foreman_remote_execution 1.7.1 → 1.8.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d41d1cca071fdfacdc4d90bccc1ad8fe601cd11dfbe7fa24336b162f814820e2
-  data.tar.gz: 396b3d87bb864f6697dc641efd0b242af8b52148d339d33a05ce47ddf84a107f
+  metadata.gz: 4869e54ee272ae8778eadddd9c3f6304269d924c9d44c42a5f9253ab611eae3a
+  data.tar.gz: ee709617e65b2cb1490c4881517083c48baa138b680ad2afd080936b6c06f19a
 SHA512:
-  metadata.gz: 70c95de572058c181a0eca7c3bd63b36844bcccc7f6e494ed5670713d3b232c2135547b3ca8fb85252bea16f1a055822dd988dcb8d109b193ceef8dda4886f2f
-  data.tar.gz: 722424c91de10100b3f47c3f21a4a3e18aebf1cad5916a98c0d2f92a420cb372149586e8e034b39f325197be4687f56ee8bab3c7a444f1a305301aa522b9761f
+  metadata.gz: f57be80e767108908fdd729bd05c640f541ef027d97d571a5ce9377d46a93fa9d32f0e326106f770086cd8d394efbfaa3790c486f1d90b34a437ec4a77b08331
+  data.tar.gz: cf423d9c36a3469e627644256f1e0da661cb4ea69393eae8119b15af347b5500fdafb939a94fb9b4ca326359d8578b985b136b7320ea5c367f45f91cea903224

data/app/controllers/cockpit_controller.rb

@@ -0,0 +1,34 @@
+class CockpitController < ApplicationController
+  before_action :find_resource, :only => [:host_ssh_params]
+
+  def host_ssh_params
+    render :json => SSHExecutionProvider.ssh_params(@host)
+  end
+
+  def redirect
+    return invalid_request unless params[:redirect_uri]
+    redir_url = URI.parse(params[:redirect_uri])
+
+    cockpit_url = SSHExecutionProvider.cockpit_url_for_host('')
+    redir_url.query = if redir_url.hostname == URI.join(Setting[:foreman_url], cockpit_url).hostname
+                        "access_token=#{request.session_options[:id]}"
+                      else
+                        "error_description=Sorry"
+                      end
+    redirect_to(redir_url.to_s)
+  end
+
+  private
+
+  def resource_name
+    "host"
+  end
+
+  def controller_permission
+    :hosts
+  end
+
+  def action_permission
+    :cockpit
+  end
+end

data/app/helpers/concerns/foreman_remote_execution/hosts_helper_extensions.rb

@@ -20,9 +20,17 @@ module ForemanRemoteExecution
       link_to(_('Schedule Remote Job'), new_job_invocation_path(:host_ids => [args.first.id]), :id => :run_button, :class => 'btn btn-default')
     end
 
+    def web_console_button(host, *args)
+      return unless authorized_for(permission: 'cockpit_hosts', auth_object: host)
+      url = SSHExecutionProvider.cockpit_url_for_host(host.name)
+      url ? link_to(_('Web Console'), url, :class => 'btn btn-default') : nil
+    end
+
     def host_title_actions(*args)
-      title_actions(button_group(schedule_job_multi_button(*args)))
+      title_actions(button_group(schedule_job_multi_button(*args)),
+                    button_group(web_console_button(*args)))
       super(*args)
     end
   end
+
 end

data/app/models/setting/remote_execution.rb

@@ -1,6 +1,6 @@
 class Setting::RemoteExecution < Setting
 
-  ::Setting::BLANK_ATTRS.concat %w{remote_execution_ssh_password remote_execution_ssh_key_passphrase remote_execution_sudo_password}
+  ::Setting::BLANK_ATTRS.concat %w{remote_execution_ssh_password remote_execution_ssh_key_passphrase remote_execution_sudo_password remote_execution_cockpit_url}
 
