foreman_remote_execution 4.7.0 → 5.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 742978171c8d62de9fdf9e14b2be742235dc1cce90c0c522871d65a90ee1f612
-  data.tar.gz: caae67492773457e26461ae6e39addec2cc1b105bf387a9cf0dbfc667ad25102
+  metadata.gz: 831ec5aca2ec4aaa3df1229f7addd9a968c7c49b0fc49a15253e33d2ab0f5689
+  data.tar.gz: 07a4f17f0d4d694c4b927291ee8e55dafd839cf902a9ef06c79b227fdf65760f
 SHA512:
-  metadata.gz: e40d5600dbe09f3ea875179a3ac44a4046ffd8615efe5c88f364828e7bd21b24d2d2a7f5f8ea09954f2f00056bc6d867efc22f7b82b0189de766f225101ae896
-  data.tar.gz: 6875df7248f14be5a915f7b3001cd6d4a50476f84824b0118747d4ba7b2993b977cf85cfe5f9cdde8706b2d2cb4fea20c1770988405adebf09683cc966ba9e70
+  metadata.gz: 75fd11cfe45b5223a2427561c0859c39f19923535283fa919927af9b4ffd67ea56a4c9b791632e73c72c4dff1946f2e1046cb10a1f84ed7dae0e686daff2d90d
+  data.tar.gz: 03557c309e25a902c0def6e7575ad74a02e724482da823b4580f4bbe9b80358eadb2e0781b832f45a2e9101196447edf887476fa79782a3d6ee125640dccd92a

data/.rubocop_todo.yml

@@ -220,6 +220,7 @@ Naming/FileName:
     - 'db/seeds.d/60-ssh_proxy_feature.rb'
     - 'db/seeds.d/70-job_templates.rb'
     - 'db/seeds.d/90-bookmarks.rb'
+    - 'db/seeds.d/95-mail_notifications.rb'
 
 # Offense count: 1
 # Configuration parameters: ForbiddenDelimiters.

data/Gemfile

@@ -2,4 +2,4 @@ source 'http://rubygems.org'
 
 gemspec :name => 'foreman_remote_execution'
 
-gem 'theforeman-rubocop', '~> 0.1.0.pre'
+gem 'theforeman-rubocop', '~> 0.1.1'

data/app/controllers/api/v2/job_invocations_controller.rb

@@ -41,12 +41,18 @@ module Api
             param :effective_user, String,
               :required => false,
               :desc => N_('What user should be used to run the script (using sudo-like mechanisms). Defaults to a template parameter or global setting.')
+            param :effective_user_password, String,
+              :required => false,
+              :desc => N_('Set password for effective user (using sudo-like mechanisms)')
           end
+          param :password, String, :required => false, :desc => N_('Set SSH password')
+          param :key_passphrase, String, :required => false, :desc => N_('Set SSH key passphrase')
 
           param :recurrence, Hash, :desc => N_('Create a recurring job') do
             param :cron_line, String, :required => false, :desc => N_('How often the job should occur, in the cron format')
             param :max_iteration, :number, :required => false, :desc => N_('Repeat a maximum of N times')
             param :end_time, DateTime, :required => false, :desc => N_('Perform no more executions after this time')
+            param :purpose, String, :required => false, :desc => N_('Designation of a special purpose')
           end
 
           param :scheduling, Hash, :desc => N_('Schedule the job to start at a later time') do
@@ -162,6 +168,15 @@ module Api
         render :json => { :outputs => outputs }
       end
 
+      def resource_name(resource = controller_name)
+        case resource
+        when 'organization', 'location'
+          nil
+        else
+          'job_invocation'
+        end
+      end
+
       private
 
       def allowed_nested_id
@@ -197,7 +212,7 @@ module Api
         end
 
         if job_invocation_params.key?(:ssh)
-          job_invocation_params.merge!(job_invocation_params.delete(:ssh).permit(:effective_user))
+          job_invocation_params.merge!(job_invocation_params.delete(:ssh).permit(:effective_user, :effective_user_password))
         end
 
         job_invocation_params[:inputs] ||= {}

data/app/controllers/ui_job_wizard_controller.rb

@@ -1,11 +1,12 @@
-class UiJobWizardController < ::Api::V2::BaseController
+class UiJobWizardController < ApplicationController
+  include FiltersHelper
   def categories
     job_categories = resource_scope
                      .search_for("job_category ~ \"#{params[:search]}\"")
                      .select(:job_category).distinct
                      .reorder(:job_category)
                      .pluck(:job_category)
-    render :json => {:job_categories =>job_categories}
+    render :json => {:job_categories =>job_categories, :with_katello => with_katello}
   end
 
   def template
@@ -19,12 +20,16 @@ class UiJobWizardController < ::Api::V2::BaseController
     }
   end
 
