foreman_remote_execution 4.8.0 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c7565defbf0881174acb2a48e274aacb3d790d2ee8b9de3119307c2afabd7355
-  data.tar.gz: acffdb2df04d0c1caeff65513e1a63e5cf66276897206affd606c5136b7afba8
+  metadata.gz: 66efbd042b1d607eeaa4e72b07452ac00a4e68d28bf09e1fc496f26cae25f1e4
+  data.tar.gz: 124621a113adab399e259ece92caad11fdf35da117da77dc512fc9e31e6ec66a
 SHA512:
-  metadata.gz: 7064c4e3984fd4ef3ef463fc10cb27e911d1f24ac0b74ccf5fb3b7682ba3d4c3418e130f5b6e0f1920ed83406dbf0787585ef1e1b83cfd0c0e412219c059309c
-  data.tar.gz: ab22827c2750d67893621267a43095c2b845937b6d72d5a665bf800ab97542a06cda1480187174943077c9365caac0076d67f765b6c43c4e01650dca1f7b9010
+  metadata.gz: 04ed33fb87e3b0830501f97b95ab62c129897e8510909b47163559854bb0b2b792ccab4035c5fc606a6a8d8e5ff8c084fcfd2109331dff8b4e7a6eac23c86825
+  data.tar.gz: bca23be551bd1d8169c28a5a4e2d71079ea42cae3a11d6d289f40c9c862a2e7307b6c6e569ba79be7e743f729ef58a3ef72b027ee8735e9c448e4672a105db4b

data/app/controllers/api/v2/job_invocations_controller.rb

@@ -168,6 +168,15 @@ module Api
         render :json => { :outputs => outputs }
       end
 
+      def resource_name(resource = controller_name)
+        case resource
+        when 'organization', 'location'
+          nil
+        else
+          'job_invocation'
+        end
+      end
+
       private
 
       def allowed_nested_id

data/app/controllers/ui_job_wizard_controller.rb

@@ -1,11 +1,12 @@
-class UiJobWizardController < ::Api::V2::BaseController
+class UiJobWizardController < ApplicationController
+  include FiltersHelper
   def categories
     job_categories = resource_scope
                      .search_for("job_category ~ \"#{params[:search]}\"")
                      .select(:job_category).distinct
                      .reorder(:job_category)
                      .pluck(:job_category)
-    render :json => {:job_categories =>job_categories}
+    render :json => {:job_categories =>job_categories, :with_katello => with_katello}
   end
 
   def template
@@ -19,12 +20,16 @@ class UiJobWizardController < ::Api::V2::BaseController
     }
   end
 
+  def map_template_inputs(template_inputs_with_foreign)
+    template_inputs_with_foreign.map { |input| input.attributes.merge({:resource_type_tableize => input.resource_type&.tableize }) }
+  end
+
   def resource_name(nested_resource = nil)
     nested_resource || 'job_template'
   end
 
-  def map_template_inputs(template_inputs_with_foreign)
-    template_inputs_with_foreign.map { |input| input.attributes.merge({:resource_type => input.resource_type&.tableize }) }
+  def with_katello
+    !!defined?(::Katello)
   end
 
   def resource_class
@@ -34,4 +39,11 @@ class UiJobWizardController < ::Api::V2::BaseController
   def action_permission
     :view_job_templates
   end
+
+  def resources
+    resource_type = params[:resource]
+    resource_list = resource_type.constantize.authorized("view_#{resource_type.underscore.pluralize}").all.map { |r| {:name => r.to_s, :id => r.id } }.select { |v| v[:name] =~ /#{params[:name]}/ }
+    render :json => { :results =>
+      resource_list.sort_by { |r| r[:name] }.take(100), :subtotal => resource_list.count}
+  end
 end

