smart_proxy_openbolt 0.0.1

data/README.md

@@ -0,0 +1,16 @@
+# Smart Proxy - OpenBolt
+
+This plug-in adds support for OpenBolt to Foreman's Smart Proxy.
+
+# Things to be aware of
+* Any SSH keys to be used should be readable by the foreman-proxy user.
+* Results are currently stored on disk at /var/logs/foreman-proxy/openbolt by default (configurable in settings). Fetching old results is possible as long as the files stay on disk.
+
+## how to release
+
+* bump version in `lib/smart_proxy_openbolt/version.rb`
+* run `CHANGELOG_GITHUB_TOKEN=github_pat... bundle exec rake changelog`
+* create a PR
+* get a review & merge
+* create and push a tag
+* github actions will publish the tag

data/bundler.d/openbolt.rb

@@ -0,0 +1 @@
+gem 'smart_proxy_openbolt'

data/lib/smart_proxy_openbolt/api.rb

@@ -0,0 +1,90 @@
+require 'json'
+require 'sinatra'
+require 'smart_proxy_openbolt/plugin'
+require 'smart_proxy_openbolt/main'
+require 'smart_proxy_openbolt/error'
+
+module Proxy::OpenBolt
+
+  class Api < ::Sinatra::Base
+    include ::Proxy::Log
+    helpers ::Proxy::Helpers
+
+    # Require authentication
+    # These require foreman-proxy to be able to read Puppet's certs/CA, which
+    # by default are owned by puppet:puppet. Need to have installation figure out
+    # the best way to open them to foreman-proxy if we want to use this, I think.
+    #authorize_with_trusted_hosts
+    #authorize_with_ssl_client
+
+    # Call reload_tasks at class load so the first call to /tasks
+    # is potentially faster (if called after this finishes). Do it
+    # async so we don't block. The reload_tasks function uses a mutex
+    # so it will be safe to call /tasks before it completes.
+    Thread.new { Proxy::OpenBolt.tasks }
+
+    get '/tasks' do
+      catch_errors { Proxy::OpenBolt.tasks.to_json }
+    end
+
+    get '/tasks/reload' do
+      catch_errors { Proxy::OpenBolt.tasks(reload: true).to_json }
+    end
+
+    get '/tasks/options' do
+      catch_errors { Proxy::OpenBolt.openbolt_options.to_json}
+    end
+
+    post '/launch/task' do
+      catch_errors do
+        data = JSON.parse(request.body.read)
+        Proxy::OpenBolt.launch_task(data)
+      end
+    end
+
+    get '/job/:id/status' do |id|
+      catch_errors { Proxy::OpenBolt.get_status(id) }
+    end
+
+    get '/job/:id/result' do |id|
+      catch_errors { Proxy::OpenBolt.get_result(id) }
+    end
+
+    delete '/job/:id/artifacts' do |id|
+      catch_errors do
+        # Validate the job ID format to prevent directory traversal
+        unless id =~ /\A[a-f0-9\-]+\z/i
+          raise Proxy::OpenBolt::Error.new(message: "Invalid job ID format")
+        end
+
+        file_path = File.join(Proxy::OpenBolt::Plugin.settings.log_dir, "#{id}.json")
+
+        if File.exist?(file_path)
+          real_path = File.realpath(file_path)
+          expected_dir = File.realpath(Proxy::OpenBolt::Plugin.settings.log_dir)
+          raise Proxy::OpenBolt::Error.new(message: "Invalid file path") unless real_path.start_with?(expected_dir)
+
+          File.delete(file_path)
+          logger.info("Deleted artifacts for job #{id}")
+          { status: 'deleted', job_id: id, path: file_path }.to_json
+        else
+          logger.warning("Artifacts not found for job #{id}")
+          { status: 'not_found', job_id: id }.to_json
+        end
+      end
+    end
+
+    private
+
+    def catch_errors(&block)
+      begin
+        yield
+      rescue Proxy::OpenBolt::Error => e
+        e.to_json
+      rescue Exception => e
+        raise e
+        #Proxy::OpenBolt::Error.new(message: "Unhandled exception", exception: e).to_json
+      end
+    end
+  end
+end

