foreman_maintain 1.8.2 → 1.9.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: a042b3f0cd480eab2e674abcbd5aecb247943b481bad114e31376610a3b785d0
-  data.tar.gz: 16e74a0e82caffb11d5d0363046bfa5120afab203ce1d88ad88a4311f664e1f4
+  metadata.gz: 73708bb032234b95b2f4e43e6a754f4edd5a10b5fab5b0fe48e025e97c07b045
+  data.tar.gz: 804e89098c9776b9eaabbe8ddbf25b42fadafca9180bfaaafcc1e2ad19a68cbd
 SHA512:
-  metadata.gz: 7bcc01a88e2f8bebb549a83af6d0b1f33a714a76925dc51ee48a2a979611e7d8fc47ed91b162ce97bd004360f9bb8cef7499c34160283e539e63e8b7f4b8315f
-  data.tar.gz: 4e056e25de905cb6bb98da55c10dc1c1a57b99de6ed39b13241c4d09d7e2ca8cbaacaf6a44153ccd0f9675f432cda32ed9cb617399c3258940b0569898b12448
+  metadata.gz: 7436f734603158c084a33422808590fc4de98432ecf44d64106c58d625c7356e015d9fba968dd89c72aff8974364bbcd2493e7f74d99e079be59489df4a00714
+  data.tar.gz: d24586355b6f3bd785d8222ee93443712c4de0ce14a0dff53705b029e9a1bf0ab83db582cbce0ccf0da9e603edd5f030c259220d814a466faa20e78e40ef09fd

data/definitions/checks/check_sha1_certificate_authority.rb

@@ -0,0 +1,29 @@
+class Checks::CheckSha1CertificateAuthority < ForemanMaintain::Check
+  metadata do
+    label :check_sha1_certificate_authority
+    description 'Check if server certificate authority is sha1 signed'
+
+    confine do
+      feature(:katello) || feature(:foreman_proxy)
+    end
+
+    do_not_whitelist
+  end
+
+  def run
+    installer_answers = feature(:installer).answers
+    server_ca = installer_answers['certs']['server_ca_cert']
+
+    return unless server_ca
+
+    certificate = OpenSSL::X509::Certificate.new(File.read(server_ca))
+
+    msg = <<~MSG
+      Server CA certificate signed with sha1 which will break on upgrade.
+      Update the server CA certificate with one signed with sha256 or
+      stronger then proceed with the upgrade.
+    MSG
+
+    assert(certificate.signature_algorithm != 'sha1WithRSAEncryption', msg)
+  end
+end

data/definitions/checks/foreman/check_external_db_evr_permissions.rb

@@ -0,0 +1,61 @@
+module Checks
+  module Foreman
+    class CheckExternalDbEvrPermissions < ForemanMaintain::Check
+      metadata do
+        label :external_db_evr_permissions
+        for_feature :foreman_database
+        description 'Check that external databases have proper EVR extension permissions'
+        tags :pre_upgrade
+        confine do
+          feature(:foreman_database) && !feature(:foreman_database).local? && feature(:katello)
+        end
+      end
+
+      def run
+        return true unless evr_exists?
+
+        error_msg = 'The evr extension is not owned by the foreman database owner. ' \
+              'Please run the following command on the external foreman database to fix it: ' \
+              'UPDATE pg_extension SET extowner = (SELECT oid FROM pg_authid WHERE ' \
+              "rolname='#{foreman_db_user}') WHERE extname='evr';"
+        fail!(error_msg) unless foreman_owns_evr?
+      end
+
+      private
+
+      def foreman_db_user
+        feature(:foreman_database).configuration['username'] || 'foreman'
+      end
+
+      def evr_exists?
+        evr_exists = feature(:foreman_database).query(query_for_evr_existence)
+        return false if evr_exists.empty?
+        return evr_exists.first['evr_exists'] == '1'
+      end
+
+      def foreman_owns_evr?
+        evr_owned_by_postgres = feature(:foreman_database).query(query_if_postgres_owns_evr)
+        unless evr_owned_by_postgres.empty?
+          return evr_owned_by_postgres.first['evr_owned_by_postgres'] == '0'
+        end
+        failure_msg = 'Could not determine if the evr extension is owned by the ' \
+                'foreman database owner. Check that the foreman database is accessible ' \
+                "and that the database connection configuration is up to date."
+        fail!(failure_msg)
+      end
+
+      def query_for_evr_existence
+        <<-SQL
+          SELECT 1 AS evr_exists FROM pg_extension WHERE extname = 'evr'
+        SQL
+      end
+
+      def query_if_postgres_owns_evr
+        <<-SQL
+          SELECT CASE WHEN r.rolname = '#{foreman_db_user}' THEN 0 ELSE 1 END AS evr_owned_by_postgres
+          FROM pg_extension e JOIN pg_roles r ON e.extowner = r.oid WHERE e.extname = 'evr'
+        SQL
+      end
+    end
+  end
+end

