From 9f76b0c739fe87b910136a9d903cb8eff0b1bce9 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 31 May 2022 09:22:38 +0200
Subject: [PATCH 1/7] Refactor fetchVarsFromVault

---
 bridgehead | 2 +-
 lib/functions.sh | 36 +++++++++++++++++++++---------------
 2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/bridgehead b/bridgehead
index c39e1ae..20616e6 100755
--- a/bridgehead
+++ b/bridgehead
@@ -44,7 +44,7 @@ esac
 case "$ACTION" in
 start)
 checkRequirements
-fetchVarsFromVault /etc/bridgehead/$PROJECT.conf || exit 1
+fetchVarsFromVaultByFile /etc/bridgehead/$PROJECT.conf || exit 1
 exec docker-compose -f ./$PROJECT/docker-compose.yml --env-file /etc/bridgehead/$PROJECT.conf up
 ;;
 stop)
diff --git a/lib/functions.sh b/lib/functions.sh
index e2db02c..a63031f 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -26,20 +26,6 @@ checkRequirements() {
 }
 
 fetchVarsFromVault() {
-VARS_TO_FETCH=""
-
-for line in $(cat $@); do
-if [[ $line =~ .*=\.* ]]; then
-VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
-fi
-done
-
-if [ -z "$VARS_TO_FETCH" ]; then
-return 0
-fi
-
-log "INFO" "Fetching secrets from vault ..."
-
 [ -e /etc/bridgehead/vault.conf ] && source /etc/bridgehead/vault.conf
 
 if [ -z "$BW_MASTERPASS" ] || [ -z "$BW_CLIENTID" ] || [ -z "$BW_CLIENTSECRET" ]; then
@@ -49,7 +35,7 @@ fetchVarsFromVault() {
 
 set +e
 
-PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $VARS_TO_FETCH)
+PASS=$(BW_MASTERPASS="$BW_MASTERPASS" BW_CLIENTID="$BW_CLIENTID" BW_CLIENTSECRET="$BW_CLIENTSECRET" docker run --rm -e BW_MASTERPASS -e BW_CLIENTID -e BW_CLIENTSECRET -e http_proxy samply/bridgehead-vaultfetcher $@)
 RET=$?
 
 if [ $RET -ne 0 ]; then
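Review bot: `$@` in the new `docker run … samply/bridgehead-vaultfetcher $@` is unquoted, so the variable names handed to the fetcher are re-split and glob-expanded by the shell before they become container arguments; `"$@"` forwards them one per argument unchanged, and the same applies to the `$VARS_TO_FETCH` list the new caller builds. The names are derived from whitespace-separated words of the project config (`sed 's/=.*//'` on each), so a malformed config can already produce odd entries, and quoting at least keeps each entry intact. The body of `fetchVarsFromVault` continues past the end of this hunk, so I cannot see what is done with `PASS`; if the fetcher's output is later `eval`'d or `source`d, that is the place to validate it before execution.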
@@ -65,6 +51,26 @@ fetchVarsFromVault() {
 return 0
 }
 
+fetchVarsFromVaultByFile() {
+VARS_TO_FETCH=""
+
+for line in $(cat $@); do
+if [[ $line =~ .*=\.* ]]; then
+VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
+fi
+done
+
+if [ -z "$VARS_TO_FETCH" ]; then
+return 0
+fi
+
+log INFO "Fetching $(echo $VARS_TO_FETCH | wc -w) secrets from Vault ..."
+
+fetchVarsFromVault $VARS_TO_FETCH
+
+return 0
+}
+
 ##Setting Network properties
 export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 export HOST=$(hostname)
From ff3d6fb4fec5a32544979c90d2e676cf5315bb80 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 31 May 2022 13:40:25 +0200
Subject: =?UTF-8?q?Bugfix=20in=20fetchVarsFromVaultByFile:=20D?=
 =?UTF-8?q?etect=20variables=20with=20values=20=C3=A0=20la=20""?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 lib/functions.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index a63031f..2dccb5d 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
@@ -55,7 +55,7 @@ fetchVarsFromVaultByFile() {
 VARS_TO_FETCH=""
 
 for line in $(cat $@); do
-if [[ $line =~ .*=\.* ]]; then
+if [[ $line =~ .*=[\"]*\[\"]*.* ]]; then
 VARS_TO_FETCH+="$(echo -n $line | sed 's/=.*//') "
 fi
 done
From 57483e78d440ab734bf896ec0defd54cce2553c2 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 31 May 2022 13:55:40 +0200
Subject: [PATCH 3/7] Move checkOwner() to functions.sh

---
 lib/functions.sh | 9 +++++++++
 lib/prerequisites.sh | 13 ++-----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/lib/functions.sh b/lib/functions.sh
index 2dccb5d..c524dd4 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
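Review bot: `fetchVarsFromVaultByFile` discards the exit status of `fetchVarsFromVault $VARS_TO_FETCH` and ends with an unconditional `return 0`, so the `|| exit 1` that `bridgehead` attaches to the call can never fire and a failed vault fetch still proceeds to `docker-compose up` with the secrets missing. Propagate the status instead: `fetchVarsFromVault $VARS_TO_FETCH || return 1` (this assumes `fetchVarsFromVault` returns non-zero on failure; its error branches lie outside these hunks). Separately, `for line in $(cat $@)` word-splits and glob-expands the whole config, so a value containing spaces yields extra bogus names in `VARS_TO_FETCH`; `while IFS= read -r line; do …; done < "$1"` together with `${line%%=*}` reads one line at a time and drops the `echo | sed` subshell per entry.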
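Review bot: The replacement pattern `.*=[\"]*\[\"]*.*` is hard to verify by reading, and as rendered here the `\[` makes the regex require a literal `[` after the optional quote, which would not match the `NAME=""` lines the commit message wants to detect; this may be an artefact of the rendering, so please double-check the committed bytes. Whatever the intended shape, a comment stating it would help, e.g. `# match NAME=value lines, including an empty or ""-quoted value`, and if the intent is simply "the line contains a `=`", `[[ $line == *=* ]]` says so without a regex and `${line%%=*}` yields the name without the `sed` call. The enclosing `for` loop and function begin outside this hunk.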
@@ -7,6 +7,15 @@ exitIfNotRoot() {
 fi
 }
 
+checkOwner(){
+COUNT=$(find $1 ! -user $2 |wc -l)
+if [ $COUNT -gt 0 ]; then
+log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue."
+return 1
+fi
+return 0
+}
+
 log() {
 echo -e "$(date +'%Y-%m-%d %T')" "$1:" "$2"
 }
diff --git a/lib/prerequisites.sh b/lib/prerequisites.sh
index 13e32f6..e04161b 100755
--- a/lib/prerequisites.sh
+++ b/lib/prerequisites.sh
@@ -2,22 +2,13 @@
 
 source lib/functions.sh
 
-checkOwner(){
-## Check for file permissions
-COUNT=$(find $1 ! -user $2 |wc -l)
-if [ $COUNT -gt 0 ]; then
-log ERROR "$COUNT files in $1 are not owned by user $2. Run find $1 ! -user $2 to see them, chown -R $2 $1 to correct this issue."
-exit 1
-fi
-}
-
 if ! id "bridgehead" &>/dev/null; then
 log ERROR "User bridgehead does not exist. Please consult readme for installation."
 exit 1
 fi
 
-checkOwner . bridgehead
-checkOwner /etc/bridgehead bridgehead
+checkOwner . bridgehead || exit 1
+checkOwner /etc/bridgehead bridgehead || exit 1
 
 ## Check if user is a su
 log INFO "Checking if all prerequisites are met ..."
From 37d954e304ba95b164af34ed1a1141f5417c4027 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 31 May 2022 13:56:12 +0200
Subject: [PATCH 4/7] New function assertVarsNotEmpty()

---
 lib/functions.sh | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/functions.sh b/lib/functions.sh
index c524dd4..3d5a88f 100755
--- a/lib/functions.sh
+++ b/lib/functions.sh
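Review bot: `checkOwner` verifies ownership only; a file under `/etc/bridgehead` that is owned by `bridgehead` but group- or world-writable still lets any other local user edit `vault.conf` or the project config, both of which this tooling `source`s as shell code (see the `source /etc/bridgehead/vault.conf` line in the first patch). Since callers already treat a failure here as fatal, add a permission test next to the ownership one, e.g. `if [ "$(find "$1" -perm /go+w | wc -l)" -gt 0 ]; then log ERROR "Group/world-writable files found in $1"; return 1; fi`, and quote `"$1"` and `"$2"` in the existing `find` so a path with spaces is not split. A one-line header such as `# checkOwner DIR USER — fail (return 1) if any file under DIR is not owned by USER` would make the contract visible now that the function lives in the shared library.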
@@ -80,6 +80,23 @@ fetchVarsFromVaultByFile() {
 return 0
 }
 
+assertVarsNotEmpty() {
+MISSING_VARS=""
+
+for VAR in $@; do
+if [ -z "${!VAR}" ]; then
+MISSING_VARS+="$VAR "
+fi
+done
+
+if [ -n "$MISSING_VARS" ]; then
+log "ERROR" "Mandatory variables not defined: $MISSING_VARS"
+return 1
+fi
+
+return 0
+}
+
 ##Setting Network properties
 export HOSTIP=$(MSYS_NO_PATHCONV=1 docker run --rm --add-host=host.docker.internal:host-gateway ubuntu cat /etc/hosts | grep 'host.docker.internal' | awk '{print $1}');
 export HOST=$(hostname)
From 519f4785cb0b4f71c8384f2184e56d180d7ea10c Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 31 May 2022 13:56:44 +0200
Subject: [PATCH 5/7] Make git update use new credential helper that fetches git creds from vault.

---
 lib/gitpassword.sh | 46 ++++++++++++++++++++++++++++++++++++++++
 lib/update-bridgehead.sh | 29 ++++++++++++++++++++++---
 2 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100755 lib/gitpassword.sh

diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
new file mode 100755
index 0000000..3ec76d5
--- /dev/null
+++ b/lib/gitpassword.sh
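Review bot: `for VAR in $@` should be `for VAR in "$@"`; with the unquoted form a name containing a glob character is expanded against the working directory before the `${!VAR}` lookup, and an empty argument list behaves the same either way. `VAR` and `MISSING_VARS` are also left as globals in the caller's shell, which matters for a library that several scripts `source`; `local VAR MISSING_VARS=""` at the top keeps them private. A short header such as `# assertVarsNotEmpty NAME... — log and return 1 if any named variable is unset or empty` would document the contract that callers rely on with `|| exit 1`.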
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+if [ "$1" != "get" ]; then
+echo "Usage: $0 get"
+exit 1
+fi
+
+baseDir() {
+# see https://stackoverflow.com/questions/59895
+SOURCE=${BASH_SOURCE[0]}
+while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+DIR=$( cd -P "$( dirname "$SOURCE" )" >/dev/null 2>&1 && pwd )
+SOURCE=$(readlink "$SOURCE")
+[[ $SOURCE != /* ]] && SOURCE=$DIR/$SOURCE # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+done
+DIR=$( cd -P "$( dirname "$SOURCE" )/.." >/dev/null 2>&1 && pwd )
+echo $DIR
+}
+
+BASE=$(baseDir)
+cd $BASE
+
+source lib/functions.sh
+
+assertVarsNotEmpty SITE_ID || exit 1
+
+date >> /tmp/gitpass
+
+PARAMS="$(tee -a /tmp/gitpass)"
+GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
+
+fetchVarsFromVault CCP_GIT
+
+if [ -z "${CCP_GIT}" ]; then
+log ERROR "Git password not found."
+exit 1
+fi
+
+tee -a /tmp/gitpass <> /tmp/gitpass
diff --git a/lib/update-bridgehead.sh b/lib/update-bridgehead.sh
index 2b06687..b6cd317 100755
--- a/lib/update-bridgehead.sh
+++ b/lib/update-bridgehead.sh
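Review bot: The helper extracts `GITHOST` from git's request, but none of the visible lines compare it with anything, so as far as this rendering shows the vault password is handed to whichever host git asks about — a remote URL rewritten in either checked-out repo would receive it; the answering here-doc is lost in this rendering, so please confirm, and if there is no check add one such as `[ "$GITHOST" = "$GIT_HOST_EXPECTED" ] || exit 1` with the expected host taken from the site config. `cd $BASE` is unquoted and unchecked: if `baseDir` yields an empty or wrong path the script keeps running in the caller's directory and `source lib/functions.sh` loads whatever happens to be there, so use `cd "$BASE" || exit 1`. The `/tmp/gitpass` debug writes, which append the request and the reply to a fixed, predictable path, are removed by the last patch on this page, so I will not repeat that here.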
@@ -1,10 +1,30 @@
 #!/bin/bash
 source lib/functions.sh
 
-log "INFO" "Checking for updates of services"
+CONFFILE=/etc/bridgehead/$1.conf
+
+if [ ! -e $CONFFILE ]; then
+log ERROR "Configuration file $CONFFILE not found."
+exit 1
+fi
+
+source $CONFFILE
+
+assertVarsNotEmpty SITE_ID || exit 1
+export SITE_ID
+
+checkOwner . bridgehead || exit 1
+checkOwner /etc/bridgehead bridgehead || exit 1
+
+CREDHELPER="/srv/docker/bridgehead/lib/gitpassword.sh"
 
 # Check git updates
 for DIR in /etc/bridgehead $(pwd); do
+log "INFO" "Checking for updates to git repo $DIR ..."
+if [ "$(git -C $DIR config --get credential.helper)" != "$CREDHELPER" ]; then
+log "INFO" "Configuring repo to use bridgehead git credential helper."
+git -C $DIR config credential.helper "$CREDHELPER"
+fi
 old_git_hash="$(git -C $DIR rev-parse --verify HEAD)"
 git -C $DIR fetch 2>&1
 git -C $DIR pull 2>&1
@@ -30,6 +50,7 @@ for DIR in /etc/bridgehead $(pwd); do
 done
 
 # Check docker updates
+log "INFO" "Checking for updates to running docker images ..."
 docker_updated="false"
 for IMAGE in $(docker ps --filter "name=bridgehead" --format {{.Image}}); do
 log "INFO" "Checking for Updates of Image: $IMAGE"
@@ -41,10 +62,12 @@ done
 
 # If anything is updated, restart service
 if [ $git_updated = "true" ] || [ $docker_updated = "true" ]; then
-log "INFO" "Due to previous updates now restarting bridgehead"
+log "INFO" "Update detected, now restarting bridgehead"
 systemctl restart 'bridgehead@*'
+else
+log "INFO" "Nothing updated, nothing to restart."
 fi
-log "INFO" "checking updates finished"
+
 exit 0
 # TODO: Print last commit explicit
From 2168e6299dd4b01b4ea64b35d550464988ce5792 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 31 May 2022 14:02:09 +0200
Subject: [PATCH 6/7] Variable renamed to GIT_PASSWORD

---
 lib/gitpassword.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
index 3ec76d5..43795a4 100755
--- a/lib/gitpassword.sh
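Review bot: `source $CONFFILE` executes the project config as shell code before `checkOwner /etc/bridgehead bridgehead || exit 1` runs, so in this script the ownership check cannot protect against a tampered config; move the two `checkOwner` lines above `source $CONFFILE`. `$1` is spliced into `CONFFILE=/etc/bridgehead/$1.conf` unvalidated, so a value containing `/` or `..` resolves to a file outside `/etc/bridgehead`; guard it first with something like `[[ $1 =~ ^[A-Za-z0-9_-]+$ ]] || { log ERROR "Invalid project name: $1"; exit 1; }`. A one-line comment on `CREDHELPER` noting that the helper fetches the password from the vault on every `git fetch` would save the next reader a trip to `gitpassword.sh`; the `for DIR` loop continues past this hunk.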
+++ b/lib/gitpassword.sh
@@ -29,9 +29,9 @@ date >> /tmp/gitpass
 PARAMS="$(tee -a /tmp/gitpass)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 
-fetchVarsFromVault CCP_GIT
+fetchVarsFromVault GIT_PASSWORD
 
-if [ -z "${CCP_GIT}" ]; then
+if [ -z "${GIT_PASSWORD}" ]; then
 log ERROR "Git password not found."
 exit 1
 fi
@@ -40,7 +40,7 @@ tee -a /tmp/gitpass <> /tmp/gitpass
From 2c50d357a9e07ce9a18eabcdd33437819a20e092 Mon Sep 17 00:00:00 2001
From: Martin Lablans
Date: Tue, 31 May 2022 14:03:07 +0200
Subject: [PATCH 7/7] Disable debug output.

---
 lib/gitpassword.sh | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/lib/gitpassword.sh b/lib/gitpassword.sh
index 43795a4..25eb9ce 100755
--- a/lib/gitpassword.sh
+++ b/lib/gitpassword.sh
@@ -24,9 +24,7 @@ source lib/functions.sh
 
 assertVarsNotEmpty SITE_ID || exit 1
 
-date >> /tmp/gitpass
-
-PARAMS="$(tee -a /tmp/gitpass)"
+PARAMS="$(cat)"
 GITHOST=$(echo "$PARAMS" | grep "^host=" | sed 's/host=\(.*\)/\1/g')
 
 fetchVarsFromVault GIT_PASSWORD
@@ -36,11 +34,9 @@ if [ -z "${GIT_PASSWORD}" ]; then
 exit 1
 fi
 
-tee -a /tmp/gitpass <> /tmp/gitpass
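Review bot: Switching to `PARAMS="$(cat)"` stops new writes, but any host that already ran the previous revision still has `/tmp/gitpass` holding every git request (protocol, host, username) plus whatever the now-removed `tee -a /tmp/gitpass` here-doc answered — presumably the password, though the here-doc text is not visible in this rendering. Rolling this out should therefore include deleting the file and rotating `GIT_PASSWORD`, e.g. a one-off `rm -f /tmp/gitpass` in the update path or a note in the release notes, since the file sat at a fixed, predictable path. The status of `fetchVarsFromVault GIT_PASSWORD` is still unchecked, though the `-z` test just below covers the practical failure case.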