From 05e1560e82b28d5cf357e05caf42a80538708201 Mon Sep 17 00:00:00 2001
From: cyBerta <cyberta@riseup.net>
Date: Fri, 6 Dec 2024 16:34:10 +0100
Subject: [PATCH] Update README and remove test against upstream APIv3 provider
 using LE certs for the API communication. This variant is diverging from the
 initial APIv3 (Bonafide) protocol and it would add more code complexity to
 maintain this option: The required certificate handling changes require that
 we always start menshen with --ca-file flag for the PEM formatted root CA
 file. In turn that would require to add an additional flag to let menshen
 distinguish if we point to the provider's self-signed API endpoints or the LE
 signed endpoints. Before the absence of the --ca-file flag was exactly that
 distinguisher.

---
 Makefile                                      |  8 ------
 README.md                                     | 27 +++----------------
 .../docker-compose-remote-client-cert.yml     | 19 -------------
 3 files changed, 3 insertions(+), 51 deletions(-)
 delete mode 100644 test/compose-files/docker-compose-remote-client-cert.yml

diff --git a/Makefile b/Makefile
index ff0deec..708b4f0 100644
--- a/Makefile
+++ b/Makefile
@@ -56,14 +56,6 @@ run-container-test-api:
 	# check the validity of certificate 
 	openssl x509 -in /tmp/cert.pem -noout -text
 	podman-compose -f test/compose-files/docker-compose-remote-client-cert-selfsigned.yml down
-	# 3. run container image with remote standard url's for fetching config and certs
-	podman-compose -f test/compose-files/docker-compose-remote-client-cert.yml up -d
-	sleep 10s
-	podman logs compose-files_menshen_1
-	curl localhost:8443/api/5/openvpn/cert > /tmp/cert.pem
-	# check the validity of certificate 
-	openssl x509 -in /tmp/cert.pem -noout -text
-	podman-compose -f test/compose-files/docker-compose-remote-client-cert.yml down
 
 clean-container-setup:
 	# clean local menshen setup 
diff --git a/README.md b/README.md
index 7b929d1..e170fd7 100644
--- a/README.md
+++ b/README.md
@@ -97,15 +97,13 @@ go build ./cmd/menshen
 
 ## Run 
 
-The parameter `--from-provider-json` is a file path to a provider.json. It is always required to start menshen.
+The parameter `--from-provider-json` is a file path to a provider.json, `--ca-file` is the file path to the root CA.  Both are always required to start menshen.
  Use `--verbose` to get debug output.
 
 
 ### by pointing to another upstream provider
 
-#### *a) with self-signed provider API endpoints*
-
-Further required parameters are `--ca-file`, `--client-cert-url` and an eip source (`--from-eip-file` or `--from-eip-url `).
+Further required parameters are `--client-cert-url` and an eip source (`--from-eip-file` or `--from-eip-url `).
 You can start menshen from a v3 eip-service file:
 
 ```
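Review bot: The new sentence on `--ca-file` says only "the file path to the root CA", which leaves the reader guessing which CA is meant and what it guards; the commit message indicates it is the PEM root CA of the provider's self-signed API endpoints, presumably the trust anchor used when menshen fetches `--from-eip-url` and `--client-cert-url` over TLS. Because a too-broad CA file (for example a system bundle) would silently widen what menshen trusts for client-certificate fetches, this is worth spelling out, e.g. `The parameter --ca-file is the file path to the PEM-formatted root CA certificate of the provider's (self-signed) API endpoints; menshen verifies the upstream API TLS connections against it.` There is also a stray double space after `provider.json,` on the same line.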
@@ -126,26 +124,6 @@ go run ./cmd/menshen/main.go --verbose \
 --client-cert-url https://api.demo.bitmask.net:4430/3/cert
 ```
 
-#### *b) with ca-signed provider endpoints*
-
-Additional required parameters are `--client-cert-url` and an eip source (`--from-eip-file` or `--from-eip-url `).
-You can start menshen from a v3 eip-service file:
-
-```
-go run ./cmd/menshen/main.go --verbose \
---from-provider-json-file test/data/provider.json \
---from-eip-url https://api.demo.bitmask.net/3/config/eip-service.json \
---client-cert-url https://api.demo.bitmask.net/3/cert
-```
-
-Alternatively you can start menshen with a eip-service.json from an URL:    
-```
-go run ./cmd/menshen/main.go --verbose \
---from-provider-json-file test/data/provider.json \
---from-eip-file test/data/eip-service.json \
---client-cert-url https://api.demo.bitmask.net/3/cert
-```
-
 ##### **Note**: Replace `test/data/eip-service.json` and `test/data/provider.json` with the relevant configuration files, as they are just samples.
 
 ### by configuring for local cert generation
@@ -156,6 +134,7 @@ You can start menshen from a v3 eip-service file:
 ```
 go run ./cmd/menshen/main.go --verbose \
 --from-provider-json-file test/data/provider.json \
+--ca-file test/data/ca.crt
 --from-eip-file test/data/eip-service.json \
 --ovpn-ca-crt test/data/ovpn_client_ca.crt \
 --ovpn-ca-key test/data/ovpn_client_ca.key
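Review bot: The added `--ca-file test/data/ca.crt` line has no trailing backslash, so when this example is pasted the shell ends the `go run` command there and runs the remaining `--from-eip-file`, `--ovpn-ca-crt` and `--ovpn-ca-key` lines as separate, failing commands. Every other continued line in this example ends with `\`; the new line should too: `--ca-file test/data/ca.crt \`. It would also help to add `test/data/ca.crt` to the "Note" below about replacing the sample files, since a wrong CA here is what decides which upstream API menshen trusts.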
diff --git a/test/compose-files/docker-compose-remote-client-cert.yml b/test/compose-files/docker-compose-remote-client-cert.yml
deleted file mode 100644
index a8ea081..0000000
--- a/test/compose-files/docker-compose-remote-client-cert.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-services:
-  menshen:
-    build: ../../.
-    entrypoint: ["menshen"]
-    environment:
-      - MENSHEN_FROM_EIP_URL=https://api.${PROVIDER:-ft1.bitmask.net}/3/config/eip-service.json
-      - MENSHEN_CLIENT_CERT_URL=https://api.${PROVIDER:-ft1.bitmask.net}/3/cert
-      - MENSHEN_FROM_PROVIDER_JSON_FILE=/etc/leap/test/provider.json
-      - MENSHEN_DB_FILE=/tmp/sqlite.db
-      - MENSHEN_PORT=8443
-      - MENSHEN_ALLOW_GATEWAY_LIST=true
-      - MENSHEN_ALLOW_BRIDGE_LIST=true
-      - MENSHEN_AUTO_TLS=false
-      - MENSHEN_VERBOSE=false
-    network_mode: host
-    ports:
-      - "127.0.0.1:8443:8443/tcp"
-    volumes:
-      - "../data:/etc/leap/test"
-- 
GitLab