Merge remote-tracking branch 'upstream/develop' into hdm

.github/dependabot.yml

@@ -0,0 +1,9 @@
+---
+version: 2
+updates:
+
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/test.yml

@@ -0,0 +1,69 @@
+---
+name: Test
+
+on:
+  pull_request:
+  push:
+    branches:
+      - 'develop'
+      - '*-stable'
+
+concurrency:
+  group: ${{ github.ref_name }}
+  cancel-in-progress: true
+
+jobs:
+  rubocop:
+    name: Rubocop
+    uses: theforeman/actions/.github/workflows/rubocop.yml@v0
+
+  test:
+    name: "Ruby ${{ matrix.ruby }} / Puppet ${{ matrix.puppet }}"
+    needs: rubocop
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - ruby: '2.7'
+            puppet: '7.0'
+          - ruby: '3.0'
+            puppet: '7.0'
+          - ruby: '3.2'
+            puppet: '8.0'
+    env:
+      PUPPET_VERSION: ${{ matrix.puppet }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install system dependencies
+        run: sudo apt-get install -y --no-install-recommends asciidoc
+      - name: Setup ruby
+        uses: ruby/setup-ruby@v1
+        with:
+          ruby-version: ${{ matrix.ruby }}
+          bundler-cache: true
+      - name: Archive Gemfile.lock
+        uses: actions/upload-artifact@v4
+        with:
+          name: Gemfile-ruby-${{ matrix.ruby }}-puppet-${{ matrix.puppet }}.lock
+          path: Gemfile.lock
+      - name: Run tests
+        run: bundle exec rake spec
+      - name: Test installer configuration
+        run: |
+          bundle exec rake install PREFIX=./local --trace
+          bundle exec rake installation_tests PREFIX=./local --trace
+      - name: Archive Puppetfile.lock
+        if: ${{ !cancelled() }}
+        uses: actions/upload-artifact@v4
+        with:
+          name: Puppetfile-ruby-${{ matrix.ruby }}-puppet-${{ matrix.puppet }}.lock
+          path: Puppetfile.lock
+
+  # A dummy job that you can mark as a required check instead of each individual test
+  test-suite:
+    needs: test
+    runs-on: ubuntu-latest
+    name: Test suite
+    steps:
+      - run: echo Test suite completed

.gitignore

@@ -35,3 +35,5 @@ config/foreman.migrations/.applied
 spec/fixtures/katello-certs-check/certs/*.csr
 spec/fixtures/katello-certs-check/ca.key
 spec/fixtures/katello-certs-check/certs/*.srl
+
+.xml

.gitlab-ci.yml

@@ -0,0 +1,55 @@
+---
+stages:
+  - lint
+  - test
+  - installation-tests
+
+variables:
+  RUBY_VERSION: "2.7"
+  RUBY_IMAGE: "ruby:${RUBY_VERSION}"
+  PUPPET_VERSION: "7.0"
+
+.common:
+  image: ${RUBY_IMAGE}
+  cache:
+    key: $CI_COMMIT_REF_SLUG
+    paths:
+      - vendor/ruby
+  before_script:
+    - bundle config set --local path 'vendor/ruby'
+    - bundle install -j $(nproc)
+
+lint:
+  extends: .common
+  stage: lint
+  script:
+    - bundle exec rubocop --format junit --out rubocop.xml --display-only-fail-level-offenses --fail-level=A
+  artifacts:
+    when: always
+    paths:
+      - rubocop.xml
+    reports:
+      junit: rubocop.xml
+
+test:
+  extends: .common
+  stage: test
+  script:
+    - bundle exec rspec --format RspecJunitFormatter --out rspec.xml
+  artifacts:
+    when: always
+    paths:
+      - rspec.xml
+    reports:
+      junit: rspec.xml
+
+installation-tests:
+  extends: .common
+  stage: installation-tests
+  variables:
+    PREFIX: "${RUBY_VERSION}"
+  script:
+    - apt update && apt install -y asciidoc-base docbook-xsl --no-install-recommends
+    - bundle exec rake install --trace
+    - bundle exec rake installation_tests --trace
+...