data/app/graphql/mutations/job_invocations/create.rb

@@ -0,0 +1,43 @@
+module Mutations
+  module JobInvocations
+    class Create < ::Mutations::CreateMutation
+      description 'Create a new job invocation'
+      graphql_name 'CreateJobInvocationMutation'
+
+      argument :job_invocation, ::Types::JobInvocationInput, required: true
+      field :job_invocation, ::Types::JobInvocation, 'The new job invocation', null: true
+
+      def resolve(params)
+        begin
+          composer = JobInvocationComposer.from_api_params(params[:job_invocation].to_h)
+          job_invocation = composer.job_invocation
+          authorize!(job_invocation, :create)
+          errors = []
+          composer.trigger!
+        rescue ActiveRecord::RecordNotSaved
+          errors = map_all_errors(job_invocation)
+        rescue JobInvocationComposer::JobTemplateNotFound, JobInvocationComposer::FeatureNotFound => e
+          errors = [{ path => ['job_template'], :message => e.message }]
+        end
+
+        {
+          result_key => job_invocation,
+          :errors => errors,
+        }
+      end
+
+      def map_all_errors(job_invocation)
+        map_errors_to_path(job_invocation) + map_errors('triggering', job_invocation.triggering) + map_errors('targeting', job_invocation.targeting)
+      end
+
+      def map_errors(attr_name, resource)
+        resource.errors.map do |attribute, message|
+          {
+            path: [attr_name, attribute.to_s.camelize(:lower)],
+            message: message,
+          }
+        end
+      end
+    end
+  end
+end

data/app/graphql/types/job_invocation_input.rb

@@ -0,0 +1,13 @@
+module Types
+  class JobInvocationInput < BaseInputObject
+    argument :job_category, String, required: false
+    argument :job_template_id, Integer, required: false
+    argument :feature, String, required: false
+    argument :targeting_type, ::Types::TargetingEnum, required: false
+    argument :recurrence, ::Types::RecurrenceInput, required: false
+    argument :scheduling, ::Types::SchedulingInput, required: false
+    argument :search_query, String, required: false
+    argument :host_ids, [Integer], required: false
+    argument :inputs, ::Types::RawJson, required: false
+  end
+end

data/app/graphql/types/recurrence_input.rb

@@ -0,0 +1,8 @@
+module Types
+  class RecurrenceInput < BaseInputObject
+    argument :cron_line, String, required: false
+    argument :max_iteration, Integer, required: false
+    argument :end_time, String, required: false
+    argument :purpose, String, required: false
+  end
+end

data/app/graphql/types/scheduling_input.rb

@@ -0,0 +1,6 @@
+module Types
+  class SchedulingInput < BaseInputObject
+    argument :start_at, String, required: false
+    argument :start_before, String, required: false
+  end
+end

data/app/graphql/types/targeting_enum.rb

@@ -0,0 +1,7 @@
+module Types
+  class TargetingEnum < Types::BaseEnum
+    Targeting::TYPES.each_key do |key|
+      value key
+    end
+  end
+end

data/app/lib/actions/remote_execution/run_host_job.rb

@@ -196,6 +196,10 @@ module Actions
       def verify_permissions(host, template_invocation)
         raise _('User can not execute job on host %s') % host.name unless User.current.can?(:view_hosts, host)
         raise _('User can not execute this job template') unless User.current.can?(:view_job_templates, template_invocation.template)
+        infra_facet = host.infrastructure_facet
+        if (infra_facet&.foreman_instance || infra_facet&.smart_proxy_id) && !User.current.can?(:execute_jobs_on_infrastructure_hosts)
+          raise _('User can not execute job on infrastructure host %s') % host.name
+        end
 
         # we don't want to load all template_invocations to verify so we construct Authorizer object manually and set
         # the base collection to current template

data/app/models/concerns/foreman_remote_execution/host_extensions.rb

@@ -20,6 +20,14 @@ module ForemanRemoteExecution
         scoped_search :relation => :execution_status_object, :on => :status, :rename => :execution_status,
           :complete_value => { :ok => HostStatus::ExecutionStatus::OK, :error => HostStatus::ExecutionStatus::ERROR }
 