+  def map_template_inputs(template_inputs_with_foreign)
+    template_inputs_with_foreign.map { |input| input.attributes.merge({:resource_type_tableize => input.resource_type&.tableize }) }
+  end
+
   def resource_name(nested_resource = nil)
     nested_resource || 'job_template'
   end
 
-  def map_template_inputs(template_inputs_with_foreign)
-    template_inputs_with_foreign.map { |input| input.attributes.merge({:resource_type => input.resource_type&.tableize }) }
+  def with_katello
+    !!defined?(::Katello)
   end
 
   def resource_class
@@ -34,4 +39,11 @@ class UiJobWizardController < ::Api::V2::BaseController
   def action_permission
     :view_job_templates
   end
+
+  def resources
+    resource_type = params[:resource]
+    resource_list = resource_type.constantize.authorized("view_#{resource_type.underscore.pluralize}").all.map { |r| {:name => r.to_s, :id => r.id } }.select { |v| v[:name] =~ /#{params[:name]}/ }
+    render :json => { :results =>
+      resource_list.sort_by { |r| r[:name] }.take(100), :subtotal => resource_list.count}
+  end
 end

data/app/graphql/mutations/job_invocations/create.rb

@@ -0,0 +1,43 @@
+module Mutations
+  module JobInvocations
+    class Create < ::Mutations::CreateMutation
+      description 'Create a new job invocation'
+      graphql_name 'CreateJobInvocationMutation'
+
+      argument :job_invocation, ::Types::JobInvocationInput, required: true
+      field :job_invocation, ::Types::JobInvocation, 'The new job invocation', null: true
+
+      def resolve(params)
+        begin
+          composer = JobInvocationComposer.from_api_params(params[:job_invocation].to_h)
+          job_invocation = composer.job_invocation
+          authorize!(job_invocation, :create)
+          errors = []
+          composer.trigger!
+        rescue ActiveRecord::RecordNotSaved
+          errors = map_all_errors(job_invocation)
+        rescue JobInvocationComposer::JobTemplateNotFound, JobInvocationComposer::FeatureNotFound => e
+          errors = [{ path => ['job_template'], :message => e.message }]
+        end
+
+        {
+          result_key => job_invocation,
+          :errors => errors,
+        }
+      end
+
+      def map_all_errors(job_invocation)
+        map_errors_to_path(job_invocation) + map_errors('triggering', job_invocation.triggering) + map_errors('targeting', job_invocation.targeting)
+      end
+
+      def map_errors(attr_name, resource)
+        resource.errors.map do |attribute, message|
+          {
+            path: [attr_name, attribute.to_s.camelize(:lower)],
+            message: message,
+          }
+        end
+      end
+    end
+  end
+end

data/app/graphql/types/job_invocation_input.rb

@@ -0,0 +1,13 @@
+module Types
+  class JobInvocationInput < BaseInputObject
+    argument :job_category, String, required: false
+    argument :job_template_id, Integer, required: false
+    argument :feature, String, required: false
+    argument :targeting_type, ::Types::TargetingEnum, required: false
+    argument :recurrence, ::Types::RecurrenceInput, required: false
+    argument :scheduling, ::Types::SchedulingInput, required: false
+    argument :search_query, String, required: false
+    argument :host_ids, [Integer], required: false
+    argument :inputs, ::Types::RawJson, required: false
+  end
+end

data/app/graphql/types/recurrence_input.rb

@@ -0,0 +1,8 @@
+module Types
+  class RecurrenceInput < BaseInputObject
+    argument :cron_line, String, required: false
+    argument :max_iteration, Integer, required: false
+    argument :end_time, String, required: false
+    argument :purpose, String, required: false
+  end
+end

