foreman_rh_cloud 3.0.16 → 3.0.17

data/db/migrate/20210214000002_add_rule_id_to_hits.foreman_rh_cloud.rb

@@ -0,0 +1,5 @@
+class AddRuleIdToHits < ActiveRecord::Migration[5.2]
+  def change
+    add_column :insights_hits, :rule_id, :string
+  end
+end

data/lib/foreman_inventory_upload/generators/slice.rb

@@ -103,10 +103,10 @@ module ForemanInventoryUpload
         @stream.simple_field('cores_per_socket', fact_value(host, 'cpu::core(s)_per_socket')) { |v| v.to_i }
         @stream.simple_field('system_memory_bytes', fact_value(host, 'memory::memtotal')) { |v| kilobytes_to_bytes(v.to_i) }
         @stream.array_field('network_interfaces') do
-          @stream.raw(host.interfaces.map do |nic|
+          @stream.raw(host.interfaces.reject { |nic| nic.identifier.empty? }.map do |nic|
             {
-              'ipv4_addresses': [host_ips_cache[nic.ip]].compact,
-              'ipv6_addresses': [nic.ip6].compact,
+              'ipv4_addresses': [host_ips_cache[nic.ip]].reject(&:empty?),
+              'ipv6_addresses': [nic.ip6].reject(&:empty?),
               'mtu': nic.try(:mtu) && nic.mtu.to_i,
               'mac_address': nic.mac,
               'name': nic.identifier,

data/lib/foreman_rh_cloud.rb

@@ -8,6 +8,10 @@ module ForemanRhCloud
     @base_url ||= ENV['SATELLITE_RH_CLOUD_URL'] || 'https://cloud.redhat.com'
   end
 
+  def self.cert_base_url
+    @cert_base_url ||= ENV['SATELLITE_CERT_RH_CLOUD_URL'] || 'https://cert.cloud.redhat.com'
+  end
+
   def self.authentication_url
     # https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
     @authentication_url ||= ENV['SATELLITE_RH_CLOUD_SSO_URL'] || 'https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token'
@@ -17,6 +21,10 @@ module ForemanRhCloud
     @verify_ssl_method ||= ENV['SATELLITE_RH_CLOUD_URL'] ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
   end
 
+  def self.query_limit
+    @query_limit ||= ENV['SATELLITE_RH_CLOUD_QUERY_LIMIT'] ? ENV['SATELLITE_RH_CLOUD_QUERY_LIMIT'].to_i : 100
+  end
+
   def self.http_proxy_string(logger: Foreman::Logging.logger('background'))
     ForemanRhCloud.proxy_setting(logger: logger)
   end
@@ -58,6 +66,7 @@ module ForemanRhCloud
   # This method assumes uri_string contains uri-encoded username and p@$$word:
   # http://user:p%40%24%24word@localhost:8888
   def self.transform_scheme(uri_string)
+    return unless uri_string
     transformed_uri = URI.parse(uri_string)
 
     case transformed_uri.scheme

data/lib/foreman_rh_cloud/engine.rb

@@ -13,6 +13,7 @@ module ForemanRhCloud
     config.autoload_paths += Dir["#{config.root}/app/controllers/concerns"]
     config.autoload_paths += Dir["#{config.root}/app/helpers/concerns"]
     config.autoload_paths += Dir["#{config.root}/app/models/concerns"]
+    config.autoload_paths += Dir["#{config.root}/app/services"]
     config.autoload_paths += Dir["#{config.root}/app/overrides"]
     config.autoload_paths += Dir["#{config.root}/app/services"]
     config.autoload_paths += Dir["#{config.root}/lib"]

data/lib/foreman_rh_cloud/version.rb

@@ -1,3 +1,3 @@
 module ForemanRhCloud
-  VERSION = '3.0.16'.freeze
+  VERSION = '3.0.17'.freeze
 end

data/lib/insights_cloud.rb

@@ -12,4 +12,8 @@ module InsightsCloud
   def self.hits_export_url
     ForemanRhCloud.base_url + '/api/insights/v1/export/hits/'
   end
+
+  def self.rules_url(limit: ForemanRhCloud.query_limit, offset: 0)
+    ForemanRhCloud.base_url + "/api/insights/v1/rule/?impacting=true&rule_status=enabled&has_playbook=true&limit=#{limit}&offset=#{offset}"
+  end
 end

data/lib/insights_cloud/async/insights_full_sync.rb

@@ -12,6 +12,8 @@ module InsightsCloud
         setup_host_names(@hits_host_names.keys)
 
         replace_hits_data(hits)
+
+        InsightsRulesSync.perform_later
       end
 
       def logger
@@ -34,6 +36,20 @@ module InsightsCloud
         JSON.parse(hits_response)
       end
 
