foreman_rh_cloud 5.0.35 → 5.0.36

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 437d70d98a43e88f7835426bf1a8ae7995a2b759038e3a5908dc41e122544ed1
-  data.tar.gz: a655276cda12b06662db3670019747c518e9204c22ca8ad3591024945dd48fb8
+  metadata.gz: 229da2311b8f5aece8a84c51159cc218e0b40f6ed7e537c95741e86c4376be15
+  data.tar.gz: 4f5f98dfa6c9e16b51f4a06709dbdbe39db56ffcd216468ce99d8a9823303053
 SHA512:
-  metadata.gz: 3d59ebbe9a845efd88c9d70f1d44ff9ebae7e5faabd947c3ba3d48e5f22435c97052be363839805208b381fea29f643a35ef241f2ff0ae462d1720d6ff5fd538
-  data.tar.gz: f7d94f184cbeba9d50b6e8a83d71db08a3c6417972b6d51b6ca247558a4769a6f17fbfdae37f9e4f5efe2a73a8095885a44e109d2b736fbc1d824f9e68528fe1
+  metadata.gz: b0da1a9cee46f80aeb164909f26b73302d7eb5552612361eb37281ff88996de448f3df5227955ad388ee63f88380578eabf8023a54433829d9e3dc47032b5638
+  data.tar.gz: 8a9866f4c442d0d42f8d0673d41c0889522b45a0bd5940c05bab92cf21cf2df28eb1d41a65a2a70be25c5e2156cc0a8e65e252f2027267fbb9fa5f7710abbaba

data/app/controllers/api/v2/rh_cloud/cloud_request_controller.rb

@@ -40,7 +40,6 @@ module Api::V2::RhCloud
     end
 
     def handle_run_playbook_request
-      logger.error("API token is not set, unable to fetch data from the cloud") && return if Setting[:rh_cloud_token].empty?
       logger.error("Playbook URL is not valid: #{content}") && return unless valid_url?(content)
       logger.error("Reporting URL is not valid: #{metadata['return_url']}") && return unless valid_url?(metadata['return_url'])
 
@@ -60,6 +59,7 @@ module Api::V2::RhCloud
           host_ids,
           {
             playbook_url: content,
+            organization_id: org_id,
             report_url: metadata['return_url'],
             report_interval: metadata['response_interval'].to_i,
             correlation_id: metadata['correlation_id'],

data/app/controllers/foreman_inventory_upload/uploads_settings_controller.rb

@@ -7,7 +7,6 @@ module ForemanInventoryUpload
         ipsObfuscationEnabled: Setting[:obfuscate_inventory_ips],
         excludePackagesEnabled: Setting[:exclude_installed_packages],
         CloudConnectorStatus: ForemanInventoryUpload::UploadsSettingsController.cloud_connector_status,
-        cloudToken: !Setting[:rh_cloud_token].empty?,
         lastSyncTask: last_successful_inventory_sync_task,
       }, status: :ok
     end

data/app/controllers/insights_cloud/hits_controller.rb

@@ -6,7 +6,6 @@ module InsightsCloud
       hits = resource_base_search_and_page.preload(:host, :rule)
 
       render json: {
-        hasToken: !Setting[:rh_cloud_token].empty?,
         hits: hits.map { |hit| hit.attributes.merge(hostname: hit.host&.name, has_playbook: hit.has_playbook?, host_uuid: hit.host_uuid) },
         itemCount: hits.count,
       }, status: :ok

data/app/controllers/insights_cloud/settings_controller.rb

@@ -9,14 +9,6 @@ module InsightsCloud
       render_setting(:insightsSyncEnabled, :allow_auto_insights_sync)
     end
 
