RubyGems - katello - Versions diffs - 3.16.0.rc4 → 3.16.1 - Mend

katello 3.16.0.rc4 → 3.16.1

Potentially problematic release.

This version of katello might be problematic. Click here for more details.

Files changed (108) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 590a33ff3016ad29aaeca6e8d5a0c967b9053a01cf3dbf8f28fcb68b63d056bd
-  data.tar.gz: e8c30ca9e88f472f3aabf89b7f2cc3c6122750706e9bdfbb9d1cfa8aa957d4a5
+  metadata.gz: 961e7dd9a56b1752c55e19c1f29dc6b4e55366db3e87ab59610d7b89e8dea975
+  data.tar.gz: aa5c95aec6191209c2bc76988bc81b18984167176bf71eaa4186f517a06028f6
 SHA512:
-  metadata.gz: 2fbba71f828db21edacf4100aac226a638fa7c6dd59871f6d0f029846af27ff54914c803798fd6054463ae4f44bbfc29d9466fca8a19867e63c10486668ce30c
-  data.tar.gz: 17347500daf6bb1b2dd1ff7126b97e84f2120e1c12e23066036d2f30402cdb9018dc5c6cb1f74ceff441f069a2733dceb4e3a4958032237034eaff5783915b49
+  metadata.gz: a60d61a7d375ff622d7d4db78fd7c5da3d78f8421d45cb5204ce7b690b031515412e727e03c906d96fb3ba538c585819350c2671d103e6415ea51987481df037
+  data.tar.gz: b62c7366deacc4d5875488bff0913e11fa61cf0a4e7077391a459a78587d598b032ce815b45ade45d0e6e3e870e09e87ebef0ba60034d5166aa83cf8520f501e

