Merge pull request #440 from foundriesio/fetch-apps-thru-proxy

appengine: Fetch apps through proxy if set

Author: mike-sul

src/composeapp/appengine.cc

@@ -14,11 +14,22 @@ static bool isNullOrEmptyOrUnset(const Json::Value& val, const std::string& fiel
 
 AppEngine::Result AppEngine::fetch(const App& app) {
   Result res{false};
+  bool was_proxy_set{false};
   try {
     // If a given app was fetched before, then don't consider it as a fetched app if a caller tries to fetch it again
     // for one reason or another - hence remove it from the set of fetched apps.
     fetched_apps_.erase(app.uri);
     if (local_source_path_.empty()) {
+      if (proxy_) {
+        // If the proxy provider is set, then obtain the proxy URL and CA from it,
+        // and set the corresponding environment variables for `composectl`.
+        const auto proxy{proxy_()};
+        if (!proxy.first.empty()) {
+          ::setenv("COMPOSE_APPS_PROXY", proxy.first.c_str(), 1);
+          ::setenv("COMPOSE_APPS_PROXY_CA", proxy.second.c_str(), 1);
+          was_proxy_set = true;
+        }
+      }
       exec(boost::format{"%s --store %s pull -p %s --storage-usage-watermark %d"} % composectl_cmd_ % storeRoot() %
                app.uri % storage_watermark_,
            "failed to pull compose app", "", nullptr, "4h", true);
@@ -40,6 +51,10 @@ AppEngine::Result AppEngine::fetch(const App& app) {
   } catch (const std::exception& exc) {
     res = {false, exc.what()};
   }
+  if (was_proxy_set) {
+    ::unsetenv("COMPOSE_APPS_PROXY");
+    ::unsetenv("COMPOSE_APPS_PROXY_CA");
+  }
   return res;
 }
 

src/composeapp/appengine.h

@@ -5,6 +5,8 @@
 
 namespace composeapp {
 
+using ProxyProvider = std::function<std::pair<std::string, std::string>()>;
+
 class AppEngine : public Docker::RestorableAppEngine {
  public:
   AppEngine(boost::filesystem::path store_root, boost::filesystem::path install_root,
@@ -14,14 +16,15 @@ class AppEngine : public Docker::RestorableAppEngine {
             int storage_watermark = 80,
             StorageSpaceFunc storage_space_func = RestorableAppEngine::GetDefStorageSpaceFunc(),
             ClientImageSrcFunc client_image_src_func = nullptr, bool create_containers_if_install = true,
-            const std::string& local_source_path = "")
+            const std::string& local_source_path = "", ProxyProvider proxy = nullptr)
       : Docker::RestorableAppEngine(
             std::move(store_root), std::move(install_root), std::move(docker_root), std::move(registry_client),
             std::move(docker_client), "", std::move(docker_host), std::move(compose_cmd), std::move(storage_space_func),
             std::move(client_image_src_func), create_containers_if_install, !local_source_path.empty()),
         composectl_cmd_{std::move(composectl_cmd)},
         storage_watermark_{storage_watermark},
-        local_source_path_{local_source_path} {}
+        local_source_path_{local_source_path},
+        proxy_{proxy} {}
 
   Result fetch(const App& app) override;
   void remove(const App& app) override;
@@ -37,6 +40,7 @@ class AppEngine : public Docker::RestorableAppEngine {
   const std::string composectl_cmd_;
   const int storage_watermark_;
   const std::string local_source_path_;
+  ProxyProvider proxy_;
   mutable std::set<std::string> fetched_apps_;
 };
 

src/composeappmanager.cc

@@ -63,6 +63,12 @@ ComposeAppManager::Config::Config(const PackageConfig& pconfig) {
   if (raw.count("composectl_bin") == 1) {
     composectl_bin = raw.at("composectl_bin");
   }
+  if (raw.count("compose_apps_proxy") == 1) {
+    apps_proxy = raw.at("compose_apps_proxy");
+  }
+  if (raw.count("compose_apps_proxy_ca") == 1) {
+    apps_proxy_ca = raw.at("compose_apps_proxy_ca");
+  }
 #endif  // USE_COMPOSEAPP_ENGINE
 
   if (raw.count("docker_prune") == 1) {
@@ -145,10 +151,24 @@ ComposeAppManager::ComposeAppManager(const PackageConfig& pconfig, const Bootloa
       }
 #ifdef USE_COMPOSEAPP_ENGINE
       const auto composectl_cmd{boost::filesystem::canonical(cfg_.composectl_bin).string()};
+      composeapp::ProxyProvider proxy{nullptr};
+      if (!cfg_.apps_proxy.empty()) {
+        proxy = [this]() {
+          std::string proxy_url;
+          const auto& proxyUrlResp{http_->post(cfg_.apps_proxy, "")};
+          if (proxyUrlResp.isOk()) {
+            proxy_url = proxyUrlResp.body;
+            LOG_DEBUG << "Got app proxy URL: " << proxy_url;
+          } else {
+            LOG_ERROR << "Failed to obtain proxy URL: " << proxyUrlResp.getStatusStr();
+          }
+          return std::make_pair(proxy_url, cfg_.apps_proxy_ca);
+        };
+      }
       app_engine_ = std::make_shared<composeapp::AppEngine>(
           cfg_.reset_apps_root, cfg_.apps_root, cfg_.images_data_root, registry_client,
           std::make_shared<Docker::DockerClient>(), docker_host, compose_cmd, composectl_cmd, cfg_.storage_watermark,
-          Docker::RestorableAppEngine::GetDefStorageSpaceFunc(cfg_.storage_watermark));
+          Docker::RestorableAppEngine::GetDefStorageSpaceFunc(cfg_.storage_watermark), nullptr, true, "", proxy);
 #else
       const std::string skopeo_cmd{boost::filesystem::canonical(cfg_.skopeo_bin).string()};
       app_engine_ = std::make_shared<Docker::RestorableAppEngine>(

src/composeappmanager.h

@@ -27,6 +27,8 @@ class ComposeAppManager : public RootfsTreeManager {
     boost::filesystem::path skopeo_bin{"/sbin/skopeo"};
 #ifdef USE_COMPOSEAPP_ENGINE
     boost::filesystem::path composectl_bin{"/usr/bin/composectl"};
+    std::string apps_proxy;
+    std::string apps_proxy_ca;
 #endif  // USE_COMPOSEAPP_ENGINE
     bool docker_prune{true};
     bool force_update{false};

src/liteclient.cc

@@ -149,6 +149,7 @@ LiteClient::LiteClient(Config config_in, const AppEngine::Ptr& app_engine, const
       // Enforce the restorable app engine usage
       config.pacman.extra["reset_apps"] = "";
     }
+    config.pacman.extra["compose_apps_proxy_ca"] = config.storage.tls_cacert_path.get(config.storage.path).string();
     basepacman = std::make_shared<ComposeAppManager>(config.pacman, config.bootloader, storage, http_client,
                                                      ostree_sysroot, *key_manager_, app_engine);
   } else if (config.pacman.type == RootfsTreeManager::Name) {