foreman_dlm 0.1.0 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6d01a9afd6f4e70cd4d05bc1691faa86144c463cb69a46a20af4ce7365f7df66
-  data.tar.gz: 6d1a4884600efc752622be4452aa9ac694f57eaa70c3cbb27d6d6dd16d2c03fa
+  metadata.gz: 46b88d4ab255520440c5a8aeb4222e8ab62e167027ca0a833eaa03bf4ee32885
+  data.tar.gz: 9b953cde9907b2e7be6282aedbf44fad05d447f13d97e420c62ffd47a3ccf685
 SHA512:
-  metadata.gz: 834f7277d2779b95cef01c64a15a146f3c5c2ead8f2d808914d2b9b248d4f7b6702581a4b460994b9df0c46cc80b5a62d30f62969d3d91a7cb8cf407d963bec0
-  data.tar.gz: 384039584a5bb43567a14ec986db25a7295df791f5293b2809485063f096ba92bfc894350becfa5c1dc18022e29b3036b455ad295a07f82979b87e98d848403b
+  metadata.gz: 3f07de80a511db25bbfdc37d01726a611678b8be5c360c1020ad6ff3e69fdac0d269fe2312fbed24770d8ebec21f05148eb5d629ea69e8b6f2298597adfdea1f
+  data.tar.gz: 9ced134c94780300383e6096e968fdadf1035ac6323f053a0ffcffa8027c660447ce1fd49c830a9d9c103389c7412021e96243fe63e8581fbe743f314b8a605d

data/README.md

@@ -1,5 +1,7 @@
 # Foreman Distributed Lock Manager
 
+[<img src="https://opensourcelogos.aws.dmtech.cloud/dmTECH_opensource_logo%401x.svg" height="21" width="130">](https://www.dmtech.de/)
+
 This is a plugin for Foreman that allows Foreman to act as a distributed lock manager.
 Updates are key to security, but updates of an operating system are hard to apply and existing tools are hard to manage at scale. This might lead to a large drift between important security updates becoming available and all your hosts being successfully patched. Security experts recommend to install updates as soon as they come available. The ability to easily update software is the most effective way to improve server security. Automation is key to ensure this goal is reached.
 This plug-in aims to provide painless updates of the operating system. This keeps your company more secure and frees up resources of your operations team for more important tasks.
@@ -10,7 +12,9 @@ With this plugin servers can acquire a lock in Foreman to ensure only one server
 
 | Foreman Version | Plugin Version |
 | --------------- | -------------- |
-| >= 1.15         | any            |
+| >= 1.15         | ~> 0.1         |
+| >= 1.17         | ~> 1.0         |
+| >= 3.0          | ~> 2.0         |
 
 ## Installation
 
@@ -31,10 +35,17 @@ Use the HTTP method `GET` to show a lock, `PUT` to acquire a lock and `DELETE` t
 Foreman will respond with the HTTP status code `200 OK` if the action was successful and `412 Precondition Failed` if the lock could not be acquired or release. This may happen, if the lock is taken by another host.
 
 To process the HTTP status code in a bash script, you can do something like this:
+
 ```
 curl --write-out %{http_code} -H 'Content-Type: application/json' -sS -o /dev/null -X PUT --key $(puppet config print hostprivkey) --cert $(puppet config print hostcert) https://foreman.example.com/api/dlmlocks/test/lock
 ```
 
+## Client setup
+
+The Foreman plugin itself just provides a central lock manager. To setup automatic updates, you need to run a script on your clients that tries to acquire a lock in Foreman and takes care of the actual patching process.
+The `contrib/client` directory in this repo contains a basic script and systemd units that should allow you to get started.
+A [client counterpart](https://github.com/schlitzered/foreman_dlm_updater) written in Python has been developed by the community to make it easier to use this Foreman plug-in.
+
 ## Note about curl on macOS
 
