redhat_access 2.0.0

data/app/helpers/redhat_access/log_viewer_helper.rb

@@ -0,0 +1,4 @@
+module RedhatAccess
+  module LogViewerHelper
+  end
+end

data/app/helpers/redhat_access/logs_helper.rb

@@ -0,0 +1,4 @@
+module RedhatAccess
+  module LogsHelper
+  end
+end

data/app/helpers/redhat_access/redhat_access_helper.rb

@@ -0,0 +1,4 @@
+module RedhatAccess
+  module RedhatAccessHelper
+  end
+end

data/app/helpers/redhat_access/search_helper.rb

@@ -0,0 +1,4 @@
+module RedhatAccess
+  module SearchHelper
+  end
+end

data/app/helpers/redhat_access/telemetry_configuration_helper.rb

@@ -0,0 +1,4 @@
+module RedhatAccess
+  module TelemetryConfigurationHelper
+  end
+end

data/app/models/redhat_access/concerns/organization_extensions.rb

@@ -0,0 +1,10 @@
+module RedhatAccess
+  module Concerns
+    module OrganizationExtensions
+      extend ActiveSupport::Concern
+      included do
+        has_one :telemetry_configuration, :class_name => "RedhatAccess::TelemetryConfiguration", :dependent => :destroy
+      end
+    end
+  end
+end

data/app/models/redhat_access/telemetry_configuration.rb

@@ -0,0 +1,11 @@
+module RedhatAccess
+  class TelemetryConfiguration < ActiveRecord::Base
+    include Encryptable
+    belongs_to :organization ,:class_name => "Organization", :inverse_of => :telemetry_configuration
+    encrypts :portal_password
+    self.include_root_in_json = false
+    def name
+      return "TelemetryConfiguration"
+    end
+  end
+end

data/app/models/redhat_access/telemetry_proxy_credentials.rb

@@ -0,0 +1,10 @@
+module RedhatAccess
+  class TelemetryProxyCredentials < ActiveRecord::Base
+    include Encryptable
+    encrypts :password
+
+    def name
+      return "TelemetryProxyCredentials"
+    end
+  end
+end

data/app/services/redhat_access/authentication/client_authentication.rb

@@ -0,0 +1,80 @@
+# This is code is based on the katello project
+#
+require 'active_support'
+require 'openssl'
+require 'base64'
+
+
+module RedhatAccess
+  module Authentication
+    module ClientAuthentication
+
+      def authenticate_client
+        set_client_user
+        require_login unless User.current
+        User.current.present?
+      end
+
+      def deny_access
+        render json: { :message => "Permission Denied." }, :status => 403
+      end
+
+      def set_client_user
+        if cert_present?
+          client_cert = RedhatAccess::Authentication::Cert.new(cert_from_request)
+          uuid = client_cert.uuid
+          Rails.logger.debug("Client cert UUID is : #{uuid}")
+          User.current =  CertUser.new(:login => uuid)
+        else
+          Rails.logger.debug("Client cert not present in request")
+        end
+      end
+
+      def cert_present?
+        ssl_client_cert = cert_from_request
+        !ssl_client_cert.nil? && !ssl_client_cert.empty? && ssl_client_cert != "(null)"
+      end
+
+      def cert_from_request
+        request.env['HTTP_X_RHSM_SSL_CLIENT_CERT'] ||
+          request.env['SSL_CLIENT_CERT'] ||
+          request.env['HTTP_SSL_CLIENT_CERT'] ||
+          ENV['HTTP_X_RHSM_SSL_CLIENT_CERT'] ||
+          ENV['SSL_CLIENT_CERT'] ||
+          ENV['HTTP_SSL_CLIENT_CERT']
+      end
+    end
+
+    class CertUser < ::User
+    end
+
+    class Cert
+      attr_accessor :cert
+      def initialize(cert)
+        self.cert = extract(cert)
+      end
+      def uuid
+        drop_cn_prefix_from_subject(@cert.subject.to_s)
+      end
+      private
+      def extract(cert)
+        if cert.empty?
+          fail('Invalid cert provided. Ensure that the provided cert is not empty.')
+        else
+          cert = strip_cert(cert)
+          cert = Base64.decode64(cert)
+          OpenSSL::X509::Certificate.new(cert)
+        end
+      end
+      def drop_cn_prefix_from_subject(subject_string)
+        subject_string.sub(/\/CN=/i, '')
+      end
+      def strip_cert(cert)
+        cert = cert.to_s.gsub("-----BEGIN CERTIFICATE-----", "").gsub("-----END CERTIFICATE-----", "")
+        cert.gsub!(' ', '')
+        cert.gsub!(/\n/, '')
+        cert
+      end
+    end
+  end
+end

