Fixes #36688 - Provide option to use wget for the new Register Host f…

…eature
theforeman · Sep 2, 2024 · cf7c278 · cf7c278
1 parent cd1ea00
commit cf7c278
Show file tree

Hide file tree

Showing 22 changed files with 426 additions and 46 deletions.
diff --git a/.eslintrc b/.eslintrc
@@ -182,6 +182,7 @@
           "vnc",
           "vnic",
           "webpack",
+          "wget",
           "wss",
           "x86_64",
           "xml",

diff --git a/app/controllers/api/v2/registration_commands_controller.rb b/app/controllers/api/v2/registration_commands_controller.rb
@@ -15,7 +15,7 @@ class RegistrationCommandsController < V2::BaseController
         param :setup_insights, :bool, desc: N_("Set 'host_registration_insights' parameter for the host. If it is set to true, insights client will be installed and registered on Red Hat family operating systems")
         param :setup_remote_execution, :bool, desc: N_("Set 'host_registration_remote_execution' parameter for the host. If it is set to true, SSH keys will be installed on the host")
         param :jwt_expiration, :number, desc: N_("Expiration of the authorization token (in hours), 0 means 'unlimited'.")
-        param :insecure, :bool, desc: N_("Enable insecure argument for the initial curl")
+        param :insecure, :bool, desc: N_("Enable insecure argument for the initial curl/wget")
         param :packages, String, desc: N_("Packages to install on the host when registered. Can be set by `host_packages` parameter, example: `pkg1 pkg2`")
         param :update_packages, :bool, desc: N_("Update all packages on the host")
         param :repo, String, desc: N_("DEPRECATED, use the `repo_data` param instead."), deprecated: true
@@ -25,6 +25,7 @@ class RegistrationCommandsController < V2::BaseController
           param :repo, String, desc: N_("Repository URL / details, for example, for Debian OS family: 'deb http://deb.example.com/ buster 1.0', for Red Hat and SUSE OS family: 'http://yum.theforeman.org/client/latest/el8/x86_64/'")
           param :repo_gpg_key_url, String, desc: N_("URL of the GPG key for the repository")
         end
+        param :download_utility, ["curl", "wget"], desc: N_("The download utility to use during host registration")
       end
       def create
         unless os_with_template?

diff --git a/app/controllers/api/v2/registration_controller.rb b/app/controllers/api/v2/registration_controller.rb
@@ -30,6 +30,7 @@ class RegistrationController < V2::BaseController
         param :repo, String, desc: N_("Repository URL / details, for example, for Debian OS family: 'deb http://deb.example.com/ buster 1.0', for Red Hat OS family: 'http://yum.theforeman.org/client/latest/el8/x86_64/'")
         param :repo_gpg_key_url, String, desc: N_("URL of the GPG key for the repository")
       end
+      param :download_utility, ["curl", "wget"], desc: N_("The download utility to use during host registration")
       def global
         find_global_registration
 

diff --git a/app/controllers/concerns/foreman/controller/registration.rb b/app/controllers/concerns/foreman/controller/registration.rb
@@ -41,6 +41,7 @@ def global_registration_vars
       packages: params['packages'],
       update_packages: params['update_packages'],
       repo_data: repo_data,
+      download_utility: params['download_utility'],
     }
 
     params.permit(permitted)

diff --git a/app/controllers/concerns/foreman/controller/registration_commands.rb b/app/controllers/concerns/foreman/controller/registration_commands.rb
@@ -9,7 +9,7 @@ module Foreman::Controller::RegistrationCommands
 
   def command
     args_query = "?#{registration_args.to_query}"
-    "set -o pipefail && curl -sS #{insecure} '#{registration_url(@smart_proxy)}#{args_query if args_query != '?'}' #{command_headers} | bash"
+    "set -o pipefail && #{utility[:download_command]} #{utility[:output_pipe]} #{insecure} '#{registration_url(@smart_proxy)}#{args_query if args_query != '?'}' #{command_headers} | bash"
   end
 
   def registration_args
@@ -19,8 +19,12 @@ def registration_args
                        .permit!
   end
 
