smart_proxy_salt 4.0.0 → 5.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63743a9b37c7860b60af93db9735f210608221d87675c7d11764eb9f08348caa
-  data.tar.gz: 38fa3a0d210534f63d1f925790d0a062b20a907499dad0ba2bae1125a0bb8190
+  metadata.gz: b25650758e39a88cb8683f8ebe295d343c0752d0fff229fbe21f86ee585848c6
+  data.tar.gz: 9f26eb7258a77a426c1addf5e8ba949c432332f1b4b35897e193762cf1a60d3f
 SHA512:
-  metadata.gz: '008b29492b0f227e04ba281423df738e9334e040492f2fcf62172e866cccd931a80de5a5eac14d8e5b4c81a17dd26697e11f89aa696ab28670471f55be585e26'
-  data.tar.gz: 05a4afde3202a35328d2b2daa4cc2266808a9c7af01b53dae3876a4a8b033ef898fc07e1d86bfc9a22c05b7ab3bcdb924884c34b1d5546e1a8c93a39ec256623
+  metadata.gz: bd79c67ac4733c9b1f19a7e5f6a62a6019e39209d37abd21d7a67f48aea4e24da875bbdaecd3c8db574e566cb451038904fd9e21d045db61896df0a96ccab51e
+  data.tar.gz: 9c8640cc30f494fe2406b0a840643aacc2211c738fc25864c8c7e1024e4d2a6b6ad72e459eac947a2af9ac2b86ee14a87ba0cc84e27018742906d8a8ad50e18b

data/etc/foreman.conf.example

@@ -0,0 +1,65 @@
+# /etc/salt/master.d/foreman.config Example configuration
+#
+# This file summarizes configurations for the salt-master. Modify directories and
+# parameters to fit your setup. When you're done, remove the .example from the
+# filename so the salt-master will make use of it.
+# Have a look at the [Foreman Salt Plugin Documentation](https://theforeman.org/plugins/foreman_salt/) for detailed explanations.
+#
+# After editing this file, run the following command to active the changes:
+# $ systemctl restart salt-master
+
+
+##
+# Autosign
+autosign_grains_dir: /var/lib/foreman-proxy/salt/grains
+autosign_file: /etc/salt/autosign.conf
+# Uncomment the next line to make use of the autosign host name file (not recommended)
+# permissive_pki_access: True
+
+
+##
+# Node classifier
+master_tops:
+  ext_nodes: /usr/bin/foreman-node
+
+
+##
+# Pillar data access
+ext_pillar:
+  - puppet: /usr/bin/foreman-node
+
+
+##
+# Salt API access
+external_auth:
+  pam:
+    saltuser: # Username of your salt user
+      - '@runner'
+
+rest_cherrypy:
+  port: 9191
+  ssl_key: /etc/puppet/example.key # Add the path to your Puppet ssl key here
+  ssl_crt: /etc/puppet/example.crt # Add the path to your Puppet ssl certificate here
+
+
+##
+# Remote execution provider
+publisher_acl:
+  foreman-proxy:
+    - state.template_str
+
+
+##
+# Salt environment (optional)
+file_roots:
+  base:
+   - /srv/salt
+
+ 
+##
+# Reactors
+reactor:
+  - 'salt/auth': # Autosign reactor
+    - /var/lib/foreman-proxy/salt/reactors/foreman_minion_auth.sls
+  - 'salt/job/*/ret/*': # Report reactor
+    - /var/lib/foreman-proxy/salt/reactors/foreman_report_upload.sls

data/lib/smart_proxy_salt/cli.rb

@@ -62,54 +62,42 @@ module Proxy
         end
 
         def append_value_to_file(filepath, value)
-          result = false
-          begin
-            raise "No such file: #{filepath}" unless File.exist?(filepath)
-
-            file = open(filepath, File::RDWR)
-            found = false
-            file.each_line { |line| found = true if line.chomp == value }
-            file.puts value unless found
-            file.close
-
-            logger.info "Added an entry to '#{filepath}' successfully."
-            result = true
-          rescue SystemCallError => e
-            logger.info "Attempted to add an entry to '#{filepath}', but an exception occurred: #{e}"
+          File.open(filepath, File::CREAT|File::RDWR) do |file|
+            unless file.any? { |line| line.chomp == value}
+              file.puts value
+            end
           end
-          result
+          logger.info "Added an entry to '#{filepath}' successfully."
+          true
+        rescue IOError => e
+          logger.info "Attempted to add an entry to '#{filepath}', but an exception occurred: #{e}"
+          false
         end
 
