Merge branch 'master' into rmt_deb_codesprint

SUSE · Mar 12, 2024 · 5447f34 · 5447f34
2 parents cb11945 + b8e05db
commit 5447f34
Show file tree

Hide file tree

Showing 10 changed files with 89 additions and 42 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -34,6 +34,7 @@ GEM
       public_suffix (>= 2.0.2, < 6.0)
     ast (2.4.2)
     awesome_print (1.9.2)
+    base64 (0.2.0)
     bigdecimal (3.1.6)
     builder (3.2.4)
     byebug (11.1.3)
@@ -50,7 +51,7 @@ GEM
       term-ansicolor (~> 1.3)
       thor (>= 0.19.4, < 2.0)
       tins (~> 1.6)
-    crack (0.4.6)
+    crack (1.0.0)
       bigdecimal
       rexml
     crass (1.0.6)
@@ -137,7 +138,8 @@ GEM
       concurrent-ruby (~> 1.0)
     json (2.3.1)
     jsonapi-renderer (0.2.2)
-    jwt (2.7.1)
+    jwt (2.8.0)
+      base64
     listen (3.6.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
@@ -174,7 +176,7 @@ GEM
     puma (5.6.8)
       nio4r (~> 2.0)
     racc (1.7.1)
-    rack (2.2.8)
+    rack (2.2.8.1)
     rack-test (2.1.0)
       rack (>= 1.3)
     rails-dom-testing (2.2.0)
@@ -308,7 +310,7 @@ GEM
       activesupport (>= 3)
       railties (>= 3)
       yard (~> 0.9.20)
-    webmock (3.20.0)
+    webmock (3.23.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)

diff --git a/db/migrate/20240129140413_remove_obsolete_res7_repositories.rb b/db/migrate/20240129140413_remove_obsolete_res7_repositories.rb
@@ -6,9 +6,13 @@ def change
     # This migration removes the now obsolete repositories, since RMT does
     # not remove these automatically.
 
+    # NOTE: We have a check in the repository model to stop users from
+    #       deleting SUSE repositories. This is why need to run delete
+    #       directly rather then destroying as usual.
+
     # Affected repositories are:
     # - 1963: https://updates.suse.com/repo/$RCE/RES7/src/
     # - 1736: https://updates.suse.com/repo/$RCE/RES7/x86_64/
-    Repository.where(scc_id: [1963, 1736]).destroy_all
+    Repository.where(scc_id: [1963, 1736]).delete_all
   end
 end
diff --git a/engines/instance_verification/lib/instance_verification/engine.rb b/engines/instance_verification/lib/instance_verification/engine.rb
@@ -1,8 +1,9 @@
 module InstanceVerification
-  def self.update_cache(remote_ip, system_login, product_id)
+  def self.update_cache(remote_ip, system_login, product_id, is_byos)
     cache_key = [remote_ip, system_login, product_id].join('-')
     # caches verification result to be used by zypper auth plugin
-    Rails.cache.write(cache_key, true, expires_in: 20.minutes)
+    expire_cache_time = is_byos ? 24.hours : 20.minutes
+    Rails.cache.write(cache_key, true, expires_in: expire_cache_time)
   end
 
   class Engine < ::Rails::Engine
@@ -94,7 +95,7 @@ def verify_base_product_activation(product)
           )
 
           raise 'Unspecified error' unless verification_provider.instance_valid?
-          InstanceVerification.update_cache(request.remote_ip, @system.login, product.id)
+          InstanceVerification.update_cache(request.remote_ip, @system.login, product.id, @system.proxy_byos)
         end
 
         # Verify that the base product doesn't change in the offline migration

diff --git a/...es/instance_verification/spec/requests/api/connect/v3/systems/products_controller_spec.rb b/...es/instance_verification/spec/requests/api/connect/v3/systems/products_controller_spec.rb
@@ -16,15 +16,6 @@
       arch: product.arch
     }
   end
-  let(:payload_byos) do
-    {
-      identifier: product.identifier,
-      version: product.version,
-      arch: product.arch,
-      email: 'foo',
-      token: 'bar'
-    }
-  end
 