   # rubocop:disable Metrics/MethodLength,Metrics/AbcSize
   def self.load_defaults
@@ -67,7 +67,12 @@ class Setting::RemoteExecution < Setting
         self.set('remote_execution_cleanup_working_dirs',
                  N_('When enabled, working directories will be removed after task completion. You may override this per host by setting a parameter called remote_execution_cleanup_working_dirs.'),
                  true,
-                 N_('Cleanup working directories'))
+                 N_('Cleanup working directories')),
+        self.set('remote_execution_cockpit_url',
+                 N_('Where to find the Cockpit instance for the Web Console button.  By default, no button is shown.'),
+                 nil,
+                 N_('Cockpit URL'),
+                 nil)
       ].each { |s| self.create! s.update(:category => 'Setting::RemoteExecution') }
     end
 

data/app/models/ssh_execution_provider.rb

@@ -29,6 +29,23 @@ class SSHExecutionProvider < RemoteExecutionProvider
       'ssh'
     end
 
+    def ssh_params(host)
+      proxy_selector = ::RemoteExecutionProxySelector.new
+      proxy = proxy_selector.determine_proxy(host, 'SSH')
+      {
+        :hostname => find_ip_or_hostname(host),
+        :proxy => proxy.class == Symbol ? proxy : proxy.url,
+        :ssh_user => ssh_user(host),
+        :ssh_port => ssh_port(host),
+        :ssh_password => ssh_password(host),
+        :ssh_key_passphrase => ssh_key_passphrase(host)
+      }
+    end
+
+    def cockpit_url_for_host(host)
+      Setting[:remote_execution_cockpit_url] % { :host => host } if Setting[:remote_execution_cockpit_url].present?
+    end
+
     private
 
     def ssh_user(host)

data/app/views/job_templates/edit.html.erb

@@ -1,4 +1,3 @@
-<%= javascript 'lookup_keys' %>
 <%= javascript 'foreman_remote_execution/template_input' %>
 
 <%= breadcrumbs(

data/app/views/job_templates/index.html.erb

@@ -1,5 +1,4 @@
 <%= javascript 'foreman_remote_execution/job_templates' %>
-<%= javascript 'lookup_keys' %>
 <%= javascript 'foreman_remote_execution/template_input' %>
 
 <% title _("Job Templates") %>

data/app/views/job_templates/new.html.erb

@@ -1,4 +1,3 @@
-<%= javascript 'lookup_keys' %>
 <%= javascript 'foreman_remote_execution/template_input' %>
 
 <% title _("New Job Template") %>

data/config/routes.rb

@@ -38,6 +38,11 @@ Rails.application.routes.draw do
     end
   end
 
+  constraints(:id => %r{[^/]+}) do
+    get 'cockpit/host_ssh_params/:id', to: 'cockpit#host_ssh_params'
+  end
+  get 'cockpit/redirect', to: 'cockpit#redirect'
+
   namespace :api, :defaults => {:format => 'json'} do
     scope '(:apiv)', :module => :v2, :defaults => {:apiv => 'v2'}, :apiv => /v1|v2/, :constraints => ApiConstraints.new(:version => 2, :default => true) do
       resources :job_invocations, :except => [:new, :edit, :update, :destroy] do

