Merge branch 'master' into mysql_ssl_connection

Gemfile.lock

@@ -152,7 +152,7 @@ GEM
     mustache (1.1.1)
     mysql2 (0.5.5)
     nenv (0.3.0)
-    nio4r (2.5.9)
+    nio4r (2.7.0)
     nokogiri (1.12.5)
       mini_portile2 (~> 2.6.1)
       racc (~> 1.4)
@@ -169,7 +169,7 @@ GEM
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.7)
-    puma (5.6.7)
+    puma (5.6.8)
       nio4r (~> 2.0)
     racc (1.7.1)
     rack (2.2.8)

Makefile

@@ -53,7 +53,6 @@ dist: clean man
 
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.yml
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.local.yml
-	@rm -rf $(NAME)-$(VERSION)/config/secrets.yml.*
 	@rm -rf $(NAME)-$(VERSION)/config/system_uuid
 
 	# don't package test tasks (fails to load because of rspec dependency)

app/services/repository_service.rb

@@ -37,6 +37,19 @@ def create_repository!(product, url, attributes, custom: false)
     repository
   end
 
+  def update_repository!(repo_data)
+    uri = URI(repo_data[:url])
+    auth_token = uri.query
+
+    Repository.find_by!(scc_id: repo_data[:id]).update!(
+      auth_token: auth_token,
+      enabled: repo_data[:enabled],
+      autorefresh: repo_data[:autorefresh],
+      external_url: "#{uri.scheme}://#{uri.host}#{uri.path}",
+      local_path: Repository.make_local_path(uri)
+    )
+  end
+
   def attach_product!(product, repository)
     RepositoriesServicesAssociation.find_or_create_by!(
       service_id: product.service.id,

config/application.rb

@@ -72,5 +72,16 @@ class Application < Rails::Application
       g.test_framework :rspec
     end
 
+    # Rails initialization process requires a secret key base present in either:
+    # - SECRET_KEY_BASE env
+    # - credentials.secret_key_base
+    # - secrets.secret_key_base
+    #
+    # Else the boot process will be halted. RMT does not use any of those
+    # facilities. Hardcoding it here keeps rails happy and allows the boot
+    # process to continue.
+    config.require_master_key = false
+    config.read_encrypted_secrets = false
+    config.secret_key_base = 'rmt-does-not-use-this'
   end
 end

config/environments/production.rb

@@ -15,11 +15,6 @@
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
-  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
-  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
-  # config.require_master_key = true
-  config.read_encrypted_secrets = true
-
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?

lib/rmt/cli/repos_custom.rb

@@ -21,7 +21,7 @@ def add(url, name)
 
     error = nil
     if Repository.find_by(external_url: url)
-      error = _('A repository by the URL %{url} already exists.') % { url: url }
+      error = _('A repository by the URL %{url} already exists (ID %{id}).') % { url: url, id: Repository.find_by(external_url: url).friendly_id }
     elsif Repository.find_by(friendly_id: options.id.to_s)
       # When given an ID by a user, don't append to it to make a unique ID.
       error = _('A repository by the ID %{id} already exists.') % { id: friendly_id }

lib/rmt/scc.rb

@@ -18,8 +18,8 @@ def sync
     @logger.info(_('Downloading data from SCC'))
     scc_api_client = SUSE::Connect::Api.new(Settings.scc.username, Settings.scc.password)
 
-    @logger.info(_('Updating products'))
     data = scc_api_client.list_products
+    @logger.info(_('Updating products'))
     data.each { |item| create_product(item) }
     data.each { |item| migration_paths(item) }
 
@@ -132,8 +132,8 @@ def credentials_set?
 
   def update_repositories(repos)
     @logger.info _('Updating repositories')
-    repos.each do |item|
-      update_auth_token_enabled_attr(item)
+    repos.each do |repo|
+      repository_service.update_repository!(repo)
     end
   end
 
@@ -191,13 +191,6 @@ def create_service(item, product)
     end
   end
 
-  def update_auth_token_enabled_attr(item)
-    uri = URI(item[:url])
-    auth_token = uri.query
-
-    Repository.find_by!(scc_id: item[:id]).update! auth_token: auth_token, enabled: item[:enabled]
-  end
-
   def migration_paths(item)
     product = get_product(item[:id])
     ProductPredecessorAssociation.where(product_id: product.id).destroy_all

lib/suse/connect/api.rb

@@ -45,18 +45,22 @@ def list_orders
       end
 
       def list_products
+        @logger.info(_('Loading product data from SCC'))
         make_paginated_request(:get, "#{connect_api}/organizations/products")
       end
 
       def list_products_unscoped
+        @logger.info(_('Loading product data from SCC'))
         make_paginated_request(:get, "#{connect_api}/organizations/products/unscoped")
       end
 
       def list_repositories
+        @logger.info(_('Loading repository data from SCC'))
         make_paginated_request(:get, "#{connect_api}/organizations/repositories")
       end
 
       def list_subscriptions
+        @logger.info(_('Loading subscription data from SCC'))
         make_paginated_request(:get, "#{connect_api}/organizations/subscriptions")
       end
 

package/files/update_rmt_app_dir_permissions.sh

@@ -20,13 +20,6 @@ fi
 # Change secrets encrypted and key files to nginx readable
 secret_key_files=('config/secrets.yml.key' 'config/secrets.yml.enc')
 
