Fixes #29974 - allow subnet helpers

[lzap]

SSIA

[theforeman-bot]

Issues: #29974

[ekohl]

Can it be a problem that Katello also defines the hostname?
https://github.com/Katello/katello/blob/a9abccc2c10f5f2c1194d564834d131d57b28401/app/models/katello/concerns/smart_proxy_extensions.rb#L336-L338

Either way, after merging this that can be removed.

[tbrisker]

why do we need the hosts_count?

[lzap]

I will do a followup PR into Katello.

That hosts_count was added by accident, not needed.

[lzap]

Done: Katello/katello#8748

[timogoebel]

Does setting allow to retrieve any secret settings?

[adamruzicka]

It allows retrieving settings of a smart proxy feature. I don't think those contain any secrets

[ekohl]

Should we perhaps expose those explicitly? Features are just strings and exposed on the individual proxies without any authentication so that's IMHO safe. If you're talking about exposed settings from a proxy then those can contain private information and they're only available via an authenticated endpoint (though I'm not aware of any secrets being passed now).

[adamruzicka]

From my testing machine:

SmartProxyFeature.all.each { |f| puts "#{f.feature.name}: #{f.settings}" }
Pulp: {"pulp_url"=>"https://centos7-katello-nightly-stable.example.com/pulp"}
Pulpcore: {"pulp_url"=>"https://centos7-katello-nightly-stable.example.com", "mirror"=>false, "content_app_url"=>"https://centos7-katello-nightly-stable.example.com/pulp/content"}
TFTP: {"tftp_servername"=>nil}
Puppet CA: {"puppet_url"=>"https://centos7-katello-nightly-stable.example.com:8140", "use_provider"=>["puppetca_hostname_whitelisting", "puppetca_http_api"]}
Puppet: {"puppet_url"=>"https://centos7-katello-nightly-stable.example.com:8140", "use_provider"=>["puppet_proxy_puppet_api"]}
Logs: {}
Templates: {}
HTTPBoot: {"http_port"=>8000, "https_port"=>9090}

it looks like those don't contain any secrets, but that is no guarrantee that they never will

[ekohl]

https://github.com/theforeman/smart_proxy_pulp/blob/55ff29f4cfab971f71bc00273c7623ee8dc5af96/lib/smart_proxy_pulp_plugin/pulpcore_plugin.rb#L17-L18 does expose a username/password. It's mostly used in the development workflow if you don't have certificates set up so you won't see it in production, but exposing this is a security risk.

Another thing to consider is that these settings are IMHO internal implementation details. You should always wrap them in high level logic. For example, the puppet server url has a one that also provides compatibility with older releases which didn't expose this:

foreman/app/models/concerns/host_common.rb

Lines 95 to 100 in c356041

	def puppet_server_uri
	return unless puppet_proxy
	url = puppet_proxy.setting('Puppet', 'puppet_url')
	url ||= "https://#{puppet_proxy}:8140"
	URI(url)
	end

That particular helper should be exposed rather than raw settings.

👎 on exposing setting.

[lzap]

Ok how about that, I have implemented whitelisting.

[adamruzicka]

This shows what settings are allowed, but not which setting was actually requested

::Foreman::Exception.new(N_("Setting is not whitelisted: %s"), ALLOWED_SETTINGS).message
=> "ERF42-4295 [Foreman::Exception]: Setting is not whitelisted: [\"http_port\", \"https_port\"]"

[lzap]

Fixing and adding tests for this.

[lzap]

Rebased, can I get a quick blessing for this @tbrisker and @ekohl ? This patch is actually needed to have bootdisk working with EFI HTTP BOOT. Added tests so we are safe.

[ekohl]

👎 because I still think explicit wrappers are better. For example, this doesn't look at the feature at all. You will also end up with duplicated logic.

foreman/app/models/operatingsystem.rb

Lines 229 to 240 in c356041

	if host.subnet&.httpboot?
	if host.pxe_loader =~ /UEFI HTTPS/
	port = host.subnet.httpboot.setting(:HTTPBoot, 'https_port') || raise(::Foreman::Exception.new(N_("HTTPS boot requires proxy with httpboot feature and https_port exposed setting")))
	else
	port = host.subnet.httpboot.setting(:HTTPBoot, 'http_port') || raise(::Foreman::Exception.new(N_("HTTP boot requires proxy with httpboot feature and http_port exposed setting")))
	end
	hostname = URI.parse(host.subnet.httpboot.url).hostname
	self.class.all_loaders_map(architecture, "#{hostname}:#{port}")[host.pxe_loader]
	else
	raise(::Foreman::Exception.new(N_("HTTP UEFI boot requires proxy with httpboot feature"))) if host.pxe_loader =~ /UEFI HTTP/
	self.class.all_loaders_map(architecture)[host.pxe_loader]
	end

That logic block contains a lot of the same things. We've already seen multiple times that users couldn't even manage to debug that error message. If we expose raw settings it'll be even harder. The wrapper can raise a proper error.

[lzap]

Okay, I've extracted this into two methods. How about now?

[lzap]

Tests are passing now @ekohl

[adamruzicka]

It exposes all the settings we need in a safe manner without exposing things we don't need. 👍 from me

[ekohl]

Thanks! @tbrisker any last thoughts?

[timogoebel]

Do we need to check if the proxy has the appropriate feature?

[ekohl]

IIRC the data model is that the settings are stored in the Feature model. So having a setting implies the feature. It may be useful to check it separate when you want to raise more explicit exceptions. I can imagine a FeatureMissingException or something. However, that's not a requirement for this PR.

[lzap]

The code actually does this. Method settings uses try. If you scroll to the right, you will see the error saying either feature is missing or port is not exposed.

[adamruzicka]

Katello failures seem unrelated, merging

[adamruzicka]

Thank you @lzap!

[lzap]

• CP 2.1: Fixes #29974 - allow subnet helpers (CP 2.1) #7722