WIP support graceful configtest and reload with conf from git

build-contracts/docker-compose.yml

@@ -0,0 +1,64 @@
+version: '2'
+services:
+  gitclient.build:
+    build: ../gitclient
+    image: httpd-gitclient
+    entrypoint: ["echo", "This service was just a build job. Exiting."]
+  git.build:
+    build: ../git
+    depends_on:
+      - gitclient.build
+    image: httpd-git
+    entrypoint: ["echo", "This service was just a build job. Exiting."]
+  # httpd-git acceptance testing
+  githost:
+    build: ./githost
+    depends_on:
+      - git.build
+    ports:
+      - "80"
+  readonly:
+    build: ./githost
+    depends_on:
+      - git.build
+    ports:
+      - "80"
+    environment:
+      - GIT_READONLY=1
+  test.git:
+    build:  ./perlspec
+    labels:
+      com.yolean.build-contract: "*"
+    links:
+      - githost
+      - readonly
+    volumes:
+      - ./test:/project/t
+  # httpd-gitconf acceptance testing
+  httpd:
+    build: ../httpd-gitconf
+    image: httpd-gitconf
+    depends_on:
+      - gitclient.build
+    links:
+      - githost
+    volumes:
+      - ./gitconf-test:/gitconf-test
+      - ../httpd-gitconf:/perldev
+    entrypoint: /gitconf-test/httpd-entrypoint-gitconf
+    ports:
+      - "80"
+    environment:
+      - DEBUG=*
+  test.reconf:
+    build:  ./perlspec
+    labels:
+      com.yolean.build-contract: "*"
+    links:
+      - githost
+      - httpd
+    volumes:
+      - ./gitconf-test:/project/t
+    # Of these test watch tools prowess' terminal usage seems to work better with docker-compose run, but neither understands Ctrl+C so you need docker kill
+    #entrypoint: autoprove
+    #entrypoint: prowess

build-contracts/gitconf-test/httpd-entrypoint-gitconf

@@ -0,0 +1,12 @@
+#!/usr/bin/perl -w
+use strict;
+
+`git clone http://githost/git/Test/conf.git /tmp/conf`; $? == 0 or die;
+`git clone http://githost/git/Test/cert.git /tmp/cert`; $? == 0 or die;
+`rm /usr/local/apache2/conf -Rf`; $? == 0 or die;
+`mv /tmp/conf /usr/local/apache2/conf`; $? == 0 or die;
+`mv /tmp/cert /usr/local/apache2/cert`; $? == 0 or die;
+`apachectl configtest`; $? == 0 or die;
+
+# now the real entrypoint
+exec 'httpd-foreground';

build-contracts/gitconf-test/reconf-spec.t

@@ -0,0 +1,85 @@
+#!/usr/bin/perl -w
+use strict;
+
+use Test::Spec;
+
+my $testkey = time();
+mkdir "/tmp/testrun-$testkey";
+chdir "/tmp/testrun-$testkey";
+print "# testrun /tmp/testrun-$testkey\n";
+
+use HTTP::Tiny;
+use JSON;
+
+my $r;
+
+describe "Httpd state at container startup" => sub {
+
+  it "Should be running" => sub {
+    $r = HTTP::Tiny->new->head('http://httpd/');
+    is($r->{status}, 200);
+  };
+
+  it "Should have a typical 404 error page" => sub {
+    $r = HTTP::Tiny->new->head('http://httpd/testing/notfound');
+    is($r->{status}, 404);
+    isnt($r->{content}, 'Custom.');
+  };
+
+};
+
+describe "A shared git remote" => sub {
+
+  it "Is alive" => sub {
+    $r = HTTP::Tiny->new->head('http://githost/');
+    is($r->{status}, 200);
+  };
+
+  it "Has a conf repo to clone" => sub {
+    `git clone http://githost/git/Test/conf.git`;
+    is($?, 0);
+    ok(-e 'conf/.git');
+  };
+
+  it "Has a cert repo to clone" => sub {
+    `git clone http://githost/git/Test/cert.git`;
+    is($?, 0);
+    ok(-e 'conf/.git');
+  };
+
+};
+
+describe "Extenal conf modification over git" => sub {
+
+  it "Add a simple one liner that can be detected over HTTP" => sub {
+    `echo '<Location /testing>ErrorDocument 404 "Custom."</Location>' >> conf/httpd.conf`;
+    is($?, 0);
+    `cd conf/; git add httpd.conf; git commit -m "Change 404 page"`;
+    is($?, 0);
+  };
+
+  it "Trigger httpd reconf using REST endpoint" => sub {
+    my $http = HTTP::Tiny->new();
+    my $r = $http->post(
+      'http://httpd/admin/reconf' => {
+        content => to_json(
+          {}
+        ),
+        headers => {
+          'Accept' => 'application/json',
+        },
+      },
+    );
+    is($r->{status}, 200);
+  };
+
+  it "Shuld now have affected httpd's runtime conf" => sub {
+    $r = HTTP::Tiny->new->head('http://httpd/testing/notfound');
+    is($r->{content}, 'Custom.');
+  };
+
+};
+
+
+
+runtests unless caller;

