From 494360fded96804a4a63c7b320a52fed601d7ff8 Mon Sep 17 00:00:00 2001
From: Stejskal Leos
Date: Tue, 1 Jun 2021 14:10:26 +0000
Subject: [PATCH] Fixes #32678 - Updates & Jail for URI::Generic
---
 .../foreman/controller/registration.rb | 6 +-
 .../registration/global_registration.erb | 94 +++++++++----------
 config/initializers/uri_jail.rb | 3 +
 .../renderer/scope/macros/base_test.rb | 7 ++
 todo_subman_community.sh | 9 --
 5 files changed, 58 insertions(+), 61 deletions(-)
 create mode 100644 config/initializers/uri_jail.rb
 delete mode 100644 todo_subman_community.sh
diff --git a/app/controllers/concerns/foreman/controller/registration.rb b/app/controllers/concerns/foreman/controller/registration.rb
index 1deaa741835a..818ce8d625ae 100644
--- a/app/controllers/concerns/foreman/controller/registration.rb
+++ b/app/controllers/concerns/foreman/controller/registration.rb
@@ -91,11 +91,7 @@ def url
 end
 def context_urls
- { url: url,
- url_host: url.host,
- url_port: url.port,
- registration_url: URI.join(url, 'register'),
- }
+ { url: url, registration_url: URI.join(url, 'register') }
 end
 def host_setup_insights
diff --git a/app/views/unattended/provisioning_templates/registration/global_registration.erb b/app/views/unattended/provisioning_templates/registration/global_registration.erb
index da364d3487cd..60623f61e48f 100644
--- a/app/views/unattended/provisioning_templates/registration/global_registration.erb
+++ b/app/views/unattended/provisioning_templates/registration/global_registration.erb
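Review bot: `context_urls` in registration.rb no longer supplies `url_host` and `url_port`, so a template that still reads `@url_host` or `@url_port` would presumably render an empty value rather than fail. The bundled global_registration.erb is updated in this patch, but cloned or customized copies are not, and with an empty host the script would use `/etc/rhsm/ca/.pem` and `--server.hostname=""` without any error. Consider keeping the two keys for a deprecation period, or add a comment above the hash such as `# url is a URI object; templates read url.host / url.port through URI::Generic::Jail`. The body of `url` is outside this hunk, so its return type is inferred from the `URI.join` call and the removed `url.host` lines.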
@@ -112,53 +112,53 @@ if [ x$ID = xrhel ] || [ x$ID = xcentos ]; then
 <%= " --data 'remote_execution_interface=#{@remote_execution_interface}' \\\n" if @remote_execution_interface.present? -%>
 <%= " --data 'packages=#{@packages}' \\\n" if @packages.present? -%>
-}
-
- <% if @force -%>
- yum remove -y katello-ca-consumer*
- <% end -%>
-
- KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/<%= @url_host %>.pem
- CFG=/etc/rhsm/rhsm.conf
-
- if ! command -v subscription-manager &> /dev/null
- then
- yum install -y subscription-manager
- fi
-
- if ! [ -f $CFG ] ; then
- echo "'$CFG' not found, cannot configure subscription-manager"
- exit 1
- fi
-
- # Prepare SSL certificate
- cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
- chmod 644 $KATELLO_SERVER_CA_CERT
-
- if [ -d /etc/pki/ca-trust/source/anchors ]; then
- update-ca-trust enable
- cp -f $KATELLO_SERVER_CA_CERT /etc/pki/ca-trust/source/anchors
- update-ca-trust
- fi
-
- # Configure subscription-manager
- test -f $CFG.BAK || cp $CFG $CFG.BAK
- subscription-manager config \
- --server.hostname="<%= @url_host %>" \
- --server.port="<%= @url_port %>" \
- --server.prefix="/rhsm" \
- --rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
- --rhsm.baseurl="<%= @url %>pulp/content/"
-
- if grep --quiet full_refresh_on_yum $CFG; then
- sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $CFG
- else
- full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
- sed -i "/baseurl/a $full_refresh_config" $CFG
- fi
-
- subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'exit 1' %>
- register_katello_host | bash
+ }
+
+ <% if @force -%>
+ yum remove -y katello-ca-consumer* subscription-manager
+ <% end -%>
+
+ KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/<%= @url.host %>.pem
+ RHSM_CFG=/etc/rhsm/rhsm.conf
+
+ if ! 
command -v subscription-manager &> /dev/null
+ then
+ yum install -y subscription-manager
+ fi
+
+ if ! [ -f $RHSM_CFG ] ; then
+ echo "'$RHSM_CFG' not found, cannot configure subscription-manager"
+ exit 1
+ fi
+
+ # Prepare SSL certificate
+ cp -f $SSL_CA_CERT $KATELLO_SERVER_CA_CERT
+ chmod 644 $KATELLO_SERVER_CA_CERT
+
+ if [ -d /etc/pki/ca-trust/source/anchors ]; then
+ update-ca-trust enable
+ cp -f $KATELLO_SERVER_CA_CERT /etc/pki/ca-trust/source/anchors
+ update-ca-trust
+ fi
+
+ # Configure subscription-manager
+ test -f $RHSM_CFG.bak || cp $RHSM_CFG $RHSM_CFG.bak
+ subscription-manager config \
+ --server.hostname="<%= @url.host %>" \
+ --server.port="<%= @url.port %>" \
+ --server.prefix="/rhsm" \
+ --rhsm.repo_ca_cert="$KATELLO_SERVER_CA_CERT" \
+ --rhsm.baseurl="<%= @url %>pulp/content"
+
+ if grep --quiet full_refresh_on_yum $RHSM_CFG; then
+ sed -i "s/full_refresh_on_yum\s*=.*$/full_refresh_on_yum = 1/g" $RHSM_CFG
+ else
+ full_refresh_config="#config for on-premise management\nfull_refresh_on_yum = 1"
+ sed -i "/baseurl/a $full_refresh_config" $RHSM_CFG
+ fi
+
+ subscription-manager register <%= '--force' if @force %> --org='<%= @organization.label %>' --activationkey='<%= activation_keys %>' || <%= @ignore_subman_errors ? 'true' : 'exit 1' %>
+ register_katello_host | bash
 else
 register_host | bash
 fi
diff --git a/config/initializers/uri_jail.rb b/config/initializers/uri_jail.rb
new file mode 100644
index 000000000000..f56f031061d8
--- /dev/null
+++ b/config/initializers/uri_jail.rb
@@ -0,0 +1,3 @@
+class URI::Generic::Jail < Safemode::Jail
+ allow :host, :path, :port, :query, :scheme
+end
diff --git a/test/unit/foreman/renderer/scope/macros/base_test.rb b/test/unit/foreman/renderer/scope/macros/base_test.rb
index cf05acccfafc..1dd3b8d68d82 100644
--- a/test/unit/foreman/renderer/scope/macros/base_test.rb
+++ b/test/unit/foreman/renderer/scope/macros/base_test.rb
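Review bot: In global_registration.erb the re-added `subscription-manager register` line interpolates `@organization.label` and `activation_keys` into single-quoted shell arguments without escaping, so a value containing a single quote would close the quoting and be interpreted by the shell on the registering host. Whether those values are validated elsewhere is not visible in this patch; shell-escape them at render time, or add a comment naming the validation that makes the quoting safe. `@url.host` is likewise placed unquoted in `KATELLO_SERVER_CA_CERT=/etc/rhsm/ca/<%= @url.host %>.pem`, and the variable expansions that follow are unquoted; `cp -f "$SSL_CA_CERT" "$KATELLO_SERVER_CA_CERT"` and `[ -f "$RHSM_CFG" ]` would be the safer form. The enclosing `if` block starts before the hunk.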
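Review bot: The allow-list in config/initializers/uri_jail.rb carries no comment explaining why it stops at `host`, `path`, `port`, `query` and `scheme`, so a later edit could add `userinfo`, `user` or `password` without noticing that those expose credentials embedded in a URL to template authors. I would add a comment above `allow`, for example `# Read-only URL components only; never allow userinfo/user/password, they can carry credentials.` The template also renders the object itself with `<%= @url %>`, which presumably goes through the jail's string conversion and would include any userinfo present, so it is worth confirming that the registration URL never carries credentials.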
@@ -139,6 +139,13 @@ class BaseMacrosTest < ActiveSupport::TestCase
 end
 end
+ test 'URI::Generic jail test' do
+ allowed = [:host, :path, :port, :query, :scheme]
+ allowed.each do |m|
+ assert URI::HTTP::Jail.allowed?(m), "Method #{m} is not available in URI::HTTP::Jail while should be allowed."
+ end
+ end
+
 context 'subnet helpers' do
 setup do
 host = FactoryBot.build(:host, :with_puppet)
diff --git a/todo_subman_community.sh b/todo_subman_community.sh
deleted file mode 100644
index bc4a05c29c6a..000000000000
--- a/todo_subman_community.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-Subman on debian & ubuntu
-
-apt-get -y install ca-certificates gpg
-echo "deb https://apt.atix.de/Debian10/ stable main" >> /etc/apt/sources.list.d/foreman_registration.list
-curl -sS https://apt.atix.de/atix_gpg.pub | apt-key add -
-apt-get update
-apt-get install -y python-subscription-manager
-
-And nothing happened, no errors in the installation log and `python-subscription-manager` is not installed (or `subscription-manager`)
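Review bot: The new test in base_test.rb checks only that the five accessors are allowed; nothing asserts that credential-bearing accessors stay blocked, so a widened allow-list would pass unnoticed. Add a negative case inside the same test, e.g. `refute URI::HTTP::Jail.allowed?(:userinfo), 'userinfo must not be exposed to templates'`. The test name says URI::Generic while the assertions go through `URI::HTTP::Jail`, which presumably resolves to the new class by constant lookup through the subclass; a one-line comment such as `# URI::HTTP inherits URI::Generic::Jail` would make that intent explicit. The enclosing test class starts outside the hunk.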