foreman_remote_execution 3.3.7 → 4.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7c5854e373426c0a630f0a643f88522425c6482fb88fee1888fc6f61114217c3
-  data.tar.gz: f333b2504dc7db6e1119d418c89fcd2cd35d5dcbd72e97d393b57a16c9d305a6
+  metadata.gz: 93860edb8974a0691383b3a199a1a2d079d10401d7780b99aa6275b75125eb58
+  data.tar.gz: d333f8eb85a42b36694dee932447d4364b57ed2c095ad5a055d1e7adf69a9866
 SHA512:
-  metadata.gz: 3df47233fbc5b7bb2628a2bb49906c284e8e7c821bb8a026659e0473f9bc8760d5ed3c19f27183f5fd32ab39d5b06cdb0e9345a1e9e4a4629a269adb3121370a
-  data.tar.gz: 33d40d8f6449814f23648dbe20c6a376a152135b4a4c5de583a73e1db03ab69ecb39b1a2ce3a1cabad717be898a683f3d58fe5e1aaf50438011f6ce4cfbbe2b4
+  metadata.gz: 70c300e719d6587639719a4d95aa23da2d3f3a16d51692392c789b70cd381b31320789db0f45b57c129e4b90d36bd1a8ddadd29db4f38f2d9e40a39219b1d130
+  data.tar.gz: 1feab0c5cfd3fee6054a004eba812b7257df80a2dce50aa200d15dd20797f24f8a614d802668ac6daf043c189b7caa8e8d5f0d4a997726764c80c91173d9437b

data/.github/workflows/ci.yml

@@ -30,7 +30,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        foreman-core-branch: [2.1-stable, develop]
+        foreman-core-branch: [develop]
         ruby-version: [2.5, 2.6]
         node-version: [12]
     steps:

data/app/controllers/job_invocations_controller.rb

@@ -52,16 +52,18 @@ class JobInvocationsController < ApplicationController
 
   def show
     @job_invocation = resource_base.includes(:template_invocations => :run_host_job_task).find(params[:id])
-    @auto_refresh = @job_invocation.task.try(:pending?)
-    @resource_base = @job_invocation.targeting.hosts.authorized(:view_hosts, Host)
-    # There's no need to do the joining if we're not filtering
-    unless params[:search].nil?
-      @resource_base = @resource_base.joins(:template_invocations)
-                                     .where(:template_invocations => { :job_invocation_id => @job_invocation.id})
-    end
-    @hosts = resource_base_search_and_page
     @job_organization = Taxonomy.find_by(id: @job_invocation.task.input[:current_organization_id])
     @job_location = Taxonomy.find_by(id: @job_invocation.task.input[:current_location_id])
+    @auto_refresh = @job_invocation.task.try(:pending?)
+
+    respond_to do |format|
+      format.json do
+        targeting_hosts_resources
+      end
+
+      format.html
+      format.js
+    end
   end
 
   def index
@@ -153,4 +155,16 @@ class JobInvocationsController < ApplicationController
       JobInvocationComposer.from_ui_params(with_triggering)
     end
   end
+
+  def targeting_hosts_resources
+    @auto_refresh = @job_invocation.task.try(:pending?)
+    @resource_base = @job_invocation.targeting.hosts.authorized(:view_hosts, Host)
+
+    unless params[:search].nil?
+      @resource_base = @resource_base.joins(:template_invocations)
+                                     .where(:template_invocations => { :job_invocation_id => @job_invocation.id})
+    end
+    @hosts = resource_base_search_and_page
+    @total_hosts = resource_base_with_search.size
+  end
 end

data/app/lib/actions/remote_execution/run_host_job.rb

@@ -60,7 +60,7 @@ module Actions
       def secrets(host, job_invocation, provider)
         job_secrets = { :ssh_password => job_invocation.password,
                         :key_passphrase => job_invocation.key_passphrase,
-                        :sudo_password => job_invocation.sudo_password }
+                        :effective_user_password => job_invocation.effective_user_password }
 
         job_secrets.merge(provider.secrets(host)) { |_key, job_secret, provider_secret| job_secret || provider_secret }
       end

data/app/lib/actions/remote_execution/run_hosts_job.rb

@@ -47,7 +47,7 @@ module Actions
       end
 
       def finalize
-        job_invocation.password = job_invocation.key_passphrase = job_invocation.sudo_password = nil
+        job_invocation.password = job_invocation.key_passphrase = job_invocation.effective_user_password = nil
         job_invocation.save!
 