.packit.yaml

@@ -25,7 +25,6 @@ actions:
     - bundle config set --local without development:test
     - bundle install
     - bundle exec rake pkg:generate_source
-    - bash -c "ls -1t pkg/*.tar.bz2 | head -n 1"
 
 jobs:
   - job: copr_build

.rubocop.yml

@@ -1,11 +1,15 @@
+inherit_from: .rubocop_todo.yml
+
 AllCops:
-  TargetRubyVersion: 2.5
+  TargetRubyVersion: 2.7
+  NewCops: enable
   Exclude:
-    - '_build/**/*'
-    - 'pkg/**/*'
-    - 'Gemfile'
-    - 'Puppetfile'
-    - 'Rakefile'
+    - "_build/**/*"
+    - "pkg/**/*"
+    - "Gemfile"
+    - "Puppetfile"
+    - "Rakefile"
+    - 'vendor/**/*'
 
 Bundler/OrderedGems:
   Enabled: false

.rubocop_todo.yml

@@ -0,0 +1,21 @@
+# This configuration was generated by
+# `rubocop --auto-gen-config`
+# on 2024-04-12 16:14:26 +0530 using RuboCop version 0.80.1.
+# The point is for the user to remove these configuration records
+# one by one as the offenses are removed from the code base.
+# Note that changes in the inspected code, or installation of new
+# versions of RuboCop, may require this file to be generated again.
+
+# Offense count: 1
+# Cop supports --auto-correct.
+Lint/RedundantCopDisableDirective:
+  Exclude:
+    - 'hooks/boot/05-environment.rb'
+
+# Offense count: 1
+# Cop supports --auto-correct.
+# Configuration parameters: EnforcedStyle.
+# SupportedStyles: both, prefix, postfix
+Style/NegatedIf:
+  Exclude:
+    - 'hooks/pre_validations/01-reset_data.rb'

Gemfile

@@ -12,13 +12,17 @@ gem 'facter', '>= 3.0', '!= 4.0.52'
 gem 'puppet-strings'
 gem 'rake'
 
+gem 'racc' if RUBY_VERSION >= '3.3'
+
+gem 'semverse', groups: [:development, :test]
+
 group :test do
   gem 'rspec'
+  gem 'rspec_junit_formatter'
   gem 'rubocop', '~> 0.80.0'
 end
 
 group :development do
   # Dependencies for rake pin_modules
   gem 'puppet_forge'
-  gem 'semverse'
 end

Puppetfile

@@ -1,11 +1,10 @@
 forge 'https://forgeapi.puppet.com/'
 
 # HTTP/2 and SSL support for settings in Hiera
-# Our modules aren't yet compatible with 12 and the builds fail
-mod 'puppetlabs/apache',               '>= 8.3', '< 12'
+mod 'puppetlabs/apache',               '>= 8.3'
 
-# Ensure Debian 11 support
-mod 'puppetlabs/postgresql',           '>= 7.4.0'
+# SCRAM password support
+mod 'puppetlabs/postgresql',           '>= 10.1'
 
 # Dnfmodule support for Redis 6+ support
 mod 'puppet/redis',                    '>= 8.5.0'
@@ -23,7 +22,6 @@ mod 'theforeman/tftp',                 :git => 'https://github.com/theforeman/pu
 # Katello dependencies
 mod 'katello/candlepin',               :git => 'https://github.com/theforeman/puppet-candlepin'
 mod 'theforeman/pulpcore',             :git => 'https://github.com/theforeman/puppet-pulpcore'
-mod 'katello/qpid',                    :git => 'https://github.com/theforeman/puppet-qpid'
 
 # Top-level modules
 mod 'theforeman/foreman',              :git => 'https://github.com/theforeman/puppet-foreman'

Rakefile

@@ -15,56 +15,6 @@ rescue LoadError
   puts 'Rubocop not loaded'
 end
 
-begin
-  require 'puppet_forge'
-  require 'semverse'
-
-  class FakePuppetfile
-    def initialize
-      @new_content = []
-    end
-
-    def forge(url)
-      @new_content << ['forge', url, nil]
-      PuppetForge.host = url
-    end
-
-    def mod(name, options = nil)
-      if options.is_a?(Hash) && !options.include?(:ref)
-        release = PuppetForge::Module.find(name.tr('/', '-')).current_release
-        @new_content << ['mod', name, "~> #{release.version}"]
-      else
-        @new_content << ['mod', name, options]
-      end
-    end
-
-    def content
-      max_length = @new_content.select { |type, _value| type == 'mod' }.map { |_type, value| value.length }.max
-
-      @new_content.each do |type, value, options|
-        if type == 'forge'
-          yield "forge '#{value}'"
-          yield ""
-        elsif type == 'mod'
-          if options.nil?
-            yield "mod '#{value}'"
-          elsif options.is_a?(String)
-            padding = ' ' * (max_length - value.length)
-            yield "mod '#{value}', #{padding}'#{options}'"
-          else
-            padding = ' ' * (max_length - value.length)
-            yield "mod '#{value}', #{padding}#{options.map { |k, v| ":#{k} => '#{v}'" }.join(', ')}"
-          end
-        end
-      end
-    end
-  end
-
-  pin_task = true
-rescue LoadError
-  pin_task = false
-end
-
 BUILD_KATELLO = !ENV.key?('EXCLUDE_KATELLO')
 
