software/restic: handle certificate renewal

restart restic after renewing certificate, using the same approach as
software/dufs

software/restic-rest-server/buildout.hash.cfg

@@ -15,4 +15,4 @@
 
 [instance.cfg.in]
 filename = instance.cfg.in
-md5sum = 573e23c88fea6a11ab5c79b1eb106601
+md5sum = 69237df07b8819e2eb683702b8cd199a

software/restic-rest-server/instance.cfg.in

@@ -54,7 +54,20 @@ dash_path = {{ dash_bin }}
 curl_path = {{ curl_bin }}
 
 # Caucase
+[rest-server-certificate-init-certificate]
+recipe = slapos.recipe.build
+init =
+  # pre-create a file at the path of the certificate,
+  # so that we can use hash-existing-files options
+  import pathlib
+  cert_file = pathlib.Path(self.buildout['rest-server-certificate']['cert-file'])
+  if not cert_file.parent.exists():
+    cert_file.parent.mkdir()
+  if not cert_file.exists():
+    cert_file.touch()
+
 [rest-server-certificate]
+init = ${rest-server-certificate-init-certificate:init}
 key-file = ${directory:etc}/${:_buildout_section_name_}.key
 cert-file = ${directory:etc}/${:_buildout_section_name_}.crt
 common-name = ${:_buildout_section_name_}
@@ -165,6 +178,8 @@ ip = ${instance-parameter:ipv6-random}
 url = https://[${:ip}]:${:port}
 depends =
   ${rest-server-htpassword:recipe}
+hash-existing-files =
+  ${rest-server-certificate:cert-file}
 
 [rest-server-listen-promise]
 <= check-port-listening-promise

software/restic-rest-server/test/test.py

@@ -25,8 +25,9 @@
 #
 ##############################################################################
 
-import glob
+import contextlib
 import os
+import pathlib
 import subprocess
 import tempfile
 import urllib.parse
@@ -35,6 +36,7 @@ import requests
 
 from slapos.testing.testcase import makeModuleSetUpAndTestCaseClass
 
+
 setUpModule, SlapOSInstanceTestCase = makeModuleSetUpAndTestCaseClass(
     os.path.abspath(
         os.path.join(os.path.dirname(__file__), '..', 'software.cfg')))
@@ -143,3 +145,38 @@ class TestResticRestServer(SlapOSInstanceTestCase):
       self.assertIn('restoring <Snapshot', out)
       with open(os.path.join(restore_directory, backup_path, 'data')) as f:
         self.assertEqual(f.read(), 'data to backup')
+
+  def test_renew_certificate(self):
+    def _getpeercert():
+      # XXX low level way to get get the server certificate
+      with requests.Session() as session:
+        pool = session.get(
+          self.connection_parameters['url'],
+          verify=self.ca_cert,
+        ).raw._pool.pool
+        with contextlib.closing(pool.get()) as cnx:
+          return cnx.sock._sslobj.getpeercert()
+
+    cert_before = _getpeercert()
+    # execute certificate updater two month later, when it's time to renew certificate.
+    # use a timeout, because this service runs forever
+    subprocess.run(
+      (
+        'timeout',
+        '5',
+        'faketime',
+        '+2 months',
+        os.path.join(
+          self.computer_partition_root_path,
+          'etc/service/rest-server-certificate-updater'),
+      ),
+      capture_output=not self._debug,
+    )
+
+    # reprocess instance to get the new certificate, after removing the timestamp
+    # to force execution
+    (pathlib.Path(self.computer_partition_root_path) / '.timestamp').unlink()
+    self.waitForInstance()
+
+    cert_after = _getpeercert()
+    self.assertNotEqual(cert_before['notAfter'], cert_after['notAfter'])