data/app/controllers/katello/api/registry/registry_proxies_controller.rb CHANGED

@@ -6,8 +6,8 @@ module Katello
     before_action :confirm_push_settings, only: [:start_upload_blob, :upload_blob, :finish_upload_blob,
                                                  :chunk_upload_blob, :push_manifest]
     skip_before_action :authorize
-    before_action :optional_authorize, only: [:token]
-    before_action :registry_authorize, except: [:token, :v1_search]
+    before_action :optional_authorize, only: [:token, :catalog]
+    before_action :registry_authorize, except: [:token, :v1_search, :catalog]
     before_action :authorize_repository_read, only: [:pull_manifest, :tags_list]
     before_action :authorize_repository_write, only: [:push_manifest]
     skip_before_action :check_content_type, only: [:start_upload_blob, :upload_blob, :finish_upload_blob,
@@ -39,20 +39,7 @@ module Katello
                                              "scope=\"repository:registry:pull,push\""
     end
-    def optional_authorize
-      @repository = find_scope_repository
-      if @repository && (@repository.environment.registry_unauthenticated_pull || ssl_client_authorized?(@repository.organization.label))
-        true
-      else
-        authorize
-      end
-    end
-    def registry_authorize
-      @repository = find_readable_repository
-      return true if ['GET', 'HEAD'].include?(request.method) && @repository && !require_user_authorization?
-      token = request.headers['Authorization']
+    def set_user_by_token(token, redirect_on_failure = true)
       if token
         token_type, token = token.split
         if token_type == 'Bearer' && token
@@ -63,10 +50,34 @@ module Katello
           end
         elsif token_type == 'Basic' && token
           return true if authorize
-          redirect_authorization_headers
+          redirect_authorization_headers if redirect_on_failure
           return false
         end
       end
+      false
+    end
+    def optional_authorize
+      @repository = find_scope_repository
+      if @repository && (@repository.environment.registry_unauthenticated_pull || ssl_client_authorized?(@repository.organization.label))
+        true
+      elsif params['action'] == 'catalog'
+        set_user_by_token(request.headers['Authorization'], false)
+      elsif (params['action'] == 'token' && params['scope'].blank? && params['account'].blank?)
+        true
+      else
+        authorize
+      end
+    end
+    def registry_authorize
+      @repository = find_readable_repository
+      return true if ['GET', 'HEAD'].include?(request.method) && @repository && !require_user_authorization?
+      is_user_set = set_user_by_token(request.headers['Authorization'])
+      return true if is_user_set
       redirect_authorization_headers
       render_error('unauthorized', :status => :unauthorized)
       return false
@@ -87,12 +98,8 @@ module Katello
     # Also include repositories in lifecycle environments with registry_unauthenticated_pull=true
     def readable_repositories
       table_name = Repository.table_name
-      in_products = Repository.in_product(Katello::Product.authorized(:view_products)).select(:id)
-      in_environments = Repository.where(:environment_id => Katello::KTEnvironment.authorized(:view_lifecycle_environments)).select(:id)
       in_unauth_environments = Repository.joins(:environment).where("#{Katello::KTEnvironment.table_name}.registry_unauthenticated_pull" => true).select(:id)
-      in_content_views = Repository.joins(:content_view_repositories).where("#{ContentViewRepository.table_name}.content_view_id" => Katello::ContentView.readable).select(:id)
-      in_versions = Repository.joins(:content_view_version).where("#{Katello::ContentViewVersion.table_name}.content_view_id" => Katello::ContentView.readable).select(:id)
-      Repository.where("#{table_name}.id in (?) or #{table_name}.id in (?) or #{table_name}.id in (?) or #{table_name}.id in (?) or #{table_name}.id in (?)", in_products, in_content_views, in_versions, in_environments, in_unauth_environments)
+      Repository.readable.or(Repository.joins(:root).where("#{table_name}.id in (?)", in_unauth_environments))
     end
     def find_readable_repository
@@ -105,7 +112,8 @@ module Katello
     end
     def require_user_authorization?(repository = @repository)
-      !repository || (!repository.environment.registry_unauthenticated_pull && !ssl_client_authorized?(repository.organization.label))
+      !(params['action'] == 'token' && params['scope'].blank? && params['account'].blank?) &&
+        (!repository || (!repository.environment.registry_unauthenticated_pull && !ssl_client_authorized?(repository.organization.label)))
     end
     def ssl_client_authorized?(org_label)
@@ -293,6 +301,14 @@ module Katello
     end
     def v1_search
+      # Checks for podman client and issues a 404 in that case. Podman
+      # examines the response from a /v1_search request. If the result
+      # is a 4XX, it will then proceed with a request to /_catalog
+      if request.headers['HTTP_USER_AGENT'].downcase.include?('libpod')
+        render json: {}, status: :not_found
+        return
+      end
       authenticate # to set current_user, not to enforce
       options = {
         resource_class: Katello::Repository

data/app/controllers/katello/api/rhsm/candlepin_proxies_controller.rb CHANGED

@@ -268,8 +268,8 @@ module Katello
     end
     def get_parent_host(headers)
-      hostnames = headers["HTTP_X_FORWARDED_SERVER"]
-      host = hostnames.split(",")[0] if hostnames
+      hostnames = headers["HTTP_X_FORWARDED_HOST"]
+      host = hostnames.split(/[\,,:]/)[0].strip if hostnames
       host || URI.parse(Setting[:foreman_url]).host
     end
@@ -480,7 +480,7 @@ module Katello
         else
           User.consumer? || ::User.current.can?(:view_organizations, self)
         end
-      when "rhsm_proxy_owner_servicelevels_path"
+      when "rhsm_proxy_owner_servicelevels_path", "rhsm_proxy_owner_system_purpose_path"
         (User.consumer? || ::User.current.can?(:view_organizations, self))
       when "rhsm_proxy_consumer_accessible_content_path", "rhsm_proxy_consumer_certificates_path",
            "rhsm_proxy_consumer_releases_path", "rhsm_proxy_certificate_serials_path",

