#!/bin/bash
ENVIRONMENT=`cat /etc/bake-scripts/config.json | python -c 'import sys, json; print json.load(sys.stdin)["environment"]'`
SSL_TERM=/etc/httpd/conf.d/bbc-httpd-includes/https_vhost/custom/restrict_access.inc
if [ "$ENVIRONMENT" == "live" ]; then
cat > $SSL_TERM <<-EOF
<Location />
# Start the rewrite engine...
RewriteEngine on
# Match only a POST or PUT request (GETs are always allowed through, regardless of environment & user)
RewriteCond %{REQUEST_METHOD} POST|PUT
# Allow this as long as the CommonName on the cert matches "dev-news-jenkins-agents" or "news-jenkins-agents"
RewriteCond %{SSL:SSL_CLIENT_S_DN_CN} !^(dev-)?news-jenkins-agents$
# Match any route (.*) and don't redirect ("-") and then 403 ([F])
RewriteRule .* "-" [F]
</Location>
EOF
fi