smart_proxy_container_gateway 3.3.0 → 3.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1965b68bd7795a23fafce6976458a33bf58f8ef67ccab714ab52edcd69558e4e
-  data.tar.gz: f025588bd31da08bbf6fc2bfd9b58924a4d99d86571b689f6bbfdfc2a7e458dd
+  metadata.gz: 470113167c3182629d62ee7babddf775b3e99e4c21ce0df5a9716894867dad86
+  data.tar.gz: 7adbe20e3c0dda9a9a3704501144c5f4134c7d9c266f36b19f24e83df09ad997
 SHA512:
-  metadata.gz: 8592a29f188ccc45ee9db74cf72579b5c63957ed4a9a64e015c7f3627bd2ee0fdf23e80efad608b690313fe5a4db28f2db0d5660a0a0a894736e500d1aa5bc78
-  data.tar.gz: eedefbd87696d56163aef9da0b6af8b4061bea74626054d4bf1c78b7d70425a61939db451a6081b79efdb42b17e248f1a8eaf037b5c882026bff7f5a79d87e62
+  metadata.gz: b017c8a19c575d9ddcae254500917089eef21739914b5dc73447ba39af9840679028a4401bf15fd1216ae7299b7da7f55c6200a87830d7553fd8b380bc6c821b
+  data.tar.gz: e37b37684d5eaace152ab018067f4fa9292a5f5663543e030ed07eba894e59d6486c6b43a0c465c11dd7de65af14599b2e54a22882ff541dd5cb45e1ae381776

data/lib/smart_proxy_container_gateway/container_gateway_api.rb

@@ -7,9 +7,11 @@ require 'sinatra'
 require 'smart_proxy_container_gateway/container_gateway'
 require 'smart_proxy_container_gateway/container_gateway_main'
 require 'smart_proxy_container_gateway/foreman_api'
+require 'smart_proxy_container_gateway/rhsm_client'
 
 module Proxy
   module ContainerGateway
+    # rubocop:disable Metrics/ClassLength
     class Api < ::Sinatra::Base
       include ::Proxy::Log
       helpers ::Proxy::Helpers
@@ -19,6 +21,35 @@ module Proxy
       inject_attr :database_impl, :database
       inject_attr :container_gateway_main_impl, :container_gateway_main
 
+      get '/index/static/?' do
+        client_cert = ::Cert::RhsmClient.new(cert_from_request) if valid_cert?
+        valid_uuid = client_cert&.uuid&.present?
+
+        pulp_response = container_gateway_main.flatpak_static_index(translated_headers_for_proxy, params)
+
+        if pulp_response.code.to_i >= 400
+          status pulp_response.code.to_i
+          body pulp_response.body
+        elsif valid_uuid
+          host = database.connection[:hosts][{ uuid: client_cert.uuid }]
+          if host.nil?
+            repo_response = ForemanApi.new.fetch_host_repositories(client_cert.uuid, request.params)
+            halt repo_response.code.to_i, repo_response.body unless repo_response.code.to_i == 200
+            container_gateway_main.update_host_repositories(client_cert.uuid,
+                                                            JSON.parse(repo_response.body)['repositories'])
+          end
+          catalog = container_gateway_main.host_catalog(client_cert.uuid).select_map(::Sequel[:repositories][:name])
+          pulp_index = JSON.parse(pulp_response.body)
+          halt 400, "Error: 'Results' key is missing in pulp_index" unless pulp_index.key?("Results")
+          pulp_index["Results"].select! { |result| catalog.include?(result["Name"]) }
+          status 200
+          body pulp_index.to_json
+        else
+          status pulp_response.code.to_i
+          body pulp_response.body
+        end
+      end
+
       get '/v1/_ping/?' do
         pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
         status pulp_response.code.to_i
@@ -26,7 +57,9 @@ module Proxy
       end
 
