Fixes #32678 - Updates & Jail for URI::Generic

theforeman · Jun 1, 2021 · 494360f · 494360f
1 parent 9de0f7f
commit 494360f
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 61 deletions.
diff --git a/app/controllers/concerns/foreman/controller/registration.rb b/app/controllers/concerns/foreman/controller/registration.rb
@@ -91,11 +91,7 @@ def url
   end
 
   def context_urls
-    { url: url,
-      url_host: url.host,
-      url_port: url.port,
-      registration_url: URI.join(url, 'register'),
-    }
+    { url: url, registration_url: URI.join(url, 'register') }
   end
 
   def host_setup_insights

diff --git a/app/views/unattended/provisioning_templates/registration/global_registration.erb b/app/views/unattended/provisioning_templates/registration/global_registration.erb
@@ -112,53 +112,53 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ]; then
 <%= "          --data 'remote_execution_interface=#{@remote_execution_interface}' \\\n" if @remote_execution_interface.present? -%>
 <%= "          --data 'packages=#{@packages}' \\\n" if @packages.present? -%>
 
-}
-
-  <% if @force -%>
-  yum remove -y katello-ca-consumer*
-  <% end -%>
-
-  KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/<%= @url_host %>.pem
-  CFG=/etc/rhsm/rhsm.conf
-
-  if ! command -v subscription-manager &> /dev/null
-  then
-    yum install -y subscription-manager
-  fi
-
-  if ! [ -f $CFG ] ; then
-    echo "'$CFG' not found, cannot configure subscription-manager"
-    exit 1
-  fi
-
-  # Prepare SSL certificate
-  cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
-  chmod 644 $KATELLO_SERVER_CA_CERT
-
-  if [ -d /etc/pki/ca-trust/source/anchors ]; then
-    update-ca-trust enable
-    cp -f $KATELLO_SERVER_CA_CERT /etc/pki/ca-trust/source/anchors
-    update-ca-trust
-  fi
-
-  # Configure subscription-manager
-  test -f $CFG.BAK || cp $CFG $CFG.BAK
-  subscription-manager config \
-    --server.hostname="<%= @url_host %>" \
-    --server.port="<%= @url_port %>" \
-    --server.prefix="/rhsm" \
-    --rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
-    --rhsm.baseurl="<%= @url %>pulp/content/"
-
-  if grep --quiet full_refresh_on_yum $CFG; then
-    sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $CFG
-  else
-    full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
-    sed -i "/baseurl/a $full_refresh_config" $CFG
-  fi
-
-  subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'exit 1' %>
-  register_katello_host | bash
+    }
+
+    <% if @force -%>
+    yum remove -y katello-ca-consumer* subscription-manager
+    <% end -%>
+
+    KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/<%= @url.host %>.pem
+    RHSM_CFG=/etc/rhsm/rhsm.conf
+
+    if ! command -v subscription-manager &> /dev/null
+    then
+      yum install -y subscription-manager
+    fi
+
+    if ! [ -f $RHSM_CFG ] ; then
+      echo "'$RHSM_CFG' not found, cannot configure subscription-manager"
+      exit 1
+    fi
+
+    # Prepare SSL certificate
+    cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
+    chmod 644 $KATELLO_SERVER_CA_CERT
+
+    if [ -d /etc/pki/ca-trust/source/anchors ]; then
+      update-ca-trust enable
+      cp -f $KATELLO_SERVER_CA_CERT /etc/pki/ca-trust/source/anchors
+      update-ca-trust
+    fi
+
+    # Configure subscription-manager
+    test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak
+    subscription-manager config \
+      --server.hostname="<%= @url.host %>" \
+      --server.port="<%= @url.port %>" \
+      --server.prefix="/rhsm" \
+      --rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
+      --rhsm.baseurl="<%= @url %>pulp/content"
+
+    if grep --quiet full_refresh_on_yum $RHSM_CFG; then
+      sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $RHSM_CFG
+    else
+      full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
+      sed -i "/baseurl/a $full_refresh_config" $RHSM_CFG
+    fi
+
+    subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'exit 1' %>
+    register_katello_host | bash
 else
     register_host | bash
 fi

diff --git a/config/initializers/uri_jail.rb b/config/initializers/uri_jail.rb
@@ -0,0 +1,3 @@
+class URI::Generic::Jail < Safemode::Jail
+  allow :host, :path, :port, :query, :scheme
+end
diff --git a/test/unit/foreman/renderer/scope/macros/base_test.rb b/test/unit/foreman/renderer/scope/macros/base_test.rb
@@ -139,6 +139,13 @@ class BaseMacrosTest < ActiveSupport::TestCase
     end
   end
 
+  test 'URI::Generic jail test' do
+    allowed = [:host, :path, :port, :query, :scheme]
+    allowed.each do |m|
+      assert URI::HTTP::Jail.allowed?(m), "Method #{m} is not available in URI::HTTP::Jail while should be allowed."
+    end
+  end
+
   context 'subnet helpers' do
     setup do
       host = FactoryBot.build(:host, :with_puppet)

diff --git a/todo_subman_community.sh b/todo_subman_community.sh