data/extra/cockpit/foreman-cockpit-session

@@ -0,0 +1,303 @@
+#!/usr/bin/env ruby
+
+require "logger"
+require "json"
+require "net/https"
+require "yaml"
+
+# Logging
+
+LOG = Logger.new($stderr)
+LOG.formatter = proc { | severity, datetime, progname, msg | "#{severity}: #{msg}\n" }
+
+def safe_log(format_string, data = nil)
+  if data.is_a? Hash
+    data = data.dup
+    data.each do |key, _|
+      if key.to_s =~ /password|passphrase/
+        data[key] = '*******'
+      end
+    end
+  end
+  format_string % [data]
+end
+
+# Settings
+
+def read_settings
+  settings_path = ENV["FOREMAN_COCKPIT_SETTINGS"] || "/etc/foreman-cockpit/settings.yml"
+  settings = YAML.load(File.read(settings_path))
+  LOG.level = Logger.const_get(settings.fetch(:log_level, "INFO"))
+  LOG.info("Running foreman-cockpit-session with settings from #{settings_path}:\n#{settings.inspect}")
+  settings
+end
+
+# Cockpit protocol, encoding and decoding of control messages.
+
+def send_control(msg)
+  text = JSON.dump(msg)
+  LOG.debug("Sending control message #{text}")
+  $stdout.write("#{text.length+1}\n\n#{text}")
+  $stdout.flush
+end
+
+def read_control
+  size = $stdin.readline.chomp.to_i
+  raise ArgumentError, "Invalid frame: invalid size" if size.zero?
+  data = $stdin.read(size)
+  LOG.debug("Received control message #{data.lstrip}")
+  raise ArgumentError, "Invalid frame: too short" if data == nil || data.length < size
+  JSON.parse(data)
+end
+
+# Specific control messages
+
+def send_auth_challenge(challenge)
+  send_control({ "command" => "authorize",
+                 "cookie" => "1234", # must be present, but value doesn't matter
+                 "challenge" => challenge
+               })
+end
+
+def send_auth_response(response)
+  send_control({ "command" => "authorize",
+                 "response" => response
+               })
+end
+
+def read_auth_reply
+  cmd = read_control()
+  response = cmd["response"]
+  raise ArgumentError, "Did not receive a valid authorize command" if cmd["command"] != "authorize" || !response
+  response
+end
+
+def exit_with_problem(problem, message, auth_methods)
+  LOG.error("#{problem} - #{message}")
+  send_control({ "command" => "init",
+                 "problem" => problem,
+                 "message" => message,
+                 "auth-method-results" => auth_methods
+               })
+  exit 1
+end
+
+# Talking to Foreman
+
+def get_token_from_auth_data(auth_data)
+  auth_data.split(" ")[1]
+end
+
+def foreman_call(path, token)
+  foreman = SETTINGS[:foreman_url] || "https://localhost/"
+  uri = URI(foreman + "/" + path)
+
+  LOG.debug("Foreman request GET #{uri}")
+
+  http = Net::HTTP.new(uri.hostname, uri.port)
+  if uri.scheme == "https"
+    http.use_ssl = true
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    http.ca_file = SETTINGS[:ssl_ca_file]
+  end
+
+  req = Net::HTTP::Get.new(uri)
+  req["Cookie"] = "_session_id=#{token}"
+  res = http.request(req)
+
+  LOG.debug do
+    body = JSON.parse(res.body) rescue res.body
+    safe_log("Foreman response #{res.code} - %s", body)
+  end
+
+  case res.code
+  when "200"
+    return JSON.parse(res.body)
+  when "401"
+    exit_with_problem("authentication-failed",
+                      "Token was not valid",
+                      { "password" => "not-tried", "token" => "denied" })
+  when "404"
+    return nil
+  else
+    LOG.error("Error talking to foreman: #{res.body}\n")
+    exit 1
+  end
+end
+
+# SSH via the smart proxy
+
+def ssh_write_request_header(url, sock, params)
+  data = JSON.dump(params) + "\r\n"
+  sock.write("POST /ssh/session HTTP/1.1\r\nHost: #{url.host}:#{url.port}\r\nConnection: upgrade\r\nUpgrade: raw\r\nContent-Length: #{data.length}\r\n\r\n#{data}")
+  sock.flush
+end
+
+def ssh_read_and_handle_response_header(sock, url, params)
+  header = ""
+  loop do
+    line = sock.readline
+    break unless line and line != "\r\n"
+    header += line
+  end
+
+  status_line, headers_text = header.split("\r\n", 2)
+  status = status_line.split(" ")[1]
+  if status != "101"
+    m = /^Content-Length:[ \t]*([0-9]+)\r?$/i.match(headers_text)