data/app/services/redhat_access/telemetry/look_ups.rb

@@ -0,0 +1,233 @@
+begin
+  # TODO: fix dirty hack
+  require '/usr/share/foreman/lib/satellite/version.rb'
+rescue LoadError
+  # don't need to do anything
+  Rails.logger.debug("Unable to load version file.")
+end
+module RedhatAccess
+  module Telemetry
+    module LookUps
+      class  RecordNotFound < StandardError
+      end
+
+      def can_unregister_system(user)
+        # TODO: move this to an auth class?
+        return false if user.nil?
+        return true if user.admin
+        permissions = user.cached_roles.collect(&:permissions).flatten.map!(&:name)
+        # Rails.logger.debug("User can unregister telemetry hosts : #{ permissions.include?("rh_telemetry_configurations")}")
+        # for now we allow all.
+        true
+      end
+
+      def can_mask_rules(user)
+        # #TODO move this to an auth class?
+        # TODO move this to an auth class?
+        return false if user.nil?
+        return true if user.admin
+        permissions = user.cached_roles.collect(&:permissions).flatten.map!(&:name)
+        Rails.logger.debug("User can mask telemetry hosts : #{permissions.include?("rh_telemetry_configurations")}")
+        permissions.include?("rh_telemetry_configurations")
+      end
+
+      def is_susbcribed_to_redhat?(org)
+        if org
+          upstream = org.owner_details['upstreamConsumer']
+          return upstream && upstream['idCert'] ? true : false
+        end
+        false
+      end
+
+      def is_org_selected?
+        Organization.current.nil? ? false : true
+      end
+
+      def get_telemetry_config(org)
+        TelemetryConfiguration.find_or_create_by(:organization_id => org.id) do |conf|
+          conf.enable_telemetry = true
+        end
+      end
+
+      def telemetry_enabled?(org)
+        if org
+          conf = get_telemetry_config(org)
+          return conf.nil? ? false : conf.enable_telemetry
+        else
+          raise(RecordNotFound, 'Host not found or invalid')
+        end
+      end
+
+      def telemetry_enabled_for_uuid?(uuid)
+        telemetry_enabled?(get_organization(uuid))
+      end
+
+      def get_content_host_by_fqdn(name)
+        Katello::System.first(:conditions => {:name => name})
+      end
+
+      def disconnected_org?(org)
+        if org
+          # TODO: fix hard coding
+          org.redhat_repository_url != 'https://cdn.redhat.com'
+        else
+          raise(RecordNotFound, 'Organization not found or invalid')
+        end
+      end
+
+      def get_leaf_id(uuid)
+        system = get_content_host(uuid)
+        if system.nil?
+          ldebug('Host not found or invalid')
+          raise(RecordNotFound, 'Host not found or invalid')
+        end
+        uuid
+      end
+
+      def get_branch_id_for_org(org)
+        if org
+          if !org.owner_details['upstreamConsumer'] || !org.owner_details['upstreamConsumer']['uuid']
+            # ldebug('Org manifest not found or invalid in get_branch_id')
+            raise(RecordNotFound, 'Branch ID not found for organization')
+          else
+            branch_id =  org.owner_details['upstreamConsumer']['uuid']
+          end
+        else
+          raise(RecordNotFound, 'Organization not found or invalid')
+        end
+      end
+
+      def get_ssl_options_for_uuid(uuid, ca_file)
+        org = get_organization(uuid)
+        get_ssl_options_for_org(org, ca_file)
+      end
+
+      def use_basic_auth?
+        REDHAT_ACCESS_CONFIG[:enable_telemetry_basic_auth]
+      end
+
+      def get_ssl_options_for_org(org, ca_file)
+        if org
+          verify_peer = REDHAT_ACCESS_CONFIG[:telemetry_ssl_verify_peer] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
+          ssl_version = REDHAT_ACCESS_CONFIG[:telemetry_ssl_verify_peer] ? REDHAT_ACCESS_CONFIG[:telemetry_ssl_verify_peer] : nil
+          ca_file = ca_file ? ca_file : get_default_ssl_ca_file
+          Rails.logger.debug("Verify peer #{verify_peer}")
+          if use_basic_auth?
+            Rails.logger.debug("Using basic auth for portal communication")