data/app/controllers/katello/api/v2/api_controller.rb CHANGED

@@ -5,6 +5,7 @@ module Katello
     include Api::V2::Rendering
     include Api::V2::ErrorHandling
     include ::Foreman::Controller::CsvResponder
+    include Concerns::Api::V2::AssociationsPermissionCheck
     # support for session (thread-local) variables must be the last filter in this class
     include Foreman::ThreadSession::Cleaner

data/app/controllers/katello/api/v2/content_view_filters_controller.rb CHANGED

@@ -37,6 +37,8 @@ module Katello
     param :type, String, :desc => N_("type of filter (e.g. rpm, package_group, erratum, docker, modulemd)"), :required => true
     param :original_packages, :bool, :desc => N_("add all packages without errata to the included/excluded list. " \
                                                        "(package filter only)")
+    param :original_module_streams, :bool, :desc => N_("add all module streams without errata to the included/excluded list. " \
+                                                       "(module stream filter only)")
     param :inclusion, :bool, :desc => N_("specifies if content should be included or excluded, default: inclusion=false")
     param :repository_ids, Array, :desc => N_("list of repository ids")
     param :description, String, :desc => N_("description of the filter")
@@ -60,6 +62,8 @@ module Katello
     param :name, String, :desc => N_("new name for the filter")
     param :original_packages, :bool, :desc => N_("add all packages without errata to the included/excluded list. " \
                                                        "(package filter only)")
+    param :original_module_streams, :bool, :desc => N_("add all module streams without errata to the included/excluded list. " \
+                                                       "(module stream filter only)")
     param :inclusion, :bool, :desc => N_("specifies if content should be included or excluded, default: inclusion=false")
     param :repository_ids, Array, :desc => N_("list of repository ids")
     param :description, String, :desc => N_("description of the filter"), :required => false
@@ -95,7 +99,7 @@ module Katello
     end
     def filter_params
-      params.require(:content_view_filter).permit(:name, :inclusion, :original_packages, :description, :repository_ids => [])
+      params.require(:content_view_filter).permit(:name, :inclusion, :original_packages, :original_module_streams, :description, :repository_ids => [])
     end
   end
 end

data/app/controllers/katello/api/v2/content_view_versions_controller.rb CHANGED

@@ -143,6 +143,9 @@ module Katello
       end
     end
     def incremental_update
+      if params[:add_content].values.flatten.empty?
+        fail HttpErrors::BadRequest, _("Incremental update requires at least one content unit")
+      end
       any_environments = params[:content_view_version_environments].any? { |cvve| cvve[:environment_ids].try(:any?) }
       if params[:add_content]&.key?(:errata_ids) && params[:update_hosts] && any_environments
         hosts = calculate_hosts_for_incremental(params[:update_hosts], params[:propagate_to_composites])

data/app/controllers/katello/api/v2/content_views_controller.rb CHANGED

@@ -22,6 +22,13 @@ module Katello
       param :solve_dependencies, :bool, :desc => N_("Solve RPM dependencies by default on Content View publish, defaults to false")
     end
+    def filtered_associations
+      {
+        :component_ids => Katello::ContentViewVersion,
+        :repository_ids => Katello::Repository
+      }
+    end
     api :GET, "/organizations/:organization_id/content_views", N_("List content views")
     api :GET, "/content_views", N_("List content views")
     param :organization_id, :number, :desc => N_("organization identifier")

data/app/controllers/katello/api/v2/host_tracer_controller.rb CHANGED

@@ -2,11 +2,6 @@ module Katello
   class Api::V2::HostTracerController < Api::V2::ApiController
     before_action :find_host, :only => :index
-    resource_description do
-      api_version 'v2'
-      api_base_url "/api"
-    end
     api :GET, "/hosts/:host_id/traces", N_("List services that need restarting on the host")
     param :host_id, :number, :required => true, :desc => N_("ID of the host")
     def index