-    def save_token_and_sync
-      token = Setting::RhCloud.find_by_name("rh_cloud_token")
-      token.value = params.require(:value)
-      token.save!
-      ForemanTasks.sync_task(InsightsCloud::Async::InsightsFullSync)
-      redirect_to(:controller => "hits", :action => 'index')
-    end
-
     private
 
     def render_setting(node_name, setting)

data/app/controllers/insights_cloud/tasks_controller.rb

@@ -1,7 +1,7 @@
 module InsightsCloud
   class TasksController < ::ApplicationController
     def create
-      task = ForemanTasks.async_task(InsightsCloud::Async::InsightsFullSync)
+      task = ForemanTasks.async_task(InsightsCloud::Async::InsightsFullSync, Organization.authorized)
 
       render json: {
         task: task,

data/app/models/insights_facet.rb

@@ -4,4 +4,5 @@ class InsightsFacet < HostFacets::Base
     primary_key: :host_id,
     class_name: 'InsightsHit',
     dependent: :destroy
+  scope :for_organizations, ->(organization_ids) { joins(:host).where(hosts: { organization_id: organization_ids}) }
 end

data/app/models/insights_hit.rb

@@ -8,6 +8,7 @@ class InsightsHit < ApplicationRecord
   has_one :rule, class_name: 'InsightsRule', foreign_key: 'rule_id', primary_key: 'rule_id'
 
   scope :with_playbook, -> { joins(:rule) }
+  scope :for_organizations, ->(organization_ids) { joins(:host).where(hosts: { organization_id: organization_ids}) }
 
   scoped_search on: :title, complete_value: true
   scoped_search on: :total_risk, complete_value: true

data/app/models/insights_rule.rb

@@ -1,3 +1,5 @@
 class InsightsRule < ApplicationRecord
   has_many :resolutions, class_name: 'InsightsResolution', dependent: :destroy, foreign_key: 'rule_id', primary_key: 'rule_id', inverse_of: :rule
+
+  has_many :hits, class_name: 'InsightsHit', foreign_key: 'rule_id', primary_key: 'rule_id', inverse_of: :rule
 end

data/app/models/setting/rh_cloud.rb

@@ -1,5 +1,5 @@
 class Setting::RhCloud < Setting
-  ::Setting::BLANK_ATTRS.concat %w{rh_cloud_token rhc_instance_id}
+  ::Setting::BLANK_ATTRS.concat %w{rhc_instance_id}
 
   def self.load_defaults
     return false unless table_exists?
@@ -17,7 +17,6 @@ class Setting::RhCloud < Setting
       set('allow_auto_insights_sync', N_('Enable automatic synchronization of Insights recommendations from the Red Hat cloud'), false, N_('Synchronize recommendations Automatically')),
       set('obfuscate_inventory_hostnames', N_('Obfuscate host names sent to the Red Hat cloud'), false, N_('Obfuscate host names')),
       set('obfuscate_inventory_ips', N_('Obfuscate ipv4 addresses sent to the Red Hat cloud'), false, N_('Obfuscate host ipv4 addresses')),
-      set('rh_cloud_token', N_('Authentication token to Red Hat cloud services. Used to authenticate requests to cloud APIs'), nil, N_('Red Hat Cloud token'), nil, encrypted: true),
       set('exclude_installed_packages', N_('Exclude installed packages from being uploaded to the Red Hat cloud'), false, N_("Exclude installed Packages")),
       set('include_parameter_tags', N_('Should import include parameter tags from Foreman?'), false, N_('Include parameters in insights-client reports')),
       set('rhc_instance_id', N_('RHC daemon id'), nil, N_('ID of the RHC(Yggdrasil) daemon')),

data/app/services/foreman_rh_cloud/cert_auth.rb

@@ -0,0 +1,22 @@
+module ForemanRhCloud
+  module CertAuth
+    extend ActiveSupport::Concern
+
+    include CloudRequest
+    include InsightsCloud::CandlepinCache
+
+    def cert_auth_available?(organization)
+      !!candlepin_id_cert(organization)
+    end
+
+    def execute_cloud_request(params)
+      certs = candlepin_id_cert(params.delete(:organization))
+      final_params = {
+        ssl_client_cert: OpenSSL::X509::Certificate.new(certs[:cert]),
+        ssl_client_key: OpenSSL::PKey::RSA.new(certs[:key]),
+      }.deep_merge(params)
+
+      super(final_params)
+    end
+  end
+end

data/app/services/foreman_rh_cloud/cloud_connector.rb

@@ -12,11 +12,20 @@ module ForemanRhCloud
       target_host = foreman_host
       composer = nil
 