data/app/graphql/types/scheduling_input.rb

@@ -0,0 +1,6 @@
+module Types
+  class SchedulingInput < BaseInputObject
+    argument :start_at, String, required: false
+    argument :start_before, String, required: false
+  end
+end

data/app/graphql/types/targeting_enum.rb

@@ -0,0 +1,7 @@
+module Types
+  class TargetingEnum < Types::BaseEnum
+    Targeting::TYPES.each_key do |key|
+      value key
+    end
+  end
+end

data/app/lib/actions/remote_execution/run_host_job.rb

@@ -42,6 +42,8 @@ module Actions
 
         provider_type = template_invocation.template.provider_type.to_s
         proxy = determine_proxy!(proxy_selector, provider_type, host)
+        link!(proxy)
+        input[:proxy_id] = proxy.id
 
         renderer = InputTemplateRenderer.new(template_invocation.template, host, template_invocation)
         script = renderer.render
@@ -56,7 +58,8 @@ module Actions
                                :secrets => secrets(host, job_invocation, provider),
                                :use_batch_triggering => true,
                                :use_concurrency_control => options[:use_concurrency_control],
-                               :first_execution => first_execution }
+                               :first_execution => first_execution,
+                               :alternative_names => provider.alternative_names(host) }
         action_options = provider.proxy_command_options(template_invocation, host)
                                  .merge(additional_options)
 
@@ -195,6 +198,10 @@ module Actions
       def verify_permissions(host, template_invocation)
         raise _('User can not execute job on host %s') % host.name unless User.current.can?(:view_hosts, host)
         raise _('User can not execute this job template') unless User.current.can?(:view_job_templates, template_invocation.template)
+        infra_facet = host.infrastructure_facet
+        if (infra_facet&.foreman_instance || infra_facet&.smart_proxy_id) && !User.current.can?(:execute_jobs_on_infrastructure_hosts)
+          raise _('User can not execute job on infrastructure host %s') % host.name
+        end
 
         # we don't want to load all template_invocations to verify so we construct Authorizer object manually and set
         # the base collection to current template

data/app/lib/actions/remote_execution/run_hosts_job.rb

@@ -9,7 +9,9 @@ module Actions
       middleware.use Actions::Middleware::BindJobInvocation
       middleware.use Actions::Middleware::RecurringLogic
       middleware.use Actions::Middleware::WatchDelegatedProxySubTasks
-      middleware.use Actions::Middleware::ProxyBatchTriggering
+
+      execution_plan_hooks.use :notify_on_success, :on => :success
+      execution_plan_hooks.use :notify_on_failure, :on => :failure
 
       class CheckOnProxyActions; end
 
@@ -32,6 +34,10 @@ module Actions
         set_up_concurrency_control job_invocation
         input.update(:job_category => job_invocation.job_category)
         plan_self(:job_invocation_id => job_invocation.id)
+        provider = job_invocation.pattern_template_invocations.first&.template&.provider
+        input[:proxy_batch_size] ||= provider&.proxy_batch_size || Setting['foreman_tasks_proxy_batch_size']
+        trigger_action = plan_action(Actions::TriggerProxyBatch, batch_size: proxy_batch_size, total_count: hosts.count)
+        input[:trigger_run_step_id] = trigger_action.run_step_id
       end
 
       def create_sub_plans
@@ -46,14 +52,47 @@ module Actions
         end
       end
 
+      def spawn_plans
+        super
+      ensure
+        trigger_remote_batch
+      end
+
+      def trigger_remote_batch
+        batches_ready = (output[:planned_count] - output[:remote_triggered_count]) / proxy_batch_size
+        return unless batches_ready > 0
+
+        plan_event(Actions::TriggerProxyBatch::TriggerNextBatch[batches_ready], nil, step_id: input[:trigger_run_step_id])
+        output[:remote_triggered_count] += proxy_batch_size * batches_ready
+      end
+
+      def on_planning_finished
+        plan_event(Actions::TriggerProxyBatch::TriggerLastBatch, nil, step_id: input[:trigger_run_step_id])
+        super
+      end
+
       def finalize
         job_invocation.password = job_invocation.key_passphrase = job_invocation.effective_user_password = nil
         job_invocation.save!
 
