foreman_rh_cloud 12.1.3 → 12.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6bc60ead37485cf4bb034dd6ccbd416ca9ad957c37123553c1cf529a2a948d48
-  data.tar.gz: 7490a0bf69893145965f99d692735dca1ad3786439efb306e99423f555c83ad0
+  metadata.gz: abf912ff1170fb60a3b10a6d1178f71ad7a92662c2272a883179eb30a62e2c2e
+  data.tar.gz: 3ff64877a61a50890423e1d25980ea37e9fc3ae949f875be344b299f5580ab24
 SHA512:
-  metadata.gz: 68a8fcbff3c147991ee6c05699a9a0be941552dd97bcd94fb8230635120c40302a06b1ed4d2428a16ad71b353da2a56696e045eca29a3beda0b3df2877bd2206
-  data.tar.gz: 00ae0a4cafbad304e4da6ff962c8214c67aecc0e7af37a8c2dbd1be1f889dbca095cf93f4c6222441cef08298d333758ff8c2f942358736aca8473cc813fee34
+  metadata.gz: 5792bc34bf4e7a254cacc14cd014b9e008378d695ddc5ae00afcbd5f10371840a53ecdd106f2a845531a2c174fab3c7d1b931ba0a6f766c749124adcbcff742f
+  data.tar.gz: dffa948ae7cca41a839be2c07f26193ccc11c9af71d84c07d4b0f256a0ad0e5763ce107cf69a22ecb6436212a5e68d09512a4043eb8eb5b01a2268c88d0d44fd

data/README.md

@@ -1,18 +1,16 @@
 [![Ruby tests](https://github.com/theforeman/foreman_rh_cloud/actions/workflows/ruby_tests.yml/badge.svg)](https://github.com/theforeman/foreman_rh_cloud/actions/workflows/ruby_tests.yml)
 [![JS](https://github.com/theforeman/foreman_rh_cloud/actions/workflows/js_tests.yml/badge.svg)](https://github.com/theforeman/foreman_rh_cloud/actions/workflows/js_tests.yml)
+[![Ask DeepWiki](https://deepwiki.com/badge.svg)](https://deepwiki.com/theforeman/foreman_rh_cloud)
 
 # ForemanRhCloud
 
-*Introduction here*
-
 ## Installation
 
 See [How_to_Install_a_Plugin](http://projects.theforeman.org/projects/foreman/wiki/How_to_Install_a_Plugin)
 for how to install Foreman plugins
 
-## Usage
-
-*Usage here*
+## Project overview
+See our [wiki](https://deepwiki.com/theforeman/foreman_rh_cloud)
 
 ### In Satellite
 

data/app/controllers/concerns/insights_cloud/package_profile_upload_extensions.rb

@@ -0,0 +1,33 @@
+module InsightsCloud
+  module PackageProfileUploadExtensions
+    extend ActiveSupport::Concern
+
+    included do
+      # This method explicitly listens on Katello actions
+      # rubocop:disable Rails/LexicallyScopedActionFilter
+      after_action :generate_host_report, only: [:upload_package_profile, :upload_profiles]
+      # rubocop:enable Rails/LexicallyScopedActionFilter
+    end
+
+    def generate_host_report
+      return unless ForemanRhCloud.with_local_advisor_engine?
+
+      logger.debug("Generating host-specific report for host #{@host.name}")
+
+      ForemanTasks.async_task(
+        ForemanInventoryUpload::Async::GenerateReportJob,
+        ForemanInventoryUpload.generated_reports_folder,
+        @host.organization_id,
+        false,
+        "id=#{@host.id}"
+      )
+
+      # in IoP case, the hosts are identified by the sub-man ID, and we can assume they already
+      # exist in the local inventory. This will also handle facet creation for new hosts.
+      return if @host.insights
+
+      insights_facet = @host.build_insights(uuid: @host.subscription_facet.uuid)
+      insights_facet.save
+    end
+  end
+end

