(lambda: defaultdict(lambda: 0))
        for row in result:
            subgroups[row[0]][row[1]] = row[2]
        return subgroups

    def create_missing_proxies(self) -> None:
        groups = Group.query.all()
        subgroups = self.get_subgroups()
        for group in groups:
            subgroup = 0
            for origin in group.origins:
                if origin.destroyed is not None:
                    continue
                while True:
                    if subgroups[group.id][subgroup] >= self.subgroup_max:
                        subgroup += 1
                    else:
                        break
                proxies = [
                    x for x in origin.proxies
                    if x.provider == self.provider and x.deprecated is None and x.destroyed is None
                ]
                if not proxies:
                    subgroups[group.id][subgroup] += 1
                    proxy = Proxy()
                    proxy.origin_id = origin.id
                    proxy.provider = self.provider
                    proxy.psg = subgroup
                    # The random usage below is good enough for its purpose: to create a slug that
                    # hasn't been used before.
                    proxy.slug = tldextract.extract(origin.domain_name).domain[:5] + ''.join(
                        random.choices(string.ascii_lowercase, k=12))  # nosec
                    proxy.added = datetime.datetime.utcnow()
                    proxy.updated = datetime.datetime.utcnow()
                    db.session.add(proxy)
        db.session.commit()

    def deprecate_orphaned_proxies(self) -> None:
        proxies = Proxy.query.filter(
            Proxy.deprecated.is_(None),
            Proxy.destroyed.is_(None),
            Proxy.provider == self.provider
        ).all()
        for proxy in proxies:
            if proxy.origin.destroyed is not None:
                proxy.deprecate(reason="origin_destroyed")
        db.session.commit()

    def destroy_expired_proxies(self) -> None:
        cutoff = datetime.datetime.utcnow() - datetime.timedelta(days=3)
        proxies = Proxy.query.filter(
            Proxy.destroyed.is_(None),
            Proxy.provider == self.provider,
            Proxy.deprecated < cutoff
        ).all()
        for proxy in proxies:
            proxy.destroyed = datetime.datetime.utcnow()
            proxy.updated = datetime.datetime.utcnow()
        db.session.commit()

    @abstractmethod
    def import_state(self, state: Any) -> None:
        raise NotImplementedError()

    def tf_prehook(self) -> Optional[Any]:  # pylint: disable=useless-return
        self.create_missing_proxies()
        self.deprecate_orphaned_proxies()
        self.destroy_expired_proxies()
        return None

    def tf_posthook(self, *, prehook_result: Any = None) -> None:
        self.import_state(self.tf_show())

    def tf_generate(self) -> None:
        groups = Group.query.all()
        self.tf_write(
            self.template,
            groups=groups,
            proxies=Proxy.query.filter(
                Proxy.provider == self.provider, Proxy.destroyed.is_(None)).all(), subgroups=self.get_subgroups(),
            global_namespace=app.config['GLOBAL_NAMESPACE'], bypass_token=app.config['BYPASS_TOKEN'],
            terraform_modules_path=os.path.join(*list(os.path.split(app.root_path))[:-1], 'terraform-modules'),
            backend_config=f"""backend "http" {{
              lock_address = "{app.config['TFSTATE_BACKEND']}/{self.short_name}"
              unlock_address = "{app.config['TFSTATE_BACKEND']}/{self.short_name}"
              address = "{app.config['TFSTATE_BACKEND']}/{self.short_name}"
            }}""",
            **{k: app.config[k.upper()] for k in self.template_parameters})
        if self.smart_proxies:
            for group in groups:
                self.sp_config(group)

    def sp_config(self, group: Group) -> None:
        group_origins: List[Origin] = Origin.query.filter(
            Origin.group_id == group.id,
            Origin.destroyed.is_(None),
            Origin.smart.is_(True)
        ).all()
        self.tmpl_write(f"smart_proxy.{group.id}.conf", """
        geoip2 /usr/share/GeoIP/GeoIP2-City.mmdb {
            auto_reload 5m;
            $geoip2_metadata_country_build metadata build_epoch;
            $geoip2_data_country_code default=US country iso_code;
        }
        """ + sp_trusted_prefixes() + """
        geoip2_proxy_recursive on;
        map $geoip2_data_country_code $redirect_country {
          default yes;
          """ + "\n".join([f"  {cc} no;" for cc in app.config['CENSORED_COUNTRIES']]) + """
        }