+            get_basic_auth_options(org, ca_file, verify_peer, ssl_version)
+          else
+            Rails.logger.debug("Using SSL auth for portal communication")
+            get_mutual_tls_auth_options(org, ca_file, verify_peer, ssl_version)
+          end
+        else
+          raise(RecordNotFound, 'Organization not found or invalid')
+        end
+      end
+
+      def get_default_ssl_ca_file
+        "#{RedhatAccess::Engine.root}/ca/rh_cert-api_chain.pem"
+      end
+
+      def get_mutual_tls_auth_options(org, ca_file, verify_peer, ssl_version)
+        upstream = org.owner_details['upstreamConsumer']
+        if !upstream || !upstream['idCert'] || !upstream['idCert']['cert'] || !upstream['idCert']['key']
+          raise(RecordNotFound, 'Unable to get portal SSL credentials. Missing org manifest?')
+        else
+          opts = {
+            :ssl_client_cert => OpenSSL::X509::Certificate.new(upstream['idCert']['cert']),
+            :ssl_client_key  => OpenSSL::PKey::RSA.new(upstream['idCert']['key']),
+            :ssl_ca_file     => ca_file,
+            :verify_ssl      => verify_peer
+          }
+          opts[:ssl_version] = ssl_version if ssl_version
+          Rails.logger.debug("Telemetry ssl options => ca_file:#{opts[:ssl_ca_file]} , peer verify #{opts[:verify_ssl]}")
+          opts
+        end
+      end
+
+      def get_basic_auth_options(org, ca_file, verify_peer, ssl_version)
+        opts = {
+          :user        => org.telemetry_configuration.portal_user,
+          :password    => org.telemetry_configuration.portal_password,
+          :ssl_ca_file => ca_file,
+          :verify_ssl  => verify_peer
+        }
+        opts[:ssl_version] = ssl_version if ssl_version
+        opts
+      end
+
+      def get_branch_id_for_uuid(uuid)
+        org = get_organization(uuid)
+        get_branch_id_for_org org
+      end
+
+      def get_organization(uuid)
+        system = get_content_host(uuid)
+        system.nil? ? nil : system.organization
+      end
+
+      def get_content_host(uuid = nil)
+        uuid ||= params[:id]
+        facet = Katello::Host::SubscriptionFacet.where(:uuid => uuid).first
+        if facet.nil?
+          User.as_anonymous_admin { Resources::Candlepin::Consumer.get(uuid) }
+          raise HttpErrors::NotFound, _("Couldn't find consumer '%s'") % uuid
+        end
+        @host = facet.host
+      end
+
+      def get_content_hosts(org)
+        if org
+          org_id = org.id
+          environment_ids = Organization.find(org_id).kt_environments.pluck(:id)
+          hosts =  Katello::System.readable.where(:environment_id => environment_ids).pluck(:uuid).compact.sort
+        else
+          raise(RecordNotFound, 'Organization not found or invalid')
+        end
+      end
+
+      def get_portal_http_proxy
+        proxy = nil
+        if SETTINGS[:katello][:cdn_proxy] && SETTINGS[:katello][:cdn_proxy][:host]
+          proxy_config = SETTINGS[:katello][:cdn_proxy]
+          uri = URI('')
+          uri.scheme = URI.parse(proxy_config[:host]).scheme
+          uri.host = URI.parse(proxy_config[:host]).host
+          uri.port = proxy_config[:port] if proxy_config[:port]
+          uri.user =  ERB::Util.url_encode(proxy_config[:user]) if proxy_config[:user]
+          uri.password = ERB::Util.url_encode(proxy_config[:password]) if proxy_config[:password]
+          proxy = uri.to_s
+        end
+        proxy
+      end
+
+      # TODO: move version and name methods to generic utility
+      def get_rha_plugin_name
+        'redhat_access'
+      end
+
+      def get_rha_plugin_rpm_name
+        'foreman-redhat_access'
+      end
+
+
+      def get_rha_plugin_version
+        RedhatAccess::VERSION
+      end
+
+      def get_plugin_parent_name
+        if defined? ForemanThemeSatellite::SATELLITE_VERSION
+          return 'Satellite'
+        end
+        'Foreman'
+      end
+
+      def get_plugin_parent_version
+        if defined? ForemanThemeSatellite::SATELLITE_VERSION
+          return ForemanThemeSatellite::SATELLITE_VERSION.gsub(/[a-zA-Z ]/, "")
+        end
+        Foreman::Version.new.to_s
+      end
+    end
+  end
+end