       get '/v2/?' do
-        if auth_header.present? && (auth_header.unauthorized_token? || auth_header.valid_user_token?)
+        client_cert = ::Cert::RhsmClient.new(cert_from_request) if valid_cert?
+        valid_uuid = client_cert&.uuid&.present?
+        if valid_uuid || (auth_header.present? && (auth_header.unauthorized_token? || auth_header.valid_user_token?))
           response.headers['Docker-Distribution-API-Version'] = 'registry/2.0'
           pulp_response = container_gateway_main.ping(translated_headers_for_proxy)
           status pulp_response.code.to_i
@@ -117,9 +150,18 @@ module Proxy
       end
 
       get '/v2/_catalog/?' do
+        client_cert = ::Cert::RhsmClient.new(cert_from_request) if valid_cert?
         catalog = []
-        if auth_header.present?
-          if auth_header.unauthorized_token?
+        if client_cert&.uuid&.present?
+          host = database.connection[:hosts][{ uuid: client_cert.uuid }]
+          if host.nil?
+            repo_response = ForemanApi.new.fetch_host_repositories(client_cert.uuid, request.params)
+            container_gateway_main.update_host_repositories(client_cert.uuid,
+                                                            JSON.parse(repo_response.body)['repositories'])
+          end
+          catalog = container_gateway_main.host_catalog(client_cert.uuid).select_map(::Sequel[:repositories][:name])
+        elsif auth_header.present?
+          if auth_header.unauthenticated_token? || auth_header.unauthorized_token?
             catalog = container_gateway_main.catalog.select_map(::Sequel[:repositories][:name])
           elsif auth_header.valid_user_token?
             catalog = container_gateway_main.catalog(auth_header.user).select_map(::Sequel[:repositories][:name])
@@ -150,42 +192,33 @@ module Proxy
           request.params['account'] ||= username if username.present?
         end
 
-        unless auth_header.present? && auth_header.basic_auth?
-          return { token: AuthorizationHeader::UNAUTHORIZED_TOKEN, issued_at: Time.now.rfc3339,
-                   expires_in: 1.year.seconds.to_i }.to_json
-        end
-
         token_response = ForemanApi.new.fetch_token(auth_header.raw_header, request.params)
-        if token_response.code.to_i != 200
-          halt token_response.code.to_i, token_response.body
-        else
-          # This returned token should follow OAuth2 spec. We need some minor conversion
-          # to store the token with the expires_at time (using rfc3339).
-          token_response_body = JSON.parse(token_response.body)
+        halt token_response.code.to_i, token_response.body unless token_response.code.to_i == 200
 
-          if token_response_body['token'].nil?
-            halt 502, "Recieved malformed token response"
-          end
+        token_response_body = JSON.parse(token_response.body)
+        halt 502, "Recieved malformed token response" if token_response_body['token'].nil?
+
+        # Check for unauthorized tokens and respond with 401
+        halt 401, "unauthorized" if token_response_body['token'] == AuthorizationHeader::UNAUTHORIZED_TOKEN
+
+        # Skip storing the token if it is unauthenticated
+        unless token_response_body['token'] == AuthorizationHeader::UNAUTHENTICATED_TOKEN
 
           # "issued_at" is an optional field. Per OAuth2 we assume time of token response as
           # the issue time if the field is ommitted.
           token_issue_time = (token_response_body["issued_at"] || token_response["Date"])&.to_time
-          if token_issue_time.nil?
-            halt 502, "Recieved malformed token response"
-          end
+          halt 502, "Recieved malformed token response" if token_issue_time.nil?
 