+      input = {
+        :satellite_cloud_connector_user => service_user.login,
+        :satellite_cloud_connector_password => token_value,
+      }
+
+      if (http_proxy = ForemanRhCloud.proxy_setting(logger: Foreman::Logging.logger('app')))
+        input[:satellite_cloud_connector_http_proxy] = http_proxy
+      end
+
       Taxonomy.as_taxonomy(target_host.organization, target_host.location) do
         composer = ::JobInvocationComposer.for_feature(
           CLOUD_CONNECTOR_FEATURE,
           [target_host.id],
-          {:satellite_cloud_connector_user => service_user.login, :satellite_cloud_connector_password => token_value}
+          input
         )
         composer.trigger!
       end

data/app/services/foreman_rh_cloud/cloud_ping_service.rb

@@ -2,28 +2,6 @@ require 'rest-client'
 
 module ForemanRhCloud
   class CloudPingService
-    class TokenPing
-      include ForemanRhCloud::CloudAuth
-
-      attr_accessor :logger
-
-      def initialize(logger)
-        @logger = logger
-      end
-
-      def ping
-        execute_cloud_request(
-          method: :get,
-          url: ForemanRhCloud.base_url + "/api/inventory/v1/hosts?per_page=1",
-          headers: {
-            content_type: :json,
-          }
-        )
-      rescue StandardError => ex
-        ex
-      end
-    end
-
     class CertPing
       include ForemanRhCloud::CloudRequest
       include InsightsCloud::CandlepinCache
@@ -62,12 +40,7 @@ module ForemanRhCloud
     end
 
     def ping
-      token_response = TokenPing.new(@logger).ping
       {
-        token_auth: {
-          success: token_response.is_a?(RestClient::Response),
-          error: (token_response.is_a?(Exception) ? token_response.inspect : nil),
-        },
         cert_auth: Hash[
           @organizations.map do |org|
             cert_response = CertPing.new(org, @logger).ping

data/app/services/foreman_rh_cloud/hit_remediations_retriever.rb

@@ -63,5 +63,9 @@ module ForemanRhCloud
     def method
       :post
     end
+
+    def organization
+      InsightsHit.find(@hit_remediation_pairs.first['hit_id']).host.organization
+    end
   end
 end

data/app/services/foreman_rh_cloud/remediations_retriever.rb

@@ -1,6 +1,6 @@
 module ForemanRhCloud
   class RemediationsRetriever
-    include CloudAuth
+    include CertAuth
 
     attr_reader :logger
 
@@ -9,8 +9,8 @@ module ForemanRhCloud
     end
 
     def create_playbook
-      unless cloud_auth_available?
-        logger.debug('Cloud authentication is not available, cannot continue')
+      unless cert_auth_available?(@organization)
+        logger.debug('Manifest is not available, cannot continue')
         return
       end
 
@@ -25,6 +25,7 @@ module ForemanRhCloud
 
     def query_playbook
       execute_cloud_request(
+        organization: organization,
         method: method,
         url: playbook_url,
         headers: headers,
@@ -47,5 +48,8 @@ module ForemanRhCloud
     def method
       :get
     end
+
+    def organization
+    end
   end
 end

data/app/services/foreman_rh_cloud/template_renderer_helper.rb

@@ -20,11 +20,12 @@ module ForemanRhCloud
     end
 
     apipie :method, 'Returns a Red Hat remediation playbook compiled on console.redhat.com' do
-      required :remediation_path, String, desc: ''
+      required :playbook_url, String, desc: 'URL of the playbook on console.redhat.com'
+      required :organization_id, Integer, desc: 'Id of the organization that owns the playbook'
       returns String, desc: 'Playbook downloaded from the cloud'
     end
-    def download_rh_playbook(playbook_url)
-      retriever = ForemanRhCloud::UrlRemediationsRetriever.new(url: playbook_url, logger: template_logger)
+    def download_rh_playbook(playbook_url, organization_id)
+      retriever = ForemanRhCloud::UrlRemediationsRetriever.new(url: playbook_url, organization_id: organization_id, logger: template_logger)
 