data/app/services/redhat_access/telemetry/portal_client.rb

@@ -0,0 +1,39 @@
+require 'redhat_access_lib'
+
+module RedhatAccess
+  module Telemetry
+    class PortalClient < RedHatSupportLib::TelemetryApi::Client
+
+      include RedhatAccess::Telemetry::LookUps
+
+      def initialize(upload_url,api_url, creds, context, optional)
+        super(upload_url,api_url, creds, optional)
+        @context = context
+      end
+
+      def get_machines
+        @context.get_machines
+      end
+
+      # Returns the branch id of the current org/account
+      def get_branch_id
+        return get_branch_id_for_org(Organization.current)
+      end
+
+      def get_auth_opts(creds)
+        # #temp implementation##########################
+        # if creds.is_a?(User) and  User.current.is_a? RedhatAccess::Authentication::CertUser
+        #   opts = get_ssl_options_for_uuid(User.current.login)
+        # elsif creds.is_a?(TelemetryProxyCredentials)
+        #   opts = {
+        #     :user     => creds.username,
+        #     :password => creds.password
+        #   }
+        # end
+        #end temp implementation######################
+        #TODO enable below for cert based auth
+        return @context.get_auth_opts()
+      end
+    end
+  end
+end

data/app/views/redhat_access/analytics_dashboard/configuration.html.erb

@@ -0,0 +1,85 @@
+<div class="section">
+    <div class="row margin-top">
+        <div class="col-sm-12">
+            <h1 class="page-title">Manage</h1>
+        </div>
+    </div>
+    <div class="row row-short">
+        <div class="col-sm-12">
+            <div class="panel panel-default">
+                <div class="panel-heading">Access Insights Service Configuration</div>
+                <div>
+                    <i ng-show="loading" class="fa fa-spinner fa-spin fa-1-5x"></i>
+                </div>
+                <div class="panel-body">
+                    <form class="form-horizontal">
+                        <div class="form-group">
+                            <label for="rha-insights-enabled" class="col-lg-3 control-label">Enable Service </label>
+                            <div class="col-lg-6">
+                                <div class="checkbox">
+                                    <input id="rha-insights-enabled" type="checkbox" ng-model="config.enable_telemetry" ng-disabled="loading" />
+                                </div>
+                            </div>
+                        </div>
+                        <div class="form-group" ng-show="env.enableBasicAuth">
+                            <label for="rha-insights-password" class="col-lg-3 control-label">Customer Portal Username</label>
+                            <div class="col-lg-6">
+                                <input id="rha-insights-password" type="text" size="32" ng-model="config.portal_user" ng-disabled="loading" class="form-control" />
+                            </div>
+                        </div>
+                        <div class="form-group" ng-show="env.enableBasicAuth">
+                            <label for="rha-insights-password" class="col-lg-3 control-label">Customer Portal Password</label>
+                            <div class="col-lg-6">
+                                <input id="rha-insights-password" type="password" size="32" ng-model="config.portal_password" ng-disabled="loading" class="form-control" />
+                            </div>
+                        </div>
+                        <div class="form-group">
+                            <div class="col-lg-offset-3 col-lg-6">
+                                <input type="submit" value="Save" ng-click="update()" ng-hide="disableUpdateButton()" class="btn btn-success" />
+                            </div>
+                        </div>
+                    </form>
+                </div>
+            </div>
+            <div class="panel panel-default" ng-show="showConnectionStatus()">
+                <div class="panel-heading">Insights Engine Connection</div>
+                <div>
+                    <i ng-show="accountLoading" class="fa fa-spinner fa-spin fa-1-5x"></i>
+                </div>
+                <div class="panel-body">
+                    <form class="form-horizontal">
+                        <div class="form-group">
+                            <label class="control-label col-sm-2" for="connectionStatus">Status:</label>
+                            <div class="col-sm-10">
+                                <p class="form-control-static"> {{portalAccount.connectionStatus}} </p>
+                            </div>
+                        </div>
+                        <div class="form-group">
+                            <label class="control-label col-sm-2" for="account">Account Number:</label>
+                            <div class="col-sm-10">
+                                <p class="form-control-static">{{portalAccount.account}}</p>
+                            </div>
+                        </div>
+                        <div class="form-group" ng-show="portalAccount.company">
+                            <label class="control-label col-sm-2" for="company">Company:</label>
+                            <div class="col-sm-10">
+                                <p class="form-control-static"> {{portalAccount.company}} </p>
+                            </div>
+                        </div>
+                        <div class="form-group" ng-show="portalAccount.orgId">
+                            <label class="control-label col-sm-2" for="orgid">Organization ID:</label>
+                            <div class="col-sm-10">
+                                <p class="form-control-static"> {{portalAccount.orgId}} </p>
+                            </div>
+                        </div>
+                        <div class="form-group">
+                            <div class="col-sm-offset-2 col-sm-2">
+                                <input type="submit" value="Check Connection" ng-click="getAccountInfo()" ng-hide="accountLoading" class="btn btn-success" />
+                            </div>
+                        </div>
+                    </form>
+                </div>
+            </div>
+        </div>
+    </div>
+</div>