+  def utility
+    Foreman.download_utilities.fetch(registration_params['download_utility'] || 'curl')
+  end
+
   def insecure
-    registration_params['insecure'] ? '--insecure' : ''
+    registration_params['insecure'] ? utility[:insecure] : ''
   end
 
   def registration_url(proxy = nil)
@@ -65,7 +69,7 @@ def command_headers
     else
       invalid_expiration_error
     end
-    "-H 'Authorization: Bearer #{User.current.jwt_token!(**jwt_args)}'"
+    "--header 'Authorization: Bearer #{User.current.jwt_token!(**jwt_args)}'"
   end
 
   def host_config_params

diff --git a/app/services/foreman/renderer/configuration.rb b/app/services/foreman/renderer/configuration.rb
@@ -80,7 +80,8 @@ class Configuration
         :host_puppet_environment,
         :host_enc,
         :install_packages,
-        :update_packages
+        :update_packages,
+        :generate_web_request
       ]
 
       DEFAULT_ALLOWED_VARIABLES = [

diff --git a/app/services/foreman/renderer/scope/macros/helpers.rb b/app/services/foreman/renderer/scope/macros/helpers.rb
@@ -155,6 +155,32 @@ def truthy?(value = nil)
           def falsy?(value = nil)
             Foreman::Cast.to_bool(value) == false
           end
+
+          apipie :method, 'Generate a web request' do
+            keyword :utility, String, desc: 'The utility to use for the web request ("curl" or "wget").'
+            keyword :url, String, desc: 'The URL for the web request.'
+            keyword :ssl_ca_cert, String, desc: 'The path to the SSL certificate.', default: nil
+            keyword :headers, Array, of: String, desc: 'Array containing the headers for the web request starting with "--header".', default: nil
+            keyword :params, Array, of: String, desc: 'Array containing the POST parameters for the web request.', default: nil
+            keyword :output_file, String, desc: 'The path were the result of the web request will be stored.', default: nil
+            returns String, desc: 'The web request.'
+            example 'generate_web_request(utility: "curl", url: "https://www.example.com/register", ssl_ca_cert: "/etc/ssl/custom_certs/ca_cert.crt", headers: ["--header \'Authorization: Bearer <my_token>\'"], params: ["host[build]=false", "host[organization_id]=1"])'
+            example 'generate_web_request(utility: "curl", url: "https://www.example.com/keys/client.asc", output_file: "/etc/apt/trusted.gpg.d/client1.asc")'
+          end
+          def generate_web_request(utility:, url:, ssl_ca_cert: nil, headers: nil, params: nil, output_file: nil)
+            utility = Foreman.download_utilities.fetch(utility || 'curl')
+            command = ["#{utility[:download_command]} #{url}"]
+            command << "#{utility[:ca_cert]} #{ssl_ca_cert}" if ssl_ca_cert
+            command << utility[:request_type_post] if params && utility[:request_type_post]
+            if output_file
+              command << "#{utility[:output_file]} #{output_file}"
+            elsif utility[:output_pipe]
+              command << utility[:output_pipe]
+            end
+            headers&.each { |header| command << header }
+            utility[:format_params].call(params).each { |param| command << param } if params
+            command.join(" \\\n  ")
+          end
         end
       end
     end

diff --git a/app/services/foreman/template_snapshot_service.rb b/app/services/foreman/template_snapshot_service.rb
@@ -54,6 +54,10 @@ def self.windows10_dhcp
       new.windows10_dhcp
     end
 
+    def self.registration_template
+      new.registration_template
+    end
+
     def self.render_template(template, host_name = :host4dhcp)
       host_stub = send(host_name.to_sym)
       source = Foreman::Renderer::Source::Snapshot.new(template)
@@ -217,6 +221,17 @@ def windows10_dhcp
       define_host_params(host)
     end
 
