From 5a66daa44921e63522bb90d01f8924b6cd4abcd5 Mon Sep 17 00:00:00 2001 From: Stejskal Leos Date: Tue, 1 Jun 2021 06:37:20 +0000 Subject: [PATCH] Fixes #32678 - katello_ca_consumer in registration template Move `rhsm_reconfigure` script from `katello_consumer.rpm` to `global_registration` template so the `rpm` is not needed anymore Migrated script is without support of RHEL5 and older `subscription-manager` versions (0.96 and bellow) --- .../foreman/controller/registration.rb | 7 +- .../registration/global_registration.erb | 76 +++++++++++++++---- config/initializers/uri_jail.rb | 3 + .../renderer/scope/macros/base_test.rb | 7 ++ 4 files changed, 75 insertions(+), 18 deletions(-) create mode 100644 config/initializers/uri_jail.rb diff --git a/app/controllers/concerns/foreman/controller/registration.rb b/app/controllers/concerns/foreman/controller/registration.rb index 8e687bf32267..3105510c683f 100644 --- a/app/controllers/concerns/foreman/controller/registration.rb +++ b/app/controllers/concerns/foreman/controller/registration.rb @@ -26,8 +26,6 @@ def global_registration_vars location: (location || User.current.default_location || User.current.my_locations.first), hostgroup: host_group, operatingsystem: operatingsystem, - url_host: registration_url.host, - registration_url: registration_url, setup_insights: ActiveRecord::Type::Boolean.new.deserialize(params['setup_insights']), setup_remote_execution: ActiveRecord::Type::Boolean.new.deserialize(params['setup_remote_execution']), packages: params['packages'], @@ -40,6 +38,7 @@ def global_registration_vars .to_h .symbolize_keys .merge(context) + .merge(context_urls) end def safe_render(template) @@ -96,6 +95,10 @@ def registration_url fail Foreman::Exception.new(msg) end + def context_urls + { registration_url: registration_url } + end + def setup_host_params setup_host_param('host_registration_insights', params['setup_insights']) setup_host_param('host_registration_remote_execution', params['setup_remote_execution']) 
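Review bot: `context_urls` in the `@@ -96` hunk carries no comment saying what it is for, and nothing in this patch populates the `@rhsm_url`/`@pulp_content_url` values the template hunks read, so it looks like a plugin extension point; a short comment would make that contract explicit, e.g. `# URIs exposed to the registration template; plugins merge their own entries here (presumably Katello adds rhsm_url/pulp_content_url — confirm).` Because `registration_url` raises `Foreman::Exception` when no URL can be built (visible in the hunk's context), `context_urls` raises the same way, which `global_registration_vars` should already tolerate since the call was previously inline in the hash. Dropping `url_host` from the vars is intentional, but any user-cloned template still referencing `@url_host` will now render it as nil; if that compatibility matters, keeping `url_host: registration_url.host` inside `context_urls` for a deprecation period is a one-line change.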
diff --git a/app/views/unattended/provisioning_templates/registration/global_registration.erb b/app/views/unattended/provisioning_templates/registration/global_registration.erb index 300157c967bc..c75b13286bc0 100644 --- a/app/views/unattended/provisioning_templates/registration/global_registration.erb +++ b/app/views/unattended/provisioning_templates/registration/global_registration.erb @@ -42,6 +42,11 @@ cat << EOF > $SSL_CA_CERT <%= foreman_server_ca_cert %> EOF +cleanup_and_exit() { + rm -f $SSL_CA_CERT + exit $1 +} + <% unless @repo.blank? -%> echo '#' echo '# Adding repository' @@ -71,7 +76,7 @@ EOF else echo "Unsupported operating system, can't add repository." - exit 1 + cleanup_and_exit 1 fi <% end -%> @@ -102,7 +107,7 @@ echo "#" if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then register_katello_host(){ UUID=$(subscription-manager identity | head -1 | awk '{print $3}') - curl --silent --show-error --cacert $SSL_CA_CERT --request POST "<%= @registration_url %>" \ + curl --silent --show-error --cacert $KATELLO_SERVER_CA_CERT --request POST "<%= @registration_url %>" \ --data "uuid=$UUID" \ <%= headers.join(' ') %> \ <%= " --data 'host[organization_id]=#{@organization.id}' \\\n" if @organization -%> @@ -115,11 +120,10 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then <%= " --data 'packages=#{@packages}' \\\n" if @packages.present? -%> <%= " --data 'update_packages=#{@update_packages}' \\\n" unless @update_packages.nil? -%> -} + } - <% if @force -%> - yum remove -y katello-ca-consumer* - <% end -%> + KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/katello-server-ca.pem + RHSM_CFG=/etc/rhsm/rhsm.conf # rhn-client-tools conflicts with subscription-manager package # since rhn tools replaces subscription-manager, we need to explicitly 
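Review bot: `cleanup_and_exit` in the `@@ -42` hunk exits with the status of `rm -f` whenever it is called without an argument, because `exit $1` with an empty `$1` becomes a bare `exit` and reuses the last command's status; the trailing bare `cleanup_and_exit` this patch appends at the end of the template therefore turns a failed `register_host | bash` or `register_katello_host | bash` into exit code 0. Capturing the status before the removal fixes this: `status=${1:-$?}`, `rm -f "$SSL_CA_CERT"`, `exit "$status"` (quoting the path also stops a temp path with spaces from splitting into several arguments). A `trap 'rm -f "$SSL_CA_CERT"' EXIT` right after the heredoc would additionally cover exits that bypass this function, though the template does not appear to use `set -e`, so plain command failures still fall through to the final call.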
@@ -129,21 +133,59 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ] || [ x$ID = xol ]; then yum install -y --setopt=obsoletes=0 subscription-manager fi - CONSUMER_RPM=$(mktemp --suffix .rpm) - curl --silent --show-error --output $CONSUMER_RPM <%= subscription_manager_configuration_url(hostname: @url_host) %> + # Prepare SSL certificate + cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT + chmod 644 $KATELLO_SERVER_CA_CERT + + # Prepare subscription-manager + yum remove -y katello-ca-consumer* - # Workaround for systems with enabled FIPS, - # where installation of RPM generated on RHEL7 cause 'no digest' error - # See https://projects.theforeman.org/issues/32068 - if [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]; then - rpm -ivh --nodigest --nofiledigest $CONSUMER_RPM + if ! [ -x "$(command -v subscription-manager)" ] ; then + if [ "${VERSION_ID%.*}" -gt 7 ]; then + dnf install -y subscription-manager + else + yum install -y subscription-manager + fi else - yum localinstall $CONSUMER_RPM -y + if [ "${VERSION_ID%.*}" -gt 7 ]; then + dnf upgrade -y subscription-manager + else + yum upgrade -y subscription-manager + fi fi - rm -f $CONSUMER_RPM + if ! [ -f $RHSM_CFG ] ; then + echo "'$RHSM_CFG' not found, cannot configure subscription-manager" + cleanup_and_exit 1 + fi - subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'exit 1' %> + # Configure subscription-manager + test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak + subscription-manager config \ + --server.hostname="<%= @rhsm_url.host %>" \ + --server.port="<%= @rhsm_url.port %>" \ + --server.prefix="<%= @rhsm_url.path %>" \ + --rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \ + --rhsm.baseurl="<%= @pulp_content_url %>" + + # Older versions of subscription manager may not recognize + # report_package_profile and package_profile_on_trans options. 
+ # So set them separately and redirect out & error to /dev/null + # to fail silently. + subscription-manager config --rhsm.package_profile_on_trans=1 > /dev/null 2>&1 || true + subscription-manager config --rhsm.report_package_profile=1 > /dev/null 2>&1 || true + + # Configuration for EL6 + if grep --quiet full_refresh_on_yum $RHSM_CFG; then + sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $RHSM_CFG + else + full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1" + sed -i "/baseurl/a $full_refresh_config" $RHSM_CFG + fi + + subscription-manager register <%= '--force' if @force %> \ + --org='<%= @organization.label %>' \ + --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'cleanup_and_exit 1' %> register_katello_host | bash else register_host | bash @@ -151,3 +193,5 @@ fi <% else -%> register_host | bash <% end -%> + +cleanup_and_exit diff --git a/config/initializers/uri_jail.rb b/config/initializers/uri_jail.rb new file mode 100644 index 000000000000..f56f031061d8 --- /dev/null +++ b/config/initializers/uri_jail.rb @@ -0,0 +1,3 @@ +class URI::Generic::Jail < Safemode::Jail + allow :host, :path, :port, :query, :scheme +end diff --git a/test/unit/foreman/renderer/scope/macros/base_test.rb b/test/unit/foreman/renderer/scope/macros/base_test.rb index a1d64438206c..75a628df10fe 100644 --- a/test/unit/foreman/renderer/scope/macros/base_test.rb +++ b/test/unit/foreman/renderer/scope/macros/base_test.rb @@ -139,6 +139,13 @@ class BaseMacrosTest < ActiveSupport::TestCase end end + test 'URI::Generic jail test' do + allowed = [:host, :path, :port, :query, :scheme] + allowed.each do |m| + assert URI::HTTP::Jail.allowed?(m), "Method #{m} is not available in URI::HTTP::Jail while should be allowed." + end + end + context 'subnet helpers' do setup do host = FactoryBot.build(:host)
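Review bot: In the `@@ -129` hunk the CA certificate is copied to `$KATELLO_SERVER_CA_CERT` before `yum remove -y katello-ca-consumer*` runs and before subscription-manager is installed or upgraded, so on a host that still has the old consumer rpm the removal can delete or rename the freshly copied `/etc/rhsm/ca/katello-server-ca.pem` if that rpm owns the path (it presumably does, since it used to ship this certificate), and on a host without subscription-manager `/etc/rhsm/ca` may not exist yet, so the unchecked `cp` fails and the problem only surfaces later as a TLS error from `curl --cacert` or `subscription-manager register`. Moving the copy after the install/upgrade block and making it fatal removes the ordering dependency, as sketched below. Separately, `--org='<%= @organization.label %>'` and `--activationkey='<%= activation_keys %>'` embed admin-controlled values inside single quotes, so a label or key containing `'` breaks the command line (or worse); escaping them, or rejecting such values before rendering, would make that explicit. The `@rhsm_url`/`@pulp_content_url` variables fed to `subscription-manager config` are not supplied by `context_urls` in this patch, so presumably a plugin provides them; if the enclosing branch is not already guarded on their presence, rendering will fail on nil. The enclosing `if [ x$ID = xrhel ] ...` block starts before the hunk.
```shell
  # Prepare subscription-manager
  yum remove -y katello-ca-consumer*

  # … unchanged: install or upgrade subscription-manager with dnf/yum …

  # Prepare SSL certificate; done after the rpm removal and the package
  # install so nothing later removes the file and /etc/rhsm/ca exists
  cp -f "$SSL_CA_CERT" "$KATELLO_SERVER_CA_CERT" || cleanup_and_exit 1
  chmod 644 "$KATELLO_SERVER_CA_CERT"

  if ! [ -f $RHSM_CFG ] ; then
```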
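Review bot: The new `URI::Generic::Jail` allows `:query` but records nothing about what is deliberately left out; a line such as `# userinfo/user/password are intentionally not allowed so credentials embedded in a URI never reach a rendered template` would capture the decision, and `query` should be confirmed safe for every URI a plugin may hand to templates through `context_urls`, since a token-bearing query string would become readable from safemode. Subclasses such as `URI::HTTP` pick this jail up through Ruby constant lookup on their ancestors, which is what the accompanying test relies on when it asserts through `URI::HTTP::Jail`; a one-line comment `# also applies to URI::HTTP/URI::HTTPS via constant lookup on ancestors` would spare the next reader that deduction. The file also lacks the `# frozen_string_literal: true` magic comment the rest of the project presumably carries.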