data/app/controllers/insights_cloud/api/machine_telemetries_controller.rb

@@ -15,9 +15,8 @@ module InsightsCloud::Api
 
     # The method that "proxies" requests over to Cloud
     def forward_request
-      certs = candlepin_id_cert @organization
       begin
-        @cloud_response = ::ForemanRhCloud::CloudRequestForwarder.new.forward_request(request, controller_name, @branch_id, certs)
+        @cloud_response = ::ForemanRhCloud::CloudRequestForwarder.new.forward_request(request, controller_name, @branch_id, @host)
       rescue RestClient::Exceptions::Timeout => e
         response_obj = e.response.presence || e.exception
         return render json: { message: response_obj.to_s, error: response_obj.to_s }, status: :gateway_timeout

data/app/controllers/insights_cloud/ui_requests_controller.rb

@@ -0,0 +1,99 @@
+module InsightsCloud
+  class UIRequestsController < ::ApplicationController
+    layout false
+
+    before_action :ensure_org, :ensure_loc, :only => [:forward_request]
+
+    # The method that "proxies" requests over to Cloud
+    def forward_request
+      begin
+        path_match = request.original_fullpath.match(%r{^/insights_cloud/(?<path>[^?]*)})&.[](:path)
+        path_to_forward = path_match || params.require(:path)
+
+        @cloud_response = ::ForemanRhCloud::InsightsApiForwarder.new.forward_request(
+          request,
+          path_to_forward,
+          controller_name,
+          User.current,
+          @organization,
+          @location
+        )
+      rescue RestClient::Exceptions::Timeout => e
+        response_obj = e.response.presence || e.exception
+        return render json: { message: response_obj.to_s, error: response_obj.to_s }, status: :gateway_timeout
+      rescue RestClient::Unauthorized => e
+        logger.warn("Forwarding request auth error: #{e}")
+        message = 'Authentication to the Insights Service failed.'
+        return render json: { message: message, error: message }, status: :unauthorized
+      rescue RestClient::NotModified => e
+        logger.info("Forwarding request not modified: #{e}")
+        message = 'Cloud request not modified'
+        return render json: { message: message, error: message }, status: :not_modified
+      rescue RestClient::ExceptionWithResponse => e
+        response_obj = e.response.presence || e.exception
+        code = response_obj.try(:code) || response_obj.try(:http_code) || 500
+        message = 'Cloud request failed'
+
+        return render json: {
+          :message => message,
+          :error => response_obj.to_s,
+          :headers => {},
+          :response => response_obj,
+        }, status: code
+      rescue StandardError => e
+        # Catch any other exceptions here, such as Errno::ECONNREFUSED
+        logger.warn("Cloud request failed with exception: #{e}")
+        return render json: { error: e.to_s }, status: :bad_gateway
+      end
+
+      # Append redhat-specific headers
+      @cloud_response.headers.each do |key, _value|
+        assign_header(response, @cloud_response, key, false) if key.to_s.start_with?('x_rh_')
+      end
+
+      # Append general headers
+      assign_header(response, @cloud_response, :x_resource_count, true)
+      headers[Rack::ETAG] = @cloud_response.headers[:etag]
+
+      if @cloud_response.headers[:content_disposition]
+        # If there is a Content-Disposition header, it means we are forwarding binary data, send the raw data with proper
+        # content type
+        send_data @cloud_response, disposition: @cloud_response.headers[:content_disposition], type: @cloud_response.headers[:content_type]
+      elsif @cloud_response.headers[:content_type] =~ /zip/
+        # If there is no Content-Disposition, but the content type is binary according to Content-Type, send the raw data
+        # with proper content type
+        send_data @cloud_response, type: @cloud_response.headers[:content_type]
+      else
+        render json: @cloud_response, status: @cloud_response.code
+      end
+    end
+
+    def assign_header(res, cloud_res, header, transform)
+      header_content = cloud_res.headers[header]
+      return unless header_content
+      new_header = transform ? header.to_s.tr('_', '-') : header.to_s
+      res.headers[new_header] = header_content
+    end
+
+    private
+
+    def ensure_org
+      @organization = Organization.current
+      return render_message 'Organization not found or invalid', :status => 400 unless @organization
+    end
+
+    def ensure_loc
+      @location = Location.current
+      return render_message 'Location not found or invalid', :status => 400 unless @location
+    end
+
+    def base_url
+      InsightsCloud.ui_base_url
+    end
+
+    def render_message(msg, render_options = {})
+      render_options[:json] = { :message => msg }
+      render render_options
+    end
+  end
+end