data/app/controllers/katello/api/v2/products_bulk_actions_controller.rb CHANGED

@@ -50,6 +50,21 @@ module Katello
       respond_for_async :resource => task
     end
+    api :PUT, "/products/bulk/verify_checksum", N_("Verify checksum for one or more products")
+    param :ids, Array, :desc => N_("List of product ids"), :required => true
+    def verify_checksum_products
+      repairable_products = @products.syncable
+      repairable_roots = RootRepository.where(:product_id => repairable_products).
+        where(:content_type => ::Katello::Repository::YUM_TYPE).has_url.select { |r| r.library_instance }.uniq
+      repairable_repositories = Katello::Repository.where(:root_id => repairable_roots)
+      task = async_task(::Actions::BulkAction,
+                        ::Actions::Katello::Repository::VerifyChecksum,
+                        repairable_repositories)
+      respond_for_async :resource => task
+    end
     api :PUT, "/products/bulk/http_proxy", N_("Update the HTTP proxy configuration on the repositories of one or more products.")
     param :ids, Array, :desc => N_("List of product ids"), :required => true
     param :http_proxy_policy, ::Katello::RootRepository::HTTP_PROXY_POLICIES, :desc => N_("policy for HTTP proxy for content sync")

data/app/controllers/katello/api/v2/repositories_controller.rb CHANGED

@@ -15,7 +15,7 @@ module Katello
     before_action :find_organization_from_product, :only => [:create]
     before_action :find_repository, :only => [:show, :update, :destroy, :sync, :export,
                                               :remove_content, :upload_content, :republish,
-                                              :import_uploads, :gpg_key_content]
+                                              :import_uploads, :gpg_key_content, :verify_checksum]
     before_action :find_content, :only => :remove_content
     before_action :find_organization_from_repo, :only => [:update]
     before_action :error_on_rh_product, :only => [:create]
@@ -294,6 +294,15 @@ module Katello
       raise HttpErrors::BadRequest, e.message
     end
+    api :POST, "/repositories/:id/verify_checksum", N_("Verify checksum of repository contents")
+    param :id, :number, :required => true, :desc => N_("repository ID")
+    def verify_checksum
+      task = async_task(::Actions::Katello::Repository::VerifyChecksum, @repository)
+      respond_for_async :resource => task
+    rescue Errors::InvalidActionOptionError => e
+      raise HttpErrors::BadRequest, e.message
+    end
     api :POST, "/repositories/:id/export", N_("Export a repository")
     param :id, :number, :desc => N_("Repository identifier"), :required => true
     param :export_to_iso, :bool, :desc => N_("Export to ISO format"), :required => false

data/app/controllers/katello/concerns/api/v2/associations_permission_check.rb ADDED

@@ -0,0 +1,67 @@
+module Katello
+  module Concerns
+    module Api::V2::AssociationsPermissionCheck
+      extend ActiveSupport::Concern
+      # The purpose of this module is to protect a controller from a user creating or updating some association
+      # when they do not have permissions to view the associated items.  An example would be adding random repository ids to
+      # content view.
+      # To support this, within the controller define a method such as:
+      #     def filtered_associations
+      #       {
+      #         :component_ids => Katello::ContentViewVersion,
+      #         :repository_ids => Katello::Repository
+      #       }
+      #     end
+      # This assumes that the parameters are 'wrapped'.  So the above in the content_views_controller, actually looks at
+      #  a subhash of 'content_view'
+      included do
+        before_action :check_association_ids, :only => [:create, :update]
+      end
+      def check_association_ids
+        if filtered_associations
+          wrapped_params = params[self._wrapper_options.name]
+          find_param_arrays(wrapped_params).each do |key_path|
+            if (model_class = filtered_associations.with_indifferent_access.dig(*key_path))
+              param_ids = wrapped_params.dig(*key_path)
+              filtered_ids = model_class.readable.where(:id => param_ids).pluck(:id)
+              if (unfound_ids = param_ids_missing(param_ids, filtered_ids)).any?
+                fail HttpErrors::NotFound, _("One or more ids (%{ids}) were not found for %{assoc}.  You may not have permissions to see them.") %
+                    {ids: unfound_ids, assoc: key_path.last}
+              end
+            else
+              fail _("Unfiltered params array: %s.") % key_path
+            end
+          end
+        else
+          Rails.logger.warn("#{self.class.name} may has unprotected associations, see associations_permission_check.rb for details.") if ENV['RAILS_ENV'] == 'development'
+        end
+      end
+      def filtered_associations
+        #should return {} when supported by all controllers
+        nil
+      end
+      def param_ids_missing(param_ids, filtered_ids)
+        param_ids.map(&:to_i).uniq - filtered_ids.map(&:to_i).uniq
+      end
+      #returns an array of list of keys pointing to an array in a params hash i.e.:
+      # {"a"=> {"b" => [3]}}  =>  [["a", "b"]]
+      def find_param_arrays(hash = params)
+        list_of_paths = []
+        hash.each do |key, value|
+          if value.is_a?(ActionController::Parameters) || value.is_a?(Hash)
+            list_of_paths += find_param_arrays(value).compact.map { |inner_keys| [key] + inner_keys }
+          elsif value.is_a?(Array)
+            list_of_paths << [key]
+          end
+        end
+        list_of_paths.compact
+      end
+    end
+  end
+end

