smart_proxy_salt 4.0.0 → 5.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 63743a9b37c7860b60af93db9735f210608221d87675c7d11764eb9f08348caa
-  data.tar.gz: 38fa3a0d210534f63d1f925790d0a062b20a907499dad0ba2bae1125a0bb8190
+  metadata.gz: 4ba18b31812c408bbbef40601e2f7279ee6f04d55a62b999b7b993f0158aede8
+  data.tar.gz: 82822b47407c7c5e66151627a7935d294566c6e5dc17c4bbf7c2674890653826
 SHA512:
-  metadata.gz: '008b29492b0f227e04ba281423df738e9334e040492f2fcf62172e866cccd931a80de5a5eac14d8e5b4c81a17dd26697e11f89aa696ab28670471f55be585e26'
-  data.tar.gz: 05a4afde3202a35328d2b2daa4cc2266808a9c7af01b53dae3876a4a8b033ef898fc07e1d86bfc9a22c05b7ab3bcdb924884c34b1d5546e1a8c93a39ec256623
+  metadata.gz: d95ddd85199c088db57c6248d99d7a370e36c74191aeda0d74fd4f7fb7d573ee50a0b4a107092d2f8f6c3018c131e6127236cc5818f84c835eecabd0b21ef6bf
+  data.tar.gz: d9866d18feed738e03d0e47784ee75b41921b65bcbbd33e88aec5856cfd5160e4b0b5e5485d5c25c3a6c601d6c519bde984599b734f7f081b7adce9de53c3277

data/etc/foreman.conf.example

@@ -0,0 +1,65 @@
+# /etc/salt/master.d/foreman.config Example configuration
+#
+# This file summarizes configurations for the salt-master. Modify directories and
+# parameters to fit your setup. When you're done, remove the .example from the
+# filename so the salt-master will make use of it.
+# Have a look at the [Foreman Salt Plugin Documentation](https://theforeman.org/plugins/foreman_salt/) for detailed explanations.
+#
+# After editing this file, run the following command to active the changes:
+# $ systemctl restart salt-master
+
+
+##
+# Autosign
+autosign_grains_dir: /var/lib/foreman-proxy/salt/grains
+autosign_file: /etc/salt/autosign.conf
+# Uncomment the next line to make use of the autosign host name file (not recommended)
+# permissive_pki_access: True
+
+
+##
+# Node classifier
+master_tops:
+  ext_nodes: /usr/bin/foreman-node
+
+
+##
+# Pillar data access
+ext_pillar:
+  - puppet: /usr/bin/foreman-node
+
+
+##
+# Salt API access
+external_auth:
+  pam:
+    saltuser: # Username of your salt user
+      - '@runner'
+
+rest_cherrypy:
+  port: 9191
+  ssl_key: /etc/puppet/example.key # Add the path to your Puppet ssl key here
+  ssl_crt: /etc/puppet/example.crt # Add the path to your Puppet ssl certificate here
+
+
+##
+# Remote execution provider
+publisher_acl:
+  foreman-proxy:
+    - state.template_str
+
+
+##
+# Salt environment (optional)
+file_roots:
+  base:
+   - /srv/salt
+
+ 
+##
+# Reactors
+reactor:
+  - 'salt/auth': # Autosign reactor
+    - /var/lib/foreman-proxy/salt/reactors/foreman_minion_auth.sls
+  - 'salt/job/*/ret/*': # Report reactor
+    - /var/lib/foreman-proxy/salt/reactors/foreman_report_upload.sls

data/lib/smart_proxy_salt/cli.rb

@@ -62,54 +62,42 @@ module Proxy
         end
 
         def append_value_to_file(filepath, value)
-          result = false
-          begin
-            raise "No such file: #{filepath}" unless File.exist?(filepath)
-
-            file = open(filepath, File::RDWR)
-            found = false
-            file.each_line { |line| found = true if line.chomp == value }
-            file.puts value unless found
-            file.close
-
-            logger.info "Added an entry to '#{filepath}' successfully."
-            result = true
-          rescue SystemCallError => e
-            logger.info "Attempted to add an entry to '#{filepath}', but an exception occurred: #{e}"
+          File.open(filepath, File::CREAT|File::RDWR) do |file|
+            unless file.any? { |line| line.chomp == value}
+              file.puts value
+            end
           end
-          result
+          logger.info "Added an entry to '#{filepath}' successfully."
+          true
+        rescue IOError => e
+          logger.info "Attempted to add an entry to '#{filepath}', but an exception occurred: #{e}"
+          false
         end
 
