Bug 1928350 - Let macOS 10.12 to 10.14 clients download ESR 115 (#397)

docker/initdb.d/02-data.sql

@@ -27,6 +27,9 @@ INSERT INTO `mirror_aliases` (`id`, `alias`, `related_product`) VALUES (13,'fire
 INSERT INTO `mirror_aliases` (`id`, `alias`, `related_product`) VALUES (14,'firefox-esr115-latest-ssl','Firefox-115.16.1esr-SSL');
 INSERT INTO `mirror_aliases` (`id`, `alias`, `related_product`) VALUES (15,'firefox-msi-latest-ssl','Firefox-131.0.3-msi-SSL');
 INSERT INTO `mirror_aliases` (`id`, `alias`, `related_product`) VALUES (16,'firefox-beta-msi-latest-ssl','Firefox-132.0b9-msi-SSL');
+INSERT INTO `mirror_aliases` (`id`, `alias`, `related_product`) VALUES (17,'firefox-esr115-pkg-latest-ssl','Firefox-115.16.1esr-pkg-SSL');
+INSERT INTO `mirror_aliases` (`id`, `alias`, `related_product`) VALUES (18,'firefox-esr-pkg-latest-ssl','Firefox-128.3.1esr-pkg-SSL');
+INSERT INTO `mirror_aliases` (`id`, `alias`, `related_product`) VALUES (19,'firefox-pkg-latest-ssl','Firefox-133.0-pkg-SSL');
 /*!40000 ALTER TABLE `mirror_aliases` ENABLE KEYS */;
 UNLOCK TABLES;
 
@@ -139,6 +142,11 @@ INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/f
 INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/firefox/nightly/latest-mozilla-central-l10n/firefox-135.0a1.:lang.linux-aarch64.tar.xz',6,6,79);
 INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/firefox/nightly/latest-mozilla-central-l10n/firefox-135.0a1.:lang.linux-aarch64.tar.xz',7,6,80);
 
+INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/firefox/releases/115.16.1esr/mac/:lang/Firefox%20115.16.1esr.dmg',20,2,81);
+INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/firefox/releases/115.16.1esr/mac/:lang/Firefox%20115.16.1esr.pkg',29,2,82);
+INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/firefox/releases/128.3.1esr/mac/:lang/Firefox%20128.3.1esr.dmg',24,2,83);
+INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/firefox/releases/128.3.1esr/mac/:lang/Firefox%20128.3.1esr.pkg',30,2,84);
+INSERT INTO `mirror_locations` (`path`, `product_id`, `os_id`, `id`) VALUES ('/firefox/releases/133.0/mac/:lang/Firefox%20133.0.pkg',31,2,85);
 /*!40000 ALTER TABLE `mirror_locations` ENABLE KEYS */;
 UNLOCK TABLES;
 
@@ -194,6 +202,9 @@ INSERT INTO `mirror_products` (`count`, `name`, `checknow`, `priority`, `active`
 INSERT INTO `mirror_products` (`count`, `name`, `checknow`, `priority`, `active`, `id`, `ssl_only`) VALUES (0,'Firefox-nightly-msi-latest-SSL',1,1,1,26,1);
 INSERT INTO `mirror_products` (`count`, `name`, `checknow`, `priority`, `active`, `id`, `ssl_only`) VALUES (0,'Firefox-115.16.1esr-msi-SSL',1,1,1,27,1);
 INSERT INTO `mirror_products` (`count`, `name`, `checknow`, `priority`, `active`, `id`, `ssl_only`) VALUES (0,'Thunderbird-131.0.1-SSL',1,1,1,28,1);
+INSERT INTO `mirror_products` (`count`, `name`, `checknow`, `priority`, `active`, `id`, `ssl_only`) VALUES (0,'Firefox-115.16.1esr-pkg-SSL',1,1,1,29,1);
+INSERT INTO `mirror_products` (`count`, `name`, `checknow`, `priority`, `active`, `id`, `ssl_only`) VALUES (0,'Firefox-128.3.1esr-pkg-SSL',1,1,1,30,1);
+INSERT INTO `mirror_products` (`count`, `name`, `checknow`, `priority`, `active`, `id`, `ssl_only`) VALUES (0,'Firefox-133.0-pkg-SSL',1,1,1,31,1);
 /*!40000 ALTER TABLE `mirror_products` ENABLE KEYS */;
 UNLOCK TABLES;
 

docker/nginx/default.conf

@@ -7,10 +7,10 @@ upstream upstream_bouncer {
 map $http_user_agent $ua_bucket {
     default "other";
 