+        scope :execution_scope, lambda {
+          if User.current&.can?('execute_jobs_on_infrastructure_hosts')
+            self
+          else
+            search_for('not (infrastructure_facet.foreman = true or set? infrastructure_facet.smart_proxy_id)')
+          end
+        }
+
         def search_by_job_invocation(key, operator, value)
           if key == 'job_invocation.result'
             operator = operator == '=' ? 'IN' : 'NOT IN'

data/app/models/job_invocation_composer.rb

@@ -528,7 +528,7 @@ class JobInvocationComposer
     if displayed_search_query.blank?
       Host.where('1 = 0')
     else
-      Host.authorized(Targeting::RESOLVE_PERMISSION, Host).search_for(displayed_search_query)
+      Host.execution_scope.authorized(Targeting::RESOLVE_PERMISSION, Host).search_for(displayed_search_query)
     end
   end
 

data/app/models/targeting.rb

@@ -44,7 +44,7 @@ class Targeting < ApplicationRecord
     self.validate!
     # avoid validation of hosts objects - they will be loaded for no reason.
     #   pluck(:id) returns duplicate results for HostCollections
-    host_ids = User.as(user.login) { Host.authorized(RESOLVE_PERMISSION, Host).search_for(search_query).order(:name, :id).pluck(:id).uniq }
+    host_ids = User.as(user.login) { Host.execution_scope.authorized(RESOLVE_PERMISSION, Host).search_for(search_query).order(:name, :id).pluck(:id).uniq }
     host_ids.shuffle!(random: Random.new) if randomized_ordering
     self.assign_host_ids(host_ids)
     self.save(:validate => false)
@@ -66,7 +66,7 @@ class Targeting < ApplicationRecord
   def self.build_query_from_hosts(ids)
     return '' if ids.empty?
 
-    hosts = Host.where(:id => ids).distinct.pluck(:name)
+    hosts = Host.execution_scope.where(:id => ids).distinct.pluck(:name)
     "name ^ (#{hosts.join(', ')})"
   end
 

data/app/views/job_invocations/refresh.js.erb

@@ -1,3 +1,4 @@
 $('form#job_invocation_form').replaceWith("<%=j render :partial => 'form' %>");
 $('#job_invocation_form').find('a[rel="popover"]').popover();
 $('#job_invocation_form select:not(.without_select2)').select2({ allowClear: true });
+$('div.tooltip').remove();

data/config/routes.rb

@@ -45,6 +45,7 @@ Rails.application.routes.draw do
   get 'cockpit/redirect', to: 'cockpit#redirect'
   get 'ui_job_wizard/categories', to: 'ui_job_wizard#categories'
   get 'ui_job_wizard/template/:id', to: 'ui_job_wizard#template'
+  get 'ui_job_wizard/resources', to: 'ui_job_wizard#resources'
 
   match '/experimental/job_wizard', to: 'react#index', :via => [:get]
 

data/db/migrate/20210816100932_rex_setting_category_to_dsl.rb

@@ -0,0 +1,5 @@
+class RexSettingCategoryToDsl < ActiveRecord::Migration[6.0]
+  def up
+    Setting.where(category: 'Setting::RemoteExecution').update_all(category: 'Setting')
+  end
+end

data/lib/foreman_remote_execution/engine.rb

@@ -19,10 +19,6 @@ module ForemanRemoteExecution
       end
     assets_to_precompile += %w(foreman_remote_execution/foreman_remote_execution.css)
 
-    initializer 'foreman_remote_execution.load_default_settings', :before => :load_config_initializers do
-      require_dependency File.expand_path('../../../app/models/setting/remote_execution.rb', __FILE__) if (Setting.table_exists? rescue(false))
-    end
-
     # Add any db migrations
     initializer 'foreman_remote_execution.load_app_instance_data' do |app|
       ForemanRemoteExecution::Engine.paths['db/migrate'].existent.each do |path|
@@ -51,7 +47,7 @@ module ForemanRemoteExecution
 
     initializer 'foreman_remote_execution.register_plugin', before: :finisher_hook do |_app|
       Foreman::Plugin.register :foreman_remote_execution do
-        requires_foreman '>= 2.2'
+        requires_foreman '>= 3.1'
         register_global_js_file 'global'
 
         apipie_documented_controllers ["#{ForemanRemoteExecution::Engine.root}/app/controllers/api/v2/*.rb"]
@@ -61,13 +57,114 @@ module ForemanRemoteExecution
         automatic_assets(false)
         precompile_assets(*assets_to_precompile)
 
