Fixes #32678 - katello_ca_consumer in registration template

Move `rhsm_reconfigure` script from `katello_consumer.rpm` to `global_registration` template so the `rpm` is not needed anymore Migrated script is without support of RHEL5 and older `subscription-manager` versions (0.96 and bellow)
theforeman · Jul 21, 2021 · 5a66daa · 5a66daa
1 parent f4e690c
commit 5a66daa
Show file tree

Hide file tree

Showing 4 changed files with 75 additions and 18 deletions.
diff --git a/app/controllers/concerns/foreman/controller/registration.rb b/app/controllers/concerns/foreman/controller/registration.rb
@@ -26,8 +26,6 @@ def global_registration_vars
       location: (location || User.current.default_location || User.current.my_locations.first),
       hostgroup: host_group,
       operatingsystem: operatingsystem,
-      url_host: registration_url.host,
-      registration_url: registration_url,
       setup_insights: ActiveRecord::Type::Boolean.new.deserialize(params['setup_insights']),
       setup_remote_execution: ActiveRecord::Type::Boolean.new.deserialize(params['setup_remote_execution']),
       packages: params['packages'],
@@ -40,6 +38,7 @@ def global_registration_vars
           .to_h
           .symbolize_keys
           .merge(context)
+          .merge(context_urls)
   end
 
   def safe_render(template)
@@ -96,6 +95,10 @@ def registration_url
     fail Foreman::Exception.new(msg)
   end
 
+  def context_urls
+    { registration_url: registration_url }
+  end
+
   def setup_host_params
     setup_host_param('host_registration_insights', params['setup_insights'])
     setup_host_param('host_registration_remote_execution', params['setup_remote_execution'])

diff --git a/app/views/unattended/provisioning_templates/registration/global_registration.erb b/app/views/unattended/provisioning_templates/registration/global_registration.erb
@@ -42,6 +42,11 @@ cat << EOF > $SSL_CA_CERT
 <%= foreman_server_ca_cert %>
 EOF
 
+cleanup_and_exit() {
+  rm -f $SSL_CA_CERT
+  exit $1
+}
+
 <% unless @repo.blank? -%>
 echo '#'
 echo '# Adding repository'
@@ -71,7 +76,7 @@ EOF
 
 else
   echo "Unsupported operating system, can't add repository."
-  exit 1
+  cleanup_and_exit 1
 fi
 <% end -%>
 
@@ -102,7 +107,7 @@ echo "#"
 if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then
     register_katello_host(){
         UUID=$(subscription-manager identity | head -1 | awk '{print $3}')
-        curl --silent --show-error --cacert $SSL_CA_CERT --request POST "<%= @registration_url %>" \
+        curl --silent --show-error --cacert $KATELLO_SERVER_CA_CERT --request POST "<%= @registration_url %>" \
              --data "uuid=$UUID" \
              <%= headers.join(' ') %> \
 <%= "          --data 'host[organization_id]=#{@organization.id}' \\\n" if @organization -%>
@@ -115,11 +120,10 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then
 <%= "          --data 'packages=#{@packages}' \\\n" if @packages.present? -%>
 <%= "          --data 'update_packages=#{@update_packages}' \\\n" unless @update_packages.nil? -%>
 
-}
+    }
 
-    <% if @force -%>
-    yum remove -y katello-ca-consumer*
-    <% end -%>
+    KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/katello-server-ca.pem
+    RHSM_CFG=/etc/rhsm/rhsm.conf
 
     # rhn-client-tools conflicts with subscription-manager package
     # since rhn tools replaces subscription-manager, we need to explicitly
@@ -129,25 +133,65 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then
       yum install -y --setopt=obsoletes=0 subscription-manager
     fi
 
-    CONSUMER_RPM=$(mktemp --suffix .rpm)
-    curl --silent --show-error --output $CONSUMER_RPM <%= subscription_manager_configuration_url(hostname: @url_host) %>
+    # Prepare SSL certificate
+    cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
+    chmod 644 $KATELLO_SERVER_CA_CERT
+
+    # Prepare subscription-manager
+    yum remove -y katello-ca-consumer*
 
-    # Workaround for systems with enabled FIPS,
-    # where installation of RPM generated on RHEL7 cause 'no digest' error
-    # See https://projects.theforeman.org/issues/32068
-    if [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]; then
-        rpm -ivh --nodigest --nofiledigest $CONSUMER_RPM
+    if ! [ -x "$(command -v subscription-manager)" ] ; then
+      if [ "${VERSION_ID%.*}" -gt 7 ]; then
+        dnf install -y subscription-manager
+      else
+        yum install -y subscription-manager
+      fi
     else
-        yum localinstall $CONSUMER_RPM -y
+      if [ "${VERSION_ID%.*}" -gt 7 ]; then
+        dnf upgrade -y subscription-manager
+      else
+        yum upgrade -y subscription-manager
+      fi
     fi
 
-    rm -f $CONSUMER_RPM
+    if ! [ -f $RHSM_CFG ] ; then
+      echo "'$RHSM_CFG' not found, cannot configure subscription-manager"
+      cleanup_and_exit 1
+    fi
 
-    subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'exit 1' %>
+    # Configure subscription-manager
+    test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak
+    subscription-manager config \
+      --server.hostname="<%= @rhsm_url.host %>" \
+      --server.port="<%= @rhsm_url.port %>" \
+      --server.prefix="<%= @rhsm_url.path %>" \
+      --rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
+      --rhsm.baseurl="<%= @pulp_content_url %>"
+
+    # Older versions of subscription manager may not recognize
+    # report_package_profile and package_profile_on_trans options.
+    # So set them separately and redirect out & error to /dev/null
+    # to fail silently.
+    subscription-manager config --rhsm.package_profile_on_trans=1 > /dev/null 2>&1 || true
+    subscription-manager config --rhsm.report_package_profile=1 > /dev/null 2>&1 || true
+
+    # Configuration for EL6
+    if grep --quiet full_refresh_on_yum $RHSM_CFG; then
+      sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $RHSM_CFG
+    else
+      full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
+      sed -i "/baseurl/a $full_refresh_config" $RHSM_CFG
+    fi
+
+    subscription-manager register <%= '--force' if @force %> \
+      --org='<%= @organization.label %>' \
+      --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'cleanup_and_exit 1' %>
     register_katello_host | bash
 else
     register_host | bash
 fi
 <% else -%>
 register_host | bash
 <% end -%>
+
+cleanup_and_exit
diff --git a/config/initializers/uri_jail.rb b/config/initializers/uri_jail.rb
@@ -0,0 +1,3 @@
+class URI::Generic::Jail < Safemode::Jail
+  allow :host, :path, :port, :query, :scheme
+end
diff --git a/test/unit/foreman/renderer/scope/macros/base_test.rb b/test/unit/foreman/renderer/scope/macros/base_test.rb
@@ -139,6 +139,13 @@ class BaseMacrosTest < ActiveSupport::TestCase
     end
   end
 
+  test 'URI::Generic jail test' do
+    allowed = [:host, :path, :port, :query, :scheme]
+    allowed.each do |m|
+      assert URI::HTTP::Jail.allowed?(m), "Method #{m} is not available in URI::HTTP::Jail while should be allowed."
+    end
+  end
+
   context 'subnet helpers' do
     setup do
       host = FactoryBot.build(:host)