         Rails.logger.debug "cleaning cache for keys that begin with 'job_invocation_#{job_invocation.id}'"

data/app/lib/foreman_remote_execution/renderer/scope/input.rb

@@ -3,14 +3,33 @@ module ForemanRemoteExecution
     module Scope
       class Input < ::Foreman::Renderer::Scope::Template
         include Foreman::Renderer::Scope::Macros::HostTemplate
+        extend ApipieDSL::Class
 
         attr_reader :template, :host, :invocation, :input_template_instance, :current_user
         delegate :input, to: :input_template_instance
 
+        apipie :class, 'Macros related to template rendering' do
+          name 'Template Input Render'
+          sections only: %w[all jobs]
+        end
+
+        apipie :method, 'Always raises an error with a description provided as an argument' do
+          desc 'This method is useful for aborting script execution if some of the conditions are not met'
+          required :message, String, desc: 'Description for the error'
+          raises error: ::InputTemplateRenderer::RenderError, desc: 'The error is always being raised'
+          returns nil, desc: "Doesn't return anything"
+          example "<%
+  @host.operatingsystem #=> nil
+  render_error(N_('Unsupported or no operating system found for this host.')) unless @host.operatingsystem #=> InputTemplateRenderer::RenderError is raised and the execution of the script is aborted
+%>"
+        end
         def render_error(message)
           raise ::InputTemplateRenderer::RenderError.new(message)
         end
 
+        apipie :method, 'Check whether the template in preview mode or not' do
+          returns one_of: [true, false], desc: 'Returns true if the template in preview mode, false otherwise'
+        end
         def preview?
           !!@preview
         end
@@ -23,6 +42,16 @@ module ForemanRemoteExecution
           Rails.cache.fetch(cache_key, &block)
         end
 
+        # rubocop:disable Lint/InterpolationCheck
+        apipie :method, 'Render template by given name' do
+          required :template_name, String, desc: 'name of the template to render'
+          optional :input_values, Hash, desc: 'key:value list of input values for the template'
+          optional :options, Hash, desc: 'Additional options such as :with_foreign_input_set. Set to true if a foreign input set should be considered when rendering the template'
+          raises error: StandardError, desc: 'raises an error if there is no template or template input with such name'
+          returns String, desc: 'Rendered template'
+          example '<%= render_template("Run Command - Ansible Default", command: "yum -y group install #{input("package")}") %>'
+        end
+        # rubocop:enable Lint/InterpolationCheck
         def render_template(template_name, input_values = {}, options = {})
           options.assert_valid_keys(:with_foreign_input_set)
           with_foreign_input_set = options.fetch(:with_foreign_input_set, true)
@@ -59,6 +88,12 @@ module ForemanRemoteExecution
           input_values.merge(overrides).with_indifferent_access
         end
 
+        apipie :method, 'Returns the value of template input' do
+          required :name, String, desc: 'name of the template input'
+          raises error: UndefinedInput, desc: 'when there is no input with such name defined for the current template'
+          returns Object, desc: 'The value of template input'
+          example 'input("Include Facts") #=> "yes"'
+        end
         def input(name)
           return template_input_values[name.to_s] if template_input_values.key?(name.to_s)
 

data/app/models/job_invocation.rb

@@ -41,7 +41,10 @@ class JobInvocation < ApplicationRecord
   has_many :template_invocation_tasks, :through => :template_invocations,
                                        :class_name => 'ForemanTasks::Task',
                                        :source => 'run_host_job_task'
-
+  has_one :user, through: :task
+  scoped_search relation: :user, on: :login, rename: 'user', complete_value: true,
+                value_translation: ->(value) { value == 'current_user' ? User.current.login : value },
+                special_values: [:current_user], aliases: ['owner'], :only_explicit => true
   scoped_search :relation => :task, :on => :started_at, :rename => 'started_at', :complete_value => true
   scoped_search :relation => :task, :on => :start_at, :rename => 'start_at', :complete_value => true
   scoped_search :relation => :task, :on => :ended_at, :rename => 'ended_at', :complete_value => true
@@ -70,7 +73,7 @@ class JobInvocation < ApplicationRecord
 
   delegate :start_at, :to => :task, :allow_nil => true
 
-  encrypts :password, :key_passphrase, :sudo_password
+  encrypts :password, :key_passphrase, :effective_user_password
 
   def self.search_by_status(key, operator, value)
     conditions = HostStatus::ExecutionStatus::ExecutionTaskStatusMapper.sql_conditions_for(value)
@@ -139,7 +142,7 @@ class JobInvocation < ApplicationRecord
       invocation.pattern_template_invocations = self.pattern_template_invocations.map(&:deep_clone)
       invocation.password = self.password
       invocation.key_passphrase = self.key_passphrase
-      invocation.sudo_password = self.sudo_password
+      invocation.effective_user_password = self.effective_user_password
     end
   end
 