+          # This returned token should follow OAuth2 spec. We need some minor conversion
+          # to store the token with the expires_at time (using rfc3339).
           # 'expires_in' is an optional field. If not provided, assume 60 seconds per OAuth2 spec
           expires_in = token_response_body.fetch("expires_in", 60)
           expires_at = token_issue_time + expires_in.seconds
-          if request.params['account'].present?
-            container_gateway_main.insert_token(
-              request.params['account'],
-              token_response_body['token'],
-              expires_at.rfc3339
-            )
-          else
-            halt 401, "unauthorized"
-          end
+          container_gateway_main.insert_token(
+            request.params['account'],
+            token_response_body['token'],
+            expires_at.rfc3339
+          )
 
           repo_response = ForemanApi.new.fetch_user_repositories(auth_header.raw_header, request.params)
           if repo_response.code.to_i != 200
@@ -194,10 +227,10 @@ module Proxy
             container_gateway_main.update_user_repositories(request.params['account'],
                                                             JSON.parse(repo_response.body)['repositories'])
           end
-
-          # Return the original token response from Katello
-          return token_response.body
         end
+
+        # Return the original token response from Katello
+        return token_response.body
       end
 
       get '/users/?' do
@@ -222,12 +255,51 @@ module Proxy
         {}
       end
 
+      put '/update_hosts/?' do
+        do_authorize_any
+        hosts = params['hosts'] || []
+        # Refresh hosts table
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          hosts_table = database.connection[:hosts]
+          hosts_table.delete
+          hosts_table.import(%i[uuid], hosts.map { |host| [host['uuid']] })
+        end
+        {}
+      end
+
+      put '/host_repository_mapping/?' do
+        do_authorize_any
+        container_gateway_main.update_host_repo_mapping(params)
+        {}
+      end
+
+      put '/update_host_repositories/?' do
+        do_authorize_any
+        params['hosts'].flat_map do |host_map|
+          host_map.filter_map do |host_uuid, repos|
+            if repos.nil? || repos.empty?
+              repo_names = []
+            else
+              repo_names = repos
+                           .select { |repo| repo['auth_required'].to_s.downcase == "true" }
+                           .map { |repo| repo['repository'] }
+            end
+            container_gateway_main.update_host_repositories(host_uuid, repo_names)
+          end
+        end
+        {}
+      end
+
       private
 
       def flatpak_client?
         request.user_agent&.downcase&.include?('flatpak')
       end
 
+      def valid_cert?
+        cert_from_request.present? && !cert_from_request.empty? && !cert_from_request.include?('null')
+      end
+
       def head_or_get_blobs
         repository = params[:splat][0]
         digest = params[:splat][1]
@@ -281,6 +353,8 @@ module Proxy
       end
 
       def handle_repo_auth(repository, auth_header, request)
+        return if handle_client_cert_auth(repository)
+
         user_token_is_valid = false
         if auth_header.present? && auth_header.valid_user_token?
           user_token_is_valid = true
@@ -288,19 +362,33 @@ module Proxy
           # For flatpak client, header doesn't contain user name. Extract it from token.
           username ||= container_gateway_main.token_user(@value.split(' ')[1]) if flatpak_client?
         end
-        username = request.params['account'] if username.nil?
+        username ||= request.params['account']
 
         return if container_gateway_main.authorized_for_repo?(repository, user_token_is_valid, username)
 
+        handle_unauthorized_access(username)
+      end
+
+      def handle_unauthorized_access(username)
         redirect_authorization_headers
+        halt 401, "unauthorized" if flatpak_client? && username.nil?
+        throw_repo_not_found_error
+      end
 
-        # If username couldn't be determined from the token or auth_headers
-        # which is case for first flatpak request, halt with 401 instead of 404
-        if flatpak_client? && username.nil?
-          halt 401, "unauthorized"
+      def handle_client_cert_auth(repository)
+        client_cert = ::Cert::RhsmClient.new(cert_from_request) if valid_cert?
+        valid_uuid = client_cert&.uuid&.present?
+        if valid_uuid
+          host = database.connection[:hosts][{ uuid: client_cert.uuid }]
+          if host.nil?
+            repo_response = ForemanApi.new.fetch_host_repositories(client_cert.uuid, request.params)
+            container_gateway_main.update_host_repositories(client_cert.uuid,
+                                                            JSON.parse(repo_response.body)['repositories'])
+          end
+          halt 401, "unauthorized" unless container_gateway_main.cert_authorized_for_repo?(repository, client_cert.uuid)
+          return true
         end
-
-        throw_repo_not_found_error
+        false
       end
 
       def redirect_authorization_headers
@@ -310,6 +398,15 @@ module Proxy
                                                "scope=\"repository:registry:pull,push\""
       end
 