         def remove_value_from_file(filepath, value)
-          result = false
-          begin
-            raise "No such file: #{filepath}" unless File.exist?(filepath)
-
-            found = false
-            entries = open(filepath, File::RDONLY).readlines.collect do |l|
-              entry = l.chomp
-              if entry == value
-                found = true
-                nil
-              elsif entry == ""
-                nil
-              else
-                l
-              end
-            end.uniq.compact
-            if found
-              file = open(filepath, File::TRUNC | File::RDWR)
-              file.write entries.join()
-              file.close
-              logger.info "Removed an entry from '#{filepath}' successfully."
-              result = true
+
+          return true unless File.exist?(filepath)
+
+          found = false
+          entries = File.readlines(filepath).collect do |line|
+            entry = line.chomp
+            if entry == value
+              found = true
+              nil
+            elsif entry == ""
+              nil
             else
-              raise Proxy::Salt::NotFound.new("Attempt to remove non-existent entry.")
+              line
             end
-          rescue SystemCallError => e
-            logger.info "Attempted to remove an entry from '#{filepath}', but an exception occurred: #{e}"
+          end.uniq.compact
+          if found
+            File.write(filepath, entries.join())
+            logger.info "Removed an entry from '#{filepath}' successfully."
           end
-          result
+          true
+        rescue IOError => e
+          logger.info "Attempted to remove an entry from '#{filepath}', but an exception occurred: #{e}"
+          false
         end
 
         def highstate(host)

data/lib/smart_proxy_salt/version.rb

@@ -3,6 +3,6 @@
 module Proxy
   # Salt module
   module Salt
-    VERSION = '4.0.0'.freeze
+    VERSION = '5.0.1'.freeze
   end
 end

data/salt/minion_auth/README.md

@@ -17,13 +17,13 @@ If '/srv/salt' is configured as 'file_roots' in your '/etc/salt/master' config,
 /srv/salt/_runners/foreman_https.py
 ```
 
-Check if the reactor ('foreman_minion_auth.sls') is at the appropriated location and set the correct smart proxy address in the reactor file:
+Check if the reactor ('foreman_minion_auth.sls') is at the appropriated location:
 
 ```
 /var/lib/foreman-proxy/salt/reactors/foreman_minion_auth.sls
 ```
 
-After changing the Salt master, restart the salt-master service:
+Restart the salt-master service:
 
 ```
 systemctl restart salt-master

data/salt/minion_auth/foreman_minion_auth.sls

@@ -3,22 +3,8 @@
 {% if salt['saltutil.runner']('foreman_file.check_key', (data['id'], 100)) == True %}
 {%- do salt.log.info('Minion authenticated successfully, starting HTTPS request to delete autosign key.') -%}
 remove_autosign_key_custom_runner:
-  runner.foreman_https.query_cert:
-    - method: PUT
-    - host: example.proxy.com # set smart proxy address
-    - path: /salt/api/v2/salt_autosign_auth?name={{ data['id'] }}
-    - cert: /etc/pki/katello/puppet/puppet_client.crt # default cert location
-    - key: /etc/pki/katello/puppet/puppet_client.key # default key location
-    - port: 443
-# Uncomment the following lines in case you want to use username + password authentication (not recommended)
-# call_foreman_salt_custom_runner:
-#   runner.foreman_https.query_user:
-#     - method: PUT
-#     - host: example.proxy.com # set smart proxy address
-#     - path: /salt/api/v2/salt_autosign_auth?name={{ data['id']  }}
-#     - username: my_username # set username
-#     - password: my_password # set password
-#     - port: 443
+  runner.foreman_https.remove_key:
+    - minion: {{ data['id'] }}
 {% endif %}
 {% endif %}
 {% endif %}

data/salt/minion_auth/srv/salt/_runners/foreman_file.py

@@ -1,10 +1,13 @@
-#!/usr/bin/env python
+"""
+Salt runner to check the age of a minion key file.
+"""
 
 import os
 import time
 
 SALT_KEY_PATH = "/etc/salt/pki/master/minions/"
 
