foreman_dlm 1.0.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a0b972d0b154b81592615546f153d32893af3647364ea66f1e0ab5826884f02e
-  data.tar.gz: 38ee0b23847863b293adaed2e15c9dcdb6883eec9b512d3c308ae0f7dee88615
+  metadata.gz: 5be1f946127eae4cab43fdd6ec4337fc1b3980ed40de368aa895c89f0714c459
+  data.tar.gz: 3f9df625f01d5c1bc64f36628388a5de2e1a38f84aac3f00be0a36c9b33a75f3
 SHA512:
-  metadata.gz: 15549c3c5366a7217fb5ed65f87528f711527698e2a6ecdcefe7330a9e3a02d34a2f4c04fb5400632ab4a79ffab503d75dfbdc9d364d351b8d68e1e443c6dc81
-  data.tar.gz: 5f5036aa09ed8ff7e72313352c1bc83a3e8eba76448524305cb4bfda5a49c05c119a080b0168a16a296bbe9ddc1d49b9397c08b0e124ca397ad3ecf4a79fe9b1
+  metadata.gz: 752c99cf8b373c6aec85803c3bd8c16104bdb50cee490138da55dcf1e924174f27121308f3a319b9632c97843b2e8f69277fc6900f881a8159b2679d6bdacbbf
+  data.tar.gz: 9b4d6b7903914234db467d42d44e33dd3d78126a3219a15b221e5a9080e84881e249b64f6fd506440fa3eb509d00e12eb3d5526445ab8bf455a0e7a5d57042e6

data/README.md

@@ -1,5 +1,7 @@
 # Foreman Distributed Lock Manager
 
+[<img src="https://opensourcelogos.aws.dmtech.cloud/dmTECH_opensource_logo%401x.svg" height="21" width="130">](https://www.dmtech.de/)
+
 This is a plugin for Foreman that allows Foreman to act as a distributed lock manager.
 Updates are key to security, but updates of an operating system are hard to apply and existing tools are hard to manage at scale. This might lead to a large drift between important security updates becoming available and all your hosts being successfully patched. Security experts recommend to install updates as soon as they come available. The ability to easily update software is the most effective way to improve server security. Automation is key to ensure this goal is reached.
 This plug-in aims to provide painless updates of the operating system. This keeps your company more secure and frees up resources of your operations team for more important tasks.
@@ -36,6 +38,12 @@ To process the HTTP status code in a bash script, you can do something like this
 curl --write-out %{http_code} -H 'Content-Type: application/json' -sS -o /dev/null -X PUT --key $(puppet config print hostprivkey) --cert $(puppet config print hostcert) https://foreman.example.com/api/dlmlocks/test/lock
 ```
 
+## Client setup
+
+The Foreman plugin itself just provides a central lock manager. To setup automatic updates, you need to run a script on your clients that tries to acquire a lock in Foreman and takes care of the actual patching process.
+The `contrib/client` directory in this repo contains a basic script and systemd units that should allow you to get started.
+A [client counterpart](https://github.com/schlitzered/foreman_dlm_updater) written in Python has been developed by the community to make it easier to use this Foreman plug-in.
+
 ## Note about curl on macOS
 
 macOS uses curl with a different ssl library which gets problematic testing the cert-signed requests.
@@ -68,7 +76,7 @@ Fork and send a Pull Request. Thanks!