data/app/models/job_invocation_composer.rb

@@ -15,7 +15,7 @@ class JobInvocationComposer
         :description_format => job_invocation_base[:description_format],
         :password => blank_to_nil(job_invocation_base[:password]),
         :key_passphrase => blank_to_nil(job_invocation_base[:key_passphrase]),
-        :sudo_password => blank_to_nil(job_invocation_base[:sudo_password]),
+        :effective_user_password => blank_to_nil(job_invocation_base[:effective_user_password]),
         :concurrency_control => concurrency_control_params,
         :execution_timeout_interval => execution_timeout_interval,
         :template_invocations => template_invocations_params }.with_indifferent_access
@@ -348,7 +348,7 @@ class JobInvocationComposer
     job_invocation.execution_timeout_interval = params[:execution_timeout_interval]
     job_invocation.password = params[:password]
     job_invocation.key_passphrase = params[:key_passphrase]
-    job_invocation.sudo_password = params[:sudo_password]
+    job_invocation.effective_user_password = params[:effective_user_password]
 
     if @reruns && job_invocation.targeting.static?
       job_invocation.targeting.host_ids = JobInvocation.find(@reruns).targeting.host_ids

data/app/models/remote_execution_provider.rb

@@ -57,8 +57,8 @@ class RemoteExecutionProvider
       [true, 'true', 'True', 'TRUE', '1'].include?(setting)
     end
 
-    def sudo_password(host)
-      host_setting(host, :remote_execution_sudo_password)
+    def effective_user_password(host)
+      host_setting(host, :remote_execution_effective_user_password)
     end
 
     def effective_interfaces(host)

data/app/models/setting/remote_execution.rb

@@ -1,6 +1,6 @@
 class Setting::RemoteExecution < Setting
 
-  ::Setting::BLANK_ATTRS.concat %w{remote_execution_ssh_password remote_execution_ssh_key_passphrase remote_execution_sudo_password remote_execution_cockpit_url remote_execution_form_job_template}
+  ::Setting::BLANK_ATTRS.concat %w{remote_execution_ssh_password remote_execution_ssh_key_passphrase remote_execution_sudo_password remote_execution_effective_user_password remote_execution_cockpit_url remote_execution_form_job_template}
 
   def self.default_settings
     [
@@ -27,7 +27,7 @@ class Setting::RemoteExecution < Setting
         N_('Effective User Method'),
         nil,
         { :collection => proc { Hash[SSHExecutionProvider::EFFECTIVE_USER_METHODS.map { |method| [method, method] }] } }),
-      self.set('remote_execution_sudo_password', N_("Sudo password"), '', N_("Sudo password"), nil, {:encrypted => true}),
+      self.set('remote_execution_effective_user_password', N_("Effective user password"), '', N_("Effective user password"), nil, {:encrypted => true}),
       self.set('remote_execution_sync_templates',
         N_('Whether we should sync templates from disk when running db:seed.'),
         true,

data/app/models/ssh_execution_provider.rb

@@ -32,7 +32,7 @@ class SSHExecutionProvider < RemoteExecutionProvider
       {
         :ssh_password => ssh_password(host),
         :key_passphrase => ssh_key_passphrase(host),
-        :sudo_password => sudo_password(host),
+        :effective_user_password => effective_user_password(host),
       }
     end
 

data/app/views/job_invocations/_form.html.erb

@@ -95,7 +95,7 @@
     <div class="advanced hidden">
       <%= password_f f, :password, :placeholder => '*****', :label => _('Password'), :label_help => N_('Password is stored encrypted in DB until the job finishes. For future or recurring executions, it is removed after the last execution.') %>
       <%= password_f f, :key_passphrase, :placeholder => '*****', :label => _('Private key passphrase'), :label_help => N_('Key passhprase is only applicable for SSH provider. Other providers ignore this field. <br> Passphrase is stored encrypted in DB until the job finishes. For future or recurring executions, it is removed after the last execution.') %>
-      <%= password_f f, :sudo_password, :placeholder => '*****', :label => _('Sudo password'), :label_help => N_('Sudo password is only applicable for SSH provider. Other providers ignore this field. <br> Password is stored encrypted in DB until the job finishes. For future or recurring executions, it is removed after the last execution.') %>
+      <%= password_f f, :effective_user_password, :placeholder => '*****', :label => _('Effective user password'), :label_help => N_('Effective user password is only applicable for SSH provider. Other providers ignore this field. <br> Password is stored encrypted in DB until the job finishes. For future or recurring executions, it is removed after the last execution.') %>
     </div>
 