build-contracts/githost/Dockerfile

@@ -0,0 +1,22 @@
+FROM httpd-git
+
+RUN sed -i 's|^#LoadModule authn_anon_module|LoadModule authn_anon_module|' conf/httpd.conf
+
+COPY auth-anon.conf conf/git/
+
+RUN mkdir -p /opt/git/Test \
+  && git init --bare /opt/git/Test/test.git \
+  && git init --bare /opt/git/Test/conf.git \
+  && git init --bare /opt/git/Test/cert.git \
+  && chown -R daemon /opt/git
+
+RUN git config --global user.email "you@example.com" \
+  && git config --global user.name "Your Name" \
+  && git clone /opt/git/Test/conf.git /tmp/conf \
+  && cd /tmp/conf/ \
+  && cp /usr/local/apache2/conf/httpd.conf . \
+  && cp /usr/local/apache2/conf/mime.types . \
+  && sed -i 's/^Include/#Include/' httpd.conf \
+  && git add * \
+  && git commit -m "Gets httpd up and running" \
+  && git push origin master

build-contracts/githost/auth-anon.conf

@@ -0,0 +1,11 @@
+<Location />
+  AuthName "If visitors get this auth prompt you are at risk"
+  AuthType Basic
+  AuthBasicProvider anon
+
+  Anonymous_NoUserID off
+  Anonymous_MustGiveEmail off
+  Anonymous_VerifyEmail off
+  Anonymous_LogEmail off
+  Anonymous "*"
+</Location>

build-contracts/perlspec/Dockerfile

@@ -0,0 +1,25 @@
+FROM perl:5.24
+
+# http://stackoverflow.com/questions/3462058/how-do-i-automate-cpan-configuration
+RUN (echo y;echo o conf prerequisites_policy follow;echo o conf commit) | cpan
+
+RUN cpan install Test::Spec
+
+RUN cpan install HTTP::Tiny JSON
+
+# We need one of these and I don't know which one is more stable or useful yet
+# To evaluate, toggle entrypoint between prove/autoprove/prowess
+RUN cpan install Test::Continuous App::prowess
+
+RUN git --version && cpan install Git::Wrapper
+
+RUN git config --global user.email "perlspec-testing@example.com" \
+  && git config --global user.name "Perlspec Testint"
+
+# Official perl image gotcha, /usr/bin/perl fails to include CPAN modules
+RUN mv /usr/bin/perl /usr/bin/perl.org \
+  && ln -s /usr/local/bin/perl /usr/bin/perl
+
+WORKDIR /project
+
+ENTRYPOINT ["prove"]

build-contracts/test/git-http-spec.t

@@ -0,0 +1,70 @@
+#!/usr/bin/perl -w
+use strict;
+
+use Test::Spec;
+
+# Didn't like this much, let's see if we need it
+#use Git::Wrapper;
+#my $git = Git::Wrapper->new('/tmp/test');
+
+my $testkey = time();
+mkdir "/tmp/testrun-$testkey";
+chdir "/tmp/testrun-$testkey";
+print "# testrun /tmp/testrun-$testkey\n";
+
+describe "Clone at /git/[org]/[repo]" => sub {
+
+  it "Allowed" => sub {
+    `git clone http://githost/git/Test/test.git ./test`;
+    is($?, 0);
+  };
+
+  it "Produces a local repo" => sub {
+    ok(-e 'test/.git' and -d 'test/.git');
+  };
+
+};
+
+describe "Readonly" => sub {
+
+  it "Same clone behavior as regular host" => sub {
+    `git clone http://readonly/git/Test/test.git ./readonly`;
+    is($?, 0);
+  };
+
+  it "Same fetch" => sub {
+    `cd test/ && git remote add readonly http://readonly/git/Test/test.git && git fetch readonly`;
+    is($?, 0);
+  };
+
+  it "Denies push" => sub {
+    `cd test/ && echo test > test1.txt && git add test1.txt && git commit -m "Test 1"`;
+    is($?, 0);
+    `cd test/ && git push readonly master`;
+    isnt($?, 0);
+  };
+
+  # TODO test for status code 403 at GET /git/Test/test.git/info/refs?service=git-receive-pack
+  # as the test above passes for status 500 (i.e. auth not configured) too
+  # Or we can possibly just check for git auth attempt "fatal: could not read Username for 'http://readonly': No such device or address"
+
+};
+
+describe "Push" => sub {
+
+  it "Requires authentication (with default config, custom auth conf needed)" => sub {
+    `cd test/ && git push origin master`;
+    isnt($?, 0);
+  };
+
+  it "Test container runs mod_auth_anon so any username will do here" => sub {
+    `cd test/ && git remote add auth 'http://testuser:\@githost/git/Test/test.git' && git remote -v`;
+    ## more presistent auth
+    #`echo 'http://testuser:@githost' >> ~/.git-credentials`
+    #`cd test/ && git config credential.helper store && git push origin master`;
+    is($?, 0);
+  };
+
+};
+
+runtests unless caller;