 
 ## Copyright
 
-Copyright (c) 2018 dm-drogerie markt GmbH & Co. KG, https://dm.de
+Copyright (c) 2018 dmTECH GmbH, [dmtech.de](https://www.dmtech.de/)
 
 This program is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by

data/app/controllers/api/v2/dlmlock_events_controller.rb

@@ -0,0 +1,41 @@
+module Api
+  module V2
+    class DlmlockEventsController < V2::BaseController
+      include Api::Version2
+
+      before_action :find_required_nested_object
+
+      api :GET, '/dlmlocks/:dlmlock_id/dlmlock_events', N_('List all events for a given DLM lock')
+      param :dlmlock_id, String, :desc => N_('ID of DLM lock')
+
+      def index
+        @events = resource_scope_for_index
+      end
+
+      def resource_class
+        ForemanDlm::DlmlockEvent
+      end
+
+      private
+
+      def action_permission
+        case params[:action]
+        when 'index'
+          :view
+        else
+          super
+        end
+      end
+
+      def allowed_nested_id
+        ['dlmlock_id']
+      end
+
+      def resource_class_for(resource)
+        return ForemanDlm::Dlmlock if resource == 'dlmlock'
+        return ForemanDlm::DlmlockEvent if resource == 'dlmlock_event'
+        super
+      end
+    end
+  end
+end

data/app/controllers/api/v2/dlmlocks_controller.rb

@@ -4,10 +4,12 @@ module Api
       include Api::Version2
       include Foreman::Controller::Parameters::Dlmlocks
       include ::ForemanDlm::FindHostByClientCert
+      include ::ForemanDlm::UpdateCheckinTime
 
-      wrap_parameters Dlmlock, :include => dlmlocks_params_filter.accessible_attributes(parameter_filter_context)
+      wrap_parameters ForemanDlm::Dlmlock, :include => dlmlocks_params_filter.accessible_attributes(parameter_filter_context)
 
       authorize_host_by_client_cert [:show, :release, :acquire]
+      update_host_checkin_time [:show, :release, :acquire]
 
       before_action :find_resource, :only => [:show, :update, :destroy]
       before_action :find_resource_or_create, :only => [:release, :acquire]
@@ -17,7 +19,7 @@ module Api
       def_param_group :dlmlock do
         param :dlmlock, Hash, :required => true, :action_aware => true do
           param :name, String, :required => true, :desc => N_('Name')
-          param :type, ['Dlmlock:Update'], :required => true, :desc => N_('Type, e.g. Dlmlock:Update')
+          param :type, ['ForemanDlm::Dlmlock:Update'], :required => true, :desc => N_('Type, e.g. ForemanDlm::Dlmlock:Update')
           param :enabled, :bool, :desc => N_('Enable the lock')
         end
       end
@@ -41,7 +43,7 @@ module Api
       param_group :dlmlock, :as => :create
 
       def create
-        @dlmlock = Dlmlock.new(dlmlocks_params)
+        @dlmlock = ForemanDlm::Dlmlock.new(dlmlocks_params)
         process_response @dlmlock.save
       end
 
@@ -95,6 +97,10 @@ module Api
         process_lock_response @dlmlock.release!(@host)
       end
 
+      def resource_class
+        ForemanDlm::Dlmlock
+      end
+
       private
 
       def resource_finder(scope, id)
@@ -108,7 +114,7 @@ module Api
       def find_resource_or_create
         find_resource
       rescue ActiveRecord::RecordNotFound
-        @dlmlock = Dlmlock.create(:name => params[:id], :type => 'Dlmlock::Update')
+        @dlmlock = ForemanDlm::Dlmlock.create(:name => params[:id], :type => 'ForemanDlm::Dlmlock::Update')
       end
 
       def action_permission

data/app/controllers/concerns/foreman_dlm/update_checkin_time.rb

@@ -0,0 +1,21 @@
+module ForemanDlm
+  module UpdateCheckinTime
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def update_host_checkin_time(actions)
+        before_action(:only => actions) { update_detected_host_checkin_time }
+      end
+    end
+
+    private
+
+    # Updates the last_checkin timestamp of a user
+    def update_detected_host_checkin_time
+      return unless @detected_host
+      facet = @detected_host.dlm_facet || @detected_host.build_dlm_facet
+      facet.save unless facet.persisted?
+      facet.touch(:last_checkin_at)
+    end
+  end
+end

data/app/controllers/foreman_dlm/application_controller.rb

@@ -0,0 +1,19 @@
+module ForemanDlm
+  class ApplicationController < ::ApplicationController
+    def resource_class
+      self.class.to_s.sub(/Controller$/, '').singularize.constantize
+    end
+
+    def resource_name(resource = resource_class)
+      resource.name.split('::').last.downcase.singularize
+    end
+
+    def controller_name
+      "foreman_dlm_#{super}"
+    end
+
+    def controller_permission
+      super.sub(/^foreman_dlm_/, '')
+    end
+  end
+end

data/app/controllers/foreman_dlm/dlmlocks_controller.rb

@@ -0,0 +1,73 @@
+module ForemanDlm
+  class DlmlocksController < ::ForemanDlm::ApplicationController
+    include ::Foreman::Controller::AutoCompleteSearch
+
+    before_action :setup_search_options, :only => :index
+    before_action :find_resource, :only => [:show, :destroy, :release, :disable, :enable]
+
+    def index
+      @dlmlocks = resource_base_search_and_page(:host)
+    end
+
+    def show; end
+
+    def destroy
+      if @dlmlock.destroy
+        process_success(
+          :success_msg => _('Successfully deleted lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def release
+      if @dlmlock.update(host: nil)
+        process_success(
+          :success_msg => _('Successfully released lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def disable
+      if @dlmlock.disable!
+        process_success(
+          :success_msg => _('Successfully disabled lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def enable
+      if @dlmlock.enable!