data/app/services/foreman_rh_cloud/cert_auth.rb

@@ -10,7 +10,8 @@ module ForemanRhCloud
     end
 
     def execute_cloud_request(params)
-      certs = candlepin_id_cert(params.delete(:organization))
+      organization = params.delete(:organization)
+      certs = ForemanRhCloud.with_local_advisor_engine? ? foreman_certificate : candlepin_id_cert(organization)
       final_params = {
         ssl_client_cert: OpenSSL::X509::Certificate.new(certs[:cert]),
         ssl_client_key: OpenSSL::PKey.read(certs[:key]),
@@ -18,5 +19,12 @@ module ForemanRhCloud
 
       super(final_params)
     end
+
+    def foreman_certificate
+      @foreman_certificate ||= {
+        cert: File.read(Setting[:ssl_certificate]),
+        key: File.read(Setting[:ssl_priv_key]),
+      }
+    end
   end
 end

data/app/services/foreman_rh_cloud/cloud_request_forwarder.rb

@@ -3,8 +3,9 @@ require 'rest-client'
 module ForemanRhCloud
   class CloudRequestForwarder
     include ForemanRhCloud::CloudRequest
+    include ForemanRhCloud::CertAuth
 
-    def forward_request(original_request, controller_name, branch_id, certs)
+    def forward_request(original_request, controller_name, branch_id, host)
       forward_params = prepare_forward_params(original_request, branch_id)
       logger.debug("Request parameters for telemetry request: #{forward_params}")
 
@@ -12,14 +13,15 @@ module ForemanRhCloud
 
       logger.debug("User agent for telemetry is: #{http_user_agent original_request}")
 
-      request_opts = prepare_request_opts(original_request, forward_payload, forward_params, certs)
+      request_opts = prepare_request_opts(original_request, forward_payload, forward_params, host)
+      request_opts[:organization] = host.organization
 
       logger.debug("Sending request to: #{request_opts[:url]}")
 
       execute_cloud_request(request_opts)
     end
 
-    def prepare_request_opts(original_request, forward_payload, forward_params, certs)
+    def prepare_request_opts(original_request, forward_payload, forward_params, host)
       base_params = {
         method: original_request.method,
         payload: forward_payload,
@@ -28,11 +30,12 @@ module ForemanRhCloud
             params: forward_params,
             user_agent: http_user_agent(original_request),
             content_type: original_request.media_type.presence || original_request.format.to_s,
+            Forwarded: prepare_forwarded_header(host),
           }
         ),
       }
       requested_url = original_request.original_fullpath.end_with?('/') ? original_request.path + '/' : original_request.path
-      params = path_params(requested_url, certs)
+      params = path_params(requested_url)
 
       if ForemanRhCloud.with_local_advisor_engine?
         params[:ssl_ca_file] = ForemanRhCloud.ca_cert
@@ -65,31 +68,23 @@ module ForemanRhCloud
       forward_params
     end
 
-    def path_params(request_path, certs)
+    def path_params(request_path)
       case request_path
       when lightspeed?
         {
           url: ForemanRhCloud.cert_base_url + request_path,
-          ssl_client_cert: OpenSSL::X509::Certificate.new(certs[:cert]),
-          ssl_client_key: OpenSSL::PKey.read(certs[:key]),
         }
       when platform_request?
         {
           url: ForemanRhCloud.cert_base_url + request_path.sub('/redhat_access/r/insights/platform', '/api'),
-          ssl_client_cert: OpenSSL::X509::Certificate.new(certs[:cert]),
-          ssl_client_key: OpenSSL::PKey.read(certs[:key]),
         }
       when connection_test_request?
         {
           url: ForemanRhCloud.cert_base_url + '/api/apicast-tests/ping',
-          ssl_client_cert: OpenSSL::X509::Certificate.new(certs[:cert]),
-          ssl_client_key: OpenSSL::PKey.read(certs[:key]),
         }
       else # Legacy insights API
         {
           url: ForemanRhCloud.legacy_insights_url + request_path.sub('/redhat_access/r/insights', '/r/insights'),
-          ssl_client_cert: OpenSSL::X509::Certificate.new(certs[:cert]),
-          ssl_client_key: OpenSSL::PKey.read(certs[:key]),
           ssl_ca_file: ForemanRhCloud.legacy_insights_ca,
         }
       end
@@ -105,6 +100,10 @@ module ForemanRhCloud
       headers
     end
 