   describe '#activate' do
     let(:plugin_double) { instance_double('InstanceVerification::Providers::Example') }
@@ -119,6 +110,10 @@
         before do
           expect(InstanceVerification::Providers::Example).to receive(:new)
             .with(be_a(ActiveSupport::Logger), be_a(ActionDispatch::Request), payload_sap, instance_data).and_call_original
+
+          expect(Rails.cache).to receive(:write).with(
+            ['127.0.0.1', system.login, product_sap.id].join('-'), true, expires_in: 20.minutes
+            )
           post url, params: payload_sap, headers: headers
         end
 

diff --git a/engines/scc_proxy/lib/scc_proxy/engine.rb b/engines/scc_proxy/lib/scc_proxy/engine.rb
@@ -157,6 +157,7 @@ def scc_check_subscription_expiration(headers, login, system_token, logger)
       uri = URI.parse(SYSTEMS_ACTIVATIONS_URL)
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = true
+      uri.query = URI.encode_www_form({ byos: true })
       scc_request = Net::HTTP::Get.new(uri.path, headers(auth, system_token))
       response = http.request(scc_request)
       unless response.code_type == Net::HTTPOK
@@ -274,7 +275,7 @@ def scc_activate_product
               raise ActionController::TranslatedError.new(error['error'])
             end
             logger.info "Product #{@product.product_string} successfully activated with SCC"
-            InstanceVerification.update_cache(request.remote_ip, @system.login, @product.id)
+            InstanceVerification.update_cache(request.remote_ip, @system.login, @product.id, @system.proxy_byos)
           end
         end
       end

diff --git a/engines/scc_proxy/spec/requests/api/connect/v3/systems/products_controller_spec.rb b/engines/scc_proxy/spec/requests/api/connect/v3/systems/products_controller_spec.rb
@@ -110,10 +110,13 @@
                 body: '{"id": "bar"}',
                 headers: {}
               )
-            post url, params: payload_byos, headers: headers
           end
 
           it 'renders service JSON' do
+            expect(Rails.cache).to receive(:write).twice.with(
+              ['127.0.0.1', system.login, product.id].join('-'), true, expires_in: 24.hours
+              )
+            post url, params: payload_byos, headers: headers
             expect(response.body).to eq(serialized_service_json)
           end
         end

diff --git a/engines/zypper_auth/lib/zypper_auth/engine.rb b/engines/zypper_auth/lib/zypper_auth/engine.rb
@@ -24,14 +24,14 @@ def verify_instance(request, logger, system)
       )
 
       is_valid = verification_provider.instance_valid?
-      InstanceVerification.update_cache(request.remote_ip, system.login, base_product.id)
+      InstanceVerification.update_cache(request.remote_ip, system.login, base_product.id, system.proxy_byos)
       is_valid
     rescue InstanceVerification::Exception => e
       message = ''
       if system.proxy_byos
         result = SccProxy.scc_check_subscription_expiration(request.headers, system.login, system.system_token, logger)
         if result[:is_active]
-          InstanceVerification.update_cache(request.remote_ip, system.login, base_product.id)
+          InstanceVerification.update_cache(request.remote_ip, system.login, base_product.id, system.proxy_byos)
           return true
         end
 

diff --git a/engines/zypper_auth/spec/requests/strict_authentication/authentication_controller_spec.rb b/engines/zypper_auth/spec/requests/strict_authentication/authentication_controller_spec.rb
@@ -125,6 +125,7 @@
         context 'when subscription is active' do
           before do
             stub_request(:get, scc_systems_activations_url).to_return(status: 200, body: [body_active].to_json, headers: {})
+            expect(URI).to receive(:encode_www_form).with({ byos: true })
             get '/api/auth/check', headers: headers
           end
 
@@ -134,6 +135,7 @@
         context 'when subscription is expired' do
           before do
             stub_request(:get, scc_systems_activations_url).to_return(status: 200, body: [body_expired].to_json, headers: {})
+            expect(URI).to receive(:encode_www_form).with({ byos: true })
             get '/api/auth/check', headers: headers
           end
 
@@ -143,6 +145,7 @@
         context 'when product is not activated' do
           before do
             stub_request(:get, scc_systems_activations_url).to_return(status: 200, body: [body_not_activated].to_json, headers: {})
+            expect(URI).to receive(:encode_www_form).with({ byos: true })
             get '/api/auth/check', headers: headers
           end
 