+        # Add settings to a Remote Execution category
+        settings do
+          category :remote_execution, N_('Remote Execution') do
+            setting 'remote_execution_fallback_proxy',
+              type: :boolean,
+              description: N_('Search the host for any proxy with Remote Execution, useful when the host has no subnet or the subnet does not have an execution proxy'),
+              default: false,
+              full_name: N_('Fallback to Any Proxy')
+            setting 'remote_execution_global_proxy',
+              type: :boolean,
+              description: N_('Search for remote execution proxy outside of the proxies assigned to the host. The search will be limited to the host\'s organization and location.'),
+              default: true,
+              full_name: N_('Enable Global Proxy')
+            setting 'remote_execution_ssh_user',
+              type: :string,
+              description: N_('Default user to use for SSH.  You may override per host by setting a parameter called remote_execution_ssh_user.'),
+              default: 'root',
+              full_name: N_('SSH User')
+            setting 'remote_execution_effective_user',
+              type: :string,
+              description: N_('Default user to use for executing the script. If the user differs from the SSH user, su or sudo is used to switch the user.'),
+              default: 'root',
+              full_name: N_('Efffective User')
+            setting 'remote_execution_effective_user_method',
+              type: :string,
+              description: N_('What command should be used to switch to the effective user. One of %s') % SSHExecutionProvider::EFFECTIVE_USER_METHODS.inspect,
+              default: 'sudo',
+              full_name: N_('Effective User Method'),
+              collection: proc { Hash[SSHExecutionProvider::EFFECTIVE_USER_METHODS.map { |method| [method, method] }] }
+            setting 'remote_execution_effective_user_password',
+              type: :string,
+              description: N_('Effective user password'),
+              default: '',
+              full_name: N_('Effective user password'),
+              encrypted: true
+            setting 'remote_execution_sync_templates',
+              type: :boolean,
+              description: N_('Whether we should sync templates from disk when running db:seed.'),
+              default: true,
+              full_name: N_('Sync Job Templates')
+            setting 'remote_execution_ssh_port',
+              type: :integer,
+              description: N_('Port to use for SSH communication. Default port 22. You may override per host by setting a parameter called remote_execution_ssh_port.'),
+              default: 22,
+              full_name: N_('SSH Port')
+            setting 'remote_execution_connect_by_ip',
+              type: :boolean,
+              description: N_('Should the ip addresses on host interfaces be preferred over the fqdn? '\
+                              'It is useful when DNS not resolving the fqdns properly. You may override this per host by setting a parameter called remote_execution_connect_by_ip. '\
+                              'For dual-stacked hosts you should consider the remote_execution_connect_by_ip_prefer_ipv6 setting'),
+              default: false,
+              full_name: N_('Connect by IP')
+            setting 'remote_execution_connect_by_ip_prefer_ipv6',
+              type: :boolean,
+              description: N_('When connecting using ip address, should the IPv6 addresses be preferred? '\
+                              'If no IPv6 address is set, it falls back to IPv4 automatically. You may override this per host by setting a parameter called remote_execution_connect_by_ip_prefer_ipv6. '\
+                              'By default and for compatibility, IPv4 will be preferred over IPv6 by default'),
+              default: false,
+              full_name: N_('Prefer IPv6 over IPv4')
+            setting 'remote_execution_ssh_password',
+              type: :string,
+              description: N_('Default password to use for SSH. You may override per host by setting a parameter called remote_execution_ssh_password'),
+              default: nil,
+              full_name: N_('Default SSH password'),
+              encrypted: true
+            setting 'remote_execution_ssh_key_passphrase',
+              type: :string,