+    def prepare_forwarded_header(host)
+      "for=\"_#{host.subscription_facet.uuid}\""
+    end
+
     def lightspeed?
       ->(request_path) { request_path.include? '/lightspeed' }
     end

data/app/services/foreman_rh_cloud/gateway_request.rb

@@ -0,0 +1,26 @@
+module ForemanRhCloud
+  module GatewayRequest
+    extend ActiveSupport::Concern
+
+    include CloudRequest
+
+    def execute_cloud_request(params)
+      certs = params.delete(:certs) || foreman_certificates
+      final_params = {
+        ssl_client_cert: OpenSSL::X509::Certificate.new(certs[:cert]),
+        ssl_client_key: OpenSSL::PKey.read(certs[:key]),
+        ssl_ca_file: Setting[:ssl_ca_file],
+        verify_ssl: OpenSSL::SSL::VERIFY_PEER,
+      }.deep_merge(params)
+
+      super(final_params)
+    end
+
+    def foreman_certificates
+      {
+        cert: File.read(Setting[:ssl_certificate]),
+        key: File.read(Setting[:ssl_priv_key]),
+      }
+    end
+  end
+end

data/app/services/foreman_rh_cloud/insights_api_forwarder.rb

@@ -0,0 +1,116 @@
+require 'rest-client'
+
+module ForemanRhCloud
+  class InsightsApiForwarder
+    include ForemanRhCloud::GatewayRequest
+
+    SCOPED_REQUESTS = [
+      %r{/api/vulnerability/v1/vulnerabilities/cves},
+      %r{/api/vulnerability/v1/dashbar},
+      %r{/api/vulnerability/v1/cves/[^/]+/affected_systems},
+      %r{/api/vulnerability/v1/systems/[^/]+/cves},
+      %r{/api/insights/.*},
+      %r{/api/inventory/.*},
+      %r{/api/tasks/.*},
+    ].freeze
+
+    def forward_request(original_request, path, controller_name, user, organization, location)
+      TagsAuth.new(user, organization, location, logger).update_tag if scope_request?(original_request, path)
+
+      forward_params = prepare_forward_params(original_request, path, user: user, organization: organization, location: location).to_a
+      logger.debug("Request parameters for UI request: #{forward_params}")
+
+      forward_payload = prepare_forward_payload(original_request, controller_name)
+
+      logger.debug("User agent for UI is: #{http_user_agent(original_request)}")
+
+      request_opts = prepare_request_opts(original_request, path, forward_payload, forward_params)
+
+      logger.debug("Sending request to: #{request_opts[:url]}")
+
+      execute_cloud_request(request_opts)
+    end
+
+    def prepare_tags(user, organization, location)
+      [
+        TagsAuth.auth_tag_for(user, organization, location),
+      ].map { |tag_value| [:tag, tag_value] }
+    end
+
+    def prepare_request_opts(original_request, path, forward_payload, forward_params)
+      base_params = {
+        method: original_request.method,
+        payload: forward_payload,
+        headers: original_headers(original_request).merge(
+          {
+            params: RestClient::ParamsArray.new(forward_params),
+            user_agent: http_user_agent(original_request),
+            content_type: original_request.media_type.presence || original_request.format.to_s,
+          }
+        ),
+      }
+      params = path_params(path)
+
+      base_params.merge(params)
+    end
+
+    def prepare_forward_payload(original_request, controller_name)
+      forward_payload = original_request.request_parameters[controller_name]
+
+      forward_payload = original_request.raw_post.clone if (original_request.post? || original_request.patch?) && original_request.raw_post
+      forward_payload = original_request.body.read if original_request.put?
+
+      forward_payload = original_request.params.slice(:file, :metadata) if original_request.params[:file]
+
+      # fix rails behaviour for http PATCH:
+      forward_payload = forward_payload.to_json if original_request.format.json? && original_request.patch? && forward_payload && !forward_payload.is_a?(String)
+      forward_payload
+    end
+
+    def prepare_forward_params(original_request, path, user:, organization:, location:)
+      forward_params = original_request.query_parameters.to_a
+
+      forward_params += prepare_tags(user, organization, location) if scope_request?(original_request, path)
+
+      forward_params
+    end
+
+    def path_params(path)
+      {
+        url: "#{InsightsCloud.ui_base_url}/#{path}",
+      }
+    end
+
+    def original_headers(original_request)
+      headers = {
+        if_none_match: original_request.if_none_match,
+        if_modified_since: original_request.if_modified_since,
+      }.compact
+
+      logger.debug("Sending headers: #{headers}")
+      headers
+    end
+
+    def scope_request?(original_request, path)
+      return false unless original_request.get?
+
+      SCOPED_REQUESTS.any? { |request_pattern| request_pattern.match?(path) }
+    end
+
+    def core_app_name
+      BranchInfo.new.core_app_name
+    end
+
+    def core_app_version
+      BranchInfo.new.core_app_version
+    end
+
+    def http_user_agent(original_request)
+      "#{core_app_name}/#{core_app_version};#{ForemanRhCloud::Engine.engine_name}/#{ForemanRhCloud::VERSION};#{original_request.env['HTTP_USER_AGENT']}"
+    end
+
+    def logger
+      Foreman::Logging.logger('app')
+    end
+  end
+end