git/Dockerfile

@@ -1,51 +1,12 @@
-
-FROM httpd:2.4.23
-
-ENV GIT_VERSION 2.9.3
-ENV GIT_VERSION_TGZ_URL https://www.kernel.org/pub/software/scm/git/git-$GIT_VERSION.tar.gz
-ENV GIT_VERSION_TGZ_SHA1 ae90c4e5008ae10c8a67a51ff3dbea8364d97168
-
-RUN depsRuntime=' \
-		libcurl3 \
-		libexpat1 \
-		gettext \
-		libssl1.0.0 \
-	' \
-  && depsBuild=' \
-		curl ca-certificates \
-		gcc \
-		make \
-		autoconf \
-		libcurl4-gnutls-dev \
-		libexpat1-dev \
-		gettext \
-		libz-dev \
-		libssl-dev \
-	' \
-	set -x \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends $depsRuntime \
-	&& apt-get install -y --no-install-recommends $depsBuild \
-	&& rm -r /var/lib/apt/lists/* \
-	&& curl -SL "$GIT_VERSION_TGZ_URL" -o git-$GIT_VERSION.tar.gz \
-	&& echo "$GIT_VERSION_TGZ_SHA1 git-$GIT_VERSION.tar.gz" | sha1sum -c - \
-	&& mkdir -p src/git \
-	&& tar -xvf git-$GIT_VERSION.tar.gz -C src/git --strip-components=1 \
-	&& rm git-$GIT_VERSION.tar.gz* \
-	&& cd src/git \
-	&& make configure \
-	&& ./configure --prefix=/usr \
-	&& make all \
-	&& make install \
-	&& cd ../../ \
-	&& rm -r src/git \
-	&& apt-get purge -y --auto-remove $depsBuild
-
-EXPOSE 80
+FROM httpd-gitclient
 
 RUN sed -i 's|#LoadModule cgid_module|LoadModule cgid_module|' conf/httpd.conf \
   && sed -i 's|#LoadModule rewrite_module|LoadModule rewrite_module|' conf/httpd.conf \
   && echo "Include conf/git/*.conf" >> conf/httpd.conf
 
+ENV GIT_PROJECT_ROOT="/opt/git"
+ENV GIT_HTTP_EXPORT_ALL="1"
+ENV GIT_READONLY=""
+
 ADD conf/git.conf /usr/local/apache2/conf/git/
-ADD conf/git-readonly.conf /usr/local/apache2/conf/git/
+ADD conf/git-access.conf /usr/local/apache2/conf/git/

git/conf/git-access.conf

@@ -0,0 +1,18 @@
+
+RewriteEngine On
+
+RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
+RewriteCond %{REQUEST_URI} /git-receive-pack$
+RewriteCond %{GIT_READONLY} !^$
+RewriteRule ^/git/ - [F]
+
+RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
+RewriteCond %{REQUEST_URI} /git-receive-pack$
+RewriteRule ^/git/ - [E=AUTHREQUIRED]
+
+<Files "git-http-backend">
+  Require valid-user
+  Order deny,allow
+  Deny from env=AUTHREQUIRED
+  Satisfy any
+</Files>

git/conf/git.conf

@@ -1,13 +1,9 @@
-SetEnv GIT_PROJECT_ROOT /opt/git
-SetEnv GIT_HTTP_EXPORT_ALL 1
+PassEnv GIT_PROJECT_ROOT
+PassEnv GIT_HTTP_EXPORT_ALL
+
 ScriptAlias /git/ /usr/libexec/git-core/git-http-backend/
 
 <Location /usr/libexec/git-core>
   Options +ExecCGI
   Require all granted
 </Location>
-
-RewriteEngine On
-RewriteCond %{QUERY_STRING} service=git-receive-pack [OR]
-RewriteCond %{REQUEST_URI} /git-receive-pack$
-RewriteRule ^/git/ - [E=AUTHREQUIRED]