data/app/views/redhat_access/analytics_dashboard/error.html.erb

@@ -0,0 +1,13 @@
+<div class="section">
+    <section>
+        <h3>
+           <i ng-class="severityClass" class="fa i-error fa-times-circle"></i>
+           Error communicating with Red Hat Access Insights Service
+        </h3>
+        <p></p>
+        <p>
+           Please verify that you hava a valid subscription manifest in your organization and that your Satellite server is configured to allow HTTPS communications to <i>cert-api.redhat.access.com</i>.
+        </p>
+       
+    </section>
+</div>

data/app/views/redhat_access/analytics_dashboard/help.html.erb

@@ -0,0 +1,16 @@
+<div class="section">
+    <section>
+        <h3>
+           General Information
+        </h3>
+        <p>
+          For an overview of the Red Hat Insights service, please refer to the <a href="https://access.redhat.com/insights/info/" target="_blank">general information page</a>.
+        </p>
+        <h3>
+           Getting Started
+        </h3>
+        <p>
+          For help with configuring and enabling the Red Hat Insights service in Satellite 6, please refer to the <a href="https://access.redhat.com/insights/getting-started/satellite/6/" target="_blank">Getting Started Guide</a>.
+        </p>
+    </section>
+</div>

data/app/views/redhat_access/analytics_dashboard/index.html.erb

@@ -0,0 +1,69 @@
+<% if ((!help_path? && !manage_path?) || (manage_path? && !is_org_selected?)) && (!is_org_selected? || !telemetry_enabled?(Organization.current) || !is_susbcribed_to_redhat?(Organization.current) || disconnected_org?(Organization.current)) %>
+    <article id='content'>
+    <%if !is_org_selected? && !help_path %>
+      <section>
+        <h1>
+          <%= _("Organization Selection Required") %>
+        </h1>
+        <p>
+          <%= _("Please choose an organization using the selector located at the far left of the menu.") %>
+        </p>
+      </section>
+    <%elsif !telemetry_enabled?(Organization.current) %>
+        <section>
+          <h1>
+            <%= _("The Red Hat Insights service is disabled for this organization.") %>
+          </h1>
+          <p>
+            <%= _("Please contact your organization's administrator to enable the service.") %>
+          </p>
+        </section>
+    <%elsif !is_susbcribed_to_redhat?(Organization.current) %>
+      <section>
+        <h1>
+          <%= _("No Red Hat Subscriptions found!") %>
+        </h1>
+        <p>
+          <%= (_("A Red Hat Subscription is required to access this service, please import a manifest <a href='/subscriptions' data-no-turbolink>here</a>.")).html_safe %>
+        </p>
+      </section>
+    <%else%>
+      <section>
+        <h1>
+          <%= _("Organization is configured in disconnected mode.") %>
+        </h1>
+        <p>
+          <%= _("A network connection to the Red Hat Customer portal is required for this feature.")%>
+        </p>
+      </section>
+    <%end%>
+  </article>
+<%else%>
+  <% content_for(:head) do %>
+    <base href="/redhat_access/insights/"/>
+
+  <% end %>