+      def query_insights_rules
+        rules_response = RestClient::Request.execute(
+          method: :get,
+          url: InsightsCloud.rules_url,
+          verify_ssl: ForemanRhCloud.verify_ssl_method,
+          proxy: ForemanRhCloud.transformed_http_proxy_string(logger: logger),
+          headers: {
+            Authorization: "Bearer #{rh_credentials}",
+          }
+        )
+
+        JSON.parse(rules_response)
+      end
+
       def setup_host_names(host_names)
         @host_ids = Hash[
           Host.unscoped.where(name: host_names).pluck(:name, :id)
@@ -46,6 +62,8 @@ module InsightsCloud
 
       def replace_hits_data(hits)
         InsightsHit.transaction do
+          # Reset hit counters to 0, they will be recreated later
+          InsightsFacet.unscoped.update_all(hits_count: 0)
           # create new facets for hosts that are missing one
           hosts_with_existing_facets = InsightsFacet.where(host_id: @host_ids.values).pluck(:host_id)
           InsightsFacet.create(
@@ -77,8 +95,19 @@ module InsightsCloud
           total_risk: hit_hash['total_risk'].to_i,
           likelihood: hit_hash['likelihood'].to_i,
           results_url: hit_hash['results_url'],
+          rule_id: to_rule_id(hit_hash['results_url']),
         }
       end
+
+      def to_rule_id(results_url)
+        URI.decode(safe_results_match(results_url)[:id] || '')
+      end
+
+      def safe_results_match(results_url)
+        match = results_url.match(/\/(?<id>[^\/]*)\/[^\/]*\/\z/)
+
+        match || { id: nil }
+      end
     end
   end
 end

data/lib/insights_cloud/async/insights_rules_sync.rb

@@ -0,0 +1,80 @@
+require 'rest-client'
+
+module InsightsCloud
+  module Async
+    class InsightsRulesSync < ::ApplicationJob
+      include ::ForemanRhCloud::CloudAuth
+
+      def perform
+        offset = 0
+        InsightsRule.transaction do
+          InsightsResolution.delete_all
+          InsightsRule.delete_all
+          loop do
+            api_response = query_insights_rules(offset)
+            results = RulesResult.new(api_response)
+            logger.debug("Downloaded #{offset + results.count} of #{results.total}")
+            write_rules_page(results.rules)
+            offset += results.count
+            break if offset >= results.total
+          end
+        end
+      end
+
+      def logger
+        Foreman::Logging.logger('background')
+      end
+
+      private
+
+      def query_insights_rules(offset)
+        rules_response = RestClient::Request.execute(
+          method: :get,
+          url: InsightsCloud.rules_url(offset: offset),
+          verify_ssl: ForemanRhCloud.verify_ssl_method,
+          proxy: ForemanRhCloud.transformed_http_proxy_string(logger: logger),
+          headers: {
+            Authorization: "Bearer #{rh_credentials}",
+          }
+        )
+
+        JSON.parse(rules_response)
+      end
+
+      def write_rules_page(rules)
+        rules_attributes = rules.map { |rule| to_rule_hash(rule) }
+        resolutions_attributes = rules.map do |rule|
+          rule['resolution_set'].map { |resolution| to_resolution_hash(rule['rule_id'], resolution) }
+        end.flatten
+
+        InsightsRule.create(rules_attributes)
+        InsightsResolution.create(resolutions_attributes)
+      end
+
+      def to_rule_hash(rule_hash)
+        {
+          rule_id: rule_hash['rule_id'],
+          description:  rule_hash['description'],
+          category_name:  rule_hash.dig('category', 'name'),
+          impact_name:  rule_hash.dig('impact', 'name'),
+          summary:  rule_hash['summary'],
+          generic:  rule_hash['generic'],
+          reason:  rule_hash['reason'],
+          total_risk:  rule_hash['total_risk'],
+          reboot_required:  rule_hash['reboot_required'],
+          more_info:  rule_hash['more_info'],
+          rating:  rule_hash['rating'],
+        }
+      end
+
+      def to_resolution_hash(rule_id, resolution_hash)
+        {
+          rule_id: rule_id,
+          system_type: resolution_hash['system_type'],
+          resolution: resolution_hash['resolution'],
+          has_playbook: resolution_hash['has_playbook'],
+        }
+      end
+    end
+  end
+end