+    def registration_template
+      Setting[:server_ca_file] = Rails.root.join('test/static_fixtures/certificates/example.com.crt')
+      Setting[:ssl_ca_file] =  Rails.root.join('test/static_fixtures/certificates/example2.com.crt')
+
+      host = FactoryBot.build(:host_for_snapshots_ipv4_dhcp_rocky9,
+        name: 'snapshot-ipv4-dhcp-rocky9',
+        subnet: FactoryBot.build(:subnet_ipv4_dhcp_for_snapshots),
+        interfaces: [ipv4_interface])
+      define_host_params(host)
+    end
+
     private
 
     def files

diff --git a/app/views/unattended/provisioning_templates/registration/global_registration.erb b/app/views/unattended/provisioning_templates/registration/global_registration.erb
@@ -2,6 +2,8 @@
 kind: registration
 name: Global Registration
 model: ProvisioningTemplate
+test_on:
+- registration_template
 description: |
   The registration template used to render OS agnostic script that any host can use to register to
   this Foreman instance. It is rendered as a response in the registration API endpoint. The resulting
@@ -14,7 +16,7 @@ description: |
 # Make sure, all command output can be parsed (e.g. from subscription-manager)
 export LC_ALL=C LANG=C
 <%
-    headers = ["-H 'Authorization: Bearer #{@auth_token}'"]
+    headers = ["--header 'Authorization: Bearer #{@auth_token}'"]
     activation_keys = [(@hostgroup.params['kt_activation_keys'] if @hostgroup), @activation_keys].compact.join(',')
 -%>
 
@@ -35,6 +37,7 @@ export LC_ALL=C LANG=C
 <%= "\n# Ignore subman errors: [#{@ignore_subman_errors}]" unless @ignore_subman_errors.nil? -%>
 <%= "\n# Lifecycle environment id: [#{@lifecycle_environment_id}]" if @lifecycle_environment_id.present? -%>
 <%= "\n# Activation keys: [#{activation_keys}]" if activation_keys.present? -%>
+<%= "\n# Download utility: [#{@download_utility}]" unless @download_utility.nil? -%>
 
 
 if ! [ $(id -u) = 0 ]; then
@@ -91,11 +94,11 @@ elif [ -f /etc/debian_version ]; then
 <% if repo_gpg_key_url.present? -%>
 <%# "apt 1.2.35" on Ubuntu 16.04 does not support storing GPG public keys in "/etc/apt/trusted.gpg.d/" in ASCII format -%>
   if [ "$(. /etc/os-release ; echo "$VERSION_ID")" = "16.04" ]; then
-    $PKG_MANAGER_INSTALL ca-certificates curl gnupg
-    curl --silent --show-error <%= shell_escape repo_gpg_key_url %> | gpg --dearmor > /etc/apt/trusted.gpg.d/client<%= index %>.gpg
+    $PKG_MANAGER_INSTALL ca-certificates gnupg
+    <%= indent(4, skip1: true) { generate_web_request(utility: @download_utility, url: shell_escape(repo_gpg_key_url)) } %> | gpg --dearmor > /etc/apt/trusted.gpg.d/client<%= index %>.gpg
   else
-    $PKG_MANAGER_INSTALL ca-certificates curl
-    curl --silent --show-error --output /etc/apt/trusted.gpg.d/client<%= index %>.asc <%= shell_escape repo_gpg_key_url %>
+    $PKG_MANAGER_INSTALL ca-certificates
+    <%= indent(4, skip1: true) { generate_web_request(utility: @download_utility, url: shell_escape(repo_gpg_key_url), output_file: "/etc/apt/trusted.gpg.d/client#{index}.asc") } %>
   fi
 <% end -%>
   apt-get update
@@ -108,22 +111,22 @@ fi
 <% end -%>
 