@@ -152,6 +155,7 @@
         context 'when status from SCC is unknown' do
           before do
             stub_request(:get, scc_systems_activations_url).to_return(status: 200, body: [body_unknown_status].to_json, headers: {})
+            expect(URI).to receive(:encode_www_form).with({ byos: true })
             get '/api/auth/check', headers: headers
           end
 
@@ -161,6 +165,7 @@
         context 'when SCC request fails' do
           before do
             stub_request(:get, scc_systems_activations_url).to_return(status: 401, body: [body_expired].to_json, headers: {})
+            expect(URI).to receive(:encode_www_form).with({ byos: true })
             get '/api/auth/check', headers: headers
           end
 

diff --git a/package/obs/rmt-server.changes b/package/obs/rmt-server.changes
@@ -1,5 +1,5 @@
 -------------------------------------------------------------------
-Thu Feb 08 15:33:00 UTC 2024 - Felix Schnizlein <fschnizlein@suse.com>
+Thu Mar 07 15:33:00 UTC 2024 - Likhitha Priya <likhitha.priyad@suse.com>
 
 - Version 2.16:
   * Add support for debian repositories using flat or nested structures
@@ -14,9 +14,13 @@ Wed Oct 04 13:23:00 UTC 2023 - Felix Schnizlein <[email protected]>
   * Updated supportconfig script (bsc#1216389)
   * Support zstd compression for repository metadata (bsc#1218775)
   * Do not add credential handling to normal repository URLs (bsc#1219153)
+  * Fix for SUSE Liberty registration script to allow RHEL7/SLL7/CentOS7 clients to register to RMT servers
+  * Provide user/group symbol for user created during pre (boo#1219540)
   * Disable authentication for license files in pubcloud context
   * Higher registration sharing timeout
-  * Provide user/group symbol for user created during pre (boo#1219540)
+  * rmt-server-pubcloud:
+    * Extend cache expiration time for BYOS systems (PAYG: 20 min, BYOS: 24 hours)
+    * Include byos parameter when checking subscription validity for BYOS systems with SCC
 
 -------------------------------------------------------------------
 Thu Jun 06 15:44:00 UTC 2023 - Luís Caparroz <[email protected]>

diff --git a/public/tools/rmt-client-setup-res b/public/tools/rmt-client-setup-res
@@ -10,6 +10,9 @@ SUSECONNECT=/usr/bin/SUSEConnect
 RPM=/usr/bin/rpm
 DNF=/usr/bin/dnf
 CURL=/usr/bin/curl
+YUM=/usr/bin/yum
+YUM_CONFIG_MGR=/usr/bin/yum-config-manager
+
 TEMPFILE="/etc/pki/ca-trust/source/anchors/rmt.crt"
 UPDATE_CA_TRUST=/usr/bin/update-ca-trust
 RPM_GPG_KEY_LOCATION="/etc/pki/rpm-gpg"
@@ -74,7 +77,7 @@ fi
 
 if [ -z "$REGURL" ]; then
     echo "Missing registration URL. Abort."
-    usage
+    exit 1
 fi
 
 if [ ! -x $RPM ]; then
@@ -87,6 +90,11 @@ if [ ! -x $CURL ]; then
     exit 1
 fi
 
+if  [[ ! -e /etc/os-release ]]; then
+    echo "/etc/os-release file not found. Couldn't determine OS. Abort."
+    exit 1
+fi
+
 # Import Self-signed CERT as Trusted
 if [ -z "$REGCERT" ]; then
     CERTURL=`echo "$REGURL" | awk -F/ '{print "https://" $3 "/rmt.crt"}'`
@@ -112,43 +120,43 @@ if [ -x $UPDATE_CA_TRUST ]; then
 fi
 
 SLL_version=`cat /etc/os-release | grep "VERSION_ID" | cut -d\" -f2 | cut -d\. -f1`
-if [[ ${SLL_version} > 8 ]]; then                                                                                                       
+if [[ ${SLL_version} > 8 ]]; then
    SLL_name="SLL";                                                                                                                
    SLL_release_package="sll-release"                                                                                              
+elif [[ ${SLL_version} -eq 7 ]]; then
+   SLL_name="RES";
+   SLL_release_package="sles_es-release-server"
+elif [[ ${SLL_version} -eq 8 ]]; then
+    SLL_name="RES";                      
+    SLL_release_package="sles_es-release"
 else                                                                                                                                 
-   SLL_name="RES";                                                                                                                
-   SLL_release_package="sles_es-release"                                                                                       
+   echo "Unsupported or unknown base version. Abort";
+   exit 1
 fi                                                                                                                                   
 
 echo "detect ${SLL_name} version... ${SLL_version}"                                                                                  
 
