From 277d031bb6b96163f18c17e332521eb3f0cdfcfa Mon Sep 17 00:00:00 2001
From: Andrew Nowak
Date: Tue, 25 Apr 2023 12:08:31 +0100
Subject: [PATCH] Only make changes in setup-app and -cert if previous config does not already exist
---
 README.md | 8 +++--
 script/setup-app | 82 ++++++++++++++++++++++++++++-------------------
 script/setup-cert | 57 +++++++++++++++++++++-----------
 3 files changed, 94 insertions(+), 53 deletions(-)
diff --git a/README.md b/README.md
index bbd6665..52679f4 100644
--- a/README.md
+++ b/README.md
@@ -122,18 +122,22 @@ Stops, if running, and starts nginx.
 #### `setup-cert`
 ```bash
-dev-nginx setup-cert demo-frontend.foobar.co.uk
+dev-nginx setup-cert [--force] demo-frontend.foobar.co.uk
 ```
 Uses `mkcert` to issue a certificate for a domain, writing it to `~/.gu/mkcert` and symlinking it into the directory nginx is installed.
+By default will do nothing if a certificate has been issued, installed and remains valid for the next 14 days. Include the `--force` flag
+to issue a new certificate if required.
 #### `setup-app`
 ```bash
-dev-nginx setup-app /path/to/nginx-mapping.yml
+dev-nginx setup-app [--force] /path/to/nginx-mapping.yml
 ```
 Generates config for nginx proxy site(s) from a config file, issues the certificate(s) and restarts nginx.
+By default will do nothing if config already exists and matches what would be generated. Include the `--force` flag to
+install config and issue new certificates if required.
 ##### Config format
diff --git a/script/setup-app b/script/setup-app
index d172601..d5281b5 100755
--- a/script/setup-app
+++ b/script/setup-app
@@ -3,8 +3,8 @@
 require 'yaml'
 require 'fileutils'
-if ARGV.size != 1
- puts "usage: setup-app "
+if ARGV.size != 1 and ARGV.size != 2
+ puts "usage: setup-app [--force] "
 exit(1)
 end
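Review bot: In script/setup-app, the relaxed argument check `ARGV.size != 1 and ARGV.size != 2` no longer guarantees that a config path was supplied. `setup-app --force` on its own passes the check, and the following hunk then sets `config_file` to `ARGV[1]`, which is nil, so the script fails inside `YAML.load_file` instead of printing the usage line. Two non-flag arguments are also accepted and the second one is silently ignored. Parsing the flag first and validating what is left covers both cases, e.g. `force = !ARGV.delete("--force").nil?` followed by the original `if ARGV.size != 1` usage check.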
@@ -12,7 +12,9 @@ HERE=File.dirname(__FILE__)
 DEFAULT_DOMAIN_ROOT = "local.dev-gutools.co.uk"
 NGINX_DIR = `#{HERE}/locate-nginx`.chomp
-config_file = ARGV[0]
+config_file = ARGV[0] != "--force" ? ARGV[0] : ARGV[1]
+
+force = ARGV[0] == "--force" or ARGV[1] == "--force"
 config = YAML.load_file(config_file)
 name = config['name']
@@ -24,32 +26,32 @@ FileUtils.mkdir_p(dest_dir)
 dest = File.join(dest_dir, "#{name}.conf")
-file = File.open(dest, 'w') do |file|
+server_config = ""
- config['mappings'].each do |mapping|
+config['mappings'].each do |mapping|
- domain_root = mapping['domain-root'] || global_domain_root
- path = mapping['path'] || ''
- websocket = mapping['websocket']
+ domain_root = mapping['domain-root'] || global_domain_root
+ path = mapping['path'] || ''
+ websocket = mapping['websocket']
- domain = if mapping['prefix'] then "#{mapping['prefix']}.#{domain_root}" else "#{domain_root}" end
+ domain = if mapping['prefix'] then "#{mapping['prefix']}.#{domain_root}" else "#{domain_root}" end
- client_max_body_size = mapping['client_max_body_size']
+ client_max_body_size = mapping['client_max_body_size']
- file.write <<-EOS
+ server_config << <<-EOS
 server {
 listen #{port};
 server_name #{domain};
 EOS
- if client_max_body_size
- file.write <<-EOS
+ if client_max_body_size
+ server_config << <<-EOS
 client_max_body_size #{client_max_body_size};
- EOS
- end
+EOS
+ end
- if websocket
- file.write <<-EOS
+ if websocket
+ server_config << <<-EOS
 location #{websocket} {
 proxy_pass http://localhost:#{mapping['port']}#{websocket};
@@ -60,9 +62,9 @@ EOS
 proxy_buffering off;
 }
 EOS
- end
+ end
- file.write <<-EOS
+ server_config << <<-EOS
 location / {
 proxy_http_version 1.1;
@@ -77,8 +79,8 @@ EOS
 EOS
- if ssl
- file.write <<-EOS
+ if ssl
+ server_config << <<-EOS
 ssl_certificate #{domain}.crt;
 ssl_certificate_key #{domain}.key;
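Review bot: In script/setup-app (hunk at -12,7), `force = ARGV[0] == "--force" or ARGV[1] == "--force"` does not do what it reads as, because `or` binds more loosely than `=`. Ruby parses it as `(force = ARGV[0] == "--force") or (ARGV[1] == "--force")`, so the second comparison is evaluated and thrown away. `setup-app mapping.yml --force` therefore runs with `force` false, although the `config_file` line just above accepts the flag in either position. Use `||` instead of `or`, or simply `force = ARGV.include?("--force")`.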
@@ -88,15 +90,15 @@ EOS
 ssl_ciphers HIGH:!aNULL:!MD5;
 ssl_prefer_server_ciphers on;
 EOS
- end
+ end
- file.write <<-EOS
+ server_config << <<-EOS
 }
 EOS
- if ssl
- file.write <<-EOS
+ if ssl
+ server_config << <<-EOS
 server {
 listen 80;
 server_name #{domain};
@@ -106,13 +108,27 @@ server {
 }
 EOS
- end
- if ssl
- `#{HERE}/setup-cert #{domain}`
- end
- end
+ end
+ if ssl
+ opts = force ? "--force" : ""
+ `#{HERE}/setup-cert #{domain} #{opts}`
+ end
 end
-puts "Restarting nginx. This needs sudo permission, please enter password when prompted."
-`#{HERE}/restart-nginx`
-puts "Done."
+begin
+ old_server_config = File.read(dest)
+rescue
+ old_server_config = ""
+end
+
+if force or old_server_config != server_config
+ file = File.open(dest, 'w') do |file|
+ file.write server_config
+ puts "Restarting nginx. This needs sudo permission, please enter password when prompted."
+ `#{HERE}/restart-nginx`
+ puts "Done."
+ end
+else
+ puts "Found existing nginx configuration for this app, so doing nothing."
+ puts "Rerun with --force to force installation of new configuration if required."
+end
diff --git a/script/setup-cert b/script/setup-cert
index 06bd675..dfb7c0b 100755
--- a/script/setup-cert
+++ b/script/setup-cert
@@ -9,15 +9,6 @@ set -e
 YELLOW='\033[1;33m'
 NC='\033[0m' # no colour - reset console colour
-if [[ $# -lt 1 ]]
-then
- echo -e "Create a certificate for ${YELLOW}development use only${NC} using mkcert."
- echo -e "See https://github.com/FiloSottile/mkcert for more information."
- echo
- echo "Example usage: $0 foo.local"
- exit 1
-fi
-
 if type -p java > /dev/null ; then
 # ensure JAVA_HOME is set for mkcert to install local root CA in the java trust store
 # see https://github.com/FiloSottile/mkcert#supported-root-stores
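Review bot: In the last script/setup-app hunk (-106,13), `restart-nginx` now runs inside the `File.open(dest, 'w') do |file|` block, after the file has been truncated but before it is closed. A config this small is most likely still in Ruby's write buffer at that point, so nginx can restart against an empty file, and the next run then finds matching content and skips the restart altogether. Write and close the file first, then restart. In the same hunk `domain`, which is assembled from values in the YAML mapping, is still interpolated into a backtick shell command for `setup-cert` and the exit status is ignored; passing an argument vector to `system` keeps config values away from shell parsing and lets a failed issuance stop the run. The bare `rescue` around `File.read(dest)` also treats a permission error like a missing file, where `rescue Errno::ENOENT` is the narrower match.

```ruby
  if ssl
    # argument vector: values from the YAML mapping never pass through a shell
    cert_args = force ? [domain, "--force"] : [domain]
    system("#{HERE}/setup-cert", *cert_args) or abort("setup-cert failed for #{domain}")
  end
# … unchanged: end of the mappings loop, begin / File.read(dest) …
rescue Errno::ENOENT
  old_server_config = ""
end

if force or old_server_config != server_config
  # File.write returns only after the file is closed, so nginx reads the complete config
  File.write(dest, server_config)
  # … unchanged: "Restarting nginx" message, restart-nginx call, "Done." …
else
  # … unchanged: "Found existing nginx configuration" messages …
```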
@@ -40,19 +31,49 @@ DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 NGINX_HOME=$("${DIR}/locate-nginx")
 CERT_DIRECTORY=$HOME/.gu/mkcert
-DOMAIN=$1
+FORCE=no
+DOMAIN=""
+while [[ $# != 0 ]] ; do
+ case "$1" in
+ --force)
+ FORCE=yes
+ ;;
+ *)
+ DOMAIN="$1"
+ ;;
+ esac
+ shift
+done
+
+if [[ "$DOMAIN" == "" ]] ; then
+ echo -e "Create a certificate for ${YELLOW}development use only${NC} using mkcert."
+ echo -e "See https://github.com/FiloSottile/mkcert for more information."
+ echo
+ echo "Example usage: $0 [--force] foo.local"
+ exit 1
+fi
 KEY_FILE=${CERT_DIRECTORY}/${DOMAIN}.key
 CERT_FILE=${CERT_DIRECTORY}/${DOMAIN}.crt
-mkcert -install
+# test certificate has been created, and installed, and does not expire in next 14 days
+if [[ "$FORCE" == no ]] && \
+ [[ -r "$CERT_FILE" ]] && \
+ [[ -r "${NGINX_HOME}/${DOMAIN}.crt" ]] && \
+ >/dev/null 2>&1 openssl x509 -in "$CERT_FILE" -noout -checkend 1209600
+then
+ echo -e "🔐 Found existing certificate for: ${YELLOW}${DOMAIN}${NC}"
+ echo -e "Rerun with --force to recreate if needed."
+else
+ mkcert -install
-echo -e "🔐 Creating certificate for: ${YELLOW}${DOMAIN}${NC}"
-mkdir -p ${CERT_DIRECTORY}
-mkcert -key-file=${KEY_FILE} -cert-file=${CERT_FILE} ${DOMAIN}
+ echo -e "🔐 Creating certificate for: ${YELLOW}${DOMAIN}${NC}"
+ mkdir -p ${CERT_DIRECTORY}
+ mkcert -key-file=${KEY_FILE} -cert-file=${CERT_FILE} ${DOMAIN}
-echo -e "Symlinking the certificate for nginx at ${NGINX_HOME}"
-ln -sf ${KEY_FILE} ${NGINX_HOME}/${DOMAIN}.key
-ln -sf ${CERT_FILE} ${NGINX_HOME}/${DOMAIN}.crt
+ echo -e "Symlinking the certificate for nginx at ${NGINX_HOME}"
+ ln -sf ${KEY_FILE} ${NGINX_HOME}/${DOMAIN}.key
+ ln -sf ${CERT_FILE} ${NGINX_HOME}/${DOMAIN}.crt
-echo -e "🚀 ${YELLOW}Done. Please restart nginx.${NC}"
+ echo -e "🚀 ${YELLOW}Done. Please restart nginx.${NC}"
+fi
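Review bot: In script/setup-cert, the new skip condition tests only the two `.crt` files, so a run where `${KEY_FILE}` or the `${NGINX_HOME}/${DOMAIN}.key` symlink is missing or unreadable still prints "Found existing certificate" and leaves nginx without a usable key. Adding `[[ -r "$KEY_FILE" ]] && [[ -r "${NGINX_HOME}/${DOMAIN}.key" ]] && \` to the chain closes that gap. The skip path also no longer runs `mkcert -install`, so it assumes the local root CA is still present in the trust stores, which deserves a comment next to the condition. The new parsing loop takes any unrecognised argument, including a mistyped flag, as `DOMAIN`, and the re-indented `mkdir`/`mkcert`/`ln` lines still expand `${DOMAIN}` and the paths unquoted. Rejecting `-*` in the `*)` arm and quoting those expansions would keep unexpected input out of the generated file names.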