data/lib/insights_cloud/async/rules_result.rb

@@ -0,0 +1,13 @@
+module InsightsCloud
+  module Async
+    class RulesResult
+      attr_reader :rules, :count, :total
+
+      def initialize(result)
+        @total = result.dig('meta', 'count')
+        @count = result['data'].length
+        @rules = result['data']
+      end
+    end
+  end
+end

data/package.json

@@ -1,6 +1,6 @@
 {
   "name": "foreman_rh_cloud",
-  "version": "3.0.14",
+  "version": "3.0.17",
   "description": "Inventory Upload =============",
   "main": "index.js",
   "scripts": {

data/test/controllers/insights_cloud/api/machine_telemetries_controller_test.rb

@@ -0,0 +1,107 @@
+require 'test_plugin_helper'
+
+module InsightsCloud::Api
+  class MachineTelemetriesControllerTest < ActionController::TestCase
+    context '#forward_request' do
+      setup do
+        @body = 'Cloud response body'
+        @http_req = RestClient::Request.new(:method => 'GET', :url => 'http://test.theforeman.org')
+
+        org = FactoryBot.create(:organization)
+        host = FactoryBot.create(:host, :with_subscription, :organization => org)
+        User.current = ::Katello::CpConsumerUser.new(:uuid => host.subscription_facet.uuid, :login => host.subscription_facet.uuid)
+        InsightsCloud::Api::MachineTelemetriesController.any_instance.stubs(:upstream_owner).returns({ 'uuid' => 'abcdefg' })
+      end
+
+      test "should respond with response from cloud" do
+        net_http_resp = Net::HTTPResponse.new(1.0, 200, "OK")
+        net_http_resp.add_field 'Set-Cookie', 'Monster'
+        res = RestClient::Response.create(@body, net_http_resp, @http_req)
+        ::ForemanRhCloud::CloudRequestForwarder.any_instance.stubs(:forward_request).returns(res)
+
+        get :forward_request, params: { "path" => "platform/module-update-router/v1/channel" }
+        assert_equal @body, @response.body
+      end
+
+      test "should add headers to response from cloud" do
+        x_resource_count = '101'
+        x_rh_insights_request_id = '202'
+        net_http_resp = Net::HTTPResponse.new(1.0, 200, "OK")
+        net_http_resp['x_resource_count'] = x_resource_count
+        net_http_resp['x_rh_insights_request_id'] = x_rh_insights_request_id
+        res = RestClient::Response.create(@body, net_http_resp, @http_req)
+        ::ForemanRhCloud::CloudRequestForwarder.any_instance.stubs(:forward_request).returns(res)
+
+        get :forward_request, params: { "path" => "platform/module-update-router/v1/channel" }
+        assert_equal x_resource_count, @response.headers['x-resource-count']
+        assert_equal x_rh_insights_request_id, @response.headers['x_rh_insights_request_id']
+      end
+
+      test "should handle failed authentication to cloud" do
+        net_http_resp = Net::HTTPResponse.new(1.0, 401, "Unauthorized")
+        res = RestClient::Response.create(@body, net_http_resp, @http_req)
+        ::ForemanRhCloud::CloudRequestForwarder.any_instance.stubs(:forward_request).returns(res)
+
+        get :forward_request, params: { "path" => "platform/module-update-router/v1/channel" }
+        assert_equal 502, @response.status
+        assert_equal 'Authentication to the Insights Service failed.', JSON.parse(@response.body)['message']
+      end
+    end
+
+    context '#branch_info' do
+      setup do
+        User.current = User.find_by(login: 'secret_admin')
+
+        @env = FactoryBot.create(:katello_k_t_environment)
+        cv = @env.content_views << FactoryBot.create(:katello_content_view, organization: @env.organization)
+
+        @host = FactoryBot.create(
+          :host,
+          :with_subscription,
+          :with_content,
+          :with_hostgroup,
+          :with_parameter,
+          content_view: cv.first,
+          lifecycle_environment: @env,
+          organization: @env.organization
+        )
+
+        @host.subscription_facet.pools << FactoryBot.create(:katello_pool, account_number: '5678', cp_id: 1)
+
+        uuid = @host.subscription_facet.uuid
+
+        @user = ::Katello::CpConsumerUser.new({ :uuid => uuid, :login => uuid })
+
+        @controller.stub(:set_client_user, @user) do
+          User.current = @user
+        end
+
+        @controller.stubs(:cp_owner_id).returns('test-branch-id')
+      end
+
+      test 'should get branch info' do
+        get :branch_info
+
+        assert_response :success
+      end
+
+      test 'should handle missing organization' do
+        Host::Managed.any_instance.stubs(:organization).returns(nil)
+        get :branch_info
+
+        res = JSON.parse(@response.body)
+        assert_equal "Organization not found or invalid", res['message']
+        assert_response 400
+      end
+
+      test 'should handle missing branch id' do
+        @controller.stubs(:cp_owner_id).returns(nil)
+        get :branch_info
+
+        res = JSON.parse(@response.body)
+        assert_equal "Branch ID not found for organization #{@host.organization.title}", res['message']
+        assert_response 400
+      end
+    end
+  end
+end