data/app/controllers/katello/concerns/hosts_controller_extensions.rb CHANGED

@@ -19,11 +19,17 @@ module Katello
         prepend Overrides
         def update_multiple_taxonomies(type)
-          registered_host = @hosts.detect { |host| host.subscription_facet }
-          unless registered_host.nil?
-            error _("Unregister host %s before assigning an organization") % registered_host.name
-            redirect_back_or_to hosts_path
-            return
+          if type == :organization
+            new_org_id = params.dig(type, 'id')
+            if new_org_id
+              registered_host = @hosts.where.not(organization_id: new_org_id).joins(:subscription_facet).first
+              if registered_host
+                error _("Unregister host %s before assigning an organization") % registered_host.name
+                redirect_back_or_to hosts_path
+                return
+              end
+            end
           end
           super

data/app/helpers/katello/content_view_helper.rb ADDED

@@ -0,0 +1,15 @@
+module Katello
+  module ContentViewHelper
+    def separated_repo_mapping(repo_mapping)
+      separated_mapping = { :pulp3_yum => {}, :other => {} }
+      repo_mapping.each do |source_repos, dest_repo|
+        if dest_repo.content_type == "yum" && SmartProxy.pulp_master.pulp3_support?(dest_repo)
+          separated_mapping[:pulp3_yum][source_repos] = dest_repo
+        else
+          separated_mapping[:other][source_repos] = dest_repo
+        end
+      end
+      separated_mapping
+    end
+  end
+end

data/app/lib/actions/katello/capsule_content/refresh_repos.rb CHANGED

@@ -10,6 +10,10 @@ module Actions
           fail NotImplementedError
         end
+        def rescue_strategy
+          Dynflow::Action::Rescue::Skip if self.state == 'error'
+        end
         def plan(smart_proxy, options = {})
           plan_self(:smart_proxy_id => smart_proxy.id,
                     :environment_id => options[:environment]&.id,
@@ -33,7 +37,7 @@ module Actions
           current_repos_on_capsule = smart_proxy_service.current_repositories(environment, content_view)
           current_repos_on_capsule_ids = current_repos_on_capsule.pluck(:id)
-          list_of_repos_to_sync = smart_proxy_helper.repos_available_to_capsule(environment, content_view, repository)
+          list_of_repos_to_sync = smart_proxy_helper.combined_repos_available_to_capsule(environment, content_view, repository)
           list_of_repos_to_sync.each do |repo|
             if repo.is_a?(Katello::ContentViewPuppetEnvironment)
               repo = repo.nonpersisted_repository