data/definitions/features/pulpcore.rb

@@ -25,7 +25,14 @@ class Features::Pulpcore < ForemanMaintain::Feature
   end
 
   def running_tasks
-    cli('task list --state-in running --state-in canceling')
+    tasks = cli('task list --state-in running --state-in canceling')
+    # cli() uses parse_json() which swallows JSON::ParserError and returns nil
+    # but running_tasks should return an Array
+    if tasks.nil?
+      []
+    else
+      tasks
+    end
   rescue ForemanMaintain::Error::ExecutionError
     []
   end

data/definitions/scenarios/foreman_upgrade.rb

@@ -40,6 +40,7 @@ module Scenarios::Foreman
         Checks::Disk::AvailableSpaceCandlepin, # if candlepin
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::Foreman::ValidateExternalDbVersion, # if external database
+        Checks::Foreman::CheckExternalDbEvrPermissions, # if external database
         Checks::Foreman::CheckCorruptedRoles,
         Checks::Foreman::CheckDuplicatePermissions,
         Checks::Foreman::TuningRequirements, # if katello present
@@ -53,6 +54,7 @@ module Scenarios::Foreman
         Checks::PackageManager::Dnf::ValidateDnfConfig,
         Checks::Repositories::CheckNonRhRepository,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate
       )
     end

data/definitions/scenarios/satellite_upgrade.rb

@@ -39,6 +39,7 @@ module Scenarios::Satellite
         Checks::Disk::AvailableSpace,
         Checks::Disk::AvailableSpaceCandlepin, # if candlepin
         Checks::Foreman::ValidateExternalDbVersion, # if external database
+        Checks::Foreman::CheckExternalDbEvrPermissions, # if external database
         Checks::Foreman::CheckCorruptedRoles,
         Checks::Foreman::CheckDuplicatePermissions,
         Checks::Foreman::TuningRequirements, # if katello present
@@ -54,6 +55,7 @@ module Scenarios::Satellite
         Checks::CheckIpv6Disable,
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate.new(:version => target_version),
       )
     end

data/lib/foreman_maintain/version.rb

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.8.2'.freeze
+  VERSION = '1.9.1'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.8.2
+  version: 1.9.1
 platform: ruby
 authors:
 - Ivan Nečas
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-13 00:00:00.000000000 Z
+date: 2024-12-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -161,6 +161,7 @@ files:
 - definitions/checks/candlepin/db_up.rb
 - definitions/checks/check_hotfix_installed.rb
 - definitions/checks/check_ipv6_disable.rb
+- definitions/checks/check_sha1_certificate_authority.rb
 - definitions/checks/check_tmout.rb
 - definitions/checks/disk/available_space.rb
 - definitions/checks/disk/available_space_candlepin.rb
@@ -169,6 +170,7 @@ files:
 - definitions/checks/env_proxy.rb
 - definitions/checks/foreman/check_corrupted_roles.rb
 - definitions/checks/foreman/check_duplicate_permission.rb
+- definitions/checks/foreman/check_external_db_evr_permissions.rb
 - definitions/checks/foreman/check_puppet_capsules.rb
 - definitions/checks/foreman/check_tuning_requirements.rb
 - definitions/checks/foreman/db_up.rb
@@ -409,7 +411,7 @@ homepage: https://github.com/theforeman/foreman_maintain
 licenses:
 - GPL-3.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -428,7 +430,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.27
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Foreman maintenance tool belt
 test_files: []