From e259e9b7fa6f3852d764936afaece9ac23b54368 Mon Sep 17 00:00:00 2001
From: Giacomo Sanchietti
Date: Thu, 23 Jan 2025 16:42:15 +0100
Subject: [PATCH] feat: add tmce plugin Include the jar plugin as encrypted file inside the module image. The plugin is decrypted when the cluster has a valid subscription. Subscribe also to subscription-change event to adapt the environment.
---
 build-images.sh | 10 +++++++++
 .../actions/configure-module/30subscription | 22 +++++++++++++++++++
 .../subscription-changed/30subscription | 1 +
 .../events/subscription-changed/70restart | 8 +++++++
 imageroot/systemd/user/webapp.service | 2 ++
 5 files changed, 43 insertions(+)
 create mode 100755 imageroot/actions/configure-module/30subscription
 create mode 120000 imageroot/events/subscription-changed/30subscription
 create mode 100755 imageroot/events/subscription-changed/70restart
diff --git a/build-images.sh b/build-images.sh
index 076aa42..1e50302 100644
--- a/build-images.sh
+++ b/build-images.sh
@@ -160,6 +160,16 @@ fi
 echo "Build static UI files with node..."
 buildah run --env="NODE_OPTIONS=--openssl-legacy-provider" nodebuilder-webtop sh -c "cd /usr/src/ui && yarn install && yarn build"
+# Download tmce plugin jar: plugin is encrypted with GPG, the password is 'subscription'
+tmce_jar_url="https://distfeed.nethserver.org/webtop/webtop-tmceplugins-6.3.1.0.jar.gpg"
+tmce_jar_path="${PWD}/webtop-tmceplugins-6.3.1.0.jar.gpg"
+echo "Downloading encrypted tmce plugin jar from ${tmce_jar_url}..."
+curl --fail -L -o "${tmce_jar_path}" "${tmce_jar_url}"
+
+# Add tmce plugin jar to the image
+mkdir -p imageroot/plugins
+mv "${tmce_jar_path}" imageroot/plugins/webtop-tmceplugins.jar.gpg
+
 # Add imageroot directory to the container image
 buildah add "${container}" imageroot /imageroot
 buildah add "${container}" ui/dist /ui
diff --git a/imageroot/actions/configure-module/30subscription b/imageroot/actions/configure-module/30subscription
new file mode 100755
index 0000000..dbc92f7
--- /dev/null
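Review bot: The jar fetched by the added `curl --fail -L -o "${tmce_jar_path}" "${tmce_jar_url}"` line is moved into `imageroot/plugins` with no integrity check, so whatever the distfeed URL (or a redirect followed because of `-L`) serves at build time ends up in the module image. The GPG layer does not cover this: the file is symmetrically encrypted and the passphrase is stated in the comment directly above, so it gates the feature but authenticates nothing. Pin the expected digest next to the version and verify it before the `mv`, for example `echo "<expected-sha256>  ${tmce_jar_path}" | sha256sum -c -` (placeholder digest), and consider restricting the transfer with `--proto '=https' --proto-redir '=https'`.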
+++ b/imageroot/actions/configure-module/30subscription
@@ -0,0 +1,22 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import agent
+import subprocess
+
+rdb = agent.redis_connect(privileged=False)
+
+subscription = rdb.hgetall('cluster/subscription')
+
+with open('subscription.env', 'w') as env:
+ if subscription:
+ env.write(f'VALID_SUBSCRIPTION=true\n')
+ env.write("TMCE_PLUGIN=--volume=./webtop-tmceplugins.jar:/usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar:z\n")
+ subprocess.run(['gpg', '--batch', '--yes', '--passphrase', 'subscription', '-d', '-o', 'webtop-tmceplugins.jar', '../plugins/webtop-tmceplugins.jar.gpg'])
+ else:
+ env.write(f'VALID_SUBSCRIPTION=false\n')
+ env.write(f"TMCE_PLUGIN=--volume=../plugins/webtop-tmceplugins.jar.gpg:/usr/local/tomcat/webapps/webtop/WEB-INF/lib/webtop-tmceplugins.jar.gpg:z\n")
\ No newline at end of file
diff --git a/imageroot/events/subscription-changed/30subscription b/imageroot/events/subscription-changed/30subscription
new file mode 120000
index 0000000..e0e147d
--- /dev/null
+++ b/imageroot/events/subscription-changed/30subscription
@@ -0,0 +1 @@
+../../actions/configure-module/30subscription
\ No newline at end of file
diff --git a/imageroot/events/subscription-changed/70restart b/imageroot/events/subscription-changed/70restart
new file mode 100755
index 0000000..93739a2
--- /dev/null
+++ b/imageroot/events/subscription-changed/70restart
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+systemctl --user restart webapp
diff --git a/imageroot/systemd/user/webapp.service b/imageroot/systemd/user/webapp.service
index 301f171..c823faf 100644
--- a/imageroot/systemd/user/webapp.service
+++ b/imageroot/systemd/user/webapp.service
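Review bot: In the `if subscription:` branch of configure-module/30subscription the result of `subprocess.run(['gpg', ...])` is ignored, and the call runs only after `subscription.env` has been written. A failed decryption therefore still leaves `VALID_SUBSCRIPTION=true` and a `TMCE_PLUGIN=--volume=./webtop-tmceplugins.jar:...` entry pointing at a file that may be missing or stale from an earlier run, and the later `systemctl --user restart webapp` would presumably fail on that bind mount. Run the decryption before opening `subscription.env` and pass `check=True`, so the step aborts instead of writing an environment the unit cannot start with. Depending on the GnuPG version, `--passphrase` in batch mode may also need `--pinentry-mode loopback`; the passphrase is exposed on the command line, which matters little here only because it is already public in build-images.sh, so the encryption acts as a feature gate rather than protection of the jar. The `else` branch leaves a previously decrypted `webtop-tmceplugins.jar` in place; removing it there would keep the state consistent with `VALID_SUBSCRIPTION=false`.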
@@ -11,6 +11,7 @@ PartOf=webtop.service
 [Service]
 Environment=PODMAN_SYSTEMD_UNIT=%n
 EnvironmentFile=%S/state/environment
+EnvironmentFile=%S/state/subscription.env
 WorkingDirectory=%S/state
 Restart=always
 ExecStartPre=/bin/rm -f %t/webapp.pid %t/webapp.ctr-id
@@ -22,6 +23,7 @@ ExecStart=/usr/bin/podman run \
 -Dcom.sun.jndi.ldap.object.disableEndpointIdentification=true \
 -Dmail.mime.address.strict=false -Dwebtop.etc.dir=/etc/webtop \
 -Duser.timezone=${WEBTOP_TIMEZONE}" \
+ ${TMCE_PLUGIN} \
 --volume=webtop-home:/var/lib/nethserver/webtop \
 --volume=./webtop.properties:/etc/webtop/webtop.properties:z \
 --pod=webtop \
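Review bot: The added `EnvironmentFile=%S/state/subscription.env` has no `-` prefix, so the unit cannot start while that file is missing, for example on an instance updated to this image before configure-module or a subscription-changed event has run; whether an update script creates the file is not visible in this patch. `EnvironmentFile=-%S/state/subscription.env` makes the file optional, but the `${TMCE_PLUGIN} \` line in the second hunk then needs the same care: per systemd.service(5) the braced form always expands to exactly one argument, so an unset variable would pass podman an empty argument, whereas `$TMCE_PLUGIN \` expands to zero arguments when unset. With both changes the no-subscription branch of 30subscription would not have to mount the `.gpg` file into `WEB-INF/lib` just to keep the argument non-empty, if that is its purpose. The ExecStart command starts and ends outside the hunk.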