+    if m
+      expected_len = m[1].to_i
+    else
+      expected_len = -1
+    end
+    response = ""
+    while expected_len < 0 || response.length < expected_len
+      begin
+        response += sock.readpartial(4096)
+      rescue EOFError
+        break
+      end
+    end
+    if status == "404"
+      exit_with_problem("access-denied", "The proxy #{url.hostname} does not support web console sessions", nil)
+    elsif status[0] == "4"
+      if response.include? "cockpit-bridge: command not found"
+        exit_with_problem("access-denied", "#{params["hostname"]} has no web console", nil)
+      else
+        exit_with_problem("access-denied", response, nil)
+      end
+    else
+      LOG.error("Error talking to smart proxy: #{response}\n")
+      exit 1
+    end
+  end
+end
+
+def ssh_read_sock(sock)
+  data = ""
+  begin
+    loop do
+      data += sock.read_nonblock(4096)
+    end
+  rescue IO::WaitReadable
+    data
+  rescue IO::WaitWritable
+    # This might happen with SSL during a renegotiation.  Block a
+    # bit to get it over with.
+    IO.select(nil, [sock])
+    retry
+  end
+  data
+end
+
+def ssh_write_sock(sock, data)
+  begin
+    sock.write_nonblock(data)
+  rescue IO::WaitWritable
+    0
+  rescue IO::WaitReadable
+    # This might happen with SSL during a renegotiation.  Block a
+    # bit to get it over with.
+    IO.select([sock])
+    retry
+  end
+end
+
+def ssh_with_proxy(proxy, params)
+  url = URI(proxy)
+  LOG.debug("Connecting to proxy at #{url}")
+  raw_sock = TCPSocket.open(url.hostname, url.port)
+  if url.scheme == 'https'
+    ssl_context = OpenSSL::SSL::SSLContext.new()
+    ssl_context.cert = OpenSSL::X509::Certificate.new(File.read(SETTINGS[:ssl_certificate]))
+    ssl_context.key = OpenSSL::PKey.read(File.read(SETTINGS[:ssl_private_key]))
+    sock = OpenSSL::SSL::SSLSocket.new(raw_sock, ssl_context)
+    sock.sync_close = true
+    sock.connect
+  else
+    sock = raw_sock
+  end
+
+  ssh_write_request_header(url, sock, params)
+  ssh_read_and_handle_response_header(sock, url, params)
+
+  inp_buf = ""
+  out_buf = ssh_read_sock(sock)
+
+  ws_eof = false
+  bridge_eof = false
+
+  loop do
+    readers = [ ]
+    writers = [ ]
+
+    readers += [ $stdin ] unless ws_eof
+    readers += [ sock ] unless bridge_eof
+    writers += [ $stdout ] unless out_buf == ""
+    writers += [ sock ] unless inp_buf == ""
+
+    break if readers.length + writers.length == 0
+
+    r, w, x = IO.select(readers, writers)
+
+    if r.include?(sock)
+      begin
+        out_buf += ssh_read_sock(sock)
+      rescue EOFError
+        bridge_eof = true
+        break if out_buf == ""
+      end
+    end
+
+    if w.include?(sock)
+      begin
+        n = ssh_write_sock(sock, inp_buf)
+        inp_buf = inp_buf[n..-1]
+        raw_sock.close_write() if inp_buf == "" and ws_eof
+      end
+    end
+
+    if r.include?($stdin)
+      begin
+        inp_buf += $stdin.readpartial(4096)
+      rescue EOFError
+        ws_eof = true
+        raw_sock.close_write() if inp_buf == ""
+      end
+    end
+
+    if w.include?($stdout)
+      n = $stdout.write(out_buf)
+      $stdout.flush()
+      out_buf = out_buf[n..-1]
+      break if out_buf == "" and bridge_eof
+    end
+
+  end
+end
+
+# Main
+
+SETTINGS = read_settings
+
+host = ARGV[0]
+
+send_auth_challenge("*")
+token = get_token_from_auth_data(read_auth_reply())
+
+params = foreman_call("cockpit/host_ssh_params/#{host}", token)
+exit_with_problem("access-denied", "Host #{host} is not known", nil) unless params
+
+LOG.debug(safe_log("SSH parameters %s", params))
+
+params["command"] = "cockpit-bridge"
+case params["proxy"]
+when "not_available"
+  exit_with_problem("access-denied", "A proxy is required to reach #{host} but all of them are down", nil)
+when "not_defined"
+  exit_with_problem("access-denied", "A proxy is required to reach #{host} but none has been configured", nil)
+when "direct"
+  exit_with_problem("access-denied", "Web console sessions require a proxy but none has been configured", nil)
+else
+  ssh_with_proxy(params["proxy"], params)
+end