data/app/services/foreman_rh_cloud/tags_auth.rb

@@ -0,0 +1,55 @@
+module ForemanRhCloud
+  class TagsAuth
+    include GatewayRequest
+
+    TAG_NAMESPACE = 'sat_iam'.freeze
+    TAG_SHORT_NAME = 'scope'.freeze
+    TAG_NAME = "#{TAG_NAMESPACE}/#{TAG_SHORT_NAME}".freeze
+
+    def self.auth_tag_for(user, org, loc)
+      new(user, org, loc, nil).auth_tag
+    end
+
+    attr_reader :logger
+
+    def initialize(user, org, loc, logger)
+      @user = user
+      @org = org
+      @loc = loc
+      @logger = logger
+    end
+
+    def update_tag
+      logger.debug("Updating tags for user: #{@user}, org: #{@org.name}, loc: #{@loc.name}")
+
+      params = {
+        method: :post,
+        url: "#{InsightsCloud.gateway_url}/tags",
+        headers: {
+          content_type: :json,
+        },
+        payload: tags_query_payload.to_json,
+      }
+      execute_cloud_request(params)
+    end
+
+    def allowed_hosts
+      Host.authorized_as(@user, nil, nil).where(organization: @org, location: @loc).joins(:subscription_facet).pluck('katello_subscription_facets.uuid')
+    end
+
+    def tags_query_payload
+      {
+        tags: [{ "namespace": TAG_NAMESPACE, "key": TAG_SHORT_NAME, "value": tag_value }],
+        host_id_list: allowed_hosts,
+      }
+    end
+
+    def tag_value
+      "U:\"#{@user.login}\"O:\"#{@org.name}\"L:\"#{@loc.name}\""
+    end
+
+    def auth_tag
+      "#{TAG_NAME}=#{tag_value}"
+    end
+  end
+end

data/app/views/api/v2/hosts/insights/base.rabl

@@ -3,3 +3,9 @@ attributes :uuid
 node :insights_hit_details do |facet|
   facet&.host&.facts('insights::hit_details')&.values&.first
 end
+node :insights_hits_count do |facet|
+  facet.hits&.count
+end
+node :use_local_advisor_engine do |_facet|
+  ForemanRhCloud.with_local_advisor_engine?
+end