 register_host() {
-  curl --silent --show-error --cacert $SSL_CA_CERT --request POST <%= @registration_url %> \
-       <%= headers.join(' ') %> \
-       --data "host[name]=$(hostname --fqdn)" \
-       --data "host[build]=false" \
-       --data "host[managed]=false" \
-<%= "       --data 'host[organization_id]=#{@organization.id}' \\\n" if @organization -%>
-<%= "       --data 'host[location_id]=#{@location.id}' \\\n" if @location -%>
-<%= "       --data 'host[hostgroup_id]=#{@hostgroup.id}' \\\n" if @hostgroup -%>
-<%= "       --data 'host[operatingsystem_id]=#{@operatingsystem.id}' \\\n" if @operatingsystem -%>
-<%= "       --data host[interfaces_attributes][0][identifier]=#{shell_escape(@remote_execution_interface)} \\\n" if @remote_execution_interface.present? -%>
-<%= "       --data 'setup_insights=#{@setup_insights}' \\\n" unless @setup_insights.nil? -%>
-<%= "       --data 'setup_remote_execution=#{@setup_remote_execution}' \\\n" unless @setup_remote_execution.nil? -%>
-<%= "       --data remote_execution_interface=#{shell_escape(@remote_execution_interface)} \\\n" if @remote_execution_interface.present? -%>
-<%= "       --data packages=#{shell_escape(@packages)} \\\n" if @packages.present? -%>
-<%= "       --data 'update_packages=#{@update_packages}' \\\n" unless @update_packages.nil? -%>
-
+<%
+  params = ["host[name]=$(hostname --fqdn)"]
+  params << "host[build]=false"
+  params << "host[managed]=false"
+  params << "host[organization_id]=#{@organization.id}" if @organization
+  params << "host[location_id]=#{@location.id}" if @location
+  params << "host[hostgroup_id]=#{@hostgroup.id}" if @hostgroup
+  params << "host[operatingsystem_id]=#{@operatingsystem.id}" if @operatingsystem
+  params << "host[interfaces_attributes][0][identifier]=#{shell_escape(@remote_execution_interface)}" if @remote_execution_interface.present?
+  params << "setup_insights=#{@setup_insights}" unless @setup_insights.nil?
+  params << "setup_remote_execution=#{@setup_remote_execution}" unless @setup_remote_execution.nil?
+  params << "remote_execution_interface=#{shell_escape(@remote_execution_interface)}" if @remote_execution_interface.present?
+  params << "packages=#{shell_escape(@packages)}" if @packages.present?
+  params << "update_packages=#{@update_packages}" unless @update_packages.nil?
+-%>
+  <%= indent(2, skip1: true) { generate_web_request(utility: @download_utility, url: @registration_url, ssl_ca_cert: "$SSL_CA_CERT", headers: headers, params: params) } %>
 }
 
 echo "#"
@@ -132,22 +135,22 @@ echo "#"
 