 macOS uses curl with a different ssl library which gets problematic testing the cert-signed requests.
@@ -50,24 +61,26 @@ $ brew link curl --force
 ```
 
 After that `curl --version` changes from
+
 ```
 $ curl --version
 curl 7.54.0 (x86_64-apple-darwin16.0) libcurl/7.54.0 SecureTransport zlib/1.2.8
 ```
+
 to
+
 ```
 $ curl --version
 curl 7.56.1 (x86_64-apple-darwin16.7.0) libcurl/7.56.1 OpenSSL/1.0.2m zlib/1.2.8
 ```
 
-
 ## Contributing
 
 Fork and send a Pull Request. Thanks!
 
 ## Copyright
 
-Copyright (c) 2018 dm-drogerie markt GmbH & Co. KG, https://dm.de
+Copyright (c) 2018 dmTECH GmbH, [dmtech.de](https://www.dmtech.de/)
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -76,9 +89,8 @@ the Free Software Foundation, either version 3 of the License, or
 
 This program is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
+along with this program. If not, see <http://www.gnu.org/licenses/>.

data/app/controllers/api/v2/dlmlock_events_controller.rb

@@ -0,0 +1,42 @@
+module Api
+  module V2
+    class DlmlockEventsController < V2::BaseController
+      include Api::Version2
+
+      before_action :find_required_nested_object
+
+      api :GET, '/dlmlocks/:dlmlock_id/dlmlock_events', N_('List all events for a given DLM lock')
+      param :dlmlock_id, String, :desc => N_('ID of DLM lock')
+
+      def index
+        @events = resource_scope_for_index
+      end
+
+      def resource_class
+        ForemanDlm::DlmlockEvent
+      end
+
+      private
+
+      def action_permission
+        case params[:action]
+        when 'index'
+          :view
+        else
+          super
+        end
+      end
+
+      def allowed_nested_id
+        ['dlmlock_id']
+      end
+
+      def resource_class_for(resource)
+        return ForemanDlm::Dlmlock if resource == 'dlmlock'
+        return ForemanDlm::DlmlockEvent if resource == 'dlmlock_event'
+
+        super
+      end
+    end
+  end
+end

data/app/controllers/api/v2/dlmlocks_controller.rb

@@ -4,10 +4,12 @@ module Api
       include Api::Version2
       include Foreman::Controller::Parameters::Dlmlocks
       include ::ForemanDlm::FindHostByClientCert
+      include ::ForemanDlm::UpdateCheckinTime
 
-      wrap_parameters Dlmlock, :include => dlmlocks_params_filter.accessible_attributes(parameter_filter_context)
+      wrap_parameters ForemanDlm::Dlmlock, :include => dlmlocks_params_filter.accessible_attributes(parameter_filter_context)
 
       authorize_host_by_client_cert [:show, :release, :acquire]
+      update_host_checkin_time [:show, :release, :acquire]
 
       before_action :find_resource, :only => [:show, :update, :destroy]
       before_action :find_resource_or_create, :only => [:release, :acquire]
@@ -17,7 +19,7 @@ module Api
       def_param_group :dlmlock do
         param :dlmlock, Hash, :required => true, :action_aware => true do
           param :name, String, :required => true, :desc => N_('Name')
-          param :type, ['Dlmlock:Update'], :required => true, :desc => N_('Type, e.g. Dlmlock:Update')
+          param :type, ['ForemanDlm::Dlmlock:Update'], :required => true, :desc => N_('Type, e.g. ForemanDlm::Dlmlock:Update')
           param :enabled, :bool, :desc => N_('Enable the lock')
         end
       end
@@ -41,11 +43,11 @@ module Api
       param_group :dlmlock, :as => :create
 
       def create
-        @dlmlock = Dlmlock.new(dlmlocks_params)
+        @dlmlock = ForemanDlm::Dlmlock.new(dlmlocks_params)
         process_response @dlmlock.save
       end
 
-      api :PUT, "/dlmlocks/:id/", N_("Update a DLM lock")
+      api :PUT, '/dlmlocks/:id/', N_('Update a DLM lock')
       param :id, String, :required => true, :desc => N_('Id or name of the DLM lock')
       param_group :dlmlock
 
@@ -64,14 +66,14 @@ module Api
       param :id, String, :required => true, :desc => N_('Id or name of the DLM lock')
       error 200, 'Lock acquired successfully.'
       error 412, 'Lock could not be acquired.'
-      description <<-EOS
+      description <<-DOCS
         == Acquire a lock
         This action acquires a lock.
         It fails, if the lock is currently taken by another host.
 
         == Authentication & Host Identification
         The host is authenticated via a client certificate and identified via the CN of that certificate.
-        EOS
+      DOCS
 
       def acquire
         process_lock_response @dlmlock.acquire!(@host)
@@ -82,19 +84,23 @@ module Api
       error 200, 'Lock released successfully.'
       error 412, 'Lock could not be released.'
 
-      description <<-EOS
+      description <<-DOCS