         Rails.logger.debug "cleaning cache for keys that begin with 'job_invocation_#{job_invocation.id}'"
         Rails.cache.delete_matched(/\A#{JobInvocation::CACHE_PREFIX}_#{job_invocation.id}/)
-        # creating the success notification should be the very last thing this tasks do
+      end
+
+      def notify_on_success(_plan)
         job_invocation.build_notification.deliver!
+
+        if [RexMailNotification::SUCCEEDED_JOBS, RexMailNotification::ALL_JOBS].include?(mail_notification_preference&.interval)
+          RexJobMailer.job_finished(job_invocation, subject: _("REX job has succeeded - %s") % job_invocation.to_s).deliver_now
+        end
+      end
+
+      def notify_on_failure(_plan)
+        job_invocation.build_notification.deliver!
+
+        if [RexMailNotification::FAILED_JOBS, RexMailNotification::ALL_JOBS].include?(mail_notification_preference&.interval)
+          RexJobMailer.job_finished(job_invocation, subject: _("REX job has failed - %s") % job_invocation.to_s).deliver_now
+        end
       end
 
       def job_invocation
@@ -67,6 +106,7 @@ module Actions
 
       def initiate
         output[:host_count] = total_count
+        output[:remote_triggered_count] = 0
         super
       end
 
@@ -94,7 +134,11 @@ module Actions
       end
 
       def run(event = nil)
-        super unless event == Dynflow::Action::Skip
+        if event == Dynflow::Action::Skip
+          plan_event(Dynflow::Action::Skip, nil, step_id: input[:trigger_run_step_id])
+        else
+          super
+        end
       end
 
       def humanized_input
@@ -104,6 +148,16 @@ module Actions
       def humanized_name
         '%s:' % _(super)
       end
+
+      def proxy_batch_size
+        input[:proxy_batch_size]
+      end
+
+      private
+
+      def mail_notification_preference
+        UserMailNotification.where(mail_notification_id: RexMailNotification.first, user_id: User.current.id).first
+      end
     end
   end
 end

data/app/lib/foreman_remote_execution/renderer/scope/input.rb

@@ -98,7 +98,7 @@ module ForemanRemoteExecution
         def input(name)
           return template_input_values[name.to_s] if template_input_values.key?(name.to_s)
 
-          input = find_by_name(template.template_inputs_with_foreign, name) # rubocop:disable Rails/DynamicFindBy
+          input = find_by_name(template.template_inputs_with_foreign, name)
           if input
             @preview ? input.preview(self) : input.value(self)
           else

data/app/mailers/rex_job_mailer.rb

@@ -0,0 +1,15 @@
+class RexJobMailer < ApplicationMailer
+  add_template_helper(ApplicationHelper)
+
+  def job_finished(job, opts = {})
+    @job = job
+    @subject = opts[:subject] || _('REX job has finished - %s') % @job.to_s
+
+    if @job.user.nil?
+      Rails.logger.warn 'Job user no longer exist, skipping email notification'
+      return
+    end
+
+    mail(to: @job.user.mail, subject: @subject)
+  end
+end

data/app/models/concerns/foreman_remote_execution/host_extensions.rb

@@ -20,6 +20,14 @@ module ForemanRemoteExecution
         scoped_search :relation => :execution_status_object, :on => :status, :rename => :execution_status,
           :complete_value => { :ok => HostStatus::ExecutionStatus::OK, :error => HostStatus::ExecutionStatus::ERROR }
 