 <% if plugin_present?('katello') && activation_keys.present? -%>
 register_katello_host(){
-    UUID=$(subscription-manager identity | grep --max-count 1 --only-matching '\([[:xdigit:]]\{8\}-[[:xdigit:]]\{4\}-[[:xdigit:]]\{4\}-[[:xdigit:]]\{4\}-[[:xdigit:]]\{12\}\)')
-    curl --silent --show-error --cacert $KATELLO_SERVER_CA_CERT --request POST "<%= @registration_url %>" \
-         <%= headers.join(' ') %> \
-         --data "uuid=$UUID" \
-         --data "host[build]=false" \
-<%= "      --data 'host[organization_id]=#{@organization.id}' \\\n" if @organization -%>
-<%= "      --data 'host[location_id]=#{@location.id}' \\\n" if @location -%>
-<%= "      --data 'host[hostgroup_id]=#{@hostgroup.id}' \\\n" if @hostgroup -%>
-<%= "      --data 'host[lifecycle_environment_id]=#{@lifecycle_environment_id}' \\\n" if @lifecycle_environment_id.present? -%>
-<%= "      --data 'setup_insights=#{@setup_insights}' \\\n" unless @setup_insights.nil? -%>
-<%= "      --data 'setup_remote_execution=#{@setup_remote_execution}' \\\n" unless @setup_remote_execution.nil? -%>
-<%= "      --data remote_execution_interface=#{shell_escape(@remote_execution_interface)} \\\n" if @remote_execution_interface.present? -%>
-<%= "      --data 'setup_remote_execution_pull=#{@setup_remote_execution_pull}' \\\n" unless @setup_remote_execution_pull.nil? -%>
-<%= "      --data packages=#{shell_escape(@packages)} \\\n" if @packages.present? -%>
-<%= "      --data 'update_packages=#{@update_packages}' \\\n" unless @update_packages.nil? -%>
-
+<%
+  params = ["uuid=$UUID"]
+  params << "host[build]=false"
+  params << "host[organization_id]=#{@organization.id}" if @organization
+  params << "host[location_id]=#{@location.id}" if @location
+  params << "host[hostgroup_id]=#{@hostgroup.id}" if @hostgroup
+  params << "host[lifecycle_environment_id]=#{@lifecycle_environment_id}" if @lifecycle_environment_id.present?
+  params << "setup_insights=#{@setup_insights}" unless @setup_insights.nil?
+  params << "setup_remote_execution=#{@setup_remote_execution}" unless @setup_remote_execution.nil?
+  params << "remote_execution_interface=#{shell_escape(@remote_execution_interface)}" if @remote_execution_interface.present?
+  params << "setup_remote_execution_pull=#{@setup_remote_execution_pull}" unless @setup_remote_execution_pull.nil?
+  params << "packages=#{shell_escape(@packages)}" if @packages.present?
+  params << "update_packages=#{@update_packages}" unless @update_packages.nil?
+-%>
+  UUID=$(subscription-manager identity | grep --max-count 1 --only-matching '\([[:xdigit:]]\{8\}-[[:xdigit:]]\{4\}-[[:xdigit:]]\{4\}-[[:xdigit:]]\{4\}-[[:xdigit:]]\{12\}\)')
+  <%= indent(2, skip1: true) { generate_web_request(utility: @download_utility, url: @registration_url, ssl_ca_cert: "$KATELLO_SERVER_CA_CERT", headers: headers, params: params) } %>
 }
 
 # Set up subscription-manager

diff --git a/lib/foreman.rb b/lib/foreman.rb
@@ -45,4 +45,25 @@ def self.input_types_registry
   def self.settings
     SettingRegistry.instance
   end
+
+  def self.download_utilities
+    {
+      'curl' => {
+        :ca_cert => '--cacert',
+        :download_command => 'curl --silent --show-error',
+        :insecure => '--insecure',
+        :output_file => '--output',
+        :request_type_post => '--request POST',
+        :format_params => proc { |params| params.map { |param| "--data #{param}" } },
+      },
+      'wget' => {
+        :ca_cert => '--ca-certificate',
+        :download_command => 'wget --no-verbose --no-hsts',
+        :insecure => '--no-check-certificate',
+        :output_file => '--output-document',
+        :output_pipe => '--output-document -',
+        :format_params => proc { |params| ["--post-data #{params.join('\&')}"] },
+      },
+    }.freeze
+  end
 end
diff --git a/test/controllers/api/v2/registration_commands_controller_test.rb b/test/controllers/api/v2/registration_commands_controller_test.rb
@@ -7,8 +7,8 @@ class Api::V2::RegistrationCommandsControllerTest < ActionController::TestCase
       assert_response :success
       response = ActiveSupport::JSON.decode(@response.body)['registration_command']
 