+              description: N_('Default key passphrase to use for SSH. You may override per host by setting a parameter called remote_execution_ssh_key_passphrase'),
+              default: nil,
+              full_name: N_('Default SSH key passphrase'),
+              encrypted: true
+            setting 'remote_execution_workers_pool_size',
+              type: :integer,
+              description: N_('Amount of workers in the pool to handle the execution of the remote execution jobs. Restart of the dynflowd/foreman-tasks service is required.'),
+              default: 5,
+              full_name: N_('Workers pool size')
+            setting 'remote_execution_cleanup_working_dirs',
+              type: :boolean,
+              description: N_('When enabled, working directories will be removed after task completion. You may override this per host by setting a parameter called remote_execution_cleanup_working_dirs.'),
+              default: true,
+              full_name: N_('Cleanup working directories')
+            setting 'remote_execution_cockpit_url',
+              type: :string,
+              description: N_('Where to find the Cockpit instance for the Web Console button.  By default, no button is shown.'),
+              default: nil,
+              full_name: N_('Cockpit URL')
+            setting 'remote_execution_form_job_template',
+              type: :string,
+              description: N_('Choose a job template that is pre-selected in job invocation form'),
+              default: 'Run Command - SSH Default',
+              full_name: N_('Form Job Template'),
+              collection: proc { Hash[JobTemplate.unscoped.map { |template| [template.name, template.name] }] }
+            setting 'remote_execution_job_invocation_report_template',
+              type: :string,
+              description: N_('Select a report template used for generating a report for a particular remote execution job'),
+              default: 'Jobs - Invocation report template',
+              full_name: N_('Job Invocation Report Template'),
+              collection: proc { ForemanRemoteExecution.job_invocation_report_templates_select }
+          end
+        end
+
         # Add permissions
         security_block :foreman_remote_execution do
           permission :view_job_templates, { :job_templates => [:index, :show, :revision, :auto_complete_search, :auto_complete_job_category, :preview, :export],
                                             :'api/v2/job_templates' => [:index, :show, :revision, :export],
                                             :'api/v2/template_inputs' => [:index, :show],
                                             :'api/v2/foreign_input_sets' => [:index, :show],
-                                            :ui_job_wizard => [:categories, :template]}, :resource_type => 'JobTemplate'
+                                            :ui_job_wizard => [:categories, :template, :resources]}, :resource_type => 'JobTemplate'
           permission :create_job_templates, { :job_templates => [:new, :create, :clone_template, :import],
                                               :'api/v2/job_templates' => [:create, :clone, :import] }, :resource_type => 'JobTemplate'
           permission :edit_job_templates, { :job_templates => [:edit, :update],
@@ -86,6 +183,7 @@ module ForemanRemoteExecution
           permission :view_template_invocations, { :template_invocations => [:show],
                                                    'api/v2/template_invocations' => [:template_invocations] }, :resource_type => 'TemplateInvocation'
           permission :create_template_invocations, {}, :resource_type => 'TemplateInvocation'
+          permission :execute_jobs_on_infrastructure_hosts, {}, :resource_type => 'JobInvocation'
           permission :cancel_job_invocations, { :job_invocations => [:cancel], 'api/v2/job_invocations' => [:cancel] }, :resource_type => 'JobInvocation'
           # this permissions grants user to get auto completion hints when setting up filters
           permission :filter_autocompletion_for_template_invocation, { :template_invocations => [ :auto_complete_search, :index ] },
@@ -156,6 +254,8 @@ module ForemanRemoteExecution
         register_graphql_query_field :job_invocations, '::Types::JobInvocation', :collection_field
         register_graphql_query_field :job_invocation, '::Types::JobInvocation', :record_field
 