+        scope :execution_scope, lambda {
+          if User.current&.can?('execute_jobs_on_infrastructure_hosts')
+            self
+          else
+            search_for('not (infrastructure_facet.foreman = true or set? infrastructure_facet.smart_proxy_id)')
+          end
+        }
+
         def search_by_job_invocation(key, operator, value)
           if key == 'job_invocation.result'
             operator = operator == '=' ? 'IN' : 'NOT IN'

data/app/models/job_invocation.rb

@@ -15,8 +15,10 @@ class JobInvocation < ApplicationRecord
 
   belongs_to :targeting, :dependent => :destroy
   has_many :all_template_invocations, :inverse_of => :job_invocation, :dependent => :destroy, :class_name => 'TemplateInvocation'
+  # rubocop:disable Rails/HasManyOrHasOneDependent
   has_many :template_invocations, -> { where('template_invocations.host_id IS NOT NULL') }, :inverse_of => :job_invocation
   has_many :pattern_template_invocations, -> { where('template_invocations.host_id IS NULL') }, :inverse_of => :job_invocation, :class_name => 'TemplateInvocation'
+  # rubocop:enable Rails/HasManyOrHasOneDependent
   has_many :pattern_templates, :through => :pattern_template_invocations, :source => :template
 
   validates :targeting, :presence => true
@@ -65,6 +67,8 @@ class JobInvocation < ApplicationRecord
   scoped_search :on => 'pattern_template_name', :rename => 'pattern_template_name', :operators => ['= '],
     :complete_value => false, :only_explicit => true, :ext_method => :search_by_pattern_template
 
+  scoped_search :relation => :recurring_logic, :on => 'purpose', :rename => 'recurring_logic.purpose'
+
   scoped_search :relation => :recurring_logic, :on => 'id', :rename => 'recurring_logic.id'
 
   scoped_search :relation => :recurring_logic, :on => 'id', :rename => 'recurring',
@@ -73,6 +77,8 @@ class JobInvocation < ApplicationRecord
 
   default_scope -> { order('job_invocations.id DESC') }
 
+  scope :latest_jobs, -> { unscoped.joins(:task).order('foreman_tasks_tasks.start_at DESC').authorized(:view_job_invocations).limit(5) }
+
   validates_lengths_from_database :only => [:description]
 
   attr_accessor :start_before, :description_format

data/app/models/job_invocation_composer.rb

@@ -121,7 +121,10 @@ class JobInvocationComposer
         :targeting => targeting_params,
         :triggering => triggering_params,
         :description_format => api_params[:description_format],
+        :password => api_params[:password],
         :remote_execution_feature_id => remote_execution_feature_id,
+        :effective_user_password => api_params[:effective_user_password],
+        :key_passphrase => api_params[:key_passphrase],
         :concurrency_control => concurrency_control_params,
         :execution_timeout_interval => api_params[:execution_timeout_interval] || template.execution_timeout_interval,
         :template_invocations => template_invocations_params }.with_indifferent_access
@@ -138,17 +141,11 @@ class JobInvocationComposer
     end
 
     def triggering_params
-      raise ::Foreman::Exception, _('Cannot specify both recurrence and scheduling') if api_params[:recurrence].present? && api_params[:scheduling].present?
-
-      if api_params[:recurrence].present?
-        {
-          :mode => :recurring,
-          :cronline => api_params[:recurrence][:cron_line],
-          :end_time => format_datetime(api_params[:recurrence][:end_time]),
-          :input_type => :cronline,
-          :max_iteration => api_params[:recurrence][:max_iteration],
-        }
-      elsif api_params[:scheduling].present?
+      if api_params[:recurrence].present? && api_params[:scheduling].present?
+        recurring_mode_params.merge :start_at_raw => format_datetime(api_params[:scheduling][:start_at])
+      elsif api_params[:recurrence].present? && api_params[:scheduling].empty?
+        recurring_mode_params
+      elsif api_params[:recurrence].empty? && api_params[:scheduling].present?
         {
           :mode => :future,
           :start_at_raw => format_datetime(api_params[:scheduling][:start_at]),
@@ -160,6 +157,17 @@ class JobInvocationComposer
       end
     end
 
+    def recurring_mode_params
+      {
+        :mode => :recurring,
+        :cronline => api_params[:recurrence][:cron_line],
+        :end_time => format_datetime(api_params[:recurrence][:end_time]),
+        :input_type => :cronline,
+        :max_iteration => api_params[:recurrence][:max_iteration],
+        :purpose => api_params[:recurrence][:purpose],
+      }
+    end
+
     def concurrency_control_params
       {
         :level => api_params.fetch(:concurrency_control, {})[:concurrency_level],
@@ -520,7 +528,7 @@ class JobInvocationComposer
     if displayed_search_query.blank?
       Host.where('1 = 0')
     else
-      Host.authorized(Targeting::RESOLVE_PERMISSION, Host).search_for(displayed_search_query)
+      Host.execution_scope.authorized(Targeting::RESOLVE_PERMISSION, Host).search_for(displayed_search_query)
     end
   end
 