        {% for origin in origins %}
        server {
          listen 443 ssl;
          server_name origin-{{ origin.id }}.{{ provider }}.smart.{{ smart_zone[:-1] }};
          if ($redirect_country = yes) {
            set $redirect_test 1;
          }
          if ($arg_redirect = "false") {
            set $redirect_test 0;
          }
          if ($redirect_test = 2) {
            rewrite ^ https://{{ origin.domain_name }}$request_uri? break;
          }
          location / {
            proxy_set_header Accept-Encoding "";
            proxy_ssl_server_name on;
            proxy_pass https://{{ origin.domain_name }}/;
            subs_filter_types text/html text/css text/xml;
            subs_filter https://{{ origin.domain_name }}/ /;
            subs_filter "([^:]|)\\\"https://{{ origin.domain_name }}\\\"" \\1\\\"/\\\";
            {%- for asset_origin in origin.group.origins | selectattr("assets") -%}
            {%- for asset_proxy in asset_origin.proxies | selectattr("provider", "equalto", provider) | selectattr("deprecated", "none") | selectattr("destroyed", "none") -%}
            {%- if loop.first %}
            subs_filter https://{{ asset_origin.domain_name }}/ {{ asset_proxy.url }}/;
            {%- endif -%}
            {%- endfor -%}
            {%- endfor %}
          }
          ssl_certificate /etc/ssl/smart_proxy.crt;
          ssl_certificate_key /etc/ssl/private/smart_proxy.key;
        }
        {% endfor %}
        """,
                        provider=self.provider,
                        origins=group_origins,
                        smart_zone=app.config['SMART_ZONE'])
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`import os.path`
lots of typing fixes 2022-05-16 11:44:03 +01:00			`from abc import abstractmethod`
azure_cdn: use subgroups, attempt 2 2022-04-25 15:05:28 +01:00			`from collections import defaultdict`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`import datetime`
			`import math`
			`import string`
			`import random`
lots of typing fixes 2022-05-16 11:44:03 +01:00			`from typing import Dict, Optional, Any, List`
Initial import 2022-03-10 14:26:22 +00:00
azure_cdn: use subgroups, attempt 3 2022-04-25 15:06:24 +01:00			`from sqlalchemy import text`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`from tldextract import tldextract`
azure_cdn: use subgroups, attempt 3 2022-04-25 15:06:24 +01:00
Initial import 2022-03-10 14:26:22 +00:00			`from app import app`
			`from app.extensions import db`
models: big refactor 2022-04-22 14:01:16 +01:00			`from app.models.base import Group`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`from app.models.mirrors import Proxy, Origin, SmartProxy`
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`from app.terraform.proxy.lib import all_cdn_prefixes`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`from app.terraform.terraform import TerraformAutomation`

Initial import 2022-03-10 14:26:22 +00:00
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`def update_smart_proxy_instance(group_id: int,`
			`provider: str,`
			`region: str,`
			`instance_id: str) -> None:`
			`instance = SmartProxy.query.filter(`
			`SmartProxy.group_id == group_id,`
			`SmartProxy.region == region,`
			`SmartProxy.provider == provider,`
			`SmartProxy.destroyed.is_(None)`
			`).first()`
			`if instance is None:`
			`instance = SmartProxy()`
			`instance.added = datetime.datetime.utcnow()`
			`instance.group_id = group_id`
			`instance.provider = provider`
			`instance.region = region`
			`db.session.add(instance)`
			`instance.updated = datetime.datetime.utcnow()`
			`instance.instance_id = instance_id`