-    "~*Windows (NT 5\.1|XP|NT 5\.2|NT 6\.0)" "winxp";
     "NSIS InetBgDL (Mozilla)" "pre2024stub";
     "~*Windows NT 6\.(1|2|3).+?(Win64|WOW64)" "win7x64";
     "~*Windows NT 6\.(1|2|3)" "win7";
+    "~*Macintosh; Intel Mac OS X 10[\._]1(2|3|4)" "oldmacos";
 }
 
 map $http_referer $referer_bucket {

handlers.go

@@ -31,12 +31,19 @@ var (
 	fxPartnerAlias = regexp.MustCompile(`^partner-firefox-release-([^-]*)-(.*)-latest$`)
 	// detects x64 clients
 	win64Regex = regexp.MustCompile(`Win64|WOW64`)
+	// detects macOS 10.12 to 10.14 clients. Note that we can't keep doing UA-based
+	// detection forever... https://bugzilla.mozilla.org/show_bug.cgi?id=1679929
+	osxRegexForESR115 = regexp.MustCompile(`Macintosh; Intel Mac OS X 10[\._]1(2|3|4)`)
 )
 
-func isUserAgentOnlyCompatibleWithESR115(userAgent string) bool {
+func isWindowsUserAgentOnlyCompatibleWithESR115(userAgent string) bool {
 	return windowsRegexForESR115.MatchString(userAgent)
 }
 
+func isMacOSUserAgentOnlyCompatibleWithESR115(userAgent string) bool {
+	return osxRegexForESR115.MatchString(userAgent)
+}
+
 func hasMozorgReferrer(referrer string) bool {
 	return mozorgRegex.MatchString(referrer)
 }
@@ -45,6 +52,31 @@ func isWin64UserAgent(userAgent string) bool {
 	return win64Regex.MatchString(userAgent)
 }
 
+func shouldReturnESR115(product, os, referrer, userAgent string) bool {
+	// We want to return ESR115 when the product is for Firefox
+	if !strings.HasPrefix(product, "firefox-") ||
+		// and the request doesn't come from mozilla.org
+		hasMozorgReferrer(referrer) ||
+		// and the product is _not_ a partial or complete update (MAR files)
+		strings.Contains(product, "-partial") ||
+		strings.Contains(product, "-complete") {
+		return false
+	}
+
+	if strings.HasPrefix(os, "win") {
+		// When the requested OS is Windows, we only return ESR115 for non-MSI
+		// builds, and only if the User-Agent says it's a Windows 7/8/8.1.
+		return !strings.Contains(product, "-msi") && isWindowsUserAgentOnlyCompatibleWithESR115(userAgent)
+	} else if os == "osx" {
+		// When the requested OS is macOS, we only return ESR115 for non-pkg
+		// builds, and only if the User-Agent says it's a macOS 10.12/10.13/10.14
+		// client.
+		return !strings.Contains(product, "-pkg") && isMacOSUserAgentOnlyCompatibleWithESR115(userAgent)
+	}
+
+	return false
+}
+
 // isPre2024StubUserAgent is used to detect stub installers that pin the
 // "DigiCert SHA2 Assured ID Code Signing CA" intermediate.
 func isPre2024StubUserAgent(userAgent string) bool {
@@ -308,22 +340,8 @@ func (b *BouncerHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	// We want to return ESR115 when... the product is for Firefox
-	shouldReturnESR115 := strings.HasPrefix(reqParams.Product, "firefox-") &&
-		// and the product is _not_ an MSI build
-		!strings.Contains(reqParams.Product, "-msi") &&
-		// and the product is _not_ a partial or complete update (MAR files)
-		!strings.Contains(reqParams.Product, "-partial") &&
-		!strings.Contains(reqParams.Product, "-complete") &&
-		// and the OS param specifies windows
-		strings.HasPrefix(reqParams.OS, "win") &&
-		// and the User-Agent says it's a Windows 7/8/8.1 client
-		isUserAgentOnlyCompatibleWithESR115(req.UserAgent()) &&
-		// and the request doesn't come from mozilla.org
-		!hasMozorgReferrer(reqParams.Referer)
-
 	// Send the latest compatible ESR product if we detect that this is the best option for the client.
-	if shouldReturnESR115 {
+	if shouldReturnESR115(reqParams.Product, reqParams.OS, reqParams.Referer, req.UserAgent()) {
 		// Override the OS if we detect a x64 client that attempts to get a stub installer.
 		if strings.Contains(reqParams.Product, "-stub") && isWin64UserAgent(req.UserAgent()) {
 			reqParams.OS = "win64"