@@ -636,7 +644,7 @@ class JobInvocationComposer
     setting_value = Setting['remote_execution_form_job_template']
     return default_value unless setting_value
 
-    form_template = JobTemplate.find_by :name => setting_value
+    form_template = JobTemplate.authorized(:view_job_templates).find_by :name => setting_value
     return default_value unless form_template
 
     if block_given?

data/app/models/job_template.rb

@@ -17,8 +17,10 @@ class JobTemplate < ::Template
 
   has_many :audits, :as => :auditable, :class_name => Audited.audit_class.name, :dependent => :nullify
   has_many :all_template_invocations, :dependent => :destroy, :foreign_key => 'template_id', :class_name => 'TemplateInvocation'
+  # rubocop:disable Rails/HasManyOrHasOneDependent
   has_many :template_invocations, -> { where('host_id IS NOT NULL') }, :foreign_key => 'template_id'
   has_many :pattern_template_invocations, -> { where('host_id IS NULL') }, :foreign_key => 'template_id', :class_name => 'TemplateInvocation'
+  # rubocop:enable Rails/HasManyOrHasOneDependent
   has_many :remote_execution_features, :dependent => :nullify
 
   # these can't be shared in parent class, scoped search can't handle STI properly
@@ -192,7 +194,7 @@ class JobTemplate < ::Template
   end
 
   def default_input_values(ignore_keys)
-    result = self.template_inputs_with_foreign.select { |ti| !ti.required? && ti.user_template_input? }.map { |ti| ti.name.to_s }
+    result = self.template_inputs_with_foreign.select { |ti| !ti.required? && ti.input_type == 'user' }.map { |ti| ti.name.to_s }
     result -= ignore_keys.map(&:to_s)
     Hash[result.map { |k| [ k, nil ] }]
   end

data/app/models/remote_execution_provider.rb

@@ -80,7 +80,14 @@ class RemoteExecutionProvider
 
     def find_ip(host, interfaces)
       if host_setting(host, :remote_execution_connect_by_ip)
-        interfaces.find { |i| i.ip.present? }.try(:ip)
+        ip4_address = interfaces.find { |i| i.ip.present? }.try(:ip)
+        ip6_address = interfaces.find { |i| i.ip6.present? }.try(:ip6)
+
+        if host_setting(host, :remote_execution_connect_by_ip_prefer_ipv6)
+          ip6_address || ip4_address
+        else
+          ip4_address || ip6_address
+        end
       end
     end
 
@@ -89,7 +96,8 @@ class RemoteExecutionProvider
     end
 
     def host_setting(host, setting)
-      host.host_param(setting.to_s) || Setting[setting]
+      param_value = host.host_param(setting.to_s)
+      param_value.nil? ? Setting[setting] : param_value
     end
 
     def ssh_password(_host)
@@ -114,6 +122,10 @@ class RemoteExecutionProvider
       'Proxy::RemoteExecution::Ssh::Actions::RunScript'
     end
 
+    def proxy_batch_size
+      Setting['foreman_tasks_proxy_batch_size']
+    end
+
     # Return a specific proxy selector to use for running a given template
     # Returns either nil to use the default selector or an instance of a (sub)class of ::ForemanTasks::ProxySelector
     def required_proxy_selector_for(template)
@@ -123,5 +135,9 @@ class RemoteExecutionProvider
         ::DefaultProxyProxySelector.new
       end
     end
+
+    def alternative_names(host)
+      { :fqdn => find_fqdn(effective_interfaces(host)) }
+    end
   end
 end

data/app/models/rex_mail_notification.rb

@@ -0,0 +1,13 @@
+class RexMailNotification < MailNotification
+  FAILED_JOBS = N_("Subscribe to my failed jobs")
+  SUCCEEDED_JOBS = N_("Subscribe to my succeeded jobs")
+  ALL_JOBS = N_("Subscribe to all my jobs")
+
+  def subscription_options
+    [
+      FAILED_JOBS,
+      SUCCEEDED_JOBS,
+      ALL_JOBS,
+    ]
+  end
+end