data/app/lib/actions/katello/capsule_content/sync.rb CHANGED

@@ -31,8 +31,8 @@ module Actions
           fail _("Action not allowed for the default smart proxy.") if smart_proxy.pulp_master?
           smart_proxy_helper = ::Katello::SmartProxyHelper.new(smart_proxy)
-          repositories = smart_proxy_helper.repos_available_to_capsule(environment, content_view, repository)
-          smart_proxy.ping_pulp3 if repositories.any? { |repo| smart_proxy.pulp3_support?(repo) }
+          repositories = smart_proxy_helper.combined_repos_available_to_capsule(environment, content_view, repository)
           smart_proxy.ping_pulp if repositories.any? { |repo| !smart_proxy.pulp3_support?(repo) }
           refresh_options = options.merge(content_view: content_view,
@@ -40,14 +40,11 @@ module Actions
                                              repository: repository)
           sequence do
             plan_action(Actions::Pulp::Orchestration::Repository::RefreshRepos, smart_proxy, refresh_options)
+            plan_action(Actions::Pulp3::CapsuleContent::RefreshContentGuard, smart_proxy) if repositories.any? { |repo| smart_proxy.pulp3_support?(repo) }
             plan_action(Actions::Pulp3::Orchestration::Repository::RefreshRepos, smart_proxy, refresh_options) if smart_proxy.pulp3_enabled?
             plan_action(SyncCapsule, smart_proxy, refresh_options)
           end
         end
-        def rescue_strategy
-          Dynflow::Action::Rescue::Skip
-        end
       end
     end
   end

data/app/lib/actions/katello/capsule_content/sync_capsule.rb CHANGED

@@ -10,31 +10,45 @@ module Actions
           repository = options[:repository]
           skip_metadata_check = options.fetch(:skip_metadata_check, false)
-          smart_proxy_helper = ::Katello::SmartProxyHelper.new(smart_proxy)
-          concurrence do
-            smart_proxy_helper.repos_available_to_capsule(environment, content_view, repository).each do |repo|
-              plan_pulp_action([Actions::Pulp::Orchestration::Repository::SmartProxySync,
-                                Actions::Pulp3::CapsuleContent::Sync],
-                                 repo, smart_proxy,
-                                 skip_metadata_check: skip_metadata_check)
+          sequence do
+            repos = repos_to_sync(smart_proxy, environment, content_view, repository)
+            repos.in_groups_of(Setting[:foreman_proxy_content_batch_size], false) do |repo_batch|
+              concurrence do
+                repo_batch.each do |repo|
+                  plan_pulp_action([Actions::Pulp::Orchestration::Repository::SmartProxySync,
+                                    Actions::Pulp3::CapsuleContent::Sync],
+                                     repo, smart_proxy,
+                                     skip_metadata_check: skip_metadata_check)
-              if repo.is_a?(::Katello::Repository) &&
-                repo.distribution_bootable? &&
-                repo.download_policy == ::Runcible::Models::YumImporter::DOWNLOAD_ON_DEMAND
-                plan_action(Katello::Repository::FetchPxeFiles,
-                            id: repo.id,
-                            capsule_id: smart_proxy.id)
+                  if repo.is_a?(::Katello::Repository) &&
+                    repo.distribution_bootable? &&
+                    repo.download_policy == ::Runcible::Models::YumImporter::DOWNLOAD_ON_DEMAND
+                    plan_action(Katello::Repository::FetchPxeFiles,
+                                id: repo.id,
+                                capsule_id: smart_proxy.id)
+                  end
+                end
               end
             end
           end
         end
-        def resource_locks
-          :link
+        def repos_to_sync(smart_proxy, environment, content_view, repository)
+          smart_proxy_helper = ::Katello::SmartProxyHelper.new(smart_proxy)
+          smart_proxy_helper.lifecycle_environment_check(environment, repository)
+          if repository
+            [repository]
+          else
+            repositories = smart_proxy_helper.repositories_available_to_capsule(environment, content_view).by_rpm_count
+            puppet_envs = smart_proxy_helper.puppet_environments_available_to_capsule(environment, content_view)
+            repositories + puppet_envs
+          end
         end
-        def rescue_strategy
-          Dynflow::Action::Rescue::Skip
+        def resource_locks
+          :link
         end
       end
     end