+      def cert_from_request
+        request.env['HTTP_X_RHSM_SSL_CLIENT_CERT'] ||
+          request.env['SSL_CLIENT_CERT'] ||
+          request.env['HTTP_SSL_CLIENT_CERT'] ||
+          ENV['HTTP_X_RHSM_SSL_CLIENT_CERT'] ||
+          ENV['SSL_CLIENT_CERT'] ||
+          ENV['HTTP_SSL_CLIENT_CERT']
+      end
+
       def auth_header
         AuthorizationHeader.new(request.env['HTTP_AUTHORIZATION'])
       end
@@ -320,6 +417,7 @@ module Proxy
         inject_attr :database_impl, :database
         inject_attr :container_gateway_main_impl, :container_gateway_main
         UNAUTHORIZED_TOKEN = 'unauthorized'.freeze
+        UNAUTHENTICATED_TOKEN = 'unauthenticated'.freeze
 
         def initialize(value)
           @value = value || ''
@@ -345,6 +443,10 @@ module Proxy
           @value.split(' ')[1] == UNAUTHORIZED_TOKEN
         end
 
+        def unauthenticated_token?
+          @value.split(' ')[1] == UNAUTHENTICATED_TOKEN
+        end
+
         def token_auth?
           @value.split(' ')[0] == 'Bearer'
         end
@@ -367,5 +469,6 @@ module Proxy
         end
       end
     end
+    # rubocop:enable Metrics/ClassLength
   end
 end

data/lib/smart_proxy_container_gateway/container_gateway_main.rb

@@ -1,6 +1,7 @@
 require 'net/http'
 require 'uri'
 require 'digest'
+require 'erb'
 require 'smart_proxy_container_gateway/dependency_injection'
 require 'sequel'
 module Proxy
@@ -40,6 +41,14 @@ module Proxy
         end
       end
 
+      def flatpak_static_index(headers, params = {})
+        uri = URI.parse("#{@pulp_endpoint}/pulpcore_registry/index/static")
+        unless params.empty?
+          uri.query = params.map { |k, v| "#{ERB::Util.url_encode(k.to_s)}=#{ERB::Util.url_encode(v.to_s)}" }.join('&')
+        end
+        pulp_registry_request(uri, headers)
+      end
+
       def ping(headers)
         uri = URI.parse("#{@pulp_endpoint}/pulpcore_registry/v2/")
         pulp_registry_request(uri, headers)
@@ -101,6 +110,17 @@ module Proxy
         end
       end
 
+      def host_catalog(host_uuid = nil)
+        if host_uuid.nil?
+          unauthenticated_repos
+        else
+          database.connection[:repositories].
+            left_join(:hosts_repositories, repository_id: :id).
+            left_join(:hosts, ::Sequel[:hosts][:id] => :host_id).where(uuid: host_uuid).
+            or(Sequel[:repositories][:auth_required] => false).order(::Sequel[:repositories][:name])
+        end
+      end
+
       def unauthenticated_repos
         database.connection[:repositories].where(auth_required: false).order(:name)
       end
@@ -163,6 +183,66 @@ module Proxy
         end
       end
 