       cached("rh_playbook_#{playbook_url}") do
         retriever.create_playbook

data/app/services/foreman_rh_cloud/url_remediations_retriever.rb

@@ -2,12 +2,13 @@ module ForemanRhCloud
   class UrlRemediationsRetriever < RemediationsRetriever
     attr_reader :url, :payload, :headers
 
-    def initialize(url:, payload: '', headers: {}, logger: Logger.new(IO::NULL))
+    def initialize(url:, organization_id:, payload: '', headers: {}, logger: Logger.new(IO::NULL))
       super(logger: logger)
 
       @url = url
       @payload = payload
       @headers = headers
+      @organization_id = organization_id
     end
 
     private
@@ -33,5 +34,9 @@ module ForemanRhCloud
     def method
       :get
     end
+
+    def organization
+      Organization.find(@organization_id)
+    end
   end
 end

data/app/views/job_templates/cloud_connector.erb

@@ -14,6 +14,12 @@ template_inputs:
   advanced: false
   value_type: plain
   hidden_value: true
+- name: satellite_cloud_connector_http_proxy
+  required: false
+  input_type: user
+  advanced: true
+  value_type: plain
+  hidden_value: false
 model: JobTemplate
 job_category: Maintenance Operations
 description_format: "%{template_name}"

data/app/views/job_templates/rh_cloud_download_playbook.erb

@@ -9,6 +9,10 @@ template_inputs:
   description: URL of the playbook to run
   input_type: user
   required: true
+- name: organization_id
+  description: Id of the organization that owns the playbook
+  input_type: user
+  required: true
 - name: report_url
   description: URL for calling the report callback
   input_type: user
@@ -23,4 +27,4 @@ template_inputs:
   required: true
 provider_type: Ansible
 %>
-<%= download_rh_playbook(input('playbook_url')) %>
+<%= download_rh_playbook(input('playbook_url'), input('organization_id')) %>

data/config/routes.rb

@@ -25,7 +25,6 @@ Rails.application.routes.draw do
       end
     end
     match 'hits/:host_id', to: 'hits#show', via: :get
-    post 'save_token_and_sync', to: 'settings#save_token_and_sync'
   end
 
   namespace :foreman_rh_cloud do

data/db/migrate/20220321000001_add_unique_to_insights_rules.foreman_rh_cloud.rb

@@ -0,0 +1,13 @@
+class AddUniqueToInsightsRules < ActiveRecord::Migration[5.2]
+  def change
+    begin
+      # remove old index
+      remove_index :insights_rules, [:rule_id]
+    rescue ArgumentError
+      # noop, if the index is not there, it's OK.
+    end
+
+    # add unique constraint
+    add_index :insights_rules, [:rule_id], unique: true
+  end
+end

data/lib/foreman_inventory_upload.rb

@@ -71,7 +71,7 @@ module ForemanInventoryUpload
   end
 
   def self.inventory_base_url
-    ForemanRhCloud.base_url + "/api/inventory/v1/hosts"
+    ForemanRhCloud.cert_base_url + "/api/inventory/v1/hosts"
   end
 
   def self.inventory_export_url

data/lib/foreman_rh_cloud/engine.rb

@@ -56,7 +56,7 @@ module ForemanRhCloud
             'api/v2/rh_cloud/inventory': [:sync_inventory_status, :download_file, :generate_report, :enable_cloud_connector],
             'foreman_inventory_upload/uploads': [:enable_cloud_connector],
             'foreman_inventory_upload/uploads_settings': [:set_advanced_setting],
-            'insights_cloud/settings': [:save_token_and_sync, :update],
+            'insights_cloud/settings': [:update],
             'insights_cloud/tasks': [:create]
           )
           permission(

