From b2a725121c76a637921392f8a3f01438cfce88da Mon Sep 17 00:00:00 2001
From: irregulator
Date: Mon, 26 May 2014 09:26:47 +0300
Subject: [PATCH 1/5] Introduce eip-service-2.json to add values for obfsproxy
---
.../v1/eip-service-2.json.erb | 64 +++++++++++++++++++
1 file changed, 64 insertions(+)
create mode 100644 provider_base/files/service-definitions/v1/eip-service-2.json.erb
diff --git a/provider_base/files/service-definitions/v1/eip-service-2.json.erb b/provider_base/files/service-definitions/v1/eip-service-2.json.erb
new file mode 100644
index 00000000..bdbe533e
--- /dev/null
+++ b/provider_base/files/service-definitions/v1/eip-service-2.json.erb
@@ -0,0 +1,64 @@
+<%=
+ def underscore(words)
+ words = words.to_s.dup
+ words.downcase!
+ words.gsub! /[^a-z]/, '_'
+ words
+ end
+
+ def add_gateway(node, locations, options={})
+ return nil if options[:ip] == 'REQUIRED'
+ gateway = {}
+ gateway["capabilities"] = node.openvpn.pick(:ports, :protocols, :user_ips, :adblock, :filter_dns)
+ gateway["capabilities"]["transport"] = ["openvpn"]
+ gateway["host"] = node.domain.full
+ gateway["ip_address"] = options[:ip]
+ gateway["capabilities"]["limited"] = options[:limited]
+ if node['location']
+ location_name = underscore(node.location.name)
+ gateway["location"] = location_name
+ locations[location_name] ||= node.location
+ end
+ gateway
+ end
+
+ def add_obfsproxy(node)
+ obfsproxy = {}
+ obfsproxy["ip_address"] = node.ip_address
+ if node['obfsproxy']['scramblesuit']
+ obfsproxy["transport"] = "scramblesuit"
+ obfsproxy["scramblesuit"] = node.obfsproxy.scramblesuit.pick(:port, :password)
+ end
+ obfsproxy
+ end
+
+ hsh = {}
+ hsh["serial"] = 1
+ hsh["version"] = 1
+ locations = {}
+ gateways = []
+ obfsproxies = []
+ configuration = nil
+ nodes_like_me[:services => 'openvpn'].each_node do |node|
+ if node.openvpn.allow_limited && node.openvpn.allow_unlimited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
+ gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true)
+ elsif node.openvpn.allow_unlimited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false)
+ elsif node.openvpn.allow_limited
+ gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true)
+ end
+ if configuration && node.openvpn.configuration != configuration
+ log :error, "OpenVPN nodes in the environment `#{node.environment}` have conflicting `openvpn.configuration` values. This will result in bad errors."
+ end + configuration = node.openvpn.configuration + end + nodes_like_me[:services => 'obfsproxy'].each_node do |node| + obfsproxies << add_obfsproxy(node) + end + hsh["gateways"] = gateways.compact + hsh["locations"] = locations + hsh["openvpn_configuration"] = configuration + hsh["obfsproxies"] = obfsproxies.compact + JSON.sorted_generate hsh +%> From d1bdd3ed03526eabd7b070d4190129bd04e3bb04 Mon Sep 17 00:00:00 2001 From: irregulator Date: Tue, 27 May 2014 22:41:40 +0300 Subject: [PATCH 2/5] Make web_app serve eip-service-2.json, with obfsproxy details --- platform.rb | 2 +- provider_base/services/webapp.json | 3 ++- puppet/modules/site_webapp/manifests/init.pp | 7 +++++++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/platform.rb b/platform.rb index 872a34cb..a0844ddb 100644 --- a/platform.rb +++ b/platform.rb @@ -39,7 +39,7 @@ # input templates :provider_json_template => 'files/service-definitions/provider.json.erb', - :eip_service_json_template => 'files/service-definitions/#{arg}/eip-service.json.erb', + :eip_service_json_template => 'files/service-definitions/#{arg[0]}/eip-service#{arg[1]}.json.erb', :soledad_service_json_template => 'files/service-definitions/#{arg}/soledad-service.json.erb', :smtp_service_json_template => 'files/service-definitions/#{arg}/smtp-service.json.erb', diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json index 3af0dade..5093bec3 100644 --- a/provider_base/services/webapp.json +++ b/provider_base/services/webapp.json 
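Review bot: `add_obfsproxy` copies the scramblesuit `:password` into the generated document with no comment on who is expected to read it, and a later patch in this series installs that document under `/srv/leap/webapp/public/${api_version}/config/` with mode `0644`. If that path is served without authentication (not visible here), the password is effectively public and only protects the bridge against probers who have not fetched the file. I would add a comment above the `pick(:port, :password)` line such as `# scramblesuit password is a client-distributed shared secret; treat this file as readable by anyone who can fetch it`. Separately, `node['obfsproxy']['scramblesuit']` assumes `node['obfsproxy']` is always present; `node['obfsproxy'] && node['obfsproxy']['scramblesuit']` would presumably fail soft on a node without that section.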
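Review bot: The `:eip_service_json_template` entry now indexes its argument as `arg[0]`/`arg[1]`, while the neighbouring soledad and smtp entries still interpolate `#{arg}` whole, so the expected shape of `arg` differs per key and nothing in the hunk says so. If a caller still passes a single version string, `String#[]` would presumably yield single characters rather than raise, and the lookup would resolve to a wrong path silently. A one-line comment above the entry, e.g. `# arg is [version_dir, suffix]; suffix is '' or '-2'`, would document the contract. The surrounding hash starts and ends outside the hunk.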
@@ -45,7 +45,8 @@ }, "definition_files": { "provider": "= file :provider_json_template", - "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s]", + "eip_service": "= file [:eip_service_json_template, 'v'+webapp.api_version.to_s, '']", + "eip_service_2": "= try_file [:eip_service_json_template, 'v'+webapp.api_version.to_s, '-2']", "soledad_service": "= file [:soledad_service_json_template, 'v'+webapp.api_version.to_s]", "smtp_service": "= file [:smtp_service_json_template, 'v'+webapp.api_version.to_s]" }, diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 08618457..03336ddb 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -3,6 +3,7 @@ $definition_files = hiera('definition_files') $provider = $definition_files['provider'] $eip_service = $definition_files['eip_service'] + $eip_service_2 = $definition_files['eip_service_2'] $soledad_service = $definition_files['soledad_service'] $smtp_service = $definition_files['smtp_service'] $node_domain = hiera('domain') @@ -123,6 +124,12 @@ content => $smtp_service, require => Vcsrepo['/srv/leap/webapp'], owner => leap-webapp, group => leap-webapp, mode => '0644'; + + "/srv/leap/webapp/public/${api_version}/config/eip-service-2.json": + content => $eip_service_2, + require => Vcsrepo['/srv/leap/webapp'], + owner => leap-webapp, group => leap-webapp, mode => '0644'; + } try::file { From b73fece88e08769d1d31d52e536553faa101cb60 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 28 May 2014 16:05:29 +0300 Subject: [PATCH 3/5] Let eip-service-2.json pick obfsproxy details from vpn nodes too. When obfsproxy is deployed alongside eip service, gateway address will be used. If standalone, ip_address will be used. --- .../files/service-definitions/v1/eip-service-2.json.erb | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
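Review bot: The new `eip-service-2.json` file resource in the second `init.pp` hunk is declared unconditionally, but `webapp.json` in this same commit fills `eip_service_2` through `try_file` rather than `file`, which suggests the value can be absent when no `-2` template exists for the API version. In that case `content => $eip_service_2` would be undefined and the resource would presumably manage an empty or stale file under `public/`. Moving the entry into its own `file { ... }` declaration guarded by `if $eip_service_2`, or switching `webapp.json` to `file` if the template is mandatory, would make the intent explicit. The resource list this entry is added to starts outside the hunk.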
diff --git a/provider_base/files/service-definitions/v1/eip-service-2.json.erb b/provider_base/files/service-definitions/v1/eip-service-2.json.erb index bdbe533e..3937ae3c 100644 --- a/provider_base/files/service-definitions/v1/eip-service-2.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service-2.json.erb @@ -24,7 +24,11 @@ def add_obfsproxy(node) obfsproxy = {} - obfsproxy["ip_address"] = node.ip_address + if node.services.include?("openvpn") + obfsproxy["ip_address"] = node.openvpn.gateway_address + elsif node.services.include?("obfsproxy") + obfsproxy["ip_address"] = node.ip_address + end if node['obfsproxy']['scramblesuit'] obfsproxy["transport"] = "scramblesuit" obfsproxy["scramblesuit"] = node.obfsproxy.scramblesuit.pick(:port, :password) @@ -52,6 +56,7 @@ log :error, "OpenVPN nodes in the environment `#{node.environment}` have conflicting `openvpn.configuration` values. This will result in bad errors." end configuration = node.openvpn.configuration + obfsproxies << add_obfsproxy(node) end nodes_like_me[:services => 'obfsproxy'].each_node do |node| obfsproxies << add_obfsproxy(node) From 20c7d9b38cc28e6005ea6759ea4672784d009036 Mon Sep 17 00:00:00 2001 From: irregulator Date: Wed, 28 May 2014 16:42:25 +0300 Subject: [PATCH 4/5] In eip_service_2 definition, move gateways from array to hash --- .../service-definitions/v1/eip-service-2.json.erb | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/provider_base/files/service-definitions/v1/eip-service-2.json.erb b/provider_base/files/service-definitions/v1/eip-service-2.json.erb index 3937ae3c..c6f2eb3d 100644 --- a/provider_base/files/service-definitions/v1/eip-service-2.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service-2.json.erb 
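Review bot: The added `obfsproxies << add_obfsproxy(node)` inside the openvpn loop (second hunk) runs for every openvpn node whether or not it offers obfsproxy, and `add_obfsproxy` always returns a hash, so the later `obfsproxies.compact` never removes these entries. A node that carries both services would presumably be listed twice, once from this loop and once from the `:services => 'obfsproxy'` loop that follows. Guarding the call, e.g. `obfsproxies << add_obfsproxy(node) if node.services.include?('obfsproxy')`, and skipping openvpn nodes in the second loop would keep one entry per proxy. In the first hunk, `node.openvpn.gateway_address` is published without the `== 'REQUIRED'` placeholder check that `add_gateway` applies to the same value. Both enclosing blocks start outside their hunks.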
@@ -40,17 +40,17 @@ hsh["serial"] = 1 hsh["version"] = 1 locations = {} - gateways = [] + gateways = {} obfsproxies = [] configuration = nil nodes_like_me[:services => 'openvpn'].each_node do |node| if node.openvpn.allow_limited && node.openvpn.allow_unlimited - gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) - gateways << add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true) + gateways[node.name + '_unlimited'] = add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + gateways[node.name + '_limited'] = add_gateway(node, locations, :ip => node.openvpn.second_gateway_address, :limited => true) elsif node.openvpn.allow_unlimited - gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) + gateways[node.name + '_unlimited'] = add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => false) elsif node.openvpn.allow_limited - gateways << add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true) + gateways[node.name + '_limited'] = add_gateway(node, locations, :ip => node.openvpn.gateway_address, :limited => true) end if configuration && node.openvpn.configuration != configuration log :error, "OpenVPN nodes in the environment `#{node.environment}` have conflicting `openvpn.configuration` values. This will result in bad errors." @@ -61,7 +61,7 @@ nodes_like_me[:services => 'obfsproxy'].each_node do |node| obfsproxies << add_obfsproxy(node) end - hsh["gateways"] = gateways.compact + hsh["gateways"] = gateways hsh["locations"] = locations hsh["openvpn_configuration"] = configuration hsh["obfsproxies"] = obfsproxies.compact From 2e7d04e34a2a78fef4265f4ee2df62bdb70986ad Mon Sep 17 00:00:00 2001 
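Review bot: `add_gateway` returns `nil` when the address is still the `'REQUIRED'` placeholder, and with the switch from array to hash the second hunk drops `.compact`, so those nils are now stored under the `node.name + '_limited'` / `'_unlimited'` keys and would be serialised as `null` gateways. Filtering at assignment time, e.g. `hsh["gateways"] = gateways.reject { |_, gw| gw.nil? }`, restores the earlier behaviour. The loop body and the tail of the template continue outside the hunks.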
From: irregulator Date: Wed, 28 May 2014 16:50:47 +0300 Subject: [PATCH 5/5] Remove serial and version from eip_service_2 definition --- .../files/service-definitions/v1/eip-service-2.json.erb | 2 -- 1 file changed, 2 deletions(-) diff --git a/provider_base/files/service-definitions/v1/eip-service-2.json.erb b/provider_base/files/service-definitions/v1/eip-service-2.json.erb index c6f2eb3d..9293e7c4 100644 --- a/provider_base/files/service-definitions/v1/eip-service-2.json.erb +++ b/provider_base/files/service-definitions/v1/eip-service-2.json.erb @@ -37,8 +37,6 @@ end hsh = {} - hsh["serial"] = 1 - hsh["version"] = 1 locations = {} gateways = {} obfsproxies = []