+  <div class="container main-content insights-main-content insights-app-overview">
+  <div class="form-group">
+    <h1><%= 'Red Hat Insights' %></h1>
+  </div>
+  <div ng-app="RedhatAccessInsights">
+    <div ui-view="" class="wrapper ng-cloak in-prod"></div>
+    <actionbar></actionbar>
+  </div>
+  </div>
+    <% content_for(:stylesheets) do %>
+        <%= stylesheet "insights/application" %>
+    <% end %>
+    <% content_for(:javascripts) do %>
+        <%= javascript_tag do %>
+            var REDHAT_ACCESS_SETTINGS = REDHAT_ACCESS_SETTINGS || {};
+            REDHAT_ACCESS_SETTINGS.Insights = {};
+            REDHAT_ACCESS_SETTINGS.Insights.allowBasicAuth = <%= REDHAT_ACCESS_CONFIG[:enable_telemetry_basic_auth] %> ;
+            REDHAT_ACCESS_SETTINGS.Insights.canUnregisterSystems = <%= can_unregister_system(User.current) %>;
+            REDHAT_ACCESS_SETTINGS.Insights.canIgnoreRules = <%= can_mask_rules(User.current) %>;
+            REDHAT_ACCESS_SETTINGS.currentLocale = '<%= (I18n.locale)[0..1] %>';
+        <%end%>
+        <%= javascript_include_tag "insights/application" %>
+    <% end %>
+<%end%>

data/app/views/redhat_access/analytics_dashboard/welcome.html.erb

@@ -0,0 +1,8 @@
+<div id="welcome">
+  <p>
+    <%= _("Red Hat Insights is not enabled for your organization.") %>
+  </p>
+  <p>
+    <%= _("Enable this functionality using the functionality here").html_safe %>
+  </p>
+</div>

data/app/views/redhat_access/redhat_access/index.html.erb

@@ -0,0 +1,34 @@
+<% content_for(:head) do %>
+  <base href="/redhat_access/"/>
+<% end %>
+<div ng-app="RedhatAccess">
+  <div ui-view autoscroll="false"></div>
+</div>
+<%= stylesheet_link_tag 'redhat_access/application'%>
+<%= javascript_include_tag 'redhat_access/application' %>
+<%= javascript_tag do %>
+  $.ajaxPrefilter(function(options, originalOptions, jqXHR) {
+    var strataHost = "<%=  REDHAT_ACCESS_CONFIG[:strata_host] %>";
+    var strataUrlPrefix = 'https://api.'+strataHost + '/';
+    var strataProxyUrl = window.location.protocol +"//"+ window.location.hostname + ':'+ window.location.port + '/redhat_access/strata/';
+    if (options.url.startsWith(strataUrlPrefix)){
+        var s = options.url.replace(strataUrlPrefix, strataProxyUrl);
+        options.url = options.url.replace(strataUrlPrefix, strataProxyUrl);
+        options.crossDomain = false;
+    }
+    if (options.url.startsWith(strataProxyUrl)){ //option.crossDomain check not reliable
+        var token = $('meta[name="csrf-token"]').attr('content');
+        if (token) {
+            return jqXHR.setRequestHeader('X-CSRF-Token', token);
+        }
+    }
+  });
+  $(document).on('ajaxError', function(event, xhr) {
+    if (xhr.status === 401 || xhr.status === 403) {
+        window.location.href = "/users/login";
+    }
+  });
+  angular.module('RedhatAccess').value('currentLocale', '<%= (I18n.locale)[0..1] %>');
+  strata.setPortalHostname('<%=  REDHAT_ACCESS_CONFIG[:strata_host] %>');
+  strata.setRedhatClientID('<%=  "foreman_plugin_#{REDHAT_ACCESS_CONFIG[:deployment]}_#{RedhatAccess::VERSION}" %>');
+<% end %>