data/config/routes.rb

@@ -30,6 +30,8 @@ Rails.application.routes.draw do
     match 'hits/:host_id', to: 'hits#show', via: :get
 
     post ':organization_id/parameter', to: 'settings#set_org_parameter', constraints: { organization_id: %r{[^\/]+} }
+
+    match '/*path', constraints: { path: %r{api/[^\?]+} }, to: 'ui_requests#forward_request', via: :all
   end
 
   namespace :foreman_rh_cloud do

data/lib/foreman_inventory_upload/async/generate_report_job.rb

@@ -5,18 +5,19 @@ module ForemanInventoryUpload
         "report_for_#{label}"
       end
 
-      def plan(base_folder, organization_id, disconnected)
+      def plan(base_folder, organization_id, disconnected, hosts_filter = nil)
         sequence do
           super(
-            GenerateReportJob.output_label(organization_id),
+            GenerateReportJob.output_label("#{organization_id}#{hosts_filter.empty? ? nil : "[#{hosts_filter.to_s.parameterize}]"}"),
             organization_id: organization_id,
-            base_folder: base_folder
+            base_folder: base_folder,
+            hosts_filter: hosts_filter
           )
 
           plan_action(
             QueueForUploadJob,
             base_folder,
-            ForemanInventoryUpload.facts_archive_name(organization_id),
+            ForemanInventoryUpload.facts_archive_name(organization_id, hosts_filter),
             organization_id,
             disconnected
           )
@@ -34,7 +35,8 @@ module ForemanInventoryUpload
       def env
         super.merge(
           'target' => base_folder,
-          'organization_id' => organization_id
+          'organization_id' => organization_id,
+          'hosts_filter' => hosts_filter
         )
       end
 
@@ -45,6 +47,10 @@ module ForemanInventoryUpload
       def organization_id
         input[:organization_id]
       end
+
+      def hosts_filter
+        input[:hosts_filter]
+      end
     end
   end
 end

data/lib/foreman_inventory_upload/async/upload_report_job.rb

@@ -33,8 +33,8 @@ module ForemanInventoryUpload
         end
 
         Tempfile.create([organization.name, '.pem']) do |cer_file|
-          cer_file.write(rh_credentials[:cert])
-          cer_file.write(rh_credentials[:key])
+          cer_file.write(certificate[:cert])
+          cer_file.write(certificate[:key])
           cer_file.flush
           @cer_path = cer_file.path
           super
@@ -59,8 +59,12 @@ module ForemanInventoryUpload
         env_vars
       end
 
-      def rh_credentials
-        @rh_credentials ||= begin
+      def certificate
+        ForemanRhCloud.with_local_advisor_engine? ? foreman_certificate : manifest_certificate
+      end
+
+      def manifest_certificate
+        @manifest_certificate ||= begin
           candlepin_id_certificate = organization.owner_details['upstreamConsumer']['idCert']
           {
             cert: candlepin_id_certificate['cert'],
@@ -69,6 +73,13 @@ module ForemanInventoryUpload
         end
       end
 
+      def foreman_certificate
+        @foreman_certificate ||= {
+          cert: File.read(Setting[:ssl_certificate]),
+          key: File.read(Setting[:ssl_priv_key]),
+        }
+      end
+
       def filename
         input[:filename]
       end

data/lib/foreman_inventory_upload/generators/archived_report.rb

@@ -6,10 +6,10 @@ module ForemanInventoryUpload
         @logger = logger
       end
 
-      def render(organization:)
+      def render(organization:, filter: nil)
         Dir.mktmpdir do |tmpdir|
           @logger.info "Started generating hosts report in #{tmpdir}"
-          host_batches = ForemanInventoryUpload::Generators::Queries.for_org(organization)
+          host_batches = ForemanInventoryUpload::Generators::Queries.for_org(organization, hosts_query: filter || '')
           File.open(File.join(tmpdir, 'metadata.json'), 'w') do |metadata_out|
             metadata_generator = ForemanInventoryUpload::Generators::Metadata.new(metadata_out)
             metadata_generator.render do |inner_generator|