data/lib/smart_proxy_openbolt/error.rb

@@ -0,0 +1,43 @@
+module Proxy::OpenBolt
+  class Error < StandardError
+    def initialize(**fields)
+      fields.each { |key, val| instance_variable_set("@#{key}", val) }
+      super(fields[:message])
+    end
+
+    def to_json
+      details = {}
+      instance_variables.each do |var|
+        name = var.to_s.delete("@").to_sym
+        val = instance_variable_get(var)
+
+        next if val.nil?
+
+        if name == :exception && val.is_a?(Exception)
+          details[:exception] = {
+            class:     val.class.to_s,
+            message:   val.message,
+            backtrace: val.backtrace
+          }
+        else
+          details[name] = val
+        end
+      end
+      { error: details }.to_json
+    end
+  end
+
+  class CliError < Error
+    attr_accessor :exitcode, :stdout, :stderr, :command
+
+    def initialize(message:, exitcode:, stdout:, stderr:, command:)
+      super(
+        message:  message,
+        exitcode: exitcode,
+        stdout:   stdout,
+        stderr:   stderr,
+        command:  command,
+      )
+    end
+  end
+end

data/lib/smart_proxy_openbolt/executor.rb

@@ -0,0 +1,91 @@
+require 'concurrent'
+require 'securerandom'
+require 'singleton'
+require 'smart_proxy_openbolt/job'
+require 'smart_proxy_openbolt/task_job'
+
+module Proxy::OpenBolt
+  class Executor
+    include Singleton
+
+    SHUTDOWN_TIMEOUT = 30
+
+    def initialize
+      @pool = Concurrent::FixedThreadPool.new(Proxy::OpenBolt::Plugin.settings.workers.to_i)
+      @jobs = Concurrent::Map.new
+    end
+
+    def add_job(job)
+      raise ArgumentError, "Only Job instances can be added" unless job.is_a?(Job)
+      id = SecureRandom.uuid
+      job.id = id
+      @jobs[id] = job
+      @pool.post { job.process }
+      id
+    end
+
+    def status(id)
+      job = get_job(id)
+      return :invalid unless job
+      job&.status
+    end
+
+    def result(id)
+      job = get_job(id)
+      return :invalid unless job
+      job.result
+    end
+
+    # How many workers are currently busy
+    def num_running
+      @pool.length
+    end
+
+    # How many jobs are waiting in the queue
+    def queue_length
+      @pool.queue_length
+    end
+
+    # Total number of jobs completed since proxy start
+    def jobs_completed
+      @pool.completed_task_count
+    end
+
+    # Still accepting and running jobs, or shutting down?
+    def running?
+      @pool.running?
+    end
+
+    # Stop accepting tasks and wait up to SHUTDOWN_TIMEOUT seconds
+    # for in-flight jobs to finish. If timeout = nil, wait forever.
+    def shutdown(timeout)
+      @pool.shutdown
+      @pool.wait_for_termination(SHUTDOWN_TIMEOUT)
+    end
+
+    private
+
+    def get_job(id)
+      return @jobs[id] if @jobs.keys.include?(id)
+      # Look on disk for a past run that may have happened
+      job = nil
+      file = "#{Proxy::OpenBolt::Plugin.settings.log_dir}/#{id}.json"
+      if File.exist?(file)
+        begin
+          data = JSON.parse(File.read(file))
+          return nil if data['schema'].nil? || data['schema'] != 1
+          return nil if data['status'].nil?
+          # This is only for reading back status and result. Don't try
+          # to fill in the other arguments correctly, and don't assume
+          # they are there after execution.
+          job = Job.new(nil, nil, nil)
+          job.id = id
+          job.update_status(data['status'].to_sym)
+          @jobs[id] = job
+        rescue JSON::ParserError
+        end
+      end
+      job
+    end
+  end
+end