 BUILDDIR = File.expand_path(ENV['BUILDDIR'] || '_build')
@@ -339,6 +289,14 @@ CLEAN.include [
   PKGDIR,
 ]
 
+task :installation_tests do
+  sh "bundle exec #{PREFIX}/sbin/foreman-installer --help --scenario foreman --trace"
+  sh "bundle exec #{PREFIX}/sbin/foreman-installer --help --scenario foreman-proxy-content --trace"
+  sh "bundle exec #{PREFIX}/sbin/foreman-installer --help --scenario katello --trace"
+  sh "bundle exec #{PREFIX}/sbin/foreman-proxy-certs-generate --help --trace"
+  sh "bundle exec #{PREFIX}/sbin/foreman-proxy-certs-generate --help | grep -q certs-update-server"
+end
+
 namespace :pkg do
   desc 'Generate package source tar.bz2'
   task :generate_source => [PKGDIR, "#{BUILDDIR}/modules"] do
@@ -355,7 +313,11 @@ namespace :pkg do
   end
 end
 
-if pin_task
+begin
+  require_relative 'util/fake_puppet_file'
+rescue LoadError
+  # Some dependency missing
+else
   desc 'Pin all the modules in Puppetfile to released versions instead of git branches'
   task :pin_modules do
     filename = 'Puppetfile'

VERSION

@@ -1 +1 @@
-3.10.0-develop
+3.12.0-develop

bin/create-migration

@@ -8,7 +8,7 @@ end
 
 migration_name = ARGV[0]
 directories = ARGV[1..-1]
-content = (STDIN.tty? || STDIN.closed?) ? nil : STDIN.read
+content = ($stdin.tty? || $stdin.closed?) ? nil : $stdin.read
 
 directories.each do |directory|
   unless File.directory?(directory)

bin/foreman-proxy-certs-generate

@@ -15,11 +15,7 @@ Kafo::KafoConfigure.hooking.register_pre(:init) do
     data = YAML.load_file(LAST_SCENARIO_PATH)
     if data && data[:answer_file] && File.file?(data[:answer_file])
       scenario = YAML.load_file(data[:answer_file])
-      organization = begin
-                       scenario['foreman']['initial_organization']
-                     rescue StandardError
-                       nil
-                     end
+      organization = scenario&.dig('foreman', 'initial_organization')
     end
   end
 

bin/katello-certs-check

@@ -164,7 +164,7 @@ function check-ca-bundle () {
         error 4 "The $CA_BUNDLE_FILE does not verify the $CERT_FILE"
         echo -e "${CHECK/OK/}\n"
     else
-       success
+        success
     fi
 }
 
@@ -173,12 +173,24 @@ function check-ca-bundle-size () {
     CHECK=$(grep -c "^--*BEGIN" $CA_BUNDLE_FILE)
     printf $CHECK
     if [[ $CHECK -lt $CABUNDLE_MAX_ISSUERS ]]; then
-		success
+        success
+    else
+        CERRTISSUER=$(openssl x509 -noout -in $CERT_FILE -issuer 2>&1)
+        error 10 "The CA bundle counts $CHECK issuers. Please trim your CA bundle and include only the certs relevant to your cert file"
+        echo $CERTISSUER
+        echo
+    fi
+}
+
+function check-ca-bundle-trust-rules () {
+    printf "Checking if CA bundle has trust rules: "
+    CHECK=$(grep 'BEGIN TRUSTED CERTIFICATE'  $CA_BUNDLE_FILE| wc -l)
+    printf $CHECK
+    if [[ $CHECK -lt 1 ]]; then
+        success
     else
-		CERTISSUER=$(openssl x509 -noout -in $CERT_FILE -issuer 2>&1)
-		error 10 "The CA bundle counts $CHECK issuers. Please trim your CA bundle and include only the certs relevant to your cert file"
-		echo $CERTISSUER
-		echo
+        error 10 "The CA bundle contains $CHECK certificate(s) with trust rules. This may create problems for older systems to trust the bundle. Please, recreate the bundle using certificates without trust rules"
+        echo
     fi
 }
 
@@ -251,6 +263,7 @@ check-passphrase
 check-priv-key
 check-ca-bundle
 check-ca-bundle-size
+check-ca-bundle-trust-rules
 check-cert-san
 check-cert-usage-key-encipherment
 check-shortname