         def remove_value_from_file(filepath, value)
-          result = false
-          begin
-            raise "No such file: #{filepath}" unless File.exist?(filepath)
-
-            found = false
-            entries = open(filepath, File::RDONLY).readlines.collect do |l|
-              entry = l.chomp
-              if entry == value
-                found = true
-                nil
-              elsif entry == ""
-                nil
-              else
-                l
-              end
-            end.uniq.compact
-            if found
-              file = open(filepath, File::TRUNC | File::RDWR)
-              file.write entries.join()
-              file.close
-              logger.info "Removed an entry from '#{filepath}' successfully."
-              result = true
+
+          return true unless File.exist?(filepath)
+
+          found = false
+          entries = File.readlines(filepath).collect do |line|
+            entry = line.chomp
+            if entry == value
+              found = true
+              nil
+            elsif entry == ""
+              nil
             else
-              raise Proxy::Salt::NotFound.new("Attempt to remove non-existent entry.")
+              line
             end
-          rescue SystemCallError => e
-            logger.info "Attempted to remove an entry from '#{filepath}', but an exception occurred: #{e}"
+          end.uniq.compact
+          if found
+            File.write(filepath, entries.join())
+            logger.info "Removed an entry from '#{filepath}' successfully."
           end
-          result
+          true
+        rescue IOError => e
+          logger.info "Attempted to remove an entry from '#{filepath}', but an exception occurred: #{e}"
+          false
         end
 
         def highstate(host)

data/lib/smart_proxy_salt/version.rb

@@ -3,6 +3,6 @@
 module Proxy
   # Salt module
   module Salt
-    VERSION = '4.0.0'.freeze
+    VERSION = '5.0.0'.freeze
   end
 end

data/salt/minion_auth/README.md

@@ -17,13 +17,13 @@ If '/srv/salt' is configured as 'file_roots' in your '/etc/salt/master' config,
 /srv/salt/_runners/foreman_https.py
 ```
 
-Check if the reactor ('foreman_minion_auth.sls') is at the appropriated location and set the correct smart proxy address in the reactor file:
+Check if the reactor ('foreman_minion_auth.sls') is at the appropriated location:
 
 ```
 /var/lib/foreman-proxy/salt/reactors/foreman_minion_auth.sls
 ```
 
-After changing the Salt master, restart the salt-master service:
+Restart the salt-master service:
 
 ```
 systemctl restart salt-master

data/salt/minion_auth/foreman_minion_auth.sls

@@ -3,22 +3,8 @@
 {% if salt['saltutil.runner']('foreman_file.check_key', (data['id'], 100)) == True %}
 {%- do salt.log.info('Minion authenticated successfully, starting HTTPS request to delete autosign key.') -%}
 remove_autosign_key_custom_runner:
-  runner.foreman_https.query_cert:
-    - method: PUT
-    - host: example.proxy.com # set smart proxy address
-    - path: /salt/api/v2/salt_autosign_auth?name={{ data['id'] }}
-    - cert: /etc/pki/katello/puppet/puppet_client.crt # default cert location
-    - key: /etc/pki/katello/puppet/puppet_client.key # default key location
-    - port: 443
-# Uncomment the following lines in case you want to use username + password authentication (not recommended)
-# call_foreman_salt_custom_runner:
-#   runner.foreman_https.query_user:
-#     - method: PUT
-#     - host: example.proxy.com # set smart proxy address
-#     - path: /salt/api/v2/salt_autosign_auth?name={{ data['id']  }}
-#     - username: my_username # set username
-#     - password: my_password # set password
-#     - port: 443
+  runner.foreman_https.remove_key:
+    - minion: {{ data['id'] }}
 {% endif %}
 {% endif %}
 {% endif %}

data/salt/minion_auth/srv/salt/_runners/foreman_file.py

@@ -1,10 +1,13 @@
-#!/usr/bin/env python
+"""
+Salt runner to check the age of a minion key file.
+"""
 
 import os
 import time
 
 SALT_KEY_PATH = "/etc/salt/pki/master/minions/"
 
+
 def time_secs(path):
     stat = os.stat(path)
     return stat.st_mtime
@@ -18,5 +21,6 @@ def younger_than_secs(path, seconds):
         return True
     return False
 