         == Release a lock
          This action releases a lock.
          It fails, if the lock is currently taken by another host.
 
         == Authentication & Host Identification
          The host is authenticated via a client certificate and identified via the CN of that certificate.
-        EOS
+      DOCS
 
       def release
         process_lock_response @dlmlock.release!(@host)
       end
 
+      def resource_class
+        ForemanDlm::Dlmlock
+      end
+
       private
 
       def resource_finder(scope, id)
@@ -102,21 +108,22 @@ module Api
       rescue ActiveRecord::RecordNotFound
         result = scope.find_by(:name => id)
         raise ActiveRecord::RecordNotFound unless result
+
         result
       end
 
       def find_resource_or_create
         find_resource
       rescue ActiveRecord::RecordNotFound
-        @dlmlock = Dlmlock.create(:name => params[:id], :type => 'Dlmlock::Update')
+        @dlmlock = ForemanDlm::Dlmlock.create(:name => params[:id], :type => 'ForemanDlm::Dlmlock::Update')
       end
 
       def action_permission
         case params[:action]
-          when 'release', 'acquire'
-            :edit
-          else
-            super
+        when 'release', 'acquire'
+          :edit
+        else
+          super
         end
       end
 
@@ -125,9 +132,17 @@ module Api
         unless @host
           logger.info 'Denying access because no host could be detected.'
           if User.current
-            render_error 'access_denied', :status => :forbidden, :locals => { :details => 'You need to authenticate with a valid client cert. The DN has to match a known host.' }
+            render_error 'access_denied',
+                         :status => :forbidden,
+                         :locals => {
+                           :details => 'You need to authenticate with a valid client cert. The DN has to match a known host.'
+                         }
           else
-            render_error 'unauthorized', :status => :unauthorized, :locals => { :user_login => get_client_cert_hostname }
+            render_error 'unauthorized',
+                         :status => :unauthorized,
+                         :locals => {
+                           :user_login => get_client_cert_hostname
+                         }
           end
         end
         true
@@ -148,7 +163,7 @@ module Api
           deny_access
         else
           render_error 'precondition_failed', :status => :precondition_failed, :locals => {
-            :message => 'Precondition failed. Lock is in invalid state for this operation.',
+            :message => 'Precondition failed. Lock is in invalid state for this operation.'
           }
         end
       end

data/app/controllers/concerns/foreman_dlm/find_host_by_client_cert.rb

@@ -3,7 +3,7 @@ module ForemanDlm
     extend ActiveSupport::Concern
 
     module ClassMethods
-      def authorize_host_by_client_cert(actions, options = {})
+      def authorize_host_by_client_cert(actions, _options = {})
         skip_before_action :require_login, :only => actions, :raise => false
         skip_before_action :authorize, :only => actions
         skip_before_action :verify_authenticity_token, :only => actions
@@ -39,24 +39,18 @@ module ForemanDlm
 
       return unless hostname
 
-      host ||= Host::Base.find_by_certname(hostname) ||
-      Host::Base.find_by_name(hostname)
+      host ||= Host::Base.find_by(certname: hostname) ||
+               Host::Base.find_by(name: hostname)
       logger.info { "Found Host #{host} by client cert #{hostname}" } if host
       host
     end
 
     def get_client_cert_hostname
-      verify = request.env[Setting[:ssl_client_verify_env]]
-      unless verify == 'SUCCESS'
-        logger.info { "Client certificate is invalid: #{verify}" }
-        return
-      end
-
-      dn = request.env[Setting[:ssl_client_dn_env]]
-      return unless (dn && dn =~ /CN=([^\s\/,]+)/i)
+      client_certificate = Foreman::ClientCertificate.new(request: request)
+      return unless client_certificate.verified?
 
-      hostname = $1.downcase
-      logger.debug "Extracted hostname '#{hostname}' from client certificate."
+      hostname = client_certificate.subject
+      logger.debug "Extracted hostname '#{hostname}' from client certificate." if hostname
       hostname
     end
   end

data/app/controllers/concerns/foreman_dlm/find_host_by_ip.rb

@@ -3,7 +3,7 @@ module ForemanDlm
     extend ActiveSupport::Concern
 
     module ClassMethods
-      def authorize_host_by_ip(actions, options = {})
+      def authorize_host_by_ip(actions, _options = {})
