foreman_maintain 1.9.0 → 1.9.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9209b1f3f4a9910f6a635cd5876edbb3f9fa59e1381e532ae4961e18627fe638
-  data.tar.gz: 8a7f2e3ba17c629eea5535f86b94bb1be409620d520da3c0d96c61c1aea5009f
+  metadata.gz: 353f969fb5c1563fa146f6f5cca6a9a5c0a42e22564aa6e26d0d5d2b58d1b943
+  data.tar.gz: b9f71f13a94ffef3cf8b338faf4d43f5aa053c58f84327713581c2f8b8bc6fa8
 SHA512:
-  metadata.gz: 97e0f20269bc3b480bc429e91d7d119520ea4592162362f75efd42e9a4bc71200f4d13ff07b7103185200293826a3d887db265f99a2b7c94c385bd94a2eab352
-  data.tar.gz: de0dce8771c46602be6124a04a58b935529c051b2efb7d7f38fc8b5dd25e7b0d2203580335eb9038f2e6b21b79e0dab87a361e38ba173cb6f936bcfcd7378beb
+  metadata.gz: 81316471839fc3ac86ecc96edccecdf4b6475bdd908ab79c1d55eba6d07a8bad0e75aaa83a440449fc8bf357e1c93df87e0d5f45f4211ba602172be9fde31bd4
+  data.tar.gz: ae7ae727511fe75f9c517de28a93c66231c5e6e2a362541f769a5d99c364f4b49f9bf80b178b1def23fd6f4d83596fdc0d83e06e89540a17d0751bc838347797

data/definitions/checks/check_sha1_certificate_authority.rb

@@ -0,0 +1,49 @@
+class Checks::CheckSha1CertificateAuthority < ForemanMaintain::Check
+  metadata do
+    label :check_sha1_certificate_authority
+    description 'Check if server certificate authority is sha1 signed'
+
+    confine do
+      feature(:katello) || feature(:foreman_proxy)
+    end
+
+    do_not_whitelist
+  end
+
+  def run
+    installer_answers = feature(:installer).answers
+    server_ca = installer_answers['certs']['server_ca_cert']
+
+    return unless server_ca
+
+    begin
+      certificates = load_fullchain(server_ca)
+    rescue OpenSSL::X509::CertificateError => e
+      assert(false, "Error reading server CA certificate #{server_ca}.\n #{e.message}")
+    else
+      msg = <<~MSG
+        Server CA certificate #{server_ca} signed with sha1 which will break on upgrade.
+        Update the server CA certificate with one signed with sha256 or
+        stronger then proceed with the upgrade.
+      MSG
+
+      assert(
+        certificates.all? { |cert| cert.signature_algorithm != 'sha1WithRSAEncryption' },
+        msg
+      )
+    end
+  end
+
+  def load_fullchain(bundle_pem)
+    if OpenSSL::X509::Certificate.respond_to?(:load_file)
+      OpenSSL::X509::Certificate.load_file(bundle_pem)
+    else
+      # Can be removed when only Ruby with load_file support is supported
+      File.binread(bundle_pem).
+        lines.
+        slice_after(/^-----END CERTIFICATE-----/).
+        filter { |pem| pem.join.include?('-----END CERTIFICATE-----') }.
+        map { |pem| OpenSSL::X509::Certificate.new(pem.join) }
+    end
+  end
+end

data/definitions/checks/disk/postgresql_mountpoint.rb

@@ -0,0 +1,35 @@
+module Checks
+  module Disk
+    class PostgresqlMountpoint < ForemanMaintain::Check
+      metadata do
+        label :postgresql_mountpoint
+        description 'Check to make sure PostgreSQL data is not on an own mountpoint'
+        confine do
+          feature(:instance).postgresql_local? && ForemanMaintain.el?
+        end
+      end
+
+      def run
+        assert(psql_dir_device == psql_data_dir_device, warning_message)
+      end
+
+      def psql_dir_device
+        device = ForemanMaintain::Utils::Disk::Device.new('/var/lib/pgsql')
+        device.name
+      end
+
+      def psql_data_dir_device
+        device = ForemanMaintain::Utils::Disk::Device.new('/var/lib/pgsql/data')
+        device.name
+      end
+
+      def warning_message
+        <<~MSG
+          PostgreSQL data (/var/lib/pgsql/data) is on a different device than /var/lib/pgsql.
+          This is not supported and breaks PostgreSQL upgrades.
+          Please ensure PostgreSQL data is on the same mountpoint as the /var/lib/pgsql.
+        MSG
+      end
+    end
+  end
+end