data/test/factories/insights_factories.rb

@@ -16,7 +16,8 @@ FactoryBot.define do
     total_risk { 1 }
     likelihood { 2 }
     publish_date { DateTime.now }
-    sequence(:results_url) { |n| "http://example.com/results/#{n}" }
+    sequence(:results_url) { |n| "https://cloud.redhat.com/insights/overview/stability/test_rule%7CTEST_RULE/accdf444-5628-451d-bf3e-cf909ad7275#{n}/" }
+    rule_id { "test_rule|TEST_RULE" }
   end
 end
 

data/test/factories/inventory_upload_factories.rb

@@ -61,6 +61,18 @@ FactoryBot.define do
   end
 end
 
+FactoryBot.define do
+  factory :katello_host_collection_host, :class => Katello::HostCollectionHosts do
+    host_id { nil }
+    host_collection_id { nil }
+  end
+
+  factory :katello_host_collection, :class => Katello::HostCollection do
+    sequence(:name) { |n| "Host Collection #{n}" }
+    organization_id { nil }
+  end
+end
+
 FactoryBot.modify do
   factory :host do
     transient do

data/test/jobs/insights_full_sync_test.rb

@@ -62,6 +62,23 @@ class InsightsFullSyncTest < ActiveJob::TestCase
     assert_equal 'accdf444-5628-451d-bf3e-cf909ad72757', @host2.insights.uuid
   end
 
+  test 'Hits counters are reset correctly' do
+    InsightsCloud::Async::InsightsFullSync.any_instance.expects(:query_insights_hits).returns(@hits).twice
+
+    InsightsCloud::Async::InsightsFullSync.perform_now()
+    # Invoke again
+    InsightsCloud::Async::InsightsFullSync.perform_now()
+
+    @host1.reload
+    @host2.reload
+
+    # Check that the counters are correct
+    assert_equal 2, @host1.insights.hits.count
+    assert_equal 1, @host2.insights.hits.count
+    assert_equal 'accdf444-5628-451d-bf3e-cf909ad72756', @host1.insights.uuid
+    assert_equal 'accdf444-5628-451d-bf3e-cf909ad72757', @host2.insights.uuid
+  end
+
   test 'Hits ignoring non-existent hosts' do
     hits_json = <<-HITS_JSON
     [