terraform: generate conf with http backend 2022-08-30 10:05:12 +01:00			`def sp_trusted_prefixes() -> str:`
			`return "\n".join([f"geoip2_proxy {p};" for p in all_cdn_prefixes()])`


automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`class ProxyAutomation(TerraformAutomation):`
			`subgroup_max = math.inf`
lots of typing fixes 2022-05-16 11:44:03 +01:00			`"""`
			`Maximum number of proxies to deploy per sub-group. This is required for some providers`
			`where the number origins per group may exceed the number of proxies that can be configured`
			`in a single "configuration block", e.g. Azure CDN's profiles.`
			`"""`

			`template: str`
			`"""`
			`Terraform configuration template using Jinja 2.`
			`"""`

			`template_parameters: List[str]`
			`"""`
			`List of parameters to be read from the application configuration for use`
			`in the templating of the Terraform configuration.`
			`"""`
Initial import 2022-03-10 14:26:22 +00:00
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`smart_proxies = False`
			`"""`
			`Whether this provider supports "smart" proxies.`
			`"""`

auto/terraform: typing hints for base terraform module 2022-05-16 10:08:18 +01:00			`def get_subgroups(self) -> Dict[int, Dict[int, int]]:`
azure_cdn: use subgroups, attempt 2 2022-04-25 15:05:28 +01:00			`conn = db.engine.connect()`
azure_cdn: use subgroups, attempt 3 2022-04-25 15:06:24 +01:00			`result = conn.execute(text("""`
azure_cdn: use subgroups, attempt 2 2022-04-25 15:05:28 +01:00			`SELECT origin.group_id, proxy.psg, COUNT(proxy.id) FROM proxy, origin`
			`WHERE proxy.origin_id = origin.id`
			`AND proxy.destroyed IS NULL`
			`AND proxy.provider = :provider`
			`GROUP BY origin.group_id, proxy.psg;`
azure_cdn: use subgroups, attempt 3 2022-04-25 15:06:24 +01:00			`"""), provider=self.provider)`
lots of typing fixes 2022-05-16 11:44:03 +01:00			`subgroups: Dict[int, Dict[int, int]] = defaultdict(lambda: defaultdict(lambda: 0))`
azure_cdn: use subgroups, attempt 2 2022-04-25 15:05:28 +01:00			`for row in result:`
			`subgroups[row[0]][row[1]] = row[2]`
			`return subgroups`

lots of typing fixes 2022-05-16 11:44:03 +01:00			`def create_missing_proxies(self) -> None:`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`groups = Group.query.all()`
			`subgroups = self.get_subgroups()`
			`for group in groups:`
			`subgroup = 0`
			`for origin in group.origins:`
automation: establish an automation framework 2022-05-08 17:20:04 +01:00			`if origin.destroyed is not None:`
			`continue`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`while True:`
			`if subgroups[group.id][subgroup] >= self.subgroup_max:`
			`subgroup += 1`
			`else:`
			`break`
			`proxies = [`
			`x for x in origin.proxies`
			`if x.provider == self.provider and x.deprecated is None and x.destroyed is None`
			`]`
			`if not proxies:`
			`subgroups[group.id][subgroup] += 1`
			`proxy = Proxy()`
			`proxy.origin_id = origin.id`
			`proxy.provider = self.provider`
			`proxy.psg = subgroup`
security: fix all bandit issues 2022-05-16 12:47:40 +01:00			`# The random usage below is good enough for its purpose: to create a slug that`
			`# hasn't been used before.`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`proxy.slug = tldextract.extract(origin.domain_name).domain[:5] + ''.join(`
security: fix all bandit issues 2022-05-16 12:47:40 +01:00			`random.choices(string.ascii_lowercase, k=12)) # nosec`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`proxy.added = datetime.datetime.utcnow()`
			`proxy.updated = datetime.datetime.utcnow()`
			`db.session.add(proxy)`
			`db.session.commit()`
Initial import 2022-03-10 14:26:22 +00:00
lots of typing fixes 2022-05-16 11:44:03 +01:00			`def deprecate_orphaned_proxies(self) -> None:`
mirrors: deprecate orphaned proxies fixes #5 2022-05-08 10:47:01 +01:00			`proxies = Proxy.query.filter(`
ci: add flake8 2022-05-16 13:29:48 +01:00			`Proxy.deprecated.is_(None),`
			`Proxy.destroyed.is_(None),`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`Proxy.provider == self.provider`
mirrors: deprecate orphaned proxies fixes #5 2022-05-08 10:47:01 +01:00			`).all()`
			`for proxy in proxies:`
			`if proxy.origin.destroyed is not None:`
			`proxy.deprecate(reason="origin_destroyed")`
			`db.session.commit()`

