From fc3a64ac905c9366e91bb0f62a3b6cea7928adb2 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Sun, 31 Jan 2021 19:44:45 +0000
Subject: [PATCH] Disable API writes via cgimap when in readonly mode

---
 cookbooks/web/recipes/cgimap.rb | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/cookbooks/web/recipes/cgimap.rb b/cookbooks/web/recipes/cgimap.rb
index 009b0a6d7..3936c8500 100644
--- a/cookbooks/web/recipes/cgimap.rb
+++ b/cookbooks/web/recipes/cgimap.rb
@@ -31,20 +31,28 @@ database_host = node[:web][:readonly_database_host] || node[:web][:database_host
 
 memcached_servers = node[:web][:memcached_servers] || []
 
+cgimap_options = {
+  "CGIMAP_HOST" => database_host,
+  "CGIMAP_DBNAME" => "openstreetmap",
+  "CGIMAP_USERNAME" => "cgimap",
+  "CGIMAP_PASSWORD" => db_passwords["cgimap"],
+  "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
+  "CGIMAP_UPDATE_HOST" => node[:web][:database_host],
+  "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
+  "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
+  "CGIMAP_MEMCACHE" => memcached_servers.join(","),
+  "CGIMAP_RATELIMIT" => "204800",
+  "CGIMAP_MAXDEBT" => "250"
+}
+
+if %w[database_readonly api_readonly].include?(node[:web][:status])
+  cgimap_options["CGIMAP_DISABLE_API_WRITE"] = "true"
+end
+
 systemd_service "cgimap" do
   description "OpenStreetMap API Server"
   type "forking"
-  environment_file "CGIMAP_HOST" => database_host,
-                   "CGIMAP_DBNAME" => "openstreetmap",
-                   "CGIMAP_USERNAME" => "cgimap",
-                   "CGIMAP_PASSWORD" => db_passwords["cgimap"],
-                   "CGIMAP_OAUTH_HOST" => node[:web][:database_host],
-                   "CGIMAP_UPDATE_HOST" => node[:web][:database_host],
-                   "CGIMAP_PIDFILE" => "#{node[:web][:pid_directory]}/cgimap.pid",
-                   "CGIMAP_LOGFILE" => "#{node[:web][:log_directory]}/cgimap.log",
-                   "CGIMAP_MEMCACHE" => memcached_servers.join(","),
-                   "CGIMAP_RATELIMIT" => "204800",
-                   "CGIMAP_MAXDEBT" => "250"
+  environment_file cgimap_options
   user "rails"
   exec_start "/usr/bin/openstreetmap-cgimap --daemon --port 8000 --instances 30"
   exec_reload "/bin/kill -HUP $MAINPID"
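Review bot: The readonly gate `if %w[database_readonly api_readonly].include?(node[:web][:status])` fails open: a status outside that two-item list, whether a typo or a non-writable state added later, leaves `CGIMAP_DISABLE_API_WRITE` unset while `CGIMAP_UPDATE_HOST` still points at `node[:web][:database_host]`. The valid status values are not visible in this hunk, but if exactly one of them means fully writable, testing for that value and disabling writes in every other case would fail closed. Write protection also appears to rest on the deployed openstreetmap-cgimap honouring this variable, so a comment above the `if` would help, for example `# Relies on cgimap honouring CGIMAP_DISABLE_API_WRITE; CGIMAP_UPDATE_HOST stays configured in readonly mode`. The `systemd_service "cgimap"` block continues past the end of the hunk.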
-- 
2.39.5