Fixes #32678 - katello_ca_consumer in registration template
Move `rhsm_reconfigure` script from `katello_consumer.rpm` to
`global_registration` template so the `rpm` is not needed anymore

The migrated script does not support RHEL5 or older
`subscription-manager` versions (0.96 and below)
stejskalleos committed Jun 15, 2021
1 parent b55d3ed commit 909bf1c
Showing 4 changed files with 77 additions and 24 deletions.
15 changes: 7 additions & 8 deletions app/controllers/concerns/foreman/controller/registration.rb
Expand Up @@ -26,8 +26,6 @@ def global_registration_vars
location: (location || User.current.default_location || User.current.my_locations.first),
hostgroup: host_group,
operatingsystem: operatingsystem,
url_host: registration_url.host,
registration_url: registration_url,
setup_insights: ActiveRecord::Type::Boolean.new.deserialize(params['setup_insights']),
setup_remote_execution: ActiveRecord::Type::Boolean.new.deserialize(params['setup_remote_execution']),
packages: params['packages'],
Expand All @@ -39,6 +37,7 @@ def global_registration_vars
.to_h
.symbolize_keys
.merge(context)
.merge(context_urls)
end

def safe_render(template)
Expand Down Expand Up @@ -82,19 +81,19 @@ def not_found(options = nil)
false
end

def registration_url
uri = if params[:url].present?
URI.join(params[:url], '/register')
else
URI(register_url)
end
def url
uri = URI(params[:url] || root_url)

return uri if uri.scheme && uri.host

msg = N_('URL in :url parameter is missing a scheme, please set http:// or https://')
fail Foreman::Exception.new(msg)
end

def context_urls
{ url: url, registration_url: URI.join(url, 'register') }
end

def host_setup_insights
return if params['setup_insights'].to_s.blank?

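Review bot: The guard in `url` (`return uri if uri.scheme && uri.host`) accepts any scheme, although the error message tells the caller to use http:// or https://, and the resulting URI is handed on through `context_urls` to the rendered registration script. Restricting it to what the message promises would be tighter, e.g. `return uri if %w[http https].include?(uri.scheme) && uri.host.present?`. `URI(params[:url])` can also raise `URI::InvalidURIError` on malformed input before the guard runs; whether that is rescued is not visible in this hunk, so it may be worth converting it into the same `Foreman::Exception`. `context_urls` calls `url` twice and so parses the parameter twice; a local variable would do.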
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,11 @@ cat << EOF > $SSL_CA_CERT
<%= foreman_server_ca_cert %>
EOF

cleanup_and_exit() {
rm -f $SSL_CA_CERT
exit $1
}

<% unless @repo.blank? -%>
echo '#'
echo '# Adding repository'
Expand Down Expand Up @@ -70,7 +75,7 @@ EOF

else
echo "Unsupported operating system, can't add repository."
exit 1
cleanup_and_exit 1
fi
<% end -%>

Expand Down Expand Up @@ -100,7 +105,7 @@ echo "#"
if [ x$ID = xrhel ] || [ x$ID = xcentos ]; then
register_katello_host(){
UUID=$(subscription-manager identity | head -1 | awk '{print $3}')
curl --silent --show-error --cacert $SSL_CA_CERT --request POST "<%= @registration_url %>" \
curl --silent --show-error --cacert $KATELLO_SERVER_CA_CERT --request POST "<%= @registration_url %>" \
--data "uuid=$UUID" \
<%= headers.join(' ') %> \
<%= " --data 'host[organization_id]=#{@organization.id}' \\\n" if @organization -%>
Expand All @@ -112,31 +117,70 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ]; then
<%= " --data 'remote_execution_interface=#{@remote_execution_interface}' \\\n" if @remote_execution_interface.present? -%>
<%= " --data 'packages=#{@packages}' \\\n" if @packages.present? -%>

}
}

<% if @force -%>
yum remove -y katello-ca-consumer*
<% end -%>
KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/katello-server-ca.pem
RHSM_CFG=/etc/rhsm/rhsm.conf

# Prepare SSL certificate
cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
chmod 644 $KATELLO_SERVER_CA_CERT

CONSUMER_RPM=$(mktemp --suffix .rpm)
curl --silent --show-error --output $CONSUMER_RPM <%= subscription_manager_configuration_url(hostname: @url_host) %>
# Prepare subscription-manager
yum remove -y katello-ca-consumer*

# Workaround for systems with enabled FIPS,
# where installation of RPM generated on RHEL7 cause 'no digest' error
# See https://projects.theforeman.org/issues/32068
if [ "$(cat /proc/sys/crypto/fips_enabled)" = "1" ]; then
rpm -ivh --nodigest --nofiledigest $CONSUMER_RPM
if ! [ -x "$(command -v subscription-manager)" ] ; then
if [ "${VERSION_ID:0:1}" -gt 7 ]; then
dnf install -y subscription-manager
else
yum install -y subscription-manager
fi
else
yum localinstall $CONSUMER_RPM -y
if [ "${VERSION_ID:0:1}" -gt 7 ]; then
dnf upgrade -y subscription-manager
else
yum upgrade -y subscription-manager
fi
fi

rm -f $CONSUMER_RPM
if ! [ -f $RHSM_CFG ] ; then
echo "'$RHSM_CFG' not found, cannot configure subscription-manager"
cleanup_and_exit 1
fi

subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'exit 1' %>
# Configure subscription-manager
test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak
subscription-manager config \
--server.hostname="<%= @url.host %>" \
--server.port="<%= @url.port %>" \
--server.prefix="/rhsm" \
--rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
--rhsm.baseurl="<%= @url %>pulp/content"

# Older versions of subscription manager may not recognize
# report_package_profile and package_profile_on_trans options.
# So set them separately and redirect out & error to /dev/null
# to fail silently.
subscription-manager config --rhsm.package_profile_on_trans=1 > /dev/null 2>&1 || true
subscription-manager config --rhsm.report_package_profile=1 > /dev/null 2>&1 || true

# Configuration for EL6
if grep --quiet full_refresh_on_yum $RHSM_CFG; then
sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $RHSM_CFG
else
full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
sed -i "/baseurl/a $full_refresh_config" $RHSM_CFG
fi

subscription-manager register <%= '--force' if @force %> \
--org='<%= @organization.label %>' \
--activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'cleanup_and_exit 1' %>
register_katello_host | bash
else
register_host | bash
fi
<% else -%>
register_host | bash
<% end -%>

cleanup_and_exit
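Review bot: `--rhsm.baseurl="<%= @url %>pulp/content"` is only a valid URL when the rendered `@url` ends in `/`; that holds for `root_url`, but a `url` parameter given without a trailing slash would be glued straight onto `pulp/content`. Passing a ready-made value from the controller, built like `registration_url` with `URI.join(url, 'pulp/content')`, avoids the string concatenation. `@url` and `@url.host` are also rendered inside double-quoted shell words, where the shell still expands metacharacters, and the controller check visible on this page only requires a scheme and a host, so these values should be shell-escaped or reduced to scheme, host and port before rendering. Separately, `${VERSION_ID:0:1}` compares only the first digit, so a two-digit major version would take the `yum` branch.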
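--- a/config/initializers/uri_jail.rb
+++ b/config/initializers/uri_jail.rb
@@ -0,0 +1,3 @@
+class URI::Generic::Jail < Safemode::Jail
+allow :host, :path, :port, :query, :scheme
+end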
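Review bot: The jail carries no comment saying why these five readers were chosen, and for an allow-list that is the part a later maintainer needs before widening it. I would add above the class something like `# Read-only URI components exposed to Safemode-rendered templates; userinfo/password and all setters stay blocked on purpose.` The "on purpose" part is my reading of the list, so confirm it before committing the wording.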
7 changes: 7 additions & 0 deletions test/unit/foreman/renderer/scope/macros/base_test.rb
Expand Up @@ -139,6 +139,13 @@ class BaseMacrosTest < ActiveSupport::TestCase
end
end

test 'URI::Generic jail test' do
allowed = [:host, :path, :port, :query, :scheme]
allowed.each do |m|
assert URI::HTTP::Jail.allowed?(m), "Method #{m} is not available in URI::HTTP::Jail while should be allowed."
end
end

context 'subnet helpers' do
setup do
host = FactoryBot.build(:host, :with_puppet)
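Review bot: The new test checks only that the five listed methods are allowed, so it would still pass if the jail were later widened to expose credentials or setters. A negative assertion next to it pins the boundary, e.g. `refute URI::HTTP::Jail.allowed?(:userinfo)` and `refute URI::HTTP::Jail.allowed?(:password)`. The test name says `URI::Generic` while the assertions go through `URI::HTTP::Jail`; presumably this relies on the subclass resolving to the `URI::Generic` jail, and a one-line comment saying so would explain the difference.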