+        register_graphql_mutation_field :create_job_invocation, ::Mutations::JobInvocations::Create
+
         extend_template_helpers ForemanRemoteExecution::RendererMethods
 
         extend_rabl_template 'api/v2/smart_proxies/main', 'api/v2/smart_proxies/pubkey'
@@ -241,6 +341,10 @@ module ForemanRemoteExecution
     end
   end
 
+  def self.job_invocation_report_templates_select
+    Hash[ReportTemplate.unscoped.joins(:template_inputs).where(template_inputs: TemplateInput.where(name: 'job_id')).map { |template| [template.name, template.name] }]
+  end
+
   def self.register_rex_feature
     RemoteExecutionFeature.register(
       :puppet_run_host,

data/lib/foreman_remote_execution/version.rb

@@ -1,3 +1,3 @@
 module ForemanRemoteExecution
-  VERSION = '4.8.0'.freeze
+  VERSION = '5.0.0'.freeze
 end

data/package.json

@@ -21,11 +21,11 @@
   },
   "devDependencies": {
     "@babel/core": "^7.7.0",
-    "@theforeman/builder": "^8.10.0",
-    "@theforeman/eslint-plugin-foreman": "^8.10.0",
-    "@theforeman/stories": "^8.10.0",
-    "@theforeman/test": "^8.10.0",
-    "@theforeman/vendor-dev": "^8.10.0",
+    "@theforeman/builder": "^8.16.0",
+    "@theforeman/eslint-plugin-foreman": "^8.16.0",
+    "@theforeman/stories": "^8.16.0",
+    "@theforeman/test": "^8.16.0",
+    "@theforeman/vendor-dev": "^8.16.0",
     "babel-eslint": "^10.0.0",
     "eslint": "^6.8.0",
     "prettier": "^1.19.1",
@@ -33,6 +33,6 @@
     "redux-mock-store": "^1.2.2"
   },
   "peerDependencies": {
-    "@theforeman/vendor": "^8.10.0"
+    "@theforeman/vendor": "^8.16.0"
   }
 }

data/test/functional/api/v2/job_invocations_controller_test.rb

@@ -191,6 +191,11 @@ module Api
                                  host_id: FactoryBot.create(:host).id }
           assert_response :missing
         end
+
+        test 'should not break when taxonomy parameters are provided' do
+          get :output, params: { :job_invocation_id => @invocation.id, :host_id => host.id, :organization_id => host.organization_id, :location_id => host.location_id }
+          assert_response :success
+        end
       end
 
       describe '#outputs' do
@@ -243,6 +248,11 @@ module Api
           assert_response :success
         end
 
+        test 'should not break when taxonomy parameters are provided' do
+          get :raw_output, params: { :job_invocation_id => @invocation.id, :host_id => host.id, :organization_id => host.organization_id, :location_id => host.location_id }
+          assert_response :success
+        end
+
         test 'should provide raw output for delayed task' do
           start_time = Time.now
           JobInvocation.any_instance

data/test/functional/cockpit_controller_test.rb

@@ -2,7 +2,6 @@ require 'test_plugin_helper'
 
 class CockpitControllerTest < ActionController::TestCase
   def setup
-    Setting::RemoteExecution.load_defaults
     as_admin do
       @host = FactoryBot.create(:host)
     end

data/test/graphql/mutations/job_invocations/create.rb

@@ -0,0 +1,58 @@
+require 'test_plugin_helper'
+
+module Mutations
+  module JobInvocations
+    class CreateMutationTest < ActiveSupport::TestCase
+      let(:host) { FactoryBot.create(:host) }
+      let(:job_template) { FactoryBot.create(:job_template, :with_input) }
+      let(:cron_line) { '5 * * * *' }
+      let(:purpose) { 'test' }
+      let(:variables) do
+        {
+          jobInvocation: {
+            hostIds: [host.id],
+            jobTemplateId: job_template.id,
+            targetingType: 'static_query',
+            inputs: { job_template.template_inputs.first.name => "bar" },
+            recurrence: {
+              cronLine: cron_line,
+              purpose:  purpose,
+            },
+          },
+        }
+      end
+
+      let(:query) do
+        <<-GRAPHQL
+          mutation CreateJobInvocation($jobInvocation: JobInvocationInput!) {
+              createJobInvocation(input: { jobInvocation: $jobInvocation }) {
+                jobInvocation {
+                  id
+                  description
+                  recurringLogic {
+                    cronLine
+                    purpose
+                  }
+                }
+              }
+            }
+        GRAPHQL
+      end
+
+      context 'with admin user' do
+        let(:user) { FactoryBot.create(:user, :admin) }
+        let(:context) { { current_user: user } }
+
+        test 'create a job invocation' do
+          assert_difference('JobInvocation.count', +1) do
+            result = ForemanGraphqlSchema.execute(query, variables: variables, context: context)
+            assert_empty result['errors']
+            assert_empty result['data']['createJobInvocation']['jobInvocation']['errors']
+            assert_equal cron_line, result['data']['createJobInvocation']['jobInvocation']['recurringLogic']['cronLine']
+            assert_equal purpose, result['data']['createJobInvocation']['jobInvocation']['recurringLogic']['purpose']
+          end
+        end
+      end
+    end
+  end
+end

data/test/helpers/remote_execution_helper_test.rb

@@ -26,7 +26,6 @@ class RemoteExecutionHelperTest < ActionView::TestCase
 
   describe 'test correct setting' do
     it 'should found correct template from setting' do
-      Setting::RemoteExecution.load_defaults
       template_name = 'Job Invocation Report Template'
       setting_key = 'remote_execution_job_invocation_report_template'
       template = FactoryBot.create(:report_template, name: template_name)