-      assert_includes response, "curl -sS  'http://test.host/register'"
-      assert_includes response, "-H 'Authorization: Bearer"
+      assert_includes response, "curl --silent --show-error   'http://test.host/register'"
+      assert_includes response, "--header 'Authorization: Bearer"
     end
 
     test 'with params' do
@@ -50,7 +50,7 @@ class Api::V2::RegistrationCommandsControllerTest < ActionController::TestCase
       assert_response :success
 
       response = ActiveSupport::JSON.decode(@response.body)['registration_command']
-      assert_includes response, "curl -sS --insecure '#{proxy.url}/register'"
+      assert_includes response, "curl --silent --show-error  --insecure '#{proxy.url}/register'"
     end
 
     test 'os without host_init_config template' do
@@ -65,5 +65,32 @@ class Api::V2::RegistrationCommandsControllerTest < ActionController::TestCase
       post :create, params: { smart_proxy_id: smart_proxies(:one).id }
       assert_response :unprocessable_entity
     end
+
+    test 'using wget' do
+      params = {
+        download_utility: 'wget',
+      }
+
+      post :create, params: params
+      assert_response :success
+
+      response = ActiveSupport::JSON.decode(@response.body)['registration_command']
+      assert_includes response, "wget --no-verbose --no-hsts --output-document -  'http://test.host/register?download_utility=wget'"
+      assert_includes response, "--header 'Authorization: Bearer"
+    end
+
+    test 'using wget with insecure option' do
+      params = {
+        download_utility: 'wget',
+        insecure: true,
+      }
+
+      post :create, params: params
+      assert_response :success
+
+      response = ActiveSupport::JSON.decode(@response.body)['registration_command']
+      assert_includes response, "wget --no-verbose --no-hsts --output-document - --no-check-certificate 'http://test.host/register?download_utility=wget'"
+      assert_includes response, "--header 'Authorization: Bearer"
+    end
   end
 end
diff --git a/test/controllers/api/v2/registration_controller_test.rb b/test/controllers/api/v2/registration_controller_test.rb
@@ -26,6 +26,7 @@ class Api::V2::RegistrationControllerTest < ActionController::TestCase
         location_id: taxonomies(:location1).id,
         hostgroup_id: hostgroups(:common).id,
         operatingsystem_id: operatingsystems(:centos5_3).id,
+        download_utility: 'wget',
       }
 
       get :global, params: params, session: set_session_user
@@ -38,6 +39,7 @@ class Api::V2::RegistrationControllerTest < ActionController::TestCase
       assert_equal operatingsystems(:centos5_3), vars[:operatingsystem]
       assert_equal users(:admin), vars[:user]
       assert_equal register_url, vars[:registration_url].to_s
+      assert_equal 'wget', vars[:download_utility].to_s
     end
 
     test "should not pass unpermitted params to template" do

diff --git a/test/controllers/registration_commands_controller_test.rb b/test/controllers/registration_commands_controller_test.rb
@@ -37,6 +37,7 @@ class RegistrationCommandsControllerTest < ActionController::TestCase
         hostgroupId: hostgroups(:common).id,
         operatingsystemId: operatingsystems(:redhat).id,
         update_packages: true,
+        download_utility: 'wget',
       }
       post :create, params: params, session: set_session_user
       command = JSON.parse(@response.body)['command']
@@ -46,6 +47,7 @@ class RegistrationCommandsControllerTest < ActionController::TestCase
       assert_includes command, 'hostgroupId='
       assert_includes command, 'operatingsystemId='
       assert_includes command, 'update_packages=true'
+      assert_includes command, 'download_utility=wget'
     end
 
     test 'with params ignored in URL' do
@@ -61,7 +63,7 @@ class RegistrationCommandsControllerTest < ActionController::TestCase
       post :create, params: params, session: set_session_user
       command = JSON.parse(@response.body)['command']
 
-      assert_includes command, "curl -sS --insecure '#{proxy.url}/register"
+      assert_includes command, "curl --silent --show-error  --insecure '#{proxy.url}/register"
       refute command.include?('smart_proxy_id')
       refute command.include?('insecure=true')
       refute command.include?('jwt_expiration')