+      # Replaces the entire host-repo mapping for all hosts.
+      # Assumes host is present in the DB.
+      def update_host_repo_mapping(host_repo_maps)
+        # Get DB tables
+        hosts_repositories = database.connection[:hosts_repositories]
+
+        # Build list of [repository_id, host_id] pairs
+        entries = build_host_repository_mapping(host_repo_maps)
+
+        # Insert all in a single transaction
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          hosts_repositories.delete
+          hosts_repositories.import(%i[repository_id host_id], entries)
+        end
+      end
+
+      def build_host_repository_mapping(host_repo_maps)
+        hosts = database.connection[:hosts]
+        repositories = database.connection[:repositories]
+        entries = host_repo_maps['hosts'].flat_map do |host_map|
+          host_map.filter_map do |host_uuid, repos|
+            host = hosts[{ uuid: host_uuid }]
+            next unless host
+
+            repo_names = repos
+                         .select { |repo| repo['auth_required'].to_s.downcase == "true" }
+                         .map { |repo| repo['repository'] }
+
+            repositories
+              .where(name: repo_names, auth_required: true)
+              .select(:id)
+              .map { |repo| [repo[:id], host[:id]] }
+          end
+        end
+        entries.flatten!(1)
+      end
+
+      def update_host_repositories(uuid, repositories)
+        host = find_or_create_host(uuid)
+        hosts_repositories = database.connection[:hosts_repositories]
+        database.connection.transaction(isolation: :serializable,
+                                        retry_on: [Sequel::SerializationFailure],
+                                        num_retries: 10) do
+          hosts_repositories.where(host_id: host[:id]).delete
+          return if repositories.nil? || repositories.empty?
+
+          hosts_repositories.import(
+            %i[repository_id host_id],
+            database.connection[:repositories].where(name: repositories, auth_required: true).select(:id).map do |repo|
+              [repo[:id], host[:id]]
+            end
+          )
+        end
+      end
+
+      def find_or_create_host(uuid)
+        database.connection[:hosts].insert_conflict(target: :uuid, action: :ignore).insert(uuid: uuid)
+        database.connection[:hosts][{ uuid: uuid }]
+      end
+
       # Returns:
       # true if the user is authorized to access the repo, or
       # false if the user is not authorized to access the repo or if it does not exist
@@ -185,6 +265,20 @@ module Proxy
         false
       end
 
+      def cert_authorized_for_repo?(repo_name, uuid)
+        database.connection.transaction(isolation: :serializable, retry_on: [Sequel::SerializationFailure]) do
+          repository = database.connection[:repositories][{ name: repo_name }]
+          return false if repository.nil?
+          return true unless repository[:auth_required]
+
+          database.connection[:hosts_repositories]
+                  .where(repository_id: repository[:id])
+                  .join(:hosts, id: :host_id)
+                  .where(Sequel[:hosts][:uuid] => uuid)
+                  .any?
+        end
+      end
+
       def token_user(token)
         database.connection[:users][{
           id: database.connection[:authentication_tokens].where(token_checksum: checksum(token)).select(:user_id)

data/lib/smart_proxy_container_gateway/foreman_api.rb

@@ -1,15 +1,17 @@
 require 'uri'
+require 'openssl'
 
 module Proxy
   module ContainerGateway
     class ForemanApi
-      def registry_request(auth_header, params, suffix)
+      def registry_request(auth_header, params, suffix, uuid: '', cert: false)
         uri = URI.join(Proxy::SETTINGS.foreman_url, Proxy::ContainerGateway::Plugin.settings.katello_registry_path, suffix)
         uri.query = process_params(params)
 
         req = Net::HTTP::Get.new(uri)
-        req.add_field('Authorization', auth_header)
+        req.add_field('Authorization', auth_header) unless cert
         req.add_field('Accept', 'application/json')
+        req.add_field('HostUUID', uuid) if cert
         req.content_type = 'application/json'
         http = Net::HTTP.new(uri.hostname, uri.port)
         http.use_ssl = true
@@ -29,6 +31,10 @@ module Proxy
       def fetch_user_repositories(auth_header, params)
         registry_request(auth_header, params, '_catalog')
       end
+
+      def fetch_host_repositories(uuid, params)
+        registry_request(nil, params, '_catalog', uuid: uuid, cert: true)
+      end
     end
   end
 end