data/app/models/targeting.rb

@@ -44,7 +44,7 @@ class Targeting < ApplicationRecord
     self.validate!
     # avoid validation of hosts objects - they will be loaded for no reason.
     #   pluck(:id) returns duplicate results for HostCollections
-    host_ids = User.as(user.login) { Host.authorized(RESOLVE_PERMISSION, Host).search_for(search_query).order(:name, :id).pluck(:id).uniq }
+    host_ids = User.as(user.login) { Host.execution_scope.authorized(RESOLVE_PERMISSION, Host).search_for(search_query).order(:name, :id).pluck(:id).uniq }
     host_ids.shuffle!(random: Random.new) if randomized_ordering
     self.assign_host_ids(host_ids)
     self.save(:validate => false)
@@ -66,7 +66,7 @@ class Targeting < ApplicationRecord
   def self.build_query_from_hosts(ids)
     return '' if ids.empty?
 
-    hosts = Host.where(:id => ids).distinct.pluck(:name)
+    hosts = Host.execution_scope.where(:id => ids).distinct.pluck(:name)
     "name ^ (#{hosts.join(', ')})"
   end
 

data/app/services/ui_notifications/remote_execution_jobs/base_job_finish.rb

@@ -20,7 +20,8 @@ module UINotifications
       end
 
       def blueprint
-        @blueprint ||= NotificationBlueprint.unscoped.find_by(:name => 'rex_job_succeeded')
+        blueprint = @subject.status == HostStatus::ExecutionStatus::ERROR ? 'rex_job_failed' : 'rex_job_succeeded'
+        @blueprint ||= NotificationBlueprint.unscoped.find_by(:name => blueprint)
       end
 
       def message

data/app/views/dashboard/_latest-jobs.html.erb

@@ -0,0 +1,21 @@
+<h4 class="header">
+  <%= link_to _("Latest Jobs"), job_invocations_path(:order=>'start_at DESC') %>
+</h4>
+<% if JobInvocation.latest_jobs.any? %>
+  <table class="<%= table_css_classes('table-fixed') %>">
+    <tr>
+      <th class="col-md-5"><%= _("Name") %></th>
+      <th class="col-md-2"><%= _("State") %></th>
+      <th class="col-md-3"><%= _("Started") %></th>
+    </tr>
+    <% JobInvocation.latest_jobs.each do |invocation| %>
+      <tr>
+        <td class="ellipsis"><%= link_to_if_authorized invocation_description(invocation), hash_for_job_invocation_path(invocation).merge(:auth_object => invocation, :permission => :view_job_invocations, :authorizer => authorizer) %></td>
+        <td><%= link_to_invocation_task_if_authorized(invocation) %></td>
+        <td><%= time_in_words_span(invocation.start_at) %></td>
+      </tr>
+    <% end %>
+  </table>
+<% else %>
+  <p class="ca"><%= _("No jobs available") %></p>
+<% end %>

data/app/views/job_invocations/refresh.js.erb

@@ -1,3 +1,4 @@
 $('form#job_invocation_form').replaceWith("<%=j render :partial => 'form' %>");
 $('#job_invocation_form').find('a[rel="popover"]').popover();
 $('#job_invocation_form select:not(.without_select2)').select2({ allowClear: true });
+$('div.tooltip').remove();

data/app/views/job_templates/_custom_tabs.html.erb

@@ -1,14 +1,9 @@
 <div class="tab-pane" id="template_job">
 
-  <%= field(f, :job_category, :label => _('Job category')) do %>
-    <%= auto_complete_search(:job_category,
-                             f.object.job_category,
-                             :placeholder => _("Job category") + ' ...',
-                             :name => 'job_template[job_category]',
-                             :id => 'search',
-                             :disabled => @template.locked?) %>
-  <% end %>
-
+  <%= autocomplete_f(f, :job_category,
+        :search_query => '',
+        :placeholder => _("Job category") + ' ...',
+        :disabled => @template.locked?) %>
   <%= text_f f, :description_format,
              :disabled => @template.locked?,
              :label_help => description_format_help %>