lots of typing fixes 2022-05-16 11:44:03 +01:00			`def destroy_expired_proxies(self) -> None:`
Initial import 2022-03-10 14:26:22 +00:00			`cutoff = datetime.datetime.utcnow() - datetime.timedelta(days=3)`
			`proxies = Proxy.query.filter(`
ci: add flake8 2022-05-16 13:29:48 +01:00			`Proxy.destroyed.is_(None),`
Initial import 2022-03-10 14:26:22 +00:00			`Proxy.provider == self.provider,`
			`Proxy.deprecated < cutoff`
			`).all()`
			`for proxy in proxies:`
			`proxy.destroyed = datetime.datetime.utcnow()`
			`proxy.updated = datetime.datetime.utcnow()`
			`db.session.commit()`

lots of typing fixes 2022-05-16 11:44:03 +01:00			`@abstractmethod`
			`def import_state(self, state: Any) -> None:`
			`raise NotImplementedError()`

lint: add back "useless" return to tf_prehook 2022-06-17 14:26:22 +01:00			`def tf_prehook(self) -> Optional[Any]: # pylint: disable=useless-return`
mirrors: deprecate orphaned proxies fixes #5 2022-05-08 10:47:01 +01:00			`self.create_missing_proxies()`
			`self.deprecate_orphaned_proxies()`
			`self.destroy_expired_proxies()`
lint: add back "useless" return to tf_prehook 2022-06-17 14:26:22 +01:00			`return None`
mirrors: deprecate orphaned proxies fixes #5 2022-05-08 10:47:01 +01:00
lots of typing fixes 2022-05-16 11:44:03 +01:00			`def tf_posthook(self, *, prehook_result: Any = None) -> None:`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`self.import_state(self.tf_show())`

lots of typing fixes 2022-05-16 11:44:03 +01:00			`def tf_generate(self) -> None:`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`groups = Group.query.all()`
automation: pull up terraform funcs to abstract class see #1 2022-05-08 13:01:15 +01:00			`self.tf_write(`
Initial import 2022-03-10 14:26:22 +00:00			`self.template,`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`groups=groups,`
Initial import 2022-03-10 14:26:22 +00:00			`proxies=Proxy.query.filter(`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`Proxy.provider == self.provider, Proxy.destroyed.is_(None)).all(), subgroups=self.get_subgroups(),`
			`global_namespace=app.config['GLOBAL_NAMESPACE'], bypass_token=app.config['BYPASS_TOKEN'],`
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`terraform_modules_path=os.path.join(*list(os.path.split(app.root_path))[:-1], 'terraform-modules'),`
terraform: generate conf with http backend 2022-08-30 10:05:12 +01:00			`backend_config=f"""backend "http" {{`
			`lock_address = "{app.config['TFSTATE_BACKEND']}/{self.short_name}"`
			`unlock_address = "{app.config['TFSTATE_BACKEND']}/{self.short_name}"`
			`address = "{app.config['TFSTATE_BACKEND']}/{self.short_name}"`
			`}}""",`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`**{k: app.config[k.upper()] for k in self.template_parameters})`
			`if self.smart_proxies:`
			`for group in groups:`
			`self.sp_config(group)`

