From c26b57697038a1cb286854055d9b5d3994e1382f Mon Sep 17 00:00:00 2001
From: Rich Wareham <rjw57@cam.ac.uk>
Date: Mon, 16 Jul 2018 10:18:15 +0100
Subject: [PATCH] compose: fix lookupproxy deployment

The lookupproxy compose configuration was only semi-functional. Since
we're going to need to re-deploy the lookupproxy in development *anyway*
to bring in the django-automationoauth fixes, fix up the configuration
so that it can use the upstream production image.

This should further reduce CircleCI build times and also means that
lookupproxy actually works in development. Previously it didn't since
the OAuth2 configuration was not being set.
---
 compose/base.yml                 |  9 +++++---
 compose/create-oauth2-clients.sh |  8 +++++++
 compose/lookupproxy.Dockerfile   | 22 ------------------
 compose/lookupproxy.env          |  8 ++++++-
 compose/lookupproxysettings.py   | 38 ++++++++++++++++++++++++++++++++
 5 files changed, 59 insertions(+), 26 deletions(-)
 delete mode 100644 compose/lookupproxy.Dockerfile
 create mode 100644 compose/lookupproxysettings.py

diff --git a/compose/base.yml b/compose/base.yml
index 16ecbe47..8a694996 100644
--- a/compose/base.yml
+++ b/compose/base.yml
@@ -11,9 +11,8 @@ services:
 
   # Lookup proxy service
   lookupproxy:
-    build:
-      context: .
-      dockerfile: ./lookupproxy.Dockerfile
+    image: uisautomation/lookupproxy
+    entrypoint: ["/tmp/wait-for-it.sh", "lookupproxy-db:5432", "--", "/tmp/start-devserver.sh"]
     expose:
       - "8080"
     ports:
@@ -23,6 +22,10 @@ services:
       - "hydra"
     env_file:
       - lookupproxy.env
+    volumes:
+      - ./start-devserver.sh:/tmp/start-devserver.sh
+      - ./wait-for-it.sh:/tmp/wait-for-it.sh
+      - ./lookupproxysettings.py:/usr/src/app/settings.py
   lookupproxy-db:
     image: postgres
     env_file:
diff --git a/compose/create-oauth2-clients.sh b/compose/create-oauth2-clients.sh
index 5074348c..29022a87 100755
--- a/compose/create-oauth2-clients.sh
+++ b/compose/create-oauth2-clients.sh
@@ -16,6 +16,7 @@ hydra connect \
 # corresponding clients did not exist
 hydra clients delete smswebapp || echo "-- smswebapp not deleted"
 hydra clients delete lookupproxy || echo "-- lookupproxy not deleted"
+hydra clients delete lookupproxyserver || echo "-- lookupproxyserver not deleted"
 
 # Create smswebapp client which can request scopes to access the lookup proxy
 # and to introspect tokens from hydra.
@@ -34,6 +35,13 @@ hydra clients create \
     --response-types token \
     --allowed-scopes lookup:anonymous
 
+# Create lookupproxyserver client which can request scopes to introspect tokens
+hydra clients create \
+    --id lookupproxyserver --secret lookupproxysecret \
+    --grant-types client_credentials \
+    --response-types token \
+    --allowed-scopes hydra.introspect
+
 # We need to create a Hydra policy allowing the smswebapp to introspect tokens.
 # Delete a policy if it is already in place and re-create it
 hydra policies delete introspect-policy \
diff --git a/compose/lookupproxy.Dockerfile b/compose/lookupproxy.Dockerfile
deleted file mode 100644
index 69d25ef6..00000000
--- a/compose/lookupproxy.Dockerfile
+++ /dev/null
@@ -1,22 +0,0 @@
-FROM uisautomation/django:2.0-py3.6
-
-# Do everything relative to /usr/src/app which is where we install our
-# application.
-WORKDIR /usr/src/app
-
-# Clone latest lookupproxy source
-RUN \
-	git clone https://github.com/uisautomation/lookupproxy /usr/src/app && \
-	apk add postgresql-dev gcc musl-dev && \
-	pip install -r requirements.txt && \
-	pip install -r requirements_developer.txt
-
-# Copy startup script
-ADD ./start-devserver.sh ./wait-for-it.sh /tmp/
-
-# By default, use the Django development server to serve the application and use
-# developer-specific settings.
-#
-# *DO NOT DEPLOY THIS TO PRODUCTION*
-ENV DJANGO_SETTINGS_MODULE lookupproxy.settings_developer
-ENTRYPOINT ["/tmp/wait-for-it.sh", "lookupproxy-db:5432", "--", "/tmp/start-devserver.sh"]
diff --git a/compose/lookupproxy.env b/compose/lookupproxy.env
index 906959de..f9a3ccd4 100644
--- a/compose/lookupproxy.env
+++ b/compose/lookupproxy.env
@@ -5,7 +5,7 @@
 PORT=8080
 
 # Use the developer-specific settings.
-DJANGO_SETTINGS_MODULE=lookupproxy.settings.developer
+DJANGO_SETTINGS_MODULE=settings
 
 # Set the secret key.
 DJANGO_SECRET_KEY="$zaxY\Vowc,sp9EIs31cj^T5C~0D%5HI[<Xa9P,[jxr=X67}"
@@ -22,5 +22,11 @@ POSTGRES_DB=lookupproxy
 POSTGRES_USER=lookupproxyuser
 POSTGRES_PASSWORD=databasePass
 
+OAUTH2_TOKEN_URL=http://hydra:4444/oauth2/token
+OAUTH2_INTROSPECT_URL=http://hydra:4444/oauth2/introspect
+OAUTH2_AUTH_URL=http://localhost:4444/oauth2/auth
+OAUTH2_CLIENT_ID=lookupproxyserver
+OAUTH2_CLIENT_SECRET=lookupproxysecret
+
 # To allow talking to OAuth2 endpoint over HTTP
 OAUTHLIB_INSECURE_TRANSPORT=1
diff --git a/compose/lookupproxysettings.py b/compose/lookupproxysettings.py
new file mode 100644
index 00000000..bbae418e
--- /dev/null
+++ b/compose/lookupproxysettings.py
@@ -0,0 +1,38 @@
+import os
+
+from lookupproxy.settings.base import *  # noqa: F403
+
+DEBUG = True
+
+ALLOWED_HOSTS = ['*']
+
+OAUTH2_TOKEN_URL = os.environ.get('OAUTH2_TOKEN_URL')
+OAUTH2_INTROSPECT_URL = os.environ.get('OAUTH2_INTROSPECT_URL')
+OAUTH2_CLIENT_ID = os.environ.get('OAUTH2_CLIENT_ID')
+OAUTH2_CLIENT_SECRET = os.environ.get('OAUTH2_CLIENT_SECRET')
+OAUTH2_INTROSPECT_SCOPES = ['hydra.introspect']
+
+SWAGGER_SETTINGS['SECURITY_DEFINITIONS']['oauth2']['authorizationUrl'] = (  # noqa: F405
+    os.environ.get('OAUTH2_AUTH_URL')
+)
+
+# For the moment, the lookup certificates in test do not match the root hard-coded into the client.
+LOOKUP_API_ENDPOINT_HOST = 'www.lookup.cam.ac.uk'
+
+# Ensure that logging is shown in the console.
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+        },
+    },
+    'loggers': {
+        '': {
+            'handlers': ['console'],
+            'level': 'INFO',
+            'propagate': True,
+        },
+    },
+}