+
 def time_secs(path):
     stat = os.stat(path)
     return stat.st_mtime
@@ -18,5 +21,6 @@ def younger_than_secs(path, seconds):
         return True
     return False
 
+
 def check_key(hostname, seconds):
     return younger_than_secs(SALT_KEY_PATH + hostname, seconds)

data/salt/minion_auth/srv/salt/_runners/foreman_https.py

@@ -1,13 +1,65 @@
-#!/usr/bin/env python
+"""
+Salt runner to make generic https requests or perform directly
+an autosign key removal.
+"""
+
 
 from http.client import HTTPSConnection
 import ssl
 import base64
 import json
+import logging
+import yaml
+
+FOREMAN_CONFIG = '/etc/salt/foreman.yaml'
+log = logging.getLogger(__name__)
+
+
+def salt_config():
+    """
+    Read the foreman configuratoin from FOREMAN_CONFIG
+    """
+    with open(FOREMAN_CONFIG, 'r') as config_file:
+        config = yaml.load(config_file.read())
+    return config
+
+
+def remove_key(minion):
+    """
+    Perform an HTTPS request to the configured foreman host and trigger
+    the autosign key removal process.
+    """
+    config = salt_config()
+    host_name = config[':host']
+    port = config[':port']
+    timeout = config[':timeout']
+    method = 'PUT'
+    path = '/salt/api/v2/salt_autosign_auth?name=%s' % minion
+
+    # Differentiate between cert and user authentication
+    if config[':proto'] == 'https':
+        query_cert(host=host_name,
+                   path=path,
+                   port=port,
+                   method=method,
+                   cert=config[':ssl_cert'],
+                   key=config[':ssl_key'],
+                   timeout=timeout)
+    else:
+        query_user(host=host_name,
+                   path=path,
+                   port=port,
+                   method=method,
+                   username=config[':username'],
+                   password=config[':password'],
+                   timeout=timeout)
 
 
 def query_cert(host, path, port, method, cert, key,
                payload=None, timeout=10):
+    """
+    Perform an HTTPS query with certificate credentials.
+    """
 
     headers = {"Accept": "application/json"}
 
@@ -38,6 +90,9 @@ def query_cert(host, path, port, method, cert, key,
 
 def query_user(host, path, port, method, username, password,
                payload=None, timeout=10):
+    """
+    Perform an HTTPS query with user credentials.
+    """
 
     auth = "{}:{}".format(username, password)
     token = base64.b64encode(auth.encode('utf-8')).decode('ascii')

data/salt/report_upload/README.md

@@ -1,19 +1,24 @@
 # Foreman Salt Report Upload
 
 Currently, there are two possibilites to upload the salt report to Foreman:
-1. Use /usr/sbin/upload-salt-reports which is called by a cron job every 10 minutes by default
-2. Upload the report immediately by using a Salt Reactor.
+1. Upload the report immediately by using a Salt Reactor (recommended).
+2. Use /usr/sbin/upload-salt-reports manually (or set up a cronjob, see `/cron/smart_proxy_salt`).
 
-This README, handles the second option and how to configure it
+This README handles the first option and how to configure it
 
 ## Setup
 Add the content of 'master.snippet' to '/etc/salt/master' which configures a reactor. 
 In case there is already a reactor configured, you need to adapt it using the options mentioned in 'master.snippet'.
 
-In case '/srv/salt' is configured as 'file_roots' in your '/etc/salt/master' config, setup the necessary salt state file and Salt runner functions:
+Check the reactor file to be in the following folder (or a different one depending on your master configuration):
+
+```
+/var/lib/foreman-proxy/salt/reactors/foreman_report_upload.sls
+```
+
+In case '/srv/salt' is configured as 'file_roots' in your '/etc/salt/master' config, setup the necessary Salt runner:
 
 ```
-/srv/salt/foreman_report_upload.sls
 /srv/salt/_runners/foreman_report_upload.py
 ```
 

data/salt/report_upload/master.snippet

@@ -1,3 +1,3 @@
 reactor:
   - 'salt/job/*/ret/*':
-    - /srv/salt/foreman_report_upload.sls
+    - /var/lib/foreman-proxy/salt/reactors/foreman_report_upload.sls

data/salt/report_upload/srv/salt/_runners/foreman_report_upload.py

@@ -4,13 +4,16 @@ Uploads reports from the Salt job cache to Foreman
 '''
 from __future__ import absolute_import, print_function, unicode_literals
 