     <div class="advanced hidden">

data/app/views/job_invocations/_tab_hosts.html.erb

@@ -1,24 +1,5 @@
 <% if job_invocation.resolved? %>
-  <%= form_with url: job_invocation_path(job_invocation), method: "get", id: "search-form" do |f| %>
-    <div class="row">
-      <div class="title_filter col-md-6">
-        <div class="input-group">
-            <%= autocomplete_f(f, :search, value: params[:search].try(:squeeze, " "), placeholder: _("Filter") + ' ...', path: hosts_path, only_input: true) %>
-            <span class="input-group-btn">
-              <button class="btn btn-default" type="submit">
-                <%= icon_text('search', content_tag(:span, _('Search'), :class => 'hidden-xs', :kind => 'fa')) %>
-              </button>
-            </span>
-        </div>
-      </div>
-    </div>
-  <% end %>
-  <br>
-
-  <div id="targeting_hosts">
-    <%= mount_react_component('TargetingHosts', '#targeting_hosts') %>
-  </div>
-  <%= will_paginate_with_info @hosts, :container => true %>
+  <%= react_component('TargetingHosts' ) %>
 <% else %>
   <div class="alert alert-warning">
     <%=

data/app/views/job_invocations/show.html.erb

@@ -2,6 +2,9 @@
 <% stylesheet 'foreman_remote_execution/foreman_remote_execution' %>
 <% javascript 'charts', 'foreman_remote_execution/template_invocation' %>
 <% javascript *webpack_asset_paths('foreman_remote_execution', :extension => 'js') %>
+<% content_for(:stylesheets) do %>
+  <%= webpacked_plugins_css_for :foreman_remote_execution %>
+<% end %>
 
 <%= breadcrumbs name_field: 'description' %>
 

data/app/views/job_invocations/show.json.erb

@@ -1,4 +1,5 @@
 {
   "autoRefresh": "<%= @auto_refresh %>",
-  "hosts": <%= targeting_hosts(@job_invocation, @hosts).to_json.html_safe %>
+  "hosts": <%= targeting_hosts(@job_invocation, @hosts).to_json.html_safe %>,
+  "total_hosts": <%= @total_hosts %>
 }

data/db/migrate/20200623073022_rename_sudo_password_to_effective_user_password.rb

@@ -0,0 +1,34 @@
+class RenameSudoPasswordToEffectiveUserPassword < ActiveRecord::Migration[6.0]
+  def up
+    rename_column :job_invocations, :sudo_password, :effective_user_password
+
+    Parameter.where(name: 'remote_execution_sudo_password').each do |parameter|
+      record = Parameter.find_by(type: parameter.type, reference_id: parameter.reference_id, name: "remote_execution_effective_user_password")
+      if record.nil?
+        parameter.update(name: "remote_execution_effective_user_password")
+      end
+    end
+
+    return unless (password = Setting.find_by(:name => 'remote_execution_sudo_password').try(:value))
+
+    Setting.find_by(:name => 'remote_execution_effective_user_password').update(value: password)
+
+    Setting.find_by(:name => 'remote_execution_sudo_password').delete
+  end
+
+  def down
+    rename_column :job_invocations, :effective_user_password, :sudo_password
+
+    Parameter.where(name: 'remote_execution_effective_user_password').each do |parameter|
+      record = Parameter.find_by(type: parameter.type, reference_id: parameter.reference_id, name: "remote_execution_sudo_password")
+      if record.nil?
+        parameter.update(name: "remote_execution_sudo_password")
+      end
+    end
+
+    return unless (password = Setting.find_by(:name => 'remote_execution_effective_user_password').try(:value))
+
+    Setting.create!(name: 'remote_execution_sudo_password', value: password, description: 'Sudo password', category: 'Setting::RemoteExecution', settings_type: 'string', full_name: 'Sudo password',encrypted: true, default: nil)
+    Setting.find_by(:name => 'remote_execution_effective_user_password').delete
+  end
+end

data/db/seeds.d/20-permissions.rb

@@ -0,0 +1,9 @@
+view_permission = Permission.find_by(name: "view_job_invocations", resource_type: 'JobInvocation')
+default_role = Role.default
+
+# the view_permissions can be nil in tests: skipping in that case
+if view_permission && !default_role.permissions.include?(view_permission)
+  default_role.filters.create(:search => 'user = current_user') do |filter|
+    filter.filterings.build { |f| f.permission = view_permission }
+  end
+end