         skip_before_action :require_login, :only => actions, :raise => false
         skip_before_action :authorize, :only => actions
         skip_before_action :verify_authenticity_token, :only => actions

data/app/controllers/concerns/foreman_dlm/update_checkin_time.rb

@@ -0,0 +1,22 @@
+module ForemanDlm
+  module UpdateCheckinTime
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def update_host_checkin_time(actions)
+        before_action(:only => actions) { update_detected_host_checkin_time }
+      end
+    end
+
+    private
+
+    # Updates the last_checkin timestamp of a user
+    def update_detected_host_checkin_time
+      return unless @detected_host
+
+      facet = @detected_host.dlm_facet || @detected_host.build_dlm_facet
+      facet.save unless facet.persisted?
+      facet.touch(:last_checkin_at)
+    end
+  end
+end

data/app/controllers/foreman_dlm/application_controller.rb

@@ -0,0 +1,19 @@
+module ForemanDlm
+  class ApplicationController < ::ApplicationController
+    def resource_class
+      self.class.to_s.sub(/Controller$/, '').singularize.constantize
+    end
+
+    def resource_name(resource = resource_class)
+      resource.name.split('::').last.downcase.singularize
+    end
+
+    def controller_name
+      "foreman_dlm_#{super}"
+    end
+
+    def controller_permission
+      super.sub(/^foreman_dlm_/, '')
+    end
+  end
+end

data/app/controllers/foreman_dlm/dlmlocks_controller.rb

@@ -0,0 +1,82 @@
+module ForemanDlm
+  class DlmlocksController < ::ForemanDlm::ApplicationController
+    include ::Foreman::Controller::AutoCompleteSearch
+
+    before_action :setup_search_options, :only => :index
+    before_action :find_resource, :only => [:show, :destroy, :release, :disable, :enable]
+
+    def index
+      @dlmlocks = resource_base_search_and_page(:host)
+    end
+
+    def show; end
+
+    def destroy
+      if @dlmlock.destroy
+        process_success(
+          :success_msg => _('Successfully deleted lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def release
+      if @dlmlock.update(host: nil)
+        process_success(
+          :success_msg => _('Successfully released lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def disable
+      if @dlmlock.disable!
+        process_success(
+          :success_msg => _('Successfully disabled lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def enable
+      if @dlmlock.enable!
+        process_success(
+          :success_msg => _('Successfully enabled lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def model_of_controller
+      ForemanDlm::Dlmlock
+    end
+
+    # see https://projects.theforeman.org/issues/25976
+    # can be removed for Foreman 1.22+
+    def auto_complete_controller_name
+      current_version = Gem::Version.new(Foreman::Version.new.notag)
+      return '/foreman_dlm/dlmlocks' if current_version >= Gem::Version.new('1.20') && current_version < Gem::Version.new('1.22')
+
+      controller_name
+    end
+
+    private
+
+    def action_permission
+      case params[:action]
+      when 'release', 'disable', 'enable'
+        :edit
+      else
+        super
+      end
+    end
+  end
+end

data/app/helpers/foreman_dlm/dlmlock_helper.rb

@@ -3,13 +3,46 @@ module ForemanDlm
     def dlmlock_status_icon_class(lock)
       return 'ban' if lock.disabled?
       return 'lock' if lock.taken?
+
       'unlock'
     end
 
     def dlmlock_status_icon_color_class(lock)
       return 'text-danger' if lock.disabled?
       return 'text-success' if lock.taken?
+
       'text-info'
     end
+
+    def dlmlock_actions(lock, authorizer)
+      actions = []
+
+      if lock.enabled?
+        actions << display_link_if_authorized(
+          _('Disable'),
+          hash_for_disable_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer),
+          method: :put
+        )
+      end
+
+      if lock.disabled?
+        actions << display_link_if_authorized(
+          _('Enable'),
+          hash_for_enable_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer),
+          method: :put
+        )
+      end
+
+      if lock.taken?
+        actions << display_link_if_authorized(
+          _('Release'),
+          hash_for_release_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer),
+          method: :put
+        )
+      end
+
+      actions << display_delete_if_authorized(hash_for_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer), class: 'delete')
+      actions
+    end
   end
 end

data/app/jobs/foreman_dlm/refresh_dlmlock_status.rb

@@ -0,0 +1,17 @@