data/definitions/features/pulpcore.rb

@@ -25,7 +25,14 @@ class Features::Pulpcore < ForemanMaintain::Feature
   end
 
   def running_tasks
-    cli('task list --state-in running --state-in canceling')
+    tasks = cli('task list --state-in running --state-in canceling')
+    # cli() uses parse_json() which swallows JSON::ParserError and returns nil
+    # but running_tasks should return an Array
+    if tasks.nil?
+      []
+    else
+      tasks
+    end
   rescue ForemanMaintain::Error::ExecutionError
     []
   end

data/definitions/scenarios/foreman_upgrade.rb

@@ -39,6 +39,7 @@ module Scenarios::Foreman
         Checks::Disk::AvailableSpace,
         Checks::Disk::AvailableSpaceCandlepin, # if candlepin
         Checks::Disk::AvailableSpacePostgresql13,
+        Checks::Disk::PostgresqlMountpoint,
         Checks::Foreman::ValidateExternalDbVersion, # if external database
         Checks::Foreman::CheckExternalDbEvrPermissions, # if external database
         Checks::Foreman::CheckCorruptedRoles,
@@ -54,6 +55,7 @@ module Scenarios::Foreman
         Checks::PackageManager::Dnf::ValidateDnfConfig,
         Checks::Repositories::CheckNonRhRepository,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate
       )
     end

data/definitions/scenarios/satellite_upgrade.rb

@@ -38,6 +38,7 @@ module Scenarios::Satellite
         Checks::CheckUpstreamRepository,
         Checks::Disk::AvailableSpace,
         Checks::Disk::AvailableSpaceCandlepin, # if candlepin
+        Checks::Disk::PostgresqlMountpoint,
         Checks::Foreman::ValidateExternalDbVersion, # if external database
         Checks::Foreman::CheckExternalDbEvrPermissions, # if external database
         Checks::Foreman::CheckCorruptedRoles,
@@ -55,6 +56,7 @@ module Scenarios::Satellite
         Checks::CheckIpv6Disable,
         Checks::Disk::AvailableSpacePostgresql13,
         Checks::CheckOrganizationContentAccessMode,
+        Checks::CheckSha1CertificateAuthority,
         Checks::Repositories::Validate.new(:version => target_version),
       )
     end

data/lib/foreman_maintain/version.rb

@@ -1,3 +1,3 @@
 module ForemanMaintain
-  VERSION = '1.9.0'.freeze
+  VERSION = '1.9.2'.freeze
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_maintain
 version: !ruby/object:Gem::Version
-  version: 1.9.0
+  version: 1.9.2
 platform: ruby
 authors:
 - Ivan Nečas
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-25 00:00:00.000000000 Z
+date: 2025-01-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: clamp
@@ -161,11 +161,13 @@ files:
 - definitions/checks/candlepin/db_up.rb
 - definitions/checks/check_hotfix_installed.rb
 - definitions/checks/check_ipv6_disable.rb
+- definitions/checks/check_sha1_certificate_authority.rb
 - definitions/checks/check_tmout.rb
 - definitions/checks/disk/available_space.rb
 - definitions/checks/disk/available_space_candlepin.rb
 - definitions/checks/disk/available_space_postgresql13.rb
 - definitions/checks/disk/performance.rb
+- definitions/checks/disk/postgresql_mountpoint.rb
 - definitions/checks/env_proxy.rb
 - definitions/checks/foreman/check_corrupted_roles.rb
 - definitions/checks/foreman/check_duplicate_permission.rb
@@ -410,7 +412,7 @@ homepage: https://github.com/theforeman/foreman_maintain
 licenses:
 - GPL-3.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -429,7 +431,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubygems_version: 3.3.27
-signing_key: 
+signing_key:
 specification_version: 4
 summary: Foreman maintenance tool belt
 test_files: []