+        process_success(
+          :success_msg => _('Successfully enabled lock.'),
+          :success_redirect => foreman_dlm_dlmlocks_path
+        )
+      else
+        process_error
+      end
+    end
+
+    def model_of_controller
+      ForemanDlm::Dlmlock
+    end
+
+    private
+
+    def action_permission
+      case params[:action]
+      when 'release', 'disable', 'enable'
+        :edit
+      else
+        super
+      end
+    end
+  end
+end

data/app/helpers/foreman_dlm/dlmlock_helper.rb

@@ -11,5 +11,36 @@ module ForemanDlm
       return 'text-success' if lock.taken?
       'text-info'
     end
+
+    def dlmlock_actions(lock, authorizer)
+      actions = []
+
+      if lock.enabled?
+        actions << display_link_if_authorized(
+          _('Disable'),
+          hash_for_disable_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer),
+          method: :put
+        )
+      end
+
+      if lock.disabled?
+        actions << display_link_if_authorized(
+          _('Enable'),
+          hash_for_enable_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer),
+          method: :put
+        )
+      end
+
+      if lock.taken?
+        actions << display_link_if_authorized(
+          _('Release'),
+          hash_for_release_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer),
+          method: :put
+        )
+      end
+
+      actions << display_delete_if_authorized(hash_for_foreman_dlm_dlmlock_path(:id => lock.to_param).merge(auth_object: lock, authorizer: authorizer), class: 'delete')
+      actions
+    end
   end
 end

data/app/jobs/foreman_dlm/refresh_dlmlock_status.rb

@@ -0,0 +1,17 @@
+module ForemanDlm
+  class RefreshDlmlockStatus < ApplicationJob
+    queue_as :refresh_dlmlock_status_queue
+
+    def perform(host_ids)
+      Host::Managed.where(id: host_ids).each(&:refresh_dlmlock_status)
+    end
+
+    rescue_from(StandardError) do |error|
+      Foreman::Logging.exception('Failed to refresh Distributed Lock status', error, logger: 'background')
+    end
+
+    def humanized_name
+      _('Refresh Distributed Lock status')
+    end
+  end
+end

data/app/models/concerns/foreman_dlm/dlm_facet_host_extensions.rb

@@ -0,0 +1,13 @@
+module ForemanDlm
+  module DlmFacetHostExtensions
+    extend ActiveSupport::Concern
+
+    included do
+      has_one :dlm_facet, class_name: '::ForemanDlm::DlmFacet', foreign_key: :host_id, inverse_of: :host, dependent: :destroy
+
+      accepts_nested_attributes_for :dlm_facet, update_only: true, reject_if: ->(attrs) { attrs.values.compact.empty? }
+
+      scoped_search on: :last_checkin_at, relation: :dlm_facet, rename: :last_dlm_checkin_at, complete_value: true, only_explicit: true
+    end
+  end
+end

data/app/models/concerns/foreman_dlm/expirable.rb

@@ -0,0 +1,35 @@
+module ForemanDlm
+  module Expirable
+    extend ActiveSupport::Concern
+
+    module ClassMethods
+      def expire(created_before:, batch_size:, sleep_time:)
+        created_before ||= 1.week
+        batch_size ||= 1000
+        sleep_time ||= 0.2
+
+        total_count = 0
+        event_ids = []
+
+        logger.info "Starting #{to_s.underscore.humanize.pluralize} expiration before #{created_before.ago} in batches of #{batch_size}"
+
+        start_time = Process.clock_gettime(Process::CLOCK_MONOTONIC)
+        loop do
+          event_ids = where(arel_table[:created_at].lt(created_before.ago)).reorder('').limit(batch_size).pluck(:id)
+
+          count = where(id: event_ids).reorder('').delete_all
+
+          total_count += count
+
+          break if event_ids.blank?