data/lib/smart_proxy_container_gateway/rhsm_client.rb

@@ -0,0 +1,33 @@
+require 'openssl'
+require 'base64'
+
+module Cert
+  class RhsmClient
+    attr_accessor :cert
+
+    def initialize(cert)
+      self.cert = extract(cert)
+    end
+
+    def uuid
+      @uuid ||= @cert.subject.to_a.find { |entry| entry[0] == 'CN' }&.[](1)
+    end
+
+    private
+
+    def extract(cert)
+      raise('Invalid cert provided. Ensure that the provided cert is not empty.') if cert.empty?
+
+      cert = strip_cert(cert)
+      cert = Base64.decode64(cert)
+      OpenSSL::X509::Certificate.new(cert)
+    end
+
+    def strip_cert(cert)
+      cert = cert.to_s.gsub("-----BEGIN CERTIFICATE-----", "").gsub("-----END CERTIFICATE-----", "")
+      cert.delete!(' ')
+      cert.delete!("\n")
+      cert
+    end
+  end
+end

data/lib/smart_proxy_container_gateway/sequel_migrations/005_host_repositories.rb

@@ -0,0 +1,24 @@
+Sequel.migration do
+  up do
+    # Create the hosts table
+    create_table(:hosts) do
+      primary_key :id
+      String :uuid, null: false, unique: true
+    end
+
+    # Create the hosts_repositories join table
+    create_table(:hosts_repositories) do
+      foreign_key :host_id, :hosts, on_delete: :cascade
+      foreign_key :repository_id, :repositories, on_delete: :cascade
+      primary_key %i[host_id repository_id]
+    end
+  end
+
+  down do
+    # Drop the hosts_repositories join table
+    drop_table(:hosts_repositories)
+
+    # Drop the hosts table
+    drop_table(:hosts)
+  end
+end

data/lib/smart_proxy_container_gateway/version.rb

@@ -1,5 +1,5 @@
 module Proxy
   module ContainerGateway
-    VERSION = '3.3.0'.freeze
+    VERSION = '3.4.0'.freeze
   end
 end

data/lib/smart_proxy_container_gateway.rb

@@ -2,3 +2,4 @@ require 'smart_proxy_container_gateway/version'
 require 'smart_proxy_container_gateway/database'
 require 'smart_proxy_container_gateway/container_gateway'
 require 'smart_proxy_container_gateway/container_gateway_main'
+require 'smart_proxy_container_gateway/rhsm_client'

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_container_gateway
 version: !ruby/object:Gem::Version
-  version: 3.3.0
+  version: 3.4.0
 platform: ruby
 authors:
 - Ian Ballou
-autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-04-04 00:00:00.000000000 Z
+date: 1980-01-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: activesupport
@@ -77,8 +76,8 @@ email: ianballou67@gmail.com
 executables: []
 extensions: []
 extra_rdoc_files:
-- README.md
 - LICENSE
+- README.md
 files:
 - LICENSE
 - README.md
@@ -91,17 +90,18 @@ files:
 - lib/smart_proxy_container_gateway/database.rb
 - lib/smart_proxy_container_gateway/dependency_injection.rb
 - lib/smart_proxy_container_gateway/foreman_api.rb
+- lib/smart_proxy_container_gateway/rhsm_client.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/001_initial.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/002_auth_tokens.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/003_authorization_reorg.rb
 - lib/smart_proxy_container_gateway/sequel_migrations/004_users_repositories_cascade_delete.rb
+- lib/smart_proxy_container_gateway/sequel_migrations/005_host_repositories.rb
 - lib/smart_proxy_container_gateway/version.rb
 - settings.d/container_gateway.yml.example
 homepage: https://github.com/Katello/smart_proxy_container_gateway
 licenses:
 - GPL-3.0-only
 metadata: {}
-post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -116,8 +116,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.21
-signing_key:
+rubygems_version: 3.6.7
 specification_version: 4
 summary: Pulp 3 container registry support for Foreman/Katello Smart-Proxy
 test_files: []