data/lib/foreman_rh_cloud/version.rb

@@ -1,3 +1,3 @@
 module ForemanRhCloud
-  VERSION = '5.0.35'.freeze
+  VERSION = '5.0.36'.freeze
 end

data/lib/foreman_rh_cloud.rb

@@ -16,11 +16,6 @@ module ForemanRhCloud
     @legacy_insights_url ||= ENV['SATELLITE_LEGACY_INSIGHTS_URL'] || 'https://cert-api.access.redhat.com'
   end
 
-  def self.authentication_url
-    # https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token
-    @authentication_url ||= ENV['SATELLITE_RH_CLOUD_SSO_URL'] || 'https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token'
-  end
-
   def self.verify_ssl_method
     @verify_ssl_method ||= ENV['SATELLITE_RH_CLOUD_URL'] ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
   end

data/lib/insights_cloud/async/connector_playbook_execution_reporter_task.rb

@@ -2,7 +2,7 @@ module InsightsCloud
   module Async
     class ConnectorPlaybookExecutionReporterTask < ::Actions::EntryAction
       include Dynflow::Action::Polling
-      include ForemanRhCloud::CloudAuth
+      include ForemanRhCloud::CertAuth
 
       def self.subscribe
         Actions::RemoteExecution::RunHostsJob
@@ -23,6 +23,7 @@ module InsightsCloud
         correlation_id = invocation_inputs['correlation_id']
 
         plan_self(
+          current_org_id: job_invocation.targeted_hosts.first.organization_id,
           report_url: report_url,
           report_interval: report_interval,
           job_invocation_id: job_invocation.id,
@@ -159,6 +160,7 @@ module InsightsCloud
 
       def send_report(report)
         execute_cloud_request(
+          organization: current_org,
           method: :post,
           url: report_url,
           content_type: 'application/vnd.redhat.playbook-sat.v3+jsonl',
@@ -188,6 +190,10 @@ module InsightsCloud
       def logger
         action_logger
       end
+
+      def current_org
+        Organization.find(input[:current_org_id])
+      end
     end
   end
 end

data/lib/insights_cloud/async/insights_full_sync.rb

@@ -3,37 +3,48 @@ require 'rest-client'
 module InsightsCloud
   module Async
     class InsightsFullSync < ::Actions::EntryAction
-      include ::ForemanRhCloud::CloudAuth
-
-      def plan
-        unless cloud_auth_available?
-          logger.debug('Cloud authentication is not available, skipping insights sync')
-          return
+      include ::ForemanRhCloud::CertAuth
+
+      def plan(organizations)
+        organizations = organizations.select do |organization|
+          if cert_auth_available?(organization)
+            true
+          else
+            logger.debug("Certificate is not available for org: #{organization.name}, skipping insights sync")
+            false
+          end
         end
 
         sequence do
           # This can be turned off when we enable automatic status syncs
           # This step will query cloud inventory to retrieve inventory uuids for each host
-          plan_hosts_sync
-          plan_self
+          plan_hosts_sync(organizations)
+          plan_self(organization_ids: organizations.map(&:id))
           concurrence do
-            plan_rules_sync
+            plan_rules_sync(organizations)
             plan_notifications
           end
         end
       end
 
       def run
-        perform_hits_sync
+        organizations.each do |organization|
+          unless cert_auth_available?(organization)
+            logger.debug("Certificate is not available for org: #{organization.name}, skipping insights sync")
+            next
+          end
+
+          perform_hits_sync(organization)
+        end
       end
 
-      def perform_hits_sync
-        hits = query_insights_hits
+      def perform_hits_sync(organization)
+        hits = query_insights_hits(organization)
 
         uuids = hits.map { |hit| hit['uuid'] }
-        setup_host_ids(uuids)
+        setup_host_ids(uuids, organization)
 