+
 def check_key(hostname, seconds):
     return younger_than_secs(SALT_KEY_PATH + hostname, seconds)

data/salt/minion_auth/srv/salt/_runners/foreman_https.py

@@ -1,13 +1,65 @@
-#!/usr/bin/env python
+"""
+Salt runner to make generic https requests or perform directly
+an autosign key removal.
+"""
+
 
 from http.client import HTTPSConnection
 import ssl
 import base64
 import json
+import logging
+import yaml
+
+FOREMAN_CONFIG = '/etc/salt/foreman.yaml'
+log = logging.getLogger(__name__)
+
+
+def salt_config():
+    """
+    Read the foreman configuratoin from FOREMAN_CONFIG
+    """
+    with open(FOREMAN_CONFIG, 'r') as config_file:
+        config = yaml.load(config_file.read())
+    return config
+
+
+def remove_key(minion):
+    """
+    Perform an HTTPS request to the configured foreman host and trigger
+    the autosign key removal process.
+    """
+    config = salt_config()
+    host_name = config[':host']
+    port = config[':port']
+    timeout = config[':timeout']
+    method = 'PUT'
+    path = '/salt/api/v2/salt_autosign_auth?name=%s' % minion
+
+    # Differentiate between cert and user authentication
+    if config[':proto'] == 'https':
+        query_cert(host=host_name,
+                   path=path,
+                   port=port,
+                   method=method,
+                   cert=config[':ssl_cert'],
+                   key=config[':ssl_key'],
+                   timeout=timeout)
+    else:
+        query_user(host=host_name,
+                   path=path,
+                   port=port,
+                   method=method,
+                   username=config[':username'],
+                   password=config[':password'],
+                   timeout=timeout)
 
 
 def query_cert(host, path, port, method, cert, key,
                payload=None, timeout=10):
+    """
+    Perform an HTTPS query with certificate credentials.
+    """
 
     headers = {"Accept": "application/json"}
 
@@ -38,6 +90,9 @@ def query_cert(host, path, port, method, cert, key,
 
 def query_user(host, path, port, method, username, password,
                payload=None, timeout=10):
+    """
+    Perform an HTTPS query with user credentials.
+    """
 
     auth = "{}:{}".format(username, password)
     token = base64.b64encode(auth.encode('utf-8')).decode('ascii')

data/salt/report_upload/README.md

@@ -10,10 +10,15 @@ This README, handles the second option and how to configure it
 Add the content of 'master.snippet' to '/etc/salt/master' which configures a reactor. 
 In case there is already a reactor configured, you need to adapt it using the options mentioned in 'master.snippet'.
 
-In case '/srv/salt' is configured as 'file_roots' in your '/etc/salt/master' config, setup the necessary salt state file and Salt runner functions:
+Check the reactor file to be in the following folder (or a different one depending on your master configuration):
+
+```
+/var/lib/foreman-proxy/salt/reactors/foreman_report_upload.sls
+```
+
+In case '/srv/salt' is configured as 'file_roots' in your '/etc/salt/master' config, setup the necessary Salt runner:
 
 ```
-/srv/salt/foreman_report_upload.sls
 /srv/salt/_runners/foreman_report_upload.py
 ```
 

data/salt/report_upload/master.snippet

@@ -1,3 +1,3 @@
 reactor:
   - 'salt/job/*/ret/*':
-    - /srv/salt/foreman_report_upload.sls
+    - /var/lib/foreman-proxy/salt/reactors/foreman_report_upload.sls

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_salt
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 5.0.0
 platform: ruby
 authors:
 - Michael Moll
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-02 00:00:00.000000000 Z
+date: 2022-02-14 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -125,6 +125,7 @@ files:
 - bin/salt_python_wrapper
 - bundler.d/salt.rb
 - cron/smart_proxy_salt
+- etc/foreman.conf.example
 - etc/foreman.yaml.example
 - lib/smart_proxy_salt.rb
 - lib/smart_proxy_salt/api_request.rb
@@ -142,9 +143,9 @@ files:
 - salt/minion_auth/srv/salt/_runners/foreman_file.py
 - salt/minion_auth/srv/salt/_runners/foreman_https.py
 - salt/report_upload/README.md
+- salt/report_upload/foreman_report_upload.sls
 - salt/report_upload/master.snippet
 - salt/report_upload/srv/salt/_runners/foreman_report_upload.py
-- salt/report_upload/srv/salt/foreman_report_upload.sls
 - sbin/upload-salt-reports
 - settings.d/salt.saltfile.example
 - settings.d/salt.yml.example