data/test/jobs/insights_rules_sync_test.rb

@@ -0,0 +1,198 @@
+require 'test_helper'
+
+class InsightsRulesSyncTest < ActiveJob::TestCase
+  setup do
+    rules_json = <<-'RULES_JSON'
+    {
+      "meta": {
+        "count": 2
+      },
+      "links": {
+        "first": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=0\u0026rule_status=enabled",
+        "next": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=2\u0026rule_status=enabled",
+        "previous": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=0\u0026rule_status=enabled",
+        "last": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=1\u0026rule_status=enabled"
+      },
+      "data": [
+        {
+        "rule_id": "test_rule|TEST_RULE",
+        "created_at": "2020-09-25T07:37:09.745864Z",
+        "updated_at": "2020-10-23T02:43:09.662260Z",
+        "description": "Kdump auto crashkernel reservation failed because the total memory does not meet the minimum requirement",
+        "active": true,
+        "category": {
+          "id": 1,
+          "name": "Availability"
+        },
+        "impact": {
+          "name": "Diagnostics Failure",
+          "impact": 1
+        },
+        "likelihood": 4,
+        "node_id": "1186753",
+        "tags": "incident kdump",
+        "playbook_count": 1,
+        "reboot_required": false,
+        "publish_date": "2020-10-01T19:04:00Z",
+        "summary": "Kdump fails to collect vmcore when the reserved size does not meet the minimum requirement.\n",
+        "generic": "Automatic reservation did not work because the total memory does not meet the minimum requirement for kdump.\n",
+        "reason": "{{?pydata.error_key == \"CRASHKERNEL_RECOMMENDED_VALUE_V2\"}}\nThis **{{=pydata.value[3]}}** system is running with a total memory of **{{=pydata.value[0]}}MB**. The kdump reserved size is **{{=pydata.value[1]}}MB** while the minimum amount of reserved memory required for memory **{{=pydata.value[0]}}MB** is **{{=pydata.value[2]}}MB**. \n\n{{?pydata.version == 7}}\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/kernel_crash_dump_guide#sect-kdump-memory-requirements)\n{{?}}\n{{?pydata.version == 8}}\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/installing-and-configuring-kdump_managing-monitoring-and-updating-the-kernel#memory-requirements-for-kdump_supported-kdump-configurations-and-targets)\n{{?}}\n{{?}}\n\n{{?pydata.error_key == \"CRASHKERNEL_AUTO_FAILURE_V2\"}}\nThis **{{=pydata.value[2]}}** system is running with a total memory of **{{=pydata.value[0]}}MB**. The **crashkernel** is configured as **auto** and the minimum amount of memory required for automatic memory reservation is **{{=pydata.auto_minimum}}MB**. As the total memory does not meet the requirement, kdump auto crashkernel reservation failed with following log:\n  ~~~\n  {{=pydata.msg}}\n  ~~~\n\n{{?pydata.version == 7}}\n* [Minimum Amount of Memory Required for Automatic Memory Reservation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/kernel_crash_dump_guide#sect-kdump-memory-thresholds)\n\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/kernel_crash_dump_guide#sect-kdump-memory-requirements)\n{{?}}\n{{?pydata.version == 8}}\n* [Minimum Amount of Memory Required for Automatic Memory Reservation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/installing-and-configuring-kdump_managing-monitoring-and-updating-the-kernel#minimum-threshold-for-automatic-memory-reservation_supported-kdump-configurations-and-targets)\n\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/installing-and-configuring-kdump_managing-monitoring-and-updating-the-kernel#memory-requirements-for-kdump_supported-kdump-configurations-and-targets)\n{{?}}\n{{?}}\n",
+        "more_info": "{{?pydata.version == 7}}\n* [How should the crashkernel parameter be configured for using kdump on RHEL7 ?](https://access.redhat.com/solutions/916043)\n{{?}}\n{{?pydata.version == 8}}\n* [How should the crashkernel parameter be configured for using kdump on Red Hat Enterprise Linux 8 ?](https://access.redhat.com/solutions/3698411)\n{{?}}\n",
+        "impacted_systems_count": 2,
+        "reports_shown": true,
+        "rule_status": "enabled",
+        "resolution_set": [{
+            "system_type": 105,
+            "resolution": "Red Hat recommends that you change the **crashkernel** setting in the `grub.conf` file.\n\n{{?pydata.error_key == \"CRASHKERNEL_RECOMMENDED_VALUE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[2]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n\n\n{{?pydata.error_key == \"CRASHKERNEL_AUTO_FAILURE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[1]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n",
+            "resolution_risk": {