data/lib/smart_proxy_openbolt/http_config.ru

@@ -0,0 +1,5 @@
+require 'smart_proxy_openbolt/api'
+
+map '/openbolt' do
+  run Proxy::OpenBolt::Api
+end

data/lib/smart_proxy_openbolt/job.rb

@@ -0,0 +1,131 @@
+require 'net/http'
+require 'smart_proxy_openbolt/result'
+require 'thread'
+
+module Proxy::OpenBolt
+  class Job
+    attr_accessor :id
+    attr_reader :name, :parameters, :options, :status
+
+    # Valid statuses are
+    #  :pending - waiting to run
+    #  :running - in progress
+    #  :success - job finished as was completely successful
+    #  :failure - job finished and had one or more failures
+    #  :exception - command exited with an unexpected code
+
+    def initialize(name, parameters, options)
+      @id         = nil
+      @name       = name
+      @parameters = parameters
+      @options    = options
+      @status     = :pending
+      @mutex      = Mutex.new
+    end
+
+    def execute
+      raise NotImplementedError, "You must call #execute on a subclass of Job"
+    end
+
+    # Called by worker. The 'execute' function should return a
+    # Proxy::OpenBolt::Result object
+    def process
+      update_status(:running)
+      begin
+        result = execute
+        update_status(result.status)
+        store_result(result)
+      rescue => e
+        # This should never happen, but just in case we made a coding error,
+        # expose something in the result.
+        update_status(:exception)
+        store_result({message: e.full_message, backtrace: e.backtrace})
+      end
+    end
+
+    def update_status(value)
+      @mutex.synchronize { @status = value }
+    end
+
+    def store_result(value)
+      # On disk
+      results_file = "#{Proxy::OpenBolt::Plugin.settings.log_dir}/#{@id}.json"
+      File.open(results_file, 'w') { |f| f.write(value.to_json) }
+
+      # Send to reports API
+      #reports = get_reports(value)
+
+      # TODO: Figure out how to authenticate with the /api/config_reports endpoint
+      #reports.each do |report|
+      #  foreman = Proxy::SETTINGS.foreman_url
+        # Send it
+      #  puts foreman
+      #end
+    end
+
+    def log_item(text, level)
+      { 
+        'log': {
+          'sources': {
+            'source': 'OpenBolt'
+          },
+          'messages': {
+            'message': text
+          },
+          'level': level
+        }
+      }
+    end
+
+    def get_reports(value)
+      command = value.command
+      log = value.log
+      items = value.value['items']
+      return nil if items.nil?
+      timestamp = Time.now.utc
+
+      source = { 'sources': { 'source': 'OpenBolt' } }
+      items.map do |item|
+        target = item['target']
+        status = item['status']
+        data = item['value']
+        message = item['message']
+        logs = [log_item("Command: #{command}", 'info')]
+        if data['_error']
+          kind = data.dig('_error','kind')
+          msg = data.dig('_error', 'msg')
+          issue_code = data.dig('_error', 'issue_code')
+          logs << log_item("Error kind: #{kind}", 'error')
+          logs << log_item("Error mesage: #{msg}", 'error')
+          logs << log_item("Error issue code: #{issue_code}", 'error')
+        end
+        logs << log_item("Result: #{data}", 'info')
+        logs << log_item("Task run log: #{log}", 'info') if log
+        logs << log_item("Message: #{message}", 'info') if message
+        {
+          'config_report': {
+            'host': target,
+            'reported_at': timestamp,
+            'status': {
+              "applied": status == 'success' ? 1 : 0,
+              "failed": status == 'failure' ? 1 : 0,
+            },
+            'logs': logs
+          }
+        }
+      end
+      items
+    end
+        
+        
+
+
+    # At the moment, always read back from the file so we don't store a bunch
+    # of huge results in memory. Once we are database-backed, this is less
+    # cumbersome and problematic.
+    def result
+      results_file = "#{Proxy::OpenBolt::Plugin.settings.log_dir}/#{@id}.json"
+      JSON.parse(File.read(results_file))
+    end
+  end
+end