From f86b1b1e95b61cd2b5547628603c90e864b2a8c0 Mon Sep 17 00:00:00 2001
From: mwiegand
Date: Thu, 18 Nov 2021 18:26:27 +0100
Subject: [PATCH] wip
---
 bundles/nginx/metadata.py | 39 ++++++++++++++++++++++++++++++++++++++
 bundles/rspamd/metadata.py | 6 ++++--
 libs/htpasswd.py | 17 +++++++++++++++++
 requirements.txt | 1 +
 4 files changed, 61 insertions(+), 2 deletions(-)
 create mode 100644 libs/htpasswd.py
diff --git a/bundles/nginx/metadata.py b/bundles/nginx/metadata.py
index 8c213b9..8a76d24 100644
--- a/bundles/nginx/metadata.py
+++ b/bundles/nginx/metadata.py
@@ -111,3 +111,42 @@ def letsencrypt(metadata):
 },
 },
 }
+
+
+@metadata_reactor.provides(
+ 'nginx/vhosts',
+)
+def basic_auth_passwords(metadata):
+ return {
+ 'nginx': {
+ 'vhosts': {
+ domain: {
+ 'context': {
+ 'basic_auth': {
+ user: {
+ 'password': str(repo.vault.password_for('basic_auth'+domain+user))
+ }
+ for user in metadata.get(f'nginx/vhosts/{domain}/context/basic_auth')
+ },
+ },
+ }
+ for domain, vhost in metadata.get('nginx/vhosts').items()
+ if metadata.get(f'nginx/vhosts/{domain}/context/basic_auth', None)
+ },
+ },
+ }
+
+
+@metadata_reactor.provides(
+ 'nginx/htpasswd',
+)
+def htpasswd(metadata):
+ return {
+ 'nginx': {
+ 'htpasswd': {
+ repo.libs.htpasswd.line(name, data['password'], metadata.get('id')+domain, repo)
+ for domain, vhost in metadata.get('nginx/vhosts').items()
+ for name, data in metadata.get(f'nginx/vhosts/{domain}/context/basic_auth', {}).items()
+ },
+ },
+ }
diff --git a/bundles/rspamd/metadata.py b/bundles/rspamd/metadata.py
index bc43044..0961bda 100644
--- a/bundles/rspamd/metadata.py
+++ b/bundles/rspamd/metadata.py
@@ -30,8 +30,10 @@ def nginx_vhost(metadata):
 metadata.get('rspamd/hostname'): {
 'content': 'nginx/proxy_pass.conf',
 'context': {
- 'target': 'http://localhost:9999',
- # 'target': 'http://localhost:11334',
+ 'target': 'http://localhost:11334',
+ 'basic_auth': {
+ 'rspamd': {},
+ },
 },
 },
 },
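Review bot: In `htpasswd` in bundles/nginx/metadata.py, the set comprehension merges the users of every vhost into one flat `nginx/htpasswd` set, while `basic_auth_passwords` derives a different password per domain. A user name declared on two vhosts therefore yields two lines with the same name and different hashes, and if the set is rendered into a single file (the consumer is not in this patch), every listed user would be accepted on every protected vhost. Grouping by vhost keeps the scope explicit, e.g. `'htpasswd': {domain: {...lines for that domain...}}`, rendered as one file per vhost. The vault identifier `'basic_auth'+domain+user` is also joined without a delimiter, so distinct domain/user pairs can map to the same identifier; `f'basic_auth {domain} {user}'` avoids that.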
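Review bot: With `'target': 'http://localhost:11334'` in bundles/rspamd/metadata.py, the rspamd controller sees every proxied request as coming from loopback, and its controller worker normally treats loopback clients as trusted (`secure_ip`), so the new `'basic_auth': {'rspamd': {}}` entry is likely the only authentication in front of the web UI. That deserves a comment next to it, such as `# only gate in front of the controller: rspamd trusts 127.0.0.1`. It is also worth confirming that `nginx/proxy_pass.conf` (not part of this patch) really emits `auth_basic` when `basic_auth` is set and that the vhost is TLS-only, since basic auth sends the password with every request. The enclosing `nginx_vhost` starts and ends outside the hunk.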
diff --git a/libs/htpasswd.py b/libs/htpasswd.py
new file mode 100644
index 0000000..9e76729
--- /dev/null
+++ b/libs/htpasswd.py
@@ -0,0 +1,17 @@
+import bcrypt
+from base64 import b64decode, b64encode
+from binascii import hexlify
+from hashlib import sha3_256
+
+def line(user, pw, salt, repo):
+ full_salt = str(repo.vault.password_for(user+pw+salt))
+ sha = sha3_256(full_salt.encode()).digest()
+ sha_base64 = b64encode(sha)[0:22]
+ salt_string = f"$2b$10${sha_base64.decode().replace('+', '.')}"
+ print(sha, sha_base64, salt_string)
+ hash = bcrypt.hashpw(
+ pw.encode(),
+ salt_string.encode()
+ ).decode()
+
+ return f'{user}:{hash}'
diff --git a/requirements.txt b/requirements.txt
index 8280d8b..b42e520 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,3 +2,4 @@ bundlewrap>=4.13.1
 pycryptodome
 PyNaCl
 PyYAML
+bcrypt
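Review bot: `print(sha, sha_base64, salt_string)` in `line()` of libs/htpasswd.py is left-over debug output in credential-handling code and runs for every user on every metadata build; it should be dropped. The vault identifier `user+pw+salt` passes the plaintext password as part of an identifier and joins the parts without a delimiter; a salt does not need to depend on the password, so `repo.vault.password_for(f'htpasswd salt {salt} {user}')` would be enough. The cost factor is fixed inside the string as `$2b$10$`, below the bcrypt library's default of 12; a named module constant would make it visible and easy to raise. `b64decode` and `hexlify` are imported but unused, and the local `hash` shadows the builtin.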