Suma payg rhui via payg client connection

[mcalmer]

What does this PR change?

Support RHUI configuration via Pay-as-you-Go client connection in the cloud

Replace #7050
Port of https://github.com/SUSE/spacewalk/pull/21590

GUI diff

No difference.

• DONE

Documentation

• automatically setup and update RHUI repos uyuni-docs#2274

• DONE

Test coverage

• Unit tests were added

• DONE

Changelogs

Make sure the changelogs entries you are adding are compliant with https://github.com/uyuni-project/uyuni/wiki/Contributing#changelogs and https://github.com/uyuni-project/uyuni/wiki/Contributing#uyuni-projectuyuni-repository

If you don't need a changelog check, please mark this checkbox:

• No changelog needed

If you uncheck the checkbox after the PR is created, you will need to re-run changelog_test (see below)

Re-run a test

If you need to re-run a test, please mark the related checkbox, it will be unchecked automatically once it has re-run:

• Re-run test "changelog_test"
• Re-run test "backend_unittests_pgsql"
• Re-run test "java_pgsql_tests"
• Re-run test "schema_migration_test_pgsql"
• Re-run test "susemanager_unittests"
• Re-run test "javascript_lint"
• Re-run test "spacecmd_unittests"

[github-actions]

Suggested tests to cover this Pull Request

• minssh_salt_install_package
• min_deblike_monitoring
• srv_power_management
• min_salt_mgrcompat_state
• srv_sync_channels
• proxy_cobbler_pxeboot
• allcli_software_channels_dependencies
• srv_content_lifecycle
• minkvm_guests
• srv_task_status_engine
• srv_patches_page
• srv_logfile
• srv_rename_hostname
• srv_docker_cve_audit
• srv_enable_sync_products
• srv_create_repository
• srv_cobbler_profile
• min_empty_system_profiles
• min_ansible_control_node
• srv_reportdb
• min_retracted_patches
• srv_add_rocky8_repositories
• srv_organization_credentials
• allcli_reboot
• min_bootstrap_ssh_key
• srv_manage_activationkey
• min_deblike_salt_install_package
• buildhost_docker_build_image
• srv_custom_system_info
• minssh_bootstrap_api
• srv_advanced_search
• srv_cobbler_distro
• srv_scc_user_credentials
• min_rhlike_ssh
• allcli_update_activationkeys
• srv_datepicker
• min_salt_openscap_audit
• srv_change_password
• srv_user_preferences
• srv_cobbler_sync
• min_salt_install_with_staging
• allcli_config_channel
• min_salt_software_states
• srv_channels_add
• min_bootstrap_api
• min_bootstrap_reactivation
• min_rhlike_monitoring
• srv_distro_cobbler
• min_rhlike_salt_install_package_and_patch
• min_config_state_channel_api
• buildhost_osimage_build_image
• srv_group_union_intersection
• allcli_action_chain
• min_salt_pkgset_beacon
• buildhost_bootstrap
• proxy_branch_network
• srv_virtual_host_manager
• min_cve_id_new_syntax
• allcli_sanity
• min_deblike_ssh
• srv_check_channels_page
• srv_dist_channel_mapping
• min_config_state_channel
• srv_change_task_schedule
• min_salt_minions_page
• srv_delete_channel_with_tool
• srv_notifications
• min_deblike_remote_command
• sle_ssh_minion
• srv_wait_for_reposync
• srv_salt
• min_custom_pkg_download_endpoint
• allcli_software_channels
• srv_maintenance_windows
• sle_minion
• srv_cobbler_buildiso
• minssh_move_from_and_to_proxy
• srv_users
• srv_user_api
• srv_push_package
• min_docker_api
• srv_check_sync_source_packages
• srv_sync_products
• allcli_system_group
• srv_handle_config_channels_with_ISS_v2
• srv_delete_channel_from_ui
• srv_restart
• srv_power_management_redfish
• srv_user_configuration_salt_states
• min_bootstrap_negative
• min_activationkey
• srv_clone_channel_npn
• min_rhlike_salt
• min_salt_formulas_advanced
• srv_handle_software_channels_with_ISS_v2
• srv_manage_channels_page
• srv_mainpage
• min_salt_migration
• min_recurring_action
• proxy_as_pod_basic_tests
• min_salt_minion_details
• min_salt_lock_packages
• min_deblike_openscap_audit
• srv_menu_filter
• srv_check_reposync
• min_check_patches_install
• min_virthost
• srv_power_management_api
• min_move_from_and_to_proxy
• min_project_lotus
• min_config_state_channel_subscriptions
• srv_payg_ssh_connection
• min_timezone
• min_salt_user_states
• srv_activationkey_api
• minssh_ansible_control_node
• min_deblike_salt
• srv_docker
• buildhost_docker_auth_registry
• srv_monitoring
• min_deblike_salt_install_with_staging
• min_cve_audit
• min_rhlike_remote_command
• srv_channel_api
• proxy_retail_pxeboot_and_mass_import
• min_bootstrap_script
• min_rhlike_openscap_audit
• srv_docker_advanced_content_management
• srv_salt_download_endpoint
• proxy_register_as_minion_with_script
• min_salt_install_package
• srv_menu
• min_monitoring
• min_change_software_channel
• min_action_chain
• srv_osimage
• srv_first_settings
• minssh_action_chain
• srv_create_activationkey
• min_salt_formulas
• allcli_overview_systems_details
• srv_disable_local_repos_off
• min_ssh_tunnel

[parlt91]

Since this is a port of an already reviewed PR I am going to approve without full review. If you want a proper code review please re-request the review.

[agraul]

I just looked at the Python code and left a few comments. The biggest question mark for me is about the certificates and the changes around that. Is RHUI not setting a subject common name? Do we want to relax the dates check from "all" to "any"?

[agraul]

Can we catch the relevant exception instead of everything (including Ctrl+C) ?

[mcalmer]

It is not easy to find out which one it is. It happens in one of the clouds, but we need to retest all of them.
I would suggest to keep this, and when you refactor reposync, we can maybe get rid of this whole paramater.
I think it is not needed, but I am not 100% sure.

[agraul]

I think it's always an AttributeError, just like when you try to access subject.FOO

>>> cert = X509.load_cert_string(c)
>>> subject = cert.get_subject()
>>> subject.FOO
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib64/python3.11/site-packages/M2Crypto/X509.py", line 359, in __getattr__
    raise AttributeError(self, attr)
AttributeError: (<M2Crypto.X509.X509_Name object at 0x7f22a0ba1bd0>, 'FOO')

[mcalmer]

Ok, I have changed it

[agraul]

IMO it's not easy to read conditional expressions with multiple conditions. Can we move that out of the function call and do something like:

repo_url = "baseurl"
if mirrorlist and not plugin_used:
    repo_url = "mirrorlist"
repo_conf_file.write(repo_cfg.format(...))

[agraul]

Do I understand this change correctly that we change the date verification from "all certs have valid dates" to "any cert has an valid date"?

If that's the intention, we could also short-circuit the loop and return True as soon as we find the first valid cert.

[mcalmer]

I have to run certificate bundles with this funktion.
And RedHat has some expired certificates in the bundle.
So if 1 cert is provided, it must be valid. If multiple are provided, it is ok if one has a valid date.

[mcalmer]

I change this to return on the first valid certificate

[agraul]

Python code LGTM!