-echo "Disabling all repositories"
-dnf config-manager --disable $(dnf repolist -q | awk '{ print $1 }' | grep -v repo)
-#sed -i 's/^enabled=1/enabled=0/' /etc/yum.repos.d/*           
-
-# on Centos /usr/share/redhat-release is a file, on RHEL and RES it is a directory
-# so this is CentOS only workaround
-if [ -f /usr/share/redhat-release ] | [ -h /usr/share/redhat-release ]; then
-   rm -f /usr/share/redhat-release;
-fi
-
-# on RHEL9 (not RHEL8) redhat-release is protected and cannot be updated to sll-release
-if [ -f /etc/dnf/protected.d/redhat-release.conf ]; then
-    rm -f /etc/dnf/protected.d/redhat-release.conf;
-fi
-
 echo "Importing repomd.xml.key"
 $CURL --silent --show-error --insecure  ${REGURL}/repo/SUSE/Updates/${SLL_name}/${SLL_version}/x86_64/update/repodata/repomd.xml.key --output repomd.xml.key
 $RPM --import repomd.xml.key
 
 if [ ! -x $SUSECONNECT ]; then
     echo "Downloading SUSEConnect"
+if [[ ${SLL_version} > 7 ]]; then
 
     if [ ! -x $DNF ]; then
         echo "dnf command not found. Abort."
         exit 1
     fi
 
+echo "Disabling all repositories"
+$DNF config-manager --disable $(dnf repolist -q | awk '{ print $1 }' | grep -v repo)
+#sed -i 's/^enabled=1/enabled=0/' /etc/yum.repos.d/*           
+# on RHEL9 (not RHEL8) redhat-release is protected and cannot be updated to sll-release
+if [ -f /etc/dnf/protected.d/redhat-release.conf ]; then
+    rm -f /etc/dnf/protected.d/redhat-release.conf;
+fi
+
     $DNF config-manager --add-repo ${REGURL}/repo/SUSE/Updates/${SLL_name}/${SLL_version}/x86_64/update
     $DNF config-manager --add-repo ${REGURL}/repo/SUSE/Updates/${SLL_name}-AS/${SLL_version}/x86_64/update
     $DNF install --allowerasing ${SLL_release_package}
@@ -161,6 +169,30 @@ if [ ! -x $SUSECONNECT ]; then
     $DNF install SUSEConnect librepo
     $DNF config-manager --set-disabled "${RMTNAME}_repo_SUSE_Updates_${SLL_name}_${SLL_version}_x86_64_update"
     $DNF config-manager --set-disabled "${RMTNAME}_repo_SUSE_Updates_${SLL_name}-AS_${SLL_version}_x86_64_update"
+
+elif [[ ${SLL_version} -eq 7 ]]; then
+    # For SLL7 we need to have yum, yum_config_mgr, sles_os-release-server, etc.. 
+	if [ ! -x "$YUM_CONFIG_MGR" ]; then
+	    	echo "YUM config manager is not installed. Please install yum-config-manager and retry. Abort."
+		exit 1
+	fi	
+
+	echo "Disabling all repositories"
+	$YUM_CONFIG_MGR --disable \* > /dev/null
+
+	# on Centos /usr/share/redhat-release is a file, on RHEL and RES it is a directory
+	# so this is CentOS only workaround (on some system it is a normal file, on some systems a symlink)
+	if [ -f /usr/share/redhat-release ] | [ -h /usr/share/redhat-release ]; then
+	   rm -f /usr/share/redhat-release;
+	fi
+
+	 $YUM_CONFIG_MGR --add-repo ${REGURL}/repo/SUSE/Updates/${SLL_name}/${SLL_version}/x86_64/update
+	 $YUM_CONFIG_MGR --enable *suse.* > /dev/null
+
+	$YUM install sles_es-release-server suseconnect-ng librepo
+
+
+fi
 elif [[ ${SLL_version} -eq 8 ]]; then
     # For SLL8, the release package is already installed, just import the keys
     import_rpm_signing_keys