			`def sp_config(self, group: Group) -> None:`
			`group_origins: List[Origin] = Origin.query.filter(`
			`Origin.group_id == group.id,`
			`Origin.destroyed.is_(None),`
			`Origin.smart.is_(True)`
			`).all()`
			`self.tmpl_write(f"smart_proxy.{group.id}.conf", """`
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`geoip2 /usr/share/GeoIP/GeoIP2-City.mmdb {`
			`auto_reload 5m;`
			`$geoip2_metadata_country_build metadata build_epoch;`
			`$geoip2_data_country_code default=US country iso_code;`
			`}`
terraform: generate conf with http backend 2022-08-30 10:05:12 +01:00			`""" + sp_trusted_prefixes() + """`
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`geoip2_proxy_recursive on;`
smart proxy: do not redirect when given argument ?redirect=false 2022-08-15 10:13:44 +01:00			`map $geoip2_data_country_code $redirect_country {`
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`default yes;`
			`""" + "\n".join([f" {cc} no;" for cc in app.config['CENSORED_COUNTRIES']]) + """`
			`}`

proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`{% for origin in origins %}`
			`server {`
			`listen 443 ssl;`
smart_proxy: add asset domains concept 2022-05-25 15:32:17 +01:00			`server_name origin-{{ origin.id }}.{{ provider }}.smart.{{ smart_zone[:-1] }};`
smart proxy: fixups 2022-08-12 13:42:07 +01:00			`if ($redirect_country = yes) {`
smart proxy: do not redirect when given argument ?redirect=false 2022-08-15 10:13:44 +01:00			`set $redirect_test 1;`
			`}`
			`if ($arg_redirect = "false") {`
			`set $redirect_test 0;`
			`}`
smart proxy: disable temporarily 2022-08-16 16:49:13 +01:00			`if ($redirect_test = 2) {`
smart proxy: avoid duplicating 2022-08-12 15:58:46 +01:00			`rewrite ^ https://{{ origin.domain_name }}$request_uri? break;`
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`}`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`location / {`
			`proxy_set_header Accept-Encoding "";`
			`proxy_ssl_server_name on;`
			`proxy_pass https://{{ origin.domain_name }}/;`
			`subs_filter_types text/html text/css text/xml;`
			`subs_filter https://{{ origin.domain_name }}/ /;`
proxy: smart redirector 2022-08-12 11:55:14 +01:00			`subs_filter "([^:]\|)\\\"https://{{ origin.domain_name }}\\\"" \\1\\\"/\\\";`
smart_proxy: asset domain configuration formatting 2022-05-25 15:57:00 +01:00			`{%- for asset_origin in origin.group.origins \| selectattr("assets") -%}`
proxy: ensure use of only active proxies for smart proxy 2022-05-27 15:24:34 +01:00			`{%- for asset_proxy in asset_origin.proxies \| selectattr("provider", "equalto", provider) \| selectattr("deprecated", "none") \| selectattr("destroyed", "none") -%}`
smart_proxy: asset domain configuration formatting 2022-05-25 15:57:00 +01:00			`{%- if loop.first %}`
proxy: ensure use of only active proxies for smart proxy 2022-05-27 15:24:34 +01:00			`subs_filter https://{{ asset_origin.domain_name }}/ {{ asset_proxy.url }}/;`
smart_proxy: asset domain configuration formatting 2022-05-25 15:57:00 +01:00			`{%- endif -%}`
			`{%- endfor -%}`
			`{%- endfor %}`
proxies: add smart proxy support still to do: * document new configuration options * add smart proxies to groups view * import bandwidth and CPU alarms 2022-05-24 19:51:38 +01:00			`}`
			`ssl_certificate /etc/ssl/smart_proxy.crt;`
			`ssl_certificate_key /etc/ssl/private/smart_proxy.key;`
			`}`
			`{% endfor %}`
			`""",`
			`provider=self.provider,`
smart_proxy: add asset domains concept 2022-05-25 15:32:17 +01:00			`origins=group_origins,`
			`smart_zone=app.config['SMART_ZONE'])`