-        replace_hits_data(hits)
+        replace_hits_data(hits, organization)
       end
 
       def logger
@@ -42,20 +53,21 @@ module InsightsCloud
 
       private
 
-      def plan_hosts_sync
-        plan_action InventorySync::Async::InventoryHostsSync
+      def plan_hosts_sync(organizations)
+        plan_action(InventorySync::Async::InventoryHostsSync, organizations)
       end
 
-      def plan_rules_sync
-        plan_action InsightsRulesSync
+      def plan_rules_sync(organizations)
+        plan_action(InsightsRulesSync, organizations)
       end
 
       def plan_notifications
         plan_action InsightsGenerateNotifications
       end
 
-      def query_insights_hits
+      def query_insights_hits(organization)
         hits_response = execute_cloud_request(
+          organization: organization,
           method: :get,
           url: InsightsCloud.hits_export_url
         )
@@ -72,9 +84,9 @@ module InsightsCloud
         JSON.parse(rules_response)
       end
 
-      def setup_host_ids(uuids)
+      def setup_host_ids(uuids, organization)
         @host_ids = Hash[
-          InsightsFacet.where(uuid: uuids).pluck(:uuid, :host_id)
+          InsightsFacet.for_organizations(organization.id).where(uuid: uuids).pluck(:uuid, :host_id)
         ]
       end
 
@@ -82,11 +94,11 @@ module InsightsCloud
         @host_ids[uuid]
       end
 
-      def replace_hits_data(hits)
+      def replace_hits_data(hits, organization)
         InsightsHit.transaction do
           # Reset hit counters to 0, they will be recreated later
-          InsightsFacet.unscoped.update_all(hits_count: 0)
-          InsightsHit.delete_all
+          InsightsFacet.for_organizations(organization.id).update_all(hits_count: 0)
+          InsightsHit.for_organizations(organization.id).delete_all
           InsightsHit.create(hits.map { |hits_hash| to_model_hash(hits_hash) }.compact)
         end
       end
@@ -122,6 +134,10 @@ module InsightsCloud
       def rescue_strategy_for_self
         Dynflow::Action::Rescue::Fail
       end
+
+      def organizations
+        @organizations ||= Organization.where(id: input[:organization_ids])
+      end
     end
   end
 end

data/lib/insights_cloud/async/insights_resolutions_sync.rb

@@ -3,25 +3,20 @@ require 'rest-client'
 module InsightsCloud
   module Async
     class InsightsResolutionsSync < ::Actions::EntryAction
-      include ::ForemanRhCloud::CloudAuth
+      include ::ForemanRhCloud::CertAuth
 
       RULE_ID_REGEX = /[^:]*:(?<id>.*)/
 
-      def plan
-        unless cloud_auth_available?
-          logger.debug('Cloud authentication is not available, skipping resolutions sync')
-          return
-        end
-
-        plan_self
-      end
-
       def run
         InsightsResolution.transaction do
           InsightsResolution.delete_all
           rule_ids = relevant_rules
-          api_response = query_insights_resolutions(rule_ids) unless rule_ids.empty?
-          write_resolutions(api_response) if api_response
+          Organization.all.each do |organization|
+            next if !cert_auth_available?(organization) || organization.manifest_expired?
+            api_response = query_insights_resolutions(rule_ids, organization) unless rule_ids.empty?
+            written_rules = write_resolutions(api_response) if api_response
+            rule_ids -= Array(written_rules)
+          end
         end
       end
 
@@ -31,8 +26,9 @@ module InsightsCloud
 
       private
 
-      def query_insights_resolutions(rule_ids)
+      def query_insights_resolutions(rule_ids, organization)
         resolutions_response = execute_cloud_request(
+          organization: organization,
           method: :post,
           url: InsightsCloud.resolutions_url,
           headers: {
@@ -66,6 +62,7 @@ module InsightsCloud
         end.flatten
 
         InsightsResolution.create(all_resolutions)
+        response.keys
       end
 
       def to_rule_id(resolution_rule_id)