+              "name": "Update Service Configuration",
+              "risk": 1
+            },
+            "has_playbook": true
+          },
+          {
+            "system_type": 105,
+            "resolution": "Red Hat recommends that you change the **crashkernel** setting in the `grub.conf` file.\n\n{{?pydata.error_key == \"CRASHKERNEL_RECOMMENDED_VALUE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[2]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n\n\n{{?pydata.error_key == \"CRASHKERNEL_AUTO_FAILURE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[1]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n",
+            "resolution_risk": {
+              "name": "test resolution name",
+              "risk": 2
+            },
+            "has_playbook": true
+          }],
+        "total_risk": 2,
+        "hosts_acked_count": 0,
+        "rating": 0
+      }, {
+        "rule_id": "test_rule2|TEST_RULE2",
+        "created_at": "2019-02-07T19:02:34.501496Z",
+        "updated_at": "2020-08-10T20:42:48.967063Z",
+        "description": "\"SMBLoris\" Samba denial of service",
+        "active": true,
+        "category": {
+          "id": 2,
+          "name": "Security"
+        },
+        "impact": {
+          "name": "Denial Of Service",
+          "impact": 3
+        },
+        "likelihood": 3,
+        "node_id": "",
+        "tags": "samba security",
+        "playbook_count": 1,
+        "reboot_required": false,
+        "publish_date": "2017-08-08T15:52:38Z",
+        "summary": "A denial of service flaw exists in Samba. The vulnerability has not been assigned a CVE.\n\nA remote attacker in a position to supply the crafted data can render system unusable.\n",
+        "generic": "A denial of service flaw exists in Samba that allows a remote attacker to supply crafted NetBIOS Session Service headers and cause out-of-memory state.\n\nRed Hat recommends that you apply mitigation or update Samba packages once fixed packages are available.\n",
+        "reason": "This machine is vulnerable because:\n\n* It has the following vulnerable Samba server package installed: **{{=pydata.INSTALLED_PACKAGES[Object.keys(pydata.INSTALLED_PACKAGES)[0]]}}**\n{{? pydata.SERVICE_RUNNING }}* An `smbd` process is running.\n{{?}}{{? pydata.SERVICE_ENABLED }}* The `smb` service is enabled.\n{{?}}{{? pydata.assuming_port_listening }}* The system {{? pydata.port_listening }}is{{??}}may be{{?}} listening on port 445.\n{{?}}{{? pydata.assuming_port_reachable }}* Port 445 appears to allow external connections.\n{{?}}\n\nBased on this information, a vulnerable version of Samba is being actively used on this machine.\n\n{{? !pydata.iptables_info_available || !pydata.netstat_info_available }}\nBecause information about this system's {{? !pydata.iptables_info_available }} firewall {{? !pydata.netstat_info_available }}and{{?}}{{?}} {{? !pydata.netstat_info_available }}listening services {{?}}is not available, it is not possible to determine this system's exact level of vulnerability.\n{{?}}\n\n{{? !pydata.samba_config_info  }}\nBecause information about this system's smb.conf is not available, it is not possible to determine whether the mitigation is applied.\n{{?}}\n",
+        "more_info": "* For more information about the denial of service flaw see [knowledge base article](https://access.redhat.com/security/vulnerabilities/smbloris).\n* To learn how to upgrade packages, see \"[What is yum and how do I use it?](https://access.redhat.com/solutions/9934).\"\n* [Using Firewalls](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html) in RHEL 7\n* [Using Firewalls](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/sect-Security_Guide-Firewalls.html) in RHEL 6\n* The Customer Portal page for the [Red Hat Security Team](https://access.redhat.com/security/) contains more information about policies, procedures, and alerts for Red Hat Products.\n* The Security Team also maintains a frequently updated blog at [securityblog.redhat.com](https://securityblog.redhat.com).\n",
+        "impacted_systems_count": 1,
+        "reports_shown": true,
+        "rule_status": "enabled",
+        "resolution_set": [{
+          "system_type": 105,