data/extra/cockpit/settings.yml.example

@@ -0,0 +1,8 @@
+:foreman_url: http://localhost:3000/
+
+# :log_level: INFO
+
+# Certificates used to call to external proxies
+# :ssl_ca_file: /path/to/certs/cacert.pem
+# :ssl_certificate: /path/to/certs/cert.pem
+# :ssl_private_key: /path/to/certs/key.pem

data/lib/foreman_remote_execution/engine.rb

@@ -66,6 +66,7 @@ module ForemanRemoteExecution
           # this permissions grants user to get auto completion hints when setting up filters
           permission :filter_autocompletion_for_template_invocation, { :template_invocations => [ :auto_complete_search, :index ] },
                      :resource_type => 'TemplateInvocation'
+          permission :cockpit_hosts, { 'cockpit' => [:redirect, :host_ssh_params] }, :resource_type => 'Host'
         end
 
         USER_PERMISSIONS = [

data/lib/foreman_remote_execution/version.rb

@@ -1,3 +1,3 @@
 module ForemanRemoteExecution
-  VERSION = '1.7.1'.freeze
+  VERSION = '1.8.0'.freeze
 end

data/test/functional/cockpit_controller_test.rb

@@ -0,0 +1,17 @@
+require 'test_plugin_helper'
+
+class CockpitControllerTest < ActionController::TestCase
+  def setup
+    Setting::RemoteExecution.load_defaults
+    as_admin do
+      @host = FactoryBot.create(:host)
+    end
+  end
+
+  test "should get host_ssh_params" do
+    get :host_ssh_params, params: { id: @host.id }, session: set_session_user
+    assert_response :success
+    response = ActiveSupport::JSON.decode(@response.body)
+    assert response.key?('ssh_user'), 'ssh_params response must include ssh_user'
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: foreman_remote_execution
 version: !ruby/object:Gem::Version
-  version: 1.7.1
+  version: 1.8.0
 platform: ruby
 authors:
 - Foreman Remote Execution team
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-04-11 00:00:00.000000000 Z
+date: 2019-05-21 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: deface
@@ -155,6 +155,7 @@ files:
 - app/controllers/api/v2/job_templates_controller.rb
 - app/controllers/api/v2/remote_execution_features_controller.rb
 - app/controllers/api/v2/template_invocations_controller.rb
+- app/controllers/cockpit_controller.rb
 - app/controllers/concerns/foreman/controller/parameters/foreign_input_set.rb
 - app/controllers/concerns/foreman/controller/parameters/job_template.rb
 - app/controllers/concerns/foreman/controller/parameters/remote_execution_feature.rb
@@ -329,6 +330,8 @@ files:
 - db/seeds.d/60-ssh_proxy_feature.rb
 - db/seeds.d/70-job_templates.rb
 - db/seeds.d/90-bookmarks.rb
+- extra/cockpit/foreman-cockpit-session
+- extra/cockpit/settings.yml.example
 - foreman_remote_execution.gemspec
 - lib/foreman_remote_execution.rb
 - lib/foreman_remote_execution/engine.rb
@@ -369,6 +372,7 @@ files:
 - test/functional/api/v2/job_templates_controller_test.rb
 - test/functional/api/v2/remote_execution_features_controller_test.rb
 - test/functional/api/v2/template_invocations_controller_test.rb
+- test/functional/cockpit_controller_test.rb
 - test/functional/job_invocations_controller_test.rb
 - test/functional/job_templates_controller_test.rb
 - test/helpers/remote_execution_helper_test.rb
@@ -420,7 +424,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.3
+rubygems_version: 2.7.6
 signing_key: 
 specification_version: 4
 summary: A plugin bringing remote execution to the Foreman, completing the config
@@ -434,6 +438,7 @@ test_files:
 - test/functional/api/v2/job_templates_controller_test.rb
 - test/functional/api/v2/remote_execution_features_controller_test.rb
 - test/functional/api/v2/template_invocations_controller_test.rb
+- test/functional/cockpit_controller_test.rb
 - test/functional/job_invocations_controller_test.rb
 - test/functional/job_templates_controller_test.rb
 - test/helpers/remote_execution_helper_test.rb