data/lib/foreman_remote_execution/engine.rb

@@ -32,15 +32,6 @@ module ForemanRemoteExecution
       end
     end
 
-    # A workaround for https://projects.theforeman.org/issues/30685
-    initializer 'foreman_remote_execution.rails_loading_workaround' do
-      # Without this, in production environment the module gets prepended too
-      # late and the extensions do not get applied
-      # TODO: Remove this and from config.to_prepare once there is an extension
-      # point in Foreman
-      ProvisioningTemplatesHelper.prepend ForemanRemoteExecution::JobTemplatesExtensions
-    end
-
     initializer 'foreman_remote_execution.apipie' do
       Apipie.configuration.checksum_path += ['/api/']
     end
@@ -53,9 +44,12 @@ module ForemanRemoteExecution
 
     initializer 'foreman_remote_execution.register_plugin', before: :finisher_hook do |_app|
       Foreman::Plugin.register :foreman_remote_execution do
-        requires_foreman '>= 1.25'
+        requires_foreman '>= 2.2'
 
         apipie_documented_controllers ["#{ForemanRemoteExecution::Engine.root}/app/controllers/api/v2/*.rb"]
+        ApipieDSL.configuration.dsl_classes_matchers += [
+          "#{ForemanRemoteExecution::Engine.root}/app/lib/foreman_remote_execution/renderer/**/*.rb",
+        ]
 
         automatic_assets(false)
         precompile_assets(*assets_to_precompile)

data/lib/foreman_remote_execution/version.rb

@@ -1,3 +1,3 @@
 module ForemanRemoteExecution
-  VERSION = '3.3.7'.freeze
+  VERSION = '4.0.0'.freeze
 end

data/test/functional/api/v2/job_invocations_controller_test.rb

@@ -38,10 +38,11 @@ module Api
 
         test 'should see only permitted hosts' do
           @user = FactoryBot.create(:user, admin: false)
+          @invocation.task.update(user: @user)
           setup_user('view', 'job_invocations', nil, @user)
           setup_user('view', 'hosts', 'name ~ nope.example.com', @user)
 
-          get :show, params: { :id => @invocation.id }, session: set_session_user(@user)
+          get :show, params: { :id => @invocation.id }, session: prepare_user(@user)
           assert_response :success
           response = ActiveSupport::JSON.decode(@response.body)
           assert_equal response['targeting']['hosts'], []
@@ -298,6 +299,68 @@ module Api
         post :rerun, params: { :id => @invocation.id }
         assert_response 404
       end
+
+      describe 'restricted access' do
+        setup do
+          @admin = FactoryBot.create(:user, mail: 'admin@test.foreman.com', admin: true)
+          @user = FactoryBot.create(:user, mail: 'user@test.foreman.com', admin: false)
+          @invocation = FactoryBot.create(:job_invocation, :with_template, :with_task, :with_unplanned_host)
+          @invocation2 = FactoryBot.create(:job_invocation, :with_template, :with_task, :with_unplanned_host)
+
+          @invocation.task.update(user: @admin)
+          @invocation2.task.update(user: @user)
+
+          setup_user 'view', 'hosts', nil, @user
+          setup_user 'view', 'job_invocations', 'user = current_user', @user
+          setup_user 'create', 'job_invocations', 'user = current_user', @user
+          setup_user 'cancel', 'job_invocations', 'user = current_user', @user
+        end
+
+        let(:host) { @invocation.targeting.hosts.first }
+        let(:host2) { @invocation2.targeting.hosts.first }
+
+        context 'without user filter' do
+          test '#index' do
+            get :index, session: prepare_user(@admin)
+            assert_response :success
+            assert JSON.parse(@response.body)['results'].size >= 2
+          end
+
+          test '#show' do
+            get :show, params: { id: @invocation2.id }, session: prepare_user(@admin)
+            assert_response :success
+          end
+
+          test '#output' do
+            get :output, params: { job_invocation_id: @invocation2.id, host_id: host2.id }, session: prepare_user(@admin)
+            assert_response :success
+          end
+        end
+
+        context 'with user filter' do
+          test '#index' do
+            get :index, session: prepare_user(@user)
+            assert_response :success
+            assert_equal 1, JSON.parse(@response.body)['results'].size
+          end
+
+          test '#show' do
+            get :show, params: { id: @invocation.id }, session: prepare_user(@user)
+            assert_response :not_found
+          end
+
+          test '#output' do
+            get :output, params: { job_invocation_id: @invocation.id, host_id: host.id }, session: prepare_user(@user)
+            assert_response :not_found
+            assert_includes @response.body, 'Job invocation not found'
+          end
+        end
+      end
+
+      def prepare_user(user)
+        User.current = user
+        set_session_user(user)
+      end
     end
   end
 end