+          "resolution": "{{ var FIXED_PACKAGES_AVAILABLE=false; }}\n{{? false == FIXED_PACKAGES_AVAILABLE \u0026\u0026 \"Frontend until fixed packages are available.\"}}\nRed Hat recommends that you use the following mitigation:\n\nLimit the number of smbd processes by modifying `/etc/samba/smb.conf` and add the following line to the `[global]` section:\n~~~\nmax smbd processes = 1000\n~~~\n\nThen restart Samba service:\n{{? pydata.rhel_version == 6 }}\n~~~\n# service smb restart\n~~~\n{{?}}\n{{? pydata.rhel_version == 7 }}\n~~~\n# systemctl restart smb.service\n~~~\n{{?}}\n\n{{? pydata.assuming_port_reachable }}\nRed Hat recommends that you limit access to port 445 from untrusted sources. Please refer to the documentation of the firewall you use.\n\n{{? !pydata.iptables_info_available || !pydata.netstat_info_available }}\nBecause information about this system's {{? !pydata.iptables_info_available }} firewall {{? !pydata.netstat_info_available }}and{{?}}{{?}} {{? !pydata.netstat_info_available }}listening services {{?}}is not available, it is not possible to determine whether this system's port 445 is accessible.\n\n{{?}}\nRed Hat recommends that you test the new settings before applying them to production systems.\n{{?}}\n{{?}}\n{{? true == FIXED_PACKAGES_AVAILABLE \u0026\u0026 \"Frontend after fixed packages are available.\"}}\nRed Hat recommends that you update Samba packages to include the CVE-2017-TODO security release, and restart the Samba service.\n\n{{? pydata.rhel_version == 6 }}\n~~~\n# yum update {{=Object.keys(pydata.INSTALLED_PACKAGES).join(\" \")}}\n# service smb restart\n~~~\n{{?}}\n{{? pydata.rhel_version == 7 }}\n~~~\n# yum update {{=Object.keys(pydata.INSTALLED_PACKAGES).join(\" \")}}\n# systemctl restart smb.service\n~~~\n{{?}}\n\n**Alternatively**, you can use the following mitigation:\n\nLimit the number of smbd processes by modifying `/etc/samba/smb.conf` and add the following line to the `[global]` section:\n~~~\nmax smbd processes = 1000\n~~~\n\nThen restart Samba service:\n{{? pydata.rhel_version == 6 }}\n~~~\n# service smb restart\n~~~\n{{?}}\n{{? pydata.rhel_version == 7 }}\n~~~\n# systemctl restart smb.service\n~~~\n{{?}}\n\n{{? pydata.assuming_port_reachable }}\nRed Hat recommends that you limit access to port 445 from untrusted sources. Please refer to the documentation of the firewall you use.\n\n{{? !pydata.iptables_info_available || !pydata.netstat_info_available }}\nBecause information about this system's {{? !pydata.iptables_info_available }} firewall {{? !pydata.netstat_info_available }}and{{?}}{{?}} {{? !pydata.netstat_info_available }}listening services {{?}}is not available, it is not possible to determine whether this system's port 445 is accessible.\n\n{{?}}\nRed Hat recommends that you test the new settings before applying them to production systems.\n{{?}}\n\n\n{{?}}\n",
+          "resolution_risk": {
+            "name": "Update Service Configuration",
+            "risk": 1
+          },
+          "has_playbook": true
+        }],
+        "total_risk": 3,
+        "hosts_acked_count": 0,
+        "rating": 0
+      }]
+    }
+    RULES_JSON
+    @rules = JSON.parse(rules_json)
+    @host = FactoryBot.create(:host, :managed, name: 'host1')
+    @hit = FactoryBot.create(:insights_hit, host_id: @host.id)
+  end
+
+  test 'Hits data is replaced with data from cloud' do
+    InsightsCloud::Async::InsightsRulesSync.any_instance.expects(:query_insights_rules).returns(@rules)
+
+    InsightsCloud::Async::InsightsRulesSync.perform_now()
+    @hit.reload
+
+    assert_equal 2, InsightsRule.all.count
+    assert_not_nil @hit.rule
+    assert_equal true, @hit.has_playbook?
+  end
+
+  test 'Rules queries support pagination' do
+    last_rule_json = <<-'RULES_JSON'
+    {
+      "meta": {
+        "count": 1
+      },
+      "links": {
+        "first": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=0\u0026rule_status=enabled",
+        "next": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=2\u0026rule_status=enabled",
+        "previous": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=0\u0026rule_status=enabled",
+        "last": "/api/insights/v1/rule/?has_playbook=true\u0026impacting=true\u0026limit=2\u0026offset=1\u0026rule_status=enabled"
+      },
+      "data": [
+        {
+          "rule_id": "crashkernel_reservation_value|CRASHKERNEL_AUTO_FAILURE_V2",
+          "created_at": "2020-09-25T07:37:09.745864Z",
+          "updated_at": "2020-10-23T02:43:09.662260Z",
+          "description": "Kdump auto crashkernel reservation failed because the total memory does not meet the minimum requirement",
+          "active": true,
+          "category": {
+            "id": 1,
+            "name": "Availability"
+          },
+          "impact": {
+            "name": "Diagnostics Failure",
+            "impact": 1
+          },
+          "likelihood": 4,
+          "node_id": "1186753",
+          "tags": "incident kdump",
+          "playbook_count": 1,
+          "reboot_required": false,
+          "publish_date": "2020-10-01T19:04:00Z",
+          "summary": "Kdump fails to collect vmcore when the reserved size does not meet the minimum requirement.\n",
