From 672b720b591c8b56d1bb8318a1dd947b128a9dee Mon Sep 17 00:00:00 2001 From: Jonathan Rosser Date: Fri, 16 Apr 2021 09:14:29 +0100 Subject: [PATCH] Add custom user-agent for git clones from opendev.org There has been one confirmed denial-of-service against the opendev git servers due to an openstack-ansible deployment failing to correctly use cached wheels from the repo server and instead clone and build the source code for each openstack service on each target host. Whilst we wait for further information to understand the root cause of that DOS, it is possible to adjust the user-agent that git uses on a per-domain basis. This patch sets the user-agent to a string which identifies that OSA is responsible for git operations, which version of OSA is in use, and if the host is a deploy host or an AIO build. Change-Id: I8157c744a58a8ade56776e8cb29956a8abed081c --- scripts/bootstrap-ansible.sh | 2 +- scripts/get-ansible-role-requirements.yml | 14 ++++++++++ scripts/log-collect.sh | 1 + tests/roles/bootstrap-host/tasks/main.yml | 3 ++ .../tasks/prepare_git_useragent.yml | 28 +++++++++++++++++++ 5 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 tests/roles/bootstrap-host/tasks/prepare_git_useragent.yml diff --git a/scripts/bootstrap-ansible.sh b/scripts/bootstrap-ansible.sh index 1f8369086f..33d177df35 100755 --- a/scripts/bootstrap-ansible.sh +++ b/scripts/bootstrap-ansible.sh @@ -135,7 +135,7 @@ if [ "${SETUP_ARA}" == "true" ]; then fi # Get current code version (this runs at the root of OSA clone) -CURRENT_OSA_VERSION=$(cd ${OSA_CLONE_DIR}; /opt/ansible-runtime/bin/python setup.py --version) +export CURRENT_OSA_VERSION=$(cd ${OSA_CLONE_DIR}; /opt/ansible-runtime/bin/python setup.py --version) # Ensure that Ansible binaries run from the venv pushd /opt/ansible-runtime/bin diff --git a/scripts/get-ansible-role-requirements.yml b/scripts/get-ansible-role-requirements.yml index d80758a29e..a30bf7a6bd 100644 --- a/scripts/get-ansible-role-requirements.yml 
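Review bot: On the changed line in `scripts/bootstrap-ansible.sh`, `export CURRENT_OSA_VERSION=$(...)` discards the exit status of the command substitution, and the subshell joins `cd` and `python setup.py --version` with `;`. A failed `cd` or a failed version query therefore still exports a value, possibly empty, which the new tasks then place in the git user-agent. That string exists so the opendev operators can attribute traffic to an OSA version, so a silently empty or wrong value defeats the purpose. Assign and export separately and chain with `&&`: `CURRENT_OSA_VERSION=$(cd "${OSA_CLONE_DIR}" && /opt/ansible-runtime/bin/python setup.py --version)` followed by `export CURRENT_OSA_VERSION`. Whether the script runs under `set -e` is not visible in this hunk.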
+++ b/scripts/get-ansible-role-requirements.yml @@ -23,6 +23,20 @@ setup: gather_subset: '!all' + - name: Find the git version + command: + cmd: "git --version" + register: _git_version + changed_when: false + tags: + - skip_ansible_lint + + - name: Set the git user agent for the deploy host + git_config: + scope: system + name: http.https://opendev.org/.userAgent + value: "{{ 'git/' ~ _git_version.stdout.split(' ')[2] ~ ' (osa/' ~ lookup('env', 'CURRENT_OSA_VERSION') ~ '/deploy)' }}" + - name: Remove target directory if required file: path: "{{ item.path | default(role_path_default) }}/{{ item.name | default(item.src | basename) }}" diff --git a/scripts/log-collect.sh b/scripts/log-collect.sh index c3ac5d8d7d..658b4b98ba 100755 --- a/scripts/log-collect.sh +++ b/scripts/log-collect.sh @@ -45,6 +45,7 @@ COMMON_ETC_LOG_NAMES="apt \ dnf \ etcd \ ganesha \ + gitconfig \ haproxy \ httpd \ memcached \ diff --git a/tests/roles/bootstrap-host/tasks/main.yml b/tests/roles/bootstrap-host/tasks/main.yml index 6399f546b3..1a3972c34d 100644 --- a/tests/roles/bootstrap-host/tasks/main.yml +++ b/tests/roles/bootstrap-host/tasks/main.yml @@ -13,6 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +# Identify AIO builds in the git user-agent +- include_tasks: prepare_git_useragent.yml + # Attempt data device detection if enabled - include_tasks: detect_data_disk_device.yml when: diff --git a/tests/roles/bootstrap-host/tasks/prepare_git_useragent.yml b/tests/roles/bootstrap-host/tasks/prepare_git_useragent.yml new file mode 100644 index 0000000000..43e8691f70 --- /dev/null +++ b/tests/roles/bootstrap-host/tasks/prepare_git_useragent.yml 
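Review bot: The `value:` expression in "Set the git user agent for the deploy host" (`scripts/get-ansible-role-requirements.yml`) has no fallback. `lookup('env', 'CURRENT_OSA_VERSION')` yields an empty string when the playbook is run outside `bootstrap-ansible.sh`, so the agent becomes `(osa//deploy)`. Appending `| default('unknown', true)` to the lookup keeps the identifier well-formed; the same expression in `prepare_git_useragent.yml` has the same gap. `scope: system` writes the host-wide git configuration, so the override applies to every user's opendev.org traffic on the deploy host and persists after the run. A comment above the task should say so, and should note that the header is client-set and useful for traffic attribution only.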
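Review bot: Adding `gitconfig` to `COMMON_ETC_LOG_NAMES` in `scripts/log-collect.sh` presumably copies the system git configuration into the collected log archive; the code that consumes the list is outside this hunk. On hosts where operators have customised that file, it can also hold `url.<base>.insteadOf` rewrites with embedded credentials, `http.extraHeader` values or proxy settings. If these archives are published, consider redacting the file or collecting only the opendev.org `userAgent` entry. A comment above the assignment would record the intent, for example `# gitconfig: collected to verify the opendev.org userAgent; may hold credentials on customised hosts`.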
@@ -0,0 +1,28 @@
+---
+# Copyright 2021, BBC R&D
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: Find the git version
+ command:
+ cmd: "git --version"
+ register: _git_version
+ changed_when: false
+ tags:
+ - skip_ansible_lint
+
+- name: Set the git user agent for the AIO
+ git_config:
+ scope: system
+ name: http.https://opendev.org/.userAgent
+ value: "{{ 'git/' ~ _git_version.stdout.split(' ')[2] ~ ' (osa/' ~ lookup('env', 'OSA_VERSION') ~ '/aio)' }}"
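Review bot: The AIO task in `prepare_git_useragent.yml` reads `lookup('env', 'OSA_VERSION')`, while the only variable this patch exports is `CURRENT_OSA_VERSION` in `bootstrap-ansible.sh`. Unless `OSA_VERSION` is set elsewhere, which is not visible here, the AIO user-agent will read `(osa//aio)` and carry no version. Either read the same variable as the deploy-host task or add a comment above the task such as `# OSA_VERSION is exported by <script name>`. Both tasks also duplicate the pair in `scripts/get-ansible-role-requirements.yml` apart from the suffix, so a fix to the version parsing has to be made in both places.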