Merge pull request #4691 from StackStorm/301_additional_changes

Kami · web-flow · commit 152b4180b74f · 2019-05-22T18:14:03.000+02:00
Additional changes for v3.0.1
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -5,7 +5,7 @@ In development
 --------------
 
 
-3.0.1 - May 20, 2019
+3.0.1 - May 24, 2019
 --------------------
 
 Fixed
@@ -39,6 +39,15 @@ Fixed
   ``service`` or ``action`` parameter. (bug fix) #4675
 
   Reported by James Robinson (Netskope and Veracode).
+* Replace ``sseclient`` library on which CLI depends on with ``sseclient-py``. ``sseclient`` has
+  various issue which cause client to sometimes hang and keep the connection open which also causes
+  ``st2 execution tail`` command to sometimes hang for a long time. (improvement)
+* Truncate some database index names so they are less than 65 characters long in total. This way it
+  also works with AWS DocumentDB which doesn't support longer index name at the moment.
+
+  NOTE: AWS DocumentDB is not officially supported. Use at your own risk. (improvement) #4688 #4690
+
+  Reported by Guillaume Truchot (@GuiTeK)
 
 3.0.0 - April 26, 2019
 ----------------------
diff --git a/Makefile b/Makefile
@@ -281,6 +281,8 @@ flake8: requirements .flake8
 	chmod +x $(VIRTUALENV_ST2CLIENT_DIR)/bin/activate
 
 	$(VIRTUALENV_ST2CLIENT_DIR)/bin/pip install --upgrade "pip>=9.0,<9.1"
+	# NOTE We need to upgrade setuptools to avoid bug with dependency resolving in old versions
+	$(VIRTUALENV_ST2CLIENT_DIR)/bin/pip install --upgrade "setuptools==41.0.1"
 	$(VIRTUALENV_ST2CLIENT_DIR)/bin/activate; cd st2client ; ../$(VIRTUALENV_ST2CLIENT_DIR)/bin/python setup.py install ; cd ..
 	$(VIRTUALENV_ST2CLIENT_DIR)/bin/st2 --version
 	$(VIRTUALENV_ST2CLIENT_DIR)/bin/python -c "import st2client"
diff --git a/conf/HA/nginx/st2.conf.blueprint.sample b/conf/HA/nginx/st2.conf.blueprint.sample
@@ -13,10 +13,10 @@ server {
   add_header X-Content-Type-Options nosniff;
 
   if ($ssl_protocol = "") {
-       return 301 https://$host$request_uri;
+       return 308 https://$host$request_uri;
   }
 
-  index  index.html index.htm index.php;
+  index  index.html;
 
   access_log /var/log/nginx/st2webui.access.log combined;
   error_log /var/log/nginx/st2webui.error.log;
@@ -32,10 +32,10 @@ server {
   ssl_session_cache         shared:SSL:10m;
   ssl_session_timeout       5m;
   ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers               EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
+  ssl_ciphers               EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
   ssl_prefer_server_ciphers on;
 
-  index  index.html index.htm index.php;
+  index  index.html;
 
   access_log            /var/log/nginx/ssl-st2webui.access.log combined;
   error_log             /var/log/nginx/ssl-st2webui.error.log;
@@ -62,58 +62,14 @@ server {
     proxy_set_header Host $host;
   }
 
-  location /stream/ {
-    rewrite ^/stream/(.*)  /$1 break;
-
-    proxy_pass            http://127.0.0.1:9102/;
-    proxy_read_timeout    90;
-    proxy_connect_timeout 90;
-    proxy_redirect        off;
-
-    proxy_set_header      Host $host;
-    proxy_set_header      X-Real-IP $remote_addr;
-    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_pass_header     Authorization;
-
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-
-    # Disable buffering and chunked encoding.
-    # In the stream case we want to receive the whole payload at once, we don't
-    # want multiple chunks.
-    proxy_set_header Connection '';
-    chunked_transfer_encoding off;
-    proxy_buffering off;
-    proxy_cache off;
-    proxy_set_header Host $host;
-  }
-
   # For backward compatibility reasons, rewrite requests from "/api/stream"
   # to "/stream/v1/stream" and "/api/v1/stream" to "/stream/v1/stream"
-  location /api/stream/ {
-    rewrite ^/api/stream/?(.*)$ /v1/stream/$1 break;
-    proxy_pass  http://127.0.0.1:9102;
-    proxy_set_header Host $host;
-    proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-
-    # Disable buffering and chunked encoding.
-    # In the stream case we want to receive the whole payload at once, we don't
-    # want multiple chunks.
-    proxy_set_header Connection '';
-    chunked_transfer_encoding off;
-    proxy_buffering off;
-    proxy_cache off;
-  }
+  rewrite ^/api/stream/?$ /stream/v1/stream break;
+  rewrite ^/api/(v\d)/stream/?$ /stream/$1/stream break;
+  location /stream/ {
+    rewrite ^/stream/(.*)  /$1 break;
 