+LAST_UPLOADED = '/etc/salt/last_uploaded'
 FOREMAN_CONFIG = '/etc/salt/foreman.yaml'
+LOCK_FILE = '/var/lock/salt-report-upload.lock'
 
 try:
     from http.client import HTTPConnection, HTTPSConnection
 except ImportError:
     from httplib import HTTPSConnection, HTTPSConnection
 
+import io
 import ssl
 import json
 import yaml
@@ -24,12 +27,21 @@ import logging
 log = logging.getLogger(__name__)
 
 
+if sys.version_info.major == 3:
+    unicode = str
+
+
 def salt_config():
     with open(FOREMAN_CONFIG, 'r') as f:
         config = yaml.load(f.read())
     return config
 
 
+def write_last_uploaded(last_uploaded):
+    with io.open(LAST_UPLOADED, 'w+') as f:
+        f.write(unicode(last_uploaded))
+
+
 def upload(report):
     config = salt_config()
     headers = {'Accept': 'application/json',
@@ -55,6 +67,7 @@ def upload(report):
     response = connection.getresponse()
 
     if response.status == 200:
+        write_last_uploaded(report['job']['job_id'])
         info_msg = 'Success {0}: {1}'.format(report['job']['job_id'], response.read())
         log.info(info_msg)
     else:
@@ -81,7 +94,7 @@ def create_report(json_str):
                 return {'job':
                      {
                        'result': {
-                         msg['id']: entry['changes']['ret'],
+                         msg['id']: next(iter(entry['changes'].values())),
                        },
                        'function': 'state.highstate',
                        'job_id': msg['jid']
@@ -90,6 +103,18 @@ def create_report(json_str):
     raise Exception('No state.highstate found')
 
 
+def get_lock():
+    if os.path.isfile(LOCK_FILE):
+        raise Exception("Unable to obtain lock.")
+    else:
+        io.open(LOCK_FILE, 'w+').close()
+
+
+def release_lock():
+    if os.path.isfile(LOCK_FILE):
+        os.remove(LOCK_FILE)
+
+
 def now(highstate):
     '''
     Upload a highstate to Foreman
@@ -100,7 +125,10 @@ def now(highstate):
 
     try:
         report = create_report(base64.b64decode(highstate))
+        get_lock()
         upload(report)
     except Exception as exc:
         log.error('Exception encountered: %s', exc)
+    finally:
+        release_lock()
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: smart_proxy_salt
 version: !ruby/object:Gem::Version
-  version: 4.0.0
+  version: 5.0.1
 platform: ruby
 authors:
 - Michael Moll
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-08-02 00:00:00.000000000 Z
+date: 2022-11-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: test-unit
@@ -124,7 +124,7 @@ files:
 - bin/foreman-node
 - bin/salt_python_wrapper
 - bundler.d/salt.rb
-- cron/smart_proxy_salt
+- etc/foreman.conf.example
 - etc/foreman.yaml.example
 - lib/smart_proxy_salt.rb
 - lib/smart_proxy_salt/api_request.rb
@@ -142,9 +142,9 @@ files:
 - salt/minion_auth/srv/salt/_runners/foreman_file.py
 - salt/minion_auth/srv/salt/_runners/foreman_https.py
 - salt/report_upload/README.md
+- salt/report_upload/foreman_report_upload.sls
 - salt/report_upload/master.snippet
 - salt/report_upload/srv/salt/_runners/foreman_report_upload.py
-- salt/report_upload/srv/salt/foreman_report_upload.sls
 - sbin/upload-salt-reports
 - settings.d/salt.saltfile.example
 - settings.d/salt.yml.example

data/cron/smart_proxy_salt

@@ -1,5 +0,0 @@
-SHELL=/bin/sh
-PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-
-# Check every 10 minutes for new Salt reports to upload to Foreman
-*/10 * * * * root /usr/sbin/upload-salt-reports >>/var/log/foreman-proxy/salt-cron.log 2>&1