data/test/unit/actions/run_host_job_test.rb

@@ -36,6 +36,27 @@ module ForemanRemoteExecution
       end
     end
 
+    describe '#verify_permission' do
+      let(:job_invocation) { FactoryBot.create(:job_invocation, :with_task) }
+      let(:template_invocation) { job_invocation.template_invocations.first }
+
+      before { job_invocation }
+
+      it 'raises an exception when run against an infrastructure host' do
+        template_invocation.host = FactoryBot.create(:host, :with_infrastructure_facet)
+
+        setup_user('view', 'hosts')
+        setup_user('view', 'job_templates')
+        setup_user('create', 'template_invocations')
+
+        action = Actions::RemoteExecution::RunHostJob.allocate
+        exception = assert_raises do
+          action.send(:verify_permissions, template_invocation.host, template_invocation)
+        end
+        _(exception.message).must_include "infrastructure host #{template_invocation.host.name}"
+      end
+    end
+
     describe '#finalize' do
       let(:host) { FactoryBot.create(:host, :with_execution) }
 

data/test/unit/concerns/host_extensions_test.rb

@@ -1,9 +1,6 @@
 require 'test_plugin_helper'
 
 class ForemanRemoteExecutionHostExtensionsTest < ActiveSupport::TestCase
-  before do
-    Setting::RemoteExecution.load_defaults
-  end
   let(:provider) { 'SSH' }
 
   before { User.current = FactoryBot.build(:user, :admin) }
@@ -182,4 +179,40 @@ class ForemanRemoteExecutionHostExtensionsTest < ActiveSupport::TestCase
       end
     end
   end
+
+  describe '#execution_scope' do
+    let(:host) { FactoryBot.create(:host) }
+    let(:infra_host) { FactoryBot.create(:host, :with_infrastructure_facet) }
+
+    before do
+      host
+      infra_host
+    end
+
+    context 'without infrastructure host permission' do
+      it 'omits the infrastructure host' do
+        setup_user('view', 'hosts')
+
+        hosts = ::Host::Managed.execution_scope
+        hosts.must_include host
+        hosts.wont_include infra_host
+      end
+    end
+
+    context 'with infrastructure host permission' do
+      it 'finds the host as admin' do
+        assert User.current.admin?
+        hosts = ::Host::Managed.execution_scope
+        hosts.must_include host
+        hosts.must_include infra_host
+      end
+
+      it 'finds the host as user with needed permissions' do
+        setup_user('execute_jobs_on', 'infrastructure_hosts')
+        hosts = ::Host::Managed.execution_scope
+        hosts.must_include host
+        hosts.must_include infra_host
+      end
+    end
+  end
 end

data/test/unit/job_invocation_composer_test.rb

@@ -270,10 +270,6 @@ class JobInvocationComposerTest < ActiveSupport::TestCase
           composer.pattern_template_invocations.first
         end
 
-        before do
-          Setting::RemoteExecution.load_defaults
-        end
-
         context 'when overridable and provided' do
           let(:overridable) { true }
           let(:invocation_effective_user) { 'invocation user' }
@@ -370,8 +366,10 @@ class JobInvocationComposerTest < ActiveSupport::TestCase
         let(:host) { FactoryBot.create(:host) }
 
         it 'obeys authorization' do
+          fake_scope = mock
           composer.stubs(:displayed_search_query => "name = #{host.name}")
-          Host.expects(:authorized).with(:view_hosts, Host).returns(Host.where({}))
+          Host.expects(:execution_scope).returns(fake_scope)
+          fake_scope.expects(:authorized).with(:view_hosts, Host).returns(Host.where({}))
           composer.targeted_hosts_count
         end
 

data/test/unit/job_invocation_report_template_test.rb

@@ -19,7 +19,7 @@ class JobReportTemplateTest < ActiveSupport::TestCase
       it 'in settings includes only report templates with job_id input' do
         FactoryBot.create(:report_template, name: 'Template 1')
         job_invocation_template
-        templates = Setting::RemoteExecution.job_invocation_report_templates_select
+        templates = ForemanRemoteExecution.job_invocation_report_templates_select
 
         assert_include templates, 'Job Invocation Report Template'
       end