-  location /api/v1/stream/ {
-    rewrite ^/api/v1/stream/?(.*)$ /v1/stream/$1 break;
-    proxy_pass  http://127.0.0.1:9102;
+    proxy_pass  http://127.0.0.1:9102/;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -170,5 +126,4 @@ server {
     proxy_cache off;
     proxy_set_header Host $host;
   }
-
 }
diff --git a/conf/HA/nginx/st2.conf.controller.sample b/conf/HA/nginx/st2.conf.controller.sample
@@ -18,10 +18,10 @@ server {
   add_header X-Content-Type-Options nosniff;
 
   if ($ssl_protocol = "") {
-       return 301 https://$host$request_uri;
+       return 308 https://$host$request_uri;
   }
 
-  index  index.html index.htm index.php;
+  index  index.html;
 
   access_log /var/log/nginx/st2webui.access.log combined;
   error_log /var/log/nginx/st2webui.error.log;
@@ -37,21 +37,27 @@ server {
   ssl_session_cache         shared:SSL:10m;
   ssl_session_timeout       5m;
   ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers               EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
+  ssl_ciphers               EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
   ssl_prefer_server_ciphers on;
 
-  index  index.html index.htm index.php;
+  index  index.html;
 
   access_log            /var/log/nginx/ssl-st2webui.access.log combined;
   error_log             /var/log/nginx/ssl-st2webui.error.log;
 
   add_header              Front-End-Https on;
   add_header              X-Content-Type-Options nosniff;
 
+  location @apiError {
+    add_header Content-Type application/json always;
+    return 503 '{ "faultstring": "Nginx is unable to reach st2api. Make sure service is running." }';
+  }
+
   location /api/ {
-    rewrite ^/api/(.*)  /api/$1 break;
+    error_page 502 = @apiError;
 
     proxy_pass            https://st2/api/;
+    proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
     proxy_read_timeout    90;
     proxy_connect_timeout 90;
     proxy_redirect        off;
@@ -67,7 +73,7 @@ server {
     proxy_set_header Host $host;
   }
 
-    location @streamError {
+  location @streamError {
     add_header Content-Type text/event-stream;
     return 200 "retry: 1000\n\n";
   }
@@ -79,9 +85,8 @@ server {
   location /stream/ {
     error_page 502 = @streamError;
 
-    rewrite ^/stream/(.*)  /$1 break;
-
     proxy_pass            https://st2/stream/;
+    proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@@ -99,10 +104,16 @@ server {
     proxy_cache off;
   }
 
+  location @authError {
+    add_header Content-Type application/json always;
+    return 503 '{ "faultstring": "Nginx is unable to reach st2auth. Make sure service is running." }';
+  }
+
   location /auth/ {
-    rewrite ^/auth/(.*)  /auth/$1 break;
+    error_page 502 = @authError;
 
     proxy_pass            https://st2/auth/;
+    proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
     proxy_read_timeout    90;
     proxy_connect_timeout 90;
     proxy_redirect        off;
@@ -118,11 +129,10 @@ server {
     proxy_cache off;
     proxy_set_header Host $host;
   }
-  
-  location /mistral/ {
-    rewrite ^/mistral/(.*)  /mistral/$1 break;
 
+  location /mistral/ {
     proxy_pass            https://st2/mistral/;
+    proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
     proxy_read_timeout    90;
     proxy_connect_timeout 90;
     proxy_redirect        off;
@@ -141,6 +151,10 @@ server {
 
   location / {
     root      /opt/stackstorm/static/webui/;
-    index     index.html index.htm index.php;
+    index     index.html;
+
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
   }
 }
diff --git a/fixed-requirements.txt b/fixed-requirements.txt
@@ -35,7 +35,8 @@ cryptography==2.6.1
 retrying==1.3.3
 # Note: We use latest version of virtualenv which uses pip 9.0
 virtualenv==15.1.0
-sseclient==0.0.19
+# NOTE: sseclient has various issues which sometimes hang the connection for a long time, etc.
+sseclient-py==1.7
 python-editor==1.0.4
 prompt-toolkit==1.0.15
 tooz==1.64.2
diff --git a/requirements.txt b/requirements.txt
@@ -50,7 +50,7 @@ retrying==1.3.3
 routes==2.4.1
 semver==2.8.1
 six==1.12.0
-sseclient==0.0.19
+sseclient-py==1.7
 stevedore==1.30.1
 tooz==1.64.2
 ujson==1.35
diff --git a/st2client/in-requirements.txt b/st2client/in-requirements.txt
@@ -8,7 +8,7 @@ jsonschema
 jsonpath-rw
 requests
 six
-sseclient
+sseclient-py
 python-editor
 prompt-toolkit
 cryptography
diff --git a/st2client/requirements.txt b/st2client/requirements.txt
@@ -11,4 +11,4 @@ pytz==2019.1
 pyyaml==5.1
 requests[security]<2.15,>=2.14.1
 six==1.12.0
-sseclient==0.0.19
+sseclient-py==1.7
diff --git a/st2client/st2client/models/core.py b/st2client/st2client/models/core.py
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 from __future__ import absolute_import
+
 import os
 import json
 import logging
@@ -22,6 +23,7 @@
 import six
 from six.moves import urllib
 from six.moves import http_client
+import requests
 
 from st2client.utils import httpclient
 
@@ -632,8 +634,10 @@ def listen(self, events=None, **kwargs):
         query_string = '?' + urllib.parse.urlencode(query_params)
         url = url + query_string
 
