authorIvan Dolgov <ivan@qvarnlabs.com>2018-02-05 15:09:14 +0200
committerIvan Dolgov <ivan@qvarnlabs.com>2018-02-05 15:09:14 +0200
commit3b208da0461f5a129fcbc527fbfdd9ed8309d077 (patch)
treefb7bbff96740dcd1b6309c7064537b2bb90ffcca
parente7cf984b49c35c8e5a4ec9a451ebe4bc783ef2bb (diff)
parent3bb8941c3bcf640e1d1b0a68bfb26154520f5544 (diff)
downloadqvisqve-3b208da0461f5a129fcbc527fbfdd9ed8309d077.tar.gz
Add deployment-related changes
Signed-off-by: Ivan Dolgov <ivan@qvarnlabs.com>
-rw-r--r--NEWS8
-rw-r--r--debian/changelog11
-rw-r--r--debian/control10
-rwxr-xr-xdebian/rules2
-rw-r--r--debian/salami.install1
-rw-r--r--debian/salami.postinst38
-rwxr-xr-xsalami-get-token2
-rw-r--r--salami.service14
-rw-r--r--salami/__init__.py2
-rw-r--r--salami/app.py76
-rw-r--r--salami/backend.py61
-rw-r--r--salami/version.py4
-rw-r--r--setup.py4
-rwxr-xr-xstart_salami49
-rw-r--r--without-tests1
-rw-r--r--yarns/lib.py2
16 files changed, 189 insertions, 96 deletions
diff --git a/NEWS b/NEWS
index 0a04d9a..2c8b509 100644
--- a/NEWS
+++ b/NEWS
@@ -3,7 +3,11 @@ NEWS for Salami
This file has release notes for Salami
-Version 0.7+git, not yet released
+Version 0.8+git, not yet released
+---------------------------------
+
+
+Version 0.8, released 2018-02-03
---------------------------------
* Salami now expects client secrets to be stored hashed in the config
@@ -20,6 +24,8 @@ Version 0.7+git, not yet released
* A new script `salami-hash` is included to generate the hashed client
secrets for the Salami config file.
+* This release is made only to facilitate internal testing.
+
Version 0.7, released 2018-02-01
---------------------------------
diff --git a/debian/changelog b/debian/changelog
index ad62f64..59d07c1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,15 @@
-salami (0.7+git-1) UNRELEASED; urgency=medium
+salami (0.8+git-1) UNRELEASED; urgency=medium
* New upstream version.
- -- Lars Wirzenius <liw@liw.fi> Thu, 01 Feb 2018 11:05:56 +0200
+ -- Lars Wirzenius <liw@liw.fi> Sat, 03 Feb 2018 15:28:54 +0200
+
+salami (0.8-1) unstable; urgency=medium
+
+ * New upstream version.
+ * Add missing dependencies.
+
+ -- Lars Wirzenius <liw@liw.fi> Sat, 03 Feb 2018 15:28:52 +0200
salami (0.7-1) unstable; urgency=medium
diff --git a/debian/control b/debian/control
index 98a74d6..15e2baa 100644
--- a/debian/control
+++ b/debian/control
@@ -28,6 +28,14 @@ X-Python3-Version: >= 3.5
Package: salami
Architecture: all
Depends: ${python3:Depends}, ${misc:Depends},
- python3 (>= 3.5)
+ python3 (>= 3.5),
+ python3-apifw,
+ python3-slog,
+ python3-yaml,
+ python3-crypto,
+ python3-cryptography,
+ python3-pycryptodome,
+ python3-jwt,
+ python3-requests
Description: a thing
This is a thing.
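Review bot: The added Depends lines pull in three overlapping cryptography stacks: `python3-crypto`, `python3-cryptography` and `python3-pycryptodome`. `python3-crypto` is PyCrypto, which is no longer maintained upstream, so installing it alongside a token issuer adds unpatched code for no benefit if nothing imports it. This diff does not show which of the three Salami actually imports, so that needs checking against the code. Keep only the lines for libraries that are imported, and put a comment above the list naming the module that needs each one.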
diff --git a/debian/rules b/debian/rules
index 827d016..72f6370 100755
--- a/debian/rules
+++ b/debian/rules
@@ -4,4 +4,6 @@
dh $@ --with python3 --buildsystem=pybuild
override_dh_auto_test:
+ifeq (,$(findstring nocheck,$(DEB_BUILD_OPTIONS)))
./check
+endif
diff --git a/debian/salami.install b/debian/salami.install
new file mode 100644
index 0000000..a7c6c98
--- /dev/null
+++ b/debian/salami.install
@@ -0,0 +1 @@
+salami.service lib/systemd/system
diff --git a/debian/salami.postinst b/debian/salami.postinst
new file mode 100644
index 0000000..f905b78
--- /dev/null
+++ b/debian/salami.postinst
@@ -0,0 +1,38 @@
+#!/bin/sh
+# Copyright 2018 Lars Wirzenius
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+set -eu
+
+
+create_user()
+{
+ local name="$1"
+ local logdir="$2"
+
+ addgroup --force "$name" || true
+ adduser --disabled-login --disabled-password \
+ --gecos "Ick CI" \
+ --shell /bin/true --force \
+ --ingroup "$name" \
+ "$name" || true
+ install -d -m 0755 -o "$name" -g "$name" "$logdir"
+}
+
+
+# Create a group and user for Salami
+create_user _salami /var/log/salami
+
+#DEBHELPER#
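Review bot: In create_user both `addgroup` and `adduser` end in `|| true`, which hides every failure rather than only the "already exists" case, so a broken account setup surfaces later as a failing `install -o`. Guard on existence instead, e.g. `getent passwd "$name" >/dev/null || adduser --system --group --force-badname --no-create-home "$name"`, which also makes `_salami` a system account instead of a regular user with a home directory. The log directory is created world-readable with `-m 0755`; for an identity provider `-m 0750` is the safer default unless other accounts are meant to read the logs. The `--gecos "Ick CI"` text looks carried over from another package and should name Salami.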
diff --git a/salami-get-token b/salami-get-token
index 5c984b6..8068585 100755
--- a/salami-get-token
+++ b/salami-get-token
@@ -18,7 +18,7 @@ data = {
'scope': ' '.join(scopes),
}
-r = requests.post(url, auth=auth, data=data)
+r = requests.post(url, auth=auth, data=data, verify=False)
if r.ok:
obj = r.json()
print(obj['access_token'])
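Review bot: `verify=False` on the `requests.post` call turns off TLS certificate validation for the one request that carries the client credentials in `auth` and returns the access token, so an on-path party can read both. setup.py in this same commit adds `salami-get-token` to `scripts`, so the insecure default is installed with the package rather than staying a local test helper. If the test deployment uses a private CA or a self-signed certificate, keep validation on and trust that certificate explicitly: leave the call as `r = requests.post(url, auth=auth, data=data)` and set `REQUESTS_CA_BUNDLE` in the environment, or pass `verify='/path/to/ca.pem'` (placeholder path). The script begins and ends outside this hunk.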
diff --git a/salami.service b/salami.service
new file mode 100644
index 0000000..f02e8bb
--- /dev/null
+++ b/salami.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Salami OpenID Connect provider
+Requires=network.target
+After=network.target
+ConditionPathExists=/etc/salami/salami.yaml
+
+[Service]
+Type=simple
+User=_salami
+Group=_salami
+ExecStart=/usr/bin/start_salami /etc/salami/salami.yaml
+
+[Install]
+WantedBy=multi-user.target
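Review bot: The `[Service]` section drops privileges with `User=_salami` and `Group=_salami` but sets no sandboxing, although the process loads the configuration that holds `token-private-key`. Adding `NoNewPrivileges=yes`, `ProtectSystem=full` and `PrivateTmp=yes` would narrow what a compromised worker can reach while leaving /var/log/salami writable. Separately, `Type=simple` expects the process to stay in the foreground, which holds only while the config does not select `gunicorn: background` (start_salami then passes `--daemon`); a comment above `ExecStart=` stating that constraint would help.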
diff --git a/salami/__init__.py b/salami/__init__.py
index 14b0f73..bc00c79 100644
--- a/salami/__init__.py
+++ b/salami/__init__.py
@@ -28,4 +28,4 @@ from .version_router import VersionRouter
from .token_router import TokenRouter
from .api import SalamiAPI
-from .backend import create_app
+from .app import create_app
diff --git a/salami/app.py b/salami/app.py
new file mode 100644
index 0000000..1a01c07
--- /dev/null
+++ b/salami/app.py
@@ -0,0 +1,76 @@
+# Copyright (C) 2017-2018 Lars Wirzenius
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+
+import os
+
+
+import apifw
+import slog
+import yaml
+
+
+import salami
+
+
+DEFAULT_CONFIG_FILE = '/dev/null'
+
+
+def dict_logger(log, stack_info=None):
+ salami.log.log(exc_info=stack_info, **log)
+
+
+def read_config(filename):
+ with open(filename) as f:
+ return yaml.safe_load(f)
+
+
+def check_config(cfg):
+ for key in cfg:
+ if cfg[key] is None:
+ raise Exception('Configration %s should not be None' % key)
+
+
+_counter = slog.Counter()
+
+
+def counter():
+ new_context = 'HTTP transaction {}'.format(_counter.increment())
+ salami.log.set_context(new_context)
+
+
+default_config = {
+ 'log': [],
+ 'token-issuer': None,
+ 'token-public-key': None,
+ 'token-private-key': None,
+ 'token-lifetime': None,
+ 'clients': None,
+}
+
+
+def create_app():
+ config_filename = os.environ.get('SALAMI_CONFIG', DEFAULT_CONFIG_FILE)
+ actual_config = read_config(config_filename)
+ config = dict(default_config)
+ config.update(actual_config or {})
+ if 'token-audience' not in config:
+ config['token-audience'] = config.get('token-issuer')
+ check_config(config)
+ salami.setup_logging(config)
+ salami.log.log('info', msg_text='Salami starting')
+
+ api = salami.SalamiAPI(config)
+ return apifw.create_bottle_application(api, counter, dict_logger, config)
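Review bot: `check_config` rejects only values that are exactly `None`, so an empty string or a wrongly typed `token-private-key`, `token-lifetime` or `clients` passes startup validation and presumably fails only when a token is requested. When `SALAMI_CONFIG` is unset, `create_app` reads `/dev/null`, `yaml.safe_load` returns `None`, and the resulting error names whichever default key is checked first instead of saying that no config file was given. The message is also misspelled; `raise Exception('Configuration %s should not be None' % key)` fixes that without changing the exception type callers may catch. None of the functions carries a docstring; one line each on `read_config`, `check_config` and `create_app` stating these rules would be enough. The code appears moved unchanged from salami/backend.py.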
diff --git a/salami/backend.py b/salami/backend.py
index 18b27dc..3befdaf 100644
--- a/salami/backend.py
+++ b/salami/backend.py
@@ -14,66 +14,7 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
-import os
-
-
-import apifw
-import slog
-import yaml
-
-
import salami
-DEFAULT_CONFIG_FILE = '/dev/null'
-
-
-def dict_logger(log, stack_info=None):
- salami.log.log(exc_info=stack_info, **log)
-
-
-def read_config(filename):
- with open(filename) as f:
- return yaml.safe_load(f)
-
-
-def check_config(cfg):
- for key in cfg:
- if cfg[key] is None:
- raise Exception('Configration %s should not be None' % key)
-
-
-_counter = slog.Counter()
-
-
-def counter():
- new_context = 'HTTP transaction {}'.format(_counter.increment())
- salami.log.set_context(new_context)
-
-
-default_config = {
- 'log': [],
- 'token-issuer': None,
- 'token-public-key': None,
- 'token-private-key': None,
- 'token-lifetime': None,
- 'clients': None,
-}
-
-
-def create_app():
- config_filename = os.environ.get('SALAMI_CONFIG', DEFAULT_CONFIG_FILE)
- actual_config = read_config(config_filename)
- config = dict(default_config)
- config.update(actual_config or {})
- if 'token-audience' not in config:
- config['token-audience'] = config.get('token-issuer')
- check_config(config)
- salami.setup_logging(config)
- salami.log.log('info', msg_text='Salami starting')
-
- api = salami.SalamiAPI(config)
- return apifw.create_bottle_application(api, counter, dict_logger, config)
-
-
-app = create_app()
+app = salami.create_app()
diff --git a/salami/version.py b/salami/version.py
index 6ab0781..456773e 100644
--- a/salami/version.py
+++ b/salami/version.py
@@ -1,2 +1,2 @@
-__version__ = "0.7+git"
-__version_info__ = (0, 7, '+git')
+__version__ = "0.8+git"
+__version_info__ = (0, 8, '+git')
diff --git a/setup.py b/setup.py
index 7e3fdb6..8a8bf9f 100644
--- a/setup.py
+++ b/setup.py
@@ -24,9 +24,9 @@ import salami
setup(
name='salami',
version=salami.__version__,
- description='thing',
+ description='OpenID Connect provider',
author='Lars Wirzenius',
author_email='liw@qvarnlabs.com',
packages=['salami', 'salami_secrets'],
- scripts=['start_salami', 'salami-hash'],
+ scripts=['start_salami', 'salami-hash', 'salami-get-token'],
)
diff --git a/start_salami b/start_salami
index 16a09f5..83a5a60 100755
--- a/start_salami
+++ b/start_salami
@@ -30,23 +30,12 @@ print(config.get(varname, ""))
}
-gunicorn_wanted()
-{
- set -eu
- case "$(get "$1" gunicorn)" in
- yes|True)
- return 0
- ;;
- esac
- return 1
-}
-
-
run_bottle()
{
set -eu
+ local port="$(get "$config" gunicorn-port)"
export SALAMI_CONFIG="$1"
- python3 -c 'import salami; salami.create_app().run(host="127.0.0.1", port=12765)'
+ python3 -c "import salami; salami.create_app().run(host='127.0.0.1', port=$port)"
}
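Review bot: In run_bottle the port read from the config file is spliced into Python source (`port=$port` inside the double-quoted `python3 -c` string), so an empty or non-numeric `gunicorn-port` becomes a syntax error or extra Python evaluated at startup. Pass it as an argument and convert it there: `python3 -c 'import sys, salami; salami.create_app().run(host="127.0.0.1", port=int(sys.argv[1]))' "$port"`. The new `local port="$(get "$config" gunicorn-port)"` also reads the global `$config` instead of `$1`, and because `local` masks the exit status a failing `get` is not caught by `set -eu`. Declaring `local port` first and assigning on the next line fixes that, and the same applies to the added `local gunicorn=` line in run_gunicorn.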
@@ -55,6 +44,7 @@ run_gunicorn()
{
set -eu
local config="$1"
+ local gunicorn="$(get "$config" gunicorn)"
local log_file="$(get "$config" gunicorn-log)"
local pid_file="$(get "$config" gunicorn-pid-file)"
local port="$(get "$config" gunicorn-port)"
@@ -66,22 +56,31 @@ run_gunicorn()
pid_opt="-p $pid_file"
fi
- export SALAMI_CONFIG="$config"
- gunicorn3 \
- --bind 127.0.0.1:"$port" \
+ opts="
+ --bind 127.0.0.1:$port \
-w1 \
- --log-file "$log_file" \
- "$pid_opt" \
+ --log-file $log_file \
+ $pid_opt \
--log-level debug \
- --daemon \
- salami.backend:app
+ "
+
+ if [ "$gunicorn" = background ]
+ then
+ opts="$opts --daemon"
+ fi
+
+ export SALAMI_CONFIG="$config"
+ gunicorn3 $opts salami.backend:app
}
config="$1"
-if gunicorn_wanted "$config"
-then
- run_gunicorn "$config"
-else
+gunicorn="$(get "$config" gunicorn)"
+case "$gunicorn" in
+ no)
run_bottle "$config"
-fi
+ ;;
+ yes|True|background)
+ run_gunicorn "$config"
+ ;;
+esac
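Review bot: The new `case "$gunicorn"` at the end of the script has no default arm, so a missing or misspelled `gunicorn` value, which the old `else` branch sent to run_bottle, now makes the script exit 0 without starting anything. Add `*) echo "start_salami: unknown gunicorn setting: $gunicorn" >&2; exit 1 ;;` so systemd records a failure. In run_gunicorn, `gunicorn3 $opts` relies on unquoted word splitting, so a `gunicorn-log` or `gunicorn-pid-file` path containing spaces or glob characters is split or expanded, and `opts` is not declared `local`. Collecting the arguments with `set --` and calling `gunicorn3 "$@" salami.backend:app` avoids both. run_gunicorn begins above this hunk.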
diff --git a/without-tests b/without-tests
index a95a008..e093520 100644
--- a/without-tests
+++ b/without-tests
@@ -2,6 +2,7 @@ setup.py
doc/build.py
salami/__init__.py
salami/api.py
+salami/app.py
salami/backend.py
salami/log_setup.py
salami/responses.py
diff --git a/yarns/lib.py b/yarns/lib.py
index b36869d..8379b16 100644
--- a/yarns/lib.py
+++ b/yarns/lib.py
@@ -185,7 +185,7 @@ def start_salami():
}
config = {
- 'gunicorn': True,
+ 'gunicorn': 'background',
'gunicorn-log': 'gunicorn.log',
'gunicorn-pid-file': V['pid-file'],
'gunicorn-port': V['port'],