+module ForemanDlm
+  class RefreshDlmlockStatus < ApplicationJob
+    queue_as :refresh_dlmlock_status_queue
+
+    def perform(host_ids)
+      Host::Managed.where(id: host_ids).each(&:refresh_dlmlock_status)
+    end
+
+    rescue_from(StandardError) do |error|
+      Foreman::Logging.exception('Failed to refresh Distributed Lock status', error, logger: 'background')
+    end
+
+    def humanized_name
+      _('Refresh Distributed Lock status')
+    end
+  end
+end

data/app/models/concerns/foreman_dlm/dlm_facet_host_extensions.rb

@@ -0,0 +1,13 @@
+module ForemanDlm
+  module DlmFacetHostExtensions
+    extend ActiveSupport::Concern
+
+    included do
+      has_one :dlm_facet, class_name: '::ForemanDlm::DlmFacet', foreign_key: :host_id, inverse_of: :host, dependent: :destroy
+
+      accepts_nested_attributes_for :dlm_facet, update_only: true, reject_if: ->(attrs) { attrs.values.compact.empty? }
+
+      scoped_search on: :last_checkin_at, relation: :dlm_facet, rename: :last_dlm_checkin_at, complete_value: true, only_explicit: true
+    end
+  end
+end

data/app/models/concerns/foreman_dlm/expirable.rb

@@ -0,0 +1,36 @@
+module ForemanDlm
+  module Expirable
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def expire(created_before:, batch_size:, sleep_time:)
+        created_before ||= 1.week
+        batch_size ||= 1000
+        sleep_time ||= 0.2
+
+        total_count = 0
+        event_ids = []
+
+        logger.info "Starting #{to_s.underscore.humanize.pluralize} expiration before #{created_before.ago} in batches of #{batch_size}"
+
+        start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+        loop do
+          event_ids = where(arel_table[:created_at].lt(created_before.ago)).reorder('').limit(batch_size).pluck(:id)
+
+          count = where(id: event_ids).reorder('').delete_all
+
+          total_count += count
+
+          break if event_ids.blank?
+
+          sleep sleep_time
+        end
+        duration = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time) / 60).to_i
+
+        logger.info "Total #{to_s.underscore.humanize.pluralize} expired: #{total_count}, duration: #{duration} min(s)"
+
+        total_count
+      end
+    end
+  end
+end

data/app/models/concerns/foreman_dlm/host_extensions.rb

@@ -4,11 +4,30 @@ module ForemanDlm
 
     included do
       has_many :dlmlocks,
-        foreign_key: 'host_id',
-        dependent: :nullify
+               class_name: 'ForemanDlm::Dlmlock',
+               foreign_key: 'host_id',
+               dependent: :nullify,
+               inverse_of: :host
+
+      has_many :dlmlock_events,
+               class_name: 'ForemanDlm::DlmlockEvent',
+               foreign_key: 'host_id',
+               dependent: :destroy,
+               inverse_of: :host
 
       define_model_callbacks :lock, :only => :after
       define_model_callbacks :unlock, :only => :after
     end
+
+    def can_acquire_update_locks?
+      param = host_param('can_acquire_update_locks')
+      return true if param.blank?
+
+      Foreman::Cast.to_bool(param)
+    end
+
+    def refresh_dlmlock_status
+      refresh_statuses([HostStatus::DlmlockStatus])
+    end
   end
 end

data/app/models/concerns/foreman_dlm/host_monitoring_extensions.rb

@@ -9,6 +9,7 @@ module ForemanDlm
 
     def add_lock_monitoring_downtime
       return unless monitored?
+
       logger.info "Setting Monitoring downtime for #{self}"
       monitoring.set_downtime_host(self, lock_monitoring_downtime_options)
       true
@@ -18,6 +19,7 @@ module ForemanDlm
 
     def remove_lock_monitoring_downtime
       return unless monitored?
+
       logger.info "Deleting Monitoring downtime for #{self}"
       monitoring.del_downtime_host(self, lock_monitoring_downtime_options)
       true

data/app/models/concerns/foreman_dlm/user_extensions.rb

@@ -0,0 +1,13 @@
+module ForemanDlm
+  module UserExtensions
+    extend ActiveSupport::Concern
+
+    included do
+      has_many :dlmlock_events,
+               class_name: 'ForemanDlm::DlmlockEvent',
+               foreign_key: 'user_id',
+               dependent: :nullify,
+               inverse_of: :user
+    end
+  end
+end

data/app/models/foreman_dlm/dlm_facet.rb

@@ -0,0 +1,7 @@
+module ForemanDlm
+  class DlmFacet < ApplicationRecord
+    include Facets::Base
+
+    validates :host, presence: true, allow_blank: false
+  end
+end

data/app/models/foreman_dlm/dlmlock/update.rb

@@ -0,0 +1,9 @@
+module ForemanDlm
+  class Dlmlock
+    class Update < Dlmlock
+      def humanized_type
+        _('Update Lock')
+      end
+    end
+  end
+end