-        for message in SSEClient(url, **request_params):
+        response = requests.get(url, stream=True, **request_params)
+        client = SSEClient(response)
 
+        for message in client.events():
             # If the execution on the API server takes too long, the message
             # can be empty. In this case, rerun the query.
             if not message.data:
diff --git a/st2client/tests/unit/test_models.py b/st2client/tests/unit/test_models.py
@@ -257,32 +257,41 @@ def test_resource_delete_failed(self):
         instance = mgr.get_by_name('abc')
         self.assertRaises(Exception, mgr.delete, instance)
 
+    @mock.patch('requests.get')
     @mock.patch('sseclient.SSEClient')
-    def test_stream_resource_listen(self, mock):
+    def test_stream_resource_listen(self, mock_sseclient, mock_requests):
         mock_msg = mock.Mock()
         mock_msg.data = json.dumps(base.RESOURCES)
 
         # checking the case to specify valid 'cacert' parameter to the StreamManager
-        def side_effect_checking_verify_parameter_is(endpoint_url, **kwargs):
-            self.assertEqual(endpoint_url, 'https://example.com/stream?events=foo%2Cbar')
-            self.assertEqual(kwargs['verify'], '/path/ca.crt')
+        def side_effect_checking_verify_parameter_is():
             return [mock_msg]
 
-        mock.side_effect = side_effect_checking_verify_parameter_is
+        mock_sseclient.return_value.events.side_effect = side_effect_checking_verify_parameter_is
         mgr = models.StreamManager('https://example.com', cacert='/path/ca.crt')
 
         resp = mgr.listen(events=['foo', 'bar'])
         self.assertEqual(list(resp), [base.RESOURCES])
 
+        call_args = tuple(['https://example.com/stream?events=foo%2Cbar'])
+        call_kwargs = {'stream': True, 'verify': '/path/ca.crt'}
+
+        self.assertEqual(mock_requests.call_args_list[0][0], call_args)
+        self.assertEqual(mock_requests.call_args_list[0][1], call_kwargs)
+
         # checking the case not to specify valid 'cacert' parameter to the StreamManager
-        def side_effect_checking_verify_parameter_is_not(endpoint_url, **kwargs):
-            # checking endpoint_url in case of no event specification
-            self.assertEqual(endpoint_url, 'https://example.com/stream?')
-            self.assertFalse('verify' in kwargs)
+        def side_effect_checking_verify_parameter_is_not():
             return [mock_msg]
 
-        mock.side_effect = side_effect_checking_verify_parameter_is_not
+        mock_sseclient.return_value.events.side_effect = \
+            side_effect_checking_verify_parameter_is_not
         mgr = models.StreamManager('https://example.com')
 
         resp = mgr.listen()
         self.assertEqual(list(resp), [base.RESOURCES])
+
+        call_args = tuple(['https://example.com/stream?'])
+        call_kwargs = {'stream': True}
+
+        self.assertEqual(mock_requests.call_args_list[1][0], call_args)
+        self.assertEqual(mock_requests.call_args_list[1][1], call_kwargs)
diff --git a/st2common/st2common/models/db/execution_queue.py b/st2common/st2common/models/db/execution_queue.py
@@ -62,10 +62,13 @@ class ActionExecutionSchedulingQueueItemDB(stormbase.StormFoundationDB,
 
     meta = {
         'indexes': [
-            {'fields': ['action_execution_id']},
-            {'fields': ['liveaction_id']},
-            {'fields': ['original_start_timestamp']},
-            {'fields': ['scheduled_start_timestamp']},
+            # NOTE: We limit index names to 65 characters total for compatibility with AWS
+            # DocumentDB.
+            # See https://github.com/StackStorm/st2/pull/4690 for details.
+            {'fields': ['action_execution_id'], 'name': 'ac_exc_id'},
+            {'fields': ['liveaction_id'], 'name': 'lv_ac_id'},
+            {'fields': ['original_start_timestamp'], 'name': 'orig_s_ts'},
+            {'fields': ['scheduled_start_timestamp'], 'name': 'schd_s_ts'},
         ]
     }
 
diff --git a/st2common/tests/unit/test_db.py b/st2common/tests/unit/test_db.py
diff --git a/st2tests/st2tests/base.py b/st2tests/st2tests/base.py