-for secretFile in $secret_key_files; do
-  file_path="$app_dir/$secretFile"
-  if [[ -e $file_path ]]; then
-    if [[ "$(stat -c "%U %G" $file_path)" == "root root" ]]; then
-      chmod 0640 $file_path
-      chown -h root:nginx $file_path
-    fi
-  fi
-
+for secretFile in ${secret_key_files[@]}; do
+  rm -f "$app_dir/$secretFile"
 done

package/obs/rmt-server.changes

@@ -4,8 +4,10 @@ Wed Oct 04 13:23:00 UTC 2023 - Felix Schnizlein <[email protected]>
 - Version 2.15:
   * Moving system hardware information to systems database table to
     allow transmitting system information dynamically. (jsc#PED-3734)
-  * Fix secrets access for server user (bsc#1215176)
+  * Dropping Rails Secrets facilities and related config files (bsc#1215176)
   * rmt-client-setup-res script: fix for CentOS8 clients (bsc#1214709)
+  * Updated supportconfig script (bsc#1216389)
+
 -------------------------------------------------------------------
 Thu Jun 06 15:44:00 UTC 2023 - Luís Caparroz <[email protected]>
 

package/obs/rmt-server.spec

@@ -322,11 +322,6 @@ getent passwd %{rmt_user} >/dev/null || \
 %post
 %service_add_post rmt-server.target rmt-server.service rmt-server-migration.service rmt-server-mirror.service rmt-server-sync.service rmt-server-systems-scc-sync.service
 
-# Rails by default creates `secrets.yml.key` with `0600` file mode, see here
-# https://github.com/rails/rails/blob/6-0-stable/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_encryption_key >/dev/null RAILS_ENV=production && \
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_secret_key_base >/dev/null RAILS_ENV=production && \
-
 # Run only on install
 if [ $1 -eq 1 ]; then
   echo "Please run the YaST RMT module (or 'yast2 rmt' from the command line) to complete the configuration of your RMT" >> /dev/stdout

spec/lib/rmt/cli/repos_custom_spec.rb

@@ -104,10 +104,10 @@
 
       it 'does not update previous repository if non-custom' do
         expect(described_class).to receive(:exit)
+        existing_repo = create :repository, external_url: external_url, name: 'foobar'
         expect do
-          create :repository, external_url: external_url, name: 'foobar'
           described_class.start(argv)
-        end.to output("\e[31mA repository by the URL #{external_url} already exists.\e[0m\nCouldn't add custom repository.\n")
+        end.to output("\e[31mA repository by the URL #{external_url} already exists (ID #{existing_repo.friendly_id}).\e[0m\nCouldn't add custom repository.\n")
                    .to_stderr
                    .and output('').to_stdout
         expect(Repository.find_by(external_url: external_url).name).to eq('foobar')
@@ -119,20 +119,21 @@
         expect do
           described_class.start(%w[add http://example.com/repo/ foo])
         end.to output("Successfully added custom repository.\n").to_stdout.and output('').to_stderr
-
+        existing_repo = Repository.find_by(external_url: 'http://example.com/repo/')
         expect do
           described_class.start(%w[add http://example.com/repo foo])
-        end.to output("\e[31mA repository by the URL http://example.com/repo/ already exists.\e[0m\nCouldn't add custom repository.\n")
+        end.to output("\e[31mA repository by the URL http://example.com/repo/ already exists (ID #{existing_repo.friendly_id})." \
+          "\e[0m\nCouldn't add custom repository.\n")
                    .to_stderr
                    .and output('').to_stdout
       end
 
       it 'does not update previous repository if custom' do
         expect(described_class).to receive(:exit)
+        existing_repo = create :repository, :custom, external_url: external_url, name: 'foobar'
         expect do
-          create :repository, :custom, external_url: external_url, name: 'foobar'
           described_class.start(argv)
-        end.to output("\e[31mA repository by the URL #{external_url} already exists.\e[0m\nCouldn't add custom repository.\n")
+        end.to output("\e[31mA repository by the URL #{external_url} already exists (ID #{existing_repo.friendly_id}).\e[0m\nCouldn't add custom repository.\n")
                    .to_stderr
                    .and output('').to_stdout
         expect(Repository.find_by(external_url: external_url).name).to eq('foobar')

spec/lib/rmt/scc_spec.rb

@@ -113,6 +113,17 @@
       include_examples 'saves in database'
     end
 
+    context 'with changed repo url in SCC' do
+      before do
+        allow(Settings).to receive(:scc).and_return OpenStruct.new(username: 'foo', password: 'bar')
+        described_class.new.sync
+        Repository.first.update(external_url: 'https://outdated.com/')
+        described_class.new.sync
+      end
+
+      include_examples 'saves in database'
+    end
+
     context 'with SLES15 product tree' do
       let(:products) { JSON.parse(file_fixture('products/sle15_tree.json').read, symbolize_names: true) }
       let(:subscriptions) { [] }
@@ -155,7 +166,8 @@
           id: 999999,
           url: 'http://example.com/extension-without-base',
           name: 'Repo of an extension without base',
-          enabled: true
+          enabled: true,
+          autorefresh: true
         }
       end
       let(:extra_product) do

support/README.md

@@ -1,7 +1,7 @@
 Supportconfig plugin development notes
 ======================================
 
-Library of useful functions is installed by supportutils at: /usr/lib/supportconfig/resources/scplugin.rc
+Library of useful functions is installed by supportutils at: /usr/lib/supportconfig/resources/supportconfig.rc
 
 plugin functions begin with 'p'.