+          sleep sleep_time
+        end
+        duration = ((Process.clock_gettime(Process::CLOCK_MONOTONIC) - start_time) / 60).to_i
+
+        logger.info "Total #{to_s.underscore.humanize.pluralize} expired: #{total_count}, duration: #{duration} min(s)"
+
+        total_count
+      end
+    end
+  end
+end

data/app/models/concerns/foreman_dlm/host_extensions.rb

@@ -4,12 +4,23 @@ module ForemanDlm
 
     included do
       has_many :dlmlocks,
+               class_name: 'ForemanDlm::Dlmlock',
                foreign_key: 'host_id',
                dependent: :nullify,
                inverse_of: :host
 
+      has_many :dlmlock_events,
+               class_name: 'ForemanDlm::DlmlockEvent',
+               foreign_key: 'host_id',
+               dependent: :destroy,
+               inverse_of: :host
+
       define_model_callbacks :lock, :only => :after
       define_model_callbacks :unlock, :only => :after
     end
+
+    def refresh_dlmlock_status
+      refresh_statuses([HostStatus::DlmlockStatus])
+    end
   end
 end

data/app/models/concerns/foreman_dlm/user_extensions.rb

@@ -0,0 +1,13 @@
+module ForemanDlm
+  module UserExtensions
+    extend ActiveSupport::Concern
+
+    included do
+      has_many :dlmlock_events,
+               class_name: 'ForemanDlm::DlmlockEvent',
+               foreign_key: 'user_id',
+               dependent: :nullify,
+               inverse_of: :user
+    end
+  end
+end

data/app/models/foreman_dlm/dlm_facet.rb

@@ -0,0 +1,7 @@
+module ForemanDlm
+  class DlmFacet < ApplicationRecord
+    include Facets::Base
+
+    validates :host, presence: true, allow_blank: false
+  end
+end

data/app/models/foreman_dlm/dlmlock.rb

@@ -0,0 +1,136 @@
+module ForemanDlm
+  class Dlmlock < ApplicationRecord
+    include Authorizable
+
+    def self.humanize_class_name
+      N_('Distributed Lock')
+    end
+
+    def self.dlm_stale_time
+      (Setting::General[:dlm_stale_time] || 4).hours
+    end
+
+    belongs_to_host
+
+    has_many :dlmlock_events,
+             class_name: '::ForemanDlm::DlmlockEvent',
+             foreign_key: 'dlmlock_id',
+             dependent: :destroy,
+             inverse_of: :dlmlock
+
+    validates :name, presence: true, uniqueness: true
+
+    after_save :log_enable_or_disable_event, if: -> { saved_change_to_enabled? }
+    after_save :log_release_and_acquire_events, if: -> { saved_change_to_host_id? }
+
+    def log_enable_or_disable_event
+      event_type = enabled ? :enable : :disable
+      log_event(host, event_type)
+    end
+
+    def log_release_and_acquire_events
+      old_host_id = saved_changes[:host_id].first
+      old_host = Host.find_by(id: old_host_id) if old_host_id
+      log_event(old_host, :release) if old_host
+      log_event(host, :acquire) if host
+    end
+
+    scope :locked,  -> { where.not(host_id: nil) }
+    scope :stale,   -> { locked.where('updated_at < ?', Time.now.utc - dlm_stale_time) }
+
+    scoped_search :on => :name, :complete_value => true, :default_order => true
+    scoped_search :relation => :host, :on => :name, :complete_value => true, :rename => :host
+    scoped_search :on => :type, :complete_value => true, :default_order => true
+    scoped_search :on => :enabled, :complete_value => { :true => true, :false => false }, :only_explicit => true
+
+    attr_accessor :old
+
+    def acquire!(host)
+      result = atomic_update(nil, host)
+      ForemanDlm::RefreshDlmlockStatus.set(wait: self.class.dlm_stale_time).perform_later([host.id]) if result
+      result
+    end
+
+    def release!(host)
+      atomic_update(host, nil)
+    end
+
+    def enable!
+      update(enabled: true)
+    end
+
+    def disable!
+      update(enabled: false)
+    end
+
+    def locked_by?(host)
+      self.host == host
+    end
+    alias acquired_by? locked_by?
+
+    def disabled?
+      !enabled?
+    end
+
+    def locked?
+      host.present?
+    end
+    alias taken? locked?
+
+    def humanized_type
+      _('Generic Lock')
+    end
+
+    private
+
+    def atomic_update(old_host, new_host)
+      changes = { host_id: new_host.try(:id) }
+      self.old = dup
+
+      query = {
+        id: id,
+        host_id: [new_host.try(:id), old_host.try(:id)],
+        enabled: true
+      }
+
+      updated = self.class.where(query).update(changes.merge(updated_at: Time.now.utc))
+
+      unless updated.count.zero?
+        reload
+        process_host_change(old_host, new_host)
+        [old_host, new_host].compact.each(&:refresh_dlmlock_status)
+        return true
+      end
+
+      log_event(host, :fail)
+
+      false
+    end
+
+    def process_host_change(old_host, new_host)
+      return if host.try(:id) == old.host.try(:id)
+
+      run_callback(old_host, :unlock) if old.host
+
+      return unless host
+
+      run_callback(new_host, :lock)
+    end
+
+    def log_event(host, event_type)
+      DlmlockEvent.create!(
+        dlmlock: self,
+        event_type: event_type,
+        host: host,
+        user: User.current
+      )
+    end
+
+    def run_callback(h, callback)
+      h.run_callbacks callback do
+        logger.debug { "custom hook after_#{callback} on #{h} will be executed if defined." }
+        true
+      end
+    end
+  end
+end