+          "generic": "Automatic reservation did not work because the total memory does not meet the minimum requirement for kdump.\n",
+          "reason": "{{?pydata.error_key == \"CRASHKERNEL_RECOMMENDED_VALUE_V2\"}}\nThis **{{=pydata.value[3]}}** system is running with a total memory of **{{=pydata.value[0]}}MB**. The kdump reserved size is **{{=pydata.value[1]}}MB** while the minimum amount of reserved memory required for memory **{{=pydata.value[0]}}MB** is **{{=pydata.value[2]}}MB**. \n\n{{?pydata.version == 7}}\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/kernel_crash_dump_guide#sect-kdump-memory-requirements)\n{{?}}\n{{?pydata.version == 8}}\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/installing-and-configuring-kdump_managing-monitoring-and-updating-the-kernel#memory-requirements-for-kdump_supported-kdump-configurations-and-targets)\n{{?}}\n{{?}}\n\n{{?pydata.error_key == \"CRASHKERNEL_AUTO_FAILURE_V2\"}}\nThis **{{=pydata.value[2]}}** system is running with a total memory of **{{=pydata.value[0]}}MB**. The **crashkernel** is configured as **auto** and the minimum amount of memory required for automatic memory reservation is **{{=pydata.auto_minimum}}MB**. As the total memory does not meet the requirement, kdump auto crashkernel reservation failed with following log:\n  ~~~\n  {{=pydata.msg}}\n  ~~~\n\n{{?pydata.version == 7}}\n* [Minimum Amount of Memory Required for Automatic Memory Reservation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/kernel_crash_dump_guide#sect-kdump-memory-thresholds)\n\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/kernel_administration_guide/kernel_crash_dump_guide#sect-kdump-memory-requirements)\n{{?}}\n{{?pydata.version == 8}}\n* [Minimum Amount of Memory Required for Automatic Memory Reservation](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/installing-and-configuring-kdump_managing-monitoring-and-updating-the-kernel#minimum-threshold-for-automatic-memory-reservation_supported-kdump-configurations-and-targets)\n\n* [Minimum Amount of Reserved Memory Required for kdump](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_monitoring_and_updating_the_kernel/installing-and-configuring-kdump_managing-monitoring-and-updating-the-kernel#memory-requirements-for-kdump_supported-kdump-configurations-and-targets)\n{{?}}\n{{?}}\n",
+          "more_info": "{{?pydata.version == 7}}\n* [How should the crashkernel parameter be configured for using kdump on RHEL7 ?](https://access.redhat.com/solutions/916043)\n{{?}}\n{{?pydata.version == 8}}\n* [How should the crashkernel parameter be configured for using kdump on Red Hat Enterprise Linux 8 ?](https://access.redhat.com/solutions/3698411)\n{{?}}\n",
+          "impacted_systems_count": 2,
+          "reports_shown": true,
+          "rule_status": "enabled",
+          "resolution_set": [{
+              "system_type": 105,
+              "resolution": "Red Hat recommends that you change the **crashkernel** setting in the `grub.conf` file.\n\n{{?pydata.error_key == \"CRASHKERNEL_RECOMMENDED_VALUE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[2]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n\n\n{{?pydata.error_key == \"CRASHKERNEL_AUTO_FAILURE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[1]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n",
+              "resolution_risk": {
+                "name": "Update Service Configuration",
+                "risk": 1
+              },
+              "has_playbook": true
+            },
+            {
+              "system_type": 105,
+              "resolution": "Red Hat recommends that you change the **crashkernel** setting in the `grub.conf` file.\n\n{{?pydata.error_key == \"CRASHKERNEL_RECOMMENDED_VALUE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[2]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n\n\n{{?pydata.error_key == \"CRASHKERNEL_AUTO_FAILURE_V2\"}}\n1. Update the value of the **\"crashkernel\"** kernel parameter:\n  ~~~\n  # grubby --update-kernel=ALL --args=crashkernel={{=pydata.value[1]}}M\n  ~~~\n1. Reboot the system:\n  ~~~\n  # reboot\n  ~~~\n{{?}}\n",
+              "resolution_risk": {
+                "name": "test resolution name",
+                "risk": 2
+              },
+              "has_playbook": true
+            }],
+          "total_risk": 2,
+          "hosts_acked_count": 0,
+          "rating": 0
+        }]
+    }
+    RULES_JSON
+    @last_rule = JSON.parse(last_rule_json)
+
+    @rules['meta']['count'] = 3
+
+    InsightsCloud::Async::InsightsRulesSync.any_instance.
+      stubs(:query_insights_rules).returns(@rules).then.returns(@last_rule)
+
+    InsightsCloud::Async::InsightsRulesSync.perform_now()
+
+    assert_equal 3, InsightsRule.all.count
+  end
+end