Merge branch 'master' into dev_support_sqlite

Gemfile

@@ -10,14 +10,14 @@ gem 'mysql2', '~> 0.5.3'
 gem 'sqlite3'
 
 gem 'nokogiri', '< 1.13' # Locked because of Ruby >= 2.6 dependency
-gem 'thor'
+gem 'thor', '<= 1.2.2' # Locked because of Ruby >= 2.6 dependency
 gem 'activesupport', '~> 6.1.7'
 gem 'actionpack', '~> 6.1.7'
 gem 'actionview', '~> 6.1.7'
 gem 'activemodel', '~> 6.1.7'
 gem 'activerecord', '~> 6.1.7'
 gem 'railties', '~> 6.1.7'
-gem 'repomd_parser', '~> 0.1.4'
+gem 'repomd_parser', '~> 0.1.6'
 
 # Build JSON APIs with ease. Read more: https://github.com/rails/jbuilder
 # gem 'jbuilder', '~> 2.5'
@@ -61,7 +61,7 @@ group :test do
   gem 'rspec-command', '1.0.3'
   gem 'rspec-rails', '~> 5.0'
   gem 'factory_bot_rails', '~> 6.2.0'
-  gem 'ffaker'
+  gem 'ffaker', '<= 2.21.0' # Locked because of Ruby >= 3.0 dependency
   gem 'rspec-its'
   gem 'fakefs', '~> 1.4', require: 'fakefs/safe'
   gem 'shoulda-matchers'
@@ -77,7 +77,7 @@ end
 gem 'simplecov', require: false, group: :test
 
 gem 'versionist'
-gem 'responders'
+gem 'responders', '~> 3.1.1'
 gem 'typhoeus'
 gem 'active_model_serializers'
 

Gemfile.lock

@@ -14,9 +14,9 @@ GEM
       erubi (~> 1.4)
       rails-dom-testing (~> 2.0)
       rails-html-sanitizer (~> 1.1, >= 1.2.0)
-    active_model_serializers (0.10.13)
-      actionpack (>= 4.1, < 7.1)
-      activemodel (>= 4.1, < 7.1)
+    active_model_serializers (0.10.14)
+      actionpack (>= 4.1)
+      activemodel (>= 4.1)
       case_transform (>= 0.2)
       jsonapi-renderer (>= 0.1.1.beta1, < 0.3)
     activemodel (6.1.7.6)
@@ -90,7 +90,7 @@ GEM
       dry-initializer (~> 3.0)
       dry-schema (~> 1.5, >= 1.5.2)
     erubi (1.12.0)
-    ethon (0.15.0)
+    ethon (0.16.0)
       ffi (>= 1.15.0)
     factory_bot (6.2.0)
       activesupport (>= 5.0.0)
@@ -100,7 +100,7 @@ GEM
     fakefs (1.8.0)
     fast_gettext (2.3.0)
     ffaker (2.21.0)
-    ffi (1.15.5)
+    ffi (1.16.3)
     formatador (0.2.5)
     forwardable (1.3.3)
     fuubar (2.5.1)
@@ -140,7 +140,7 @@ GEM
       rb-fsevent (~> 0.10, >= 0.10.3)
       rb-inotify (~> 0.9, >= 0.9.10)
     locale (2.1.3)
-    loofah (2.21.3)
+    loofah (2.21.4)
       crass (~> 1.0.2)
       nokogiri (>= 1.12.0)
     lumberjack (1.2.8)
@@ -152,7 +152,7 @@ GEM
     mustache (1.1.1)
     mysql2 (0.5.5)
     nenv (0.3.0)
-    nio4r (2.5.9)
+    nio4r (2.7.0)
     nokogiri (1.12.5)
       mini_portile2 (~> 2.6.1)
       racc (~> 1.4)
@@ -169,7 +169,7 @@ GEM
       coderay (~> 1.1)
       method_source (~> 1.0)
     public_suffix (4.0.7)
-    puma (5.6.7)
+    puma (5.6.8)
       nio4r (~> 2.0)
     racc (1.7.1)
     rack (2.2.8)
@@ -194,9 +194,10 @@ GEM
       ffi (~> 1.0)
     rdiscount (2.2.0.2)
     regexp_parser (2.6.0)
-    repomd_parser (0.1.5)
+    repomd_parser (0.1.6)
       nokogiri (~> 1.8)
-    responders (3.1.0)
+      zstd-ruby (~> 1.3, >= 1.3.5.0)
+    responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
     rexml (3.2.6)
@@ -295,7 +296,7 @@ GEM
     timecop (0.9.8)
     tins (1.26.0)
       sync
-    typhoeus (1.4.0)
+    typhoeus (1.4.1)
       ethon (>= 0.9.0)
     tzinfo (2.0.6)
       concurrent-ruby (~> 1.0)
@@ -310,7 +311,8 @@ GEM
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
     yard (0.9.25)
-    zeitwerk (2.6.11)
+    zeitwerk (2.6.12)
+    zstd-ruby (1.5.5.0)
 
 PLATFORMS
   ruby
@@ -329,7 +331,7 @@ DEPENDENCIES
   factory_bot_rails (~> 6.2.0)
   fakefs (~> 1.4)
   fast_gettext (~> 2.2)
-  ffaker
+  ffaker (<= 2.21.0)
   fuubar
   gettext
   gettext_i18n_rails
@@ -344,8 +346,8 @@ DEPENDENCIES
   public_suffix (< 5)
   puma (~> 5.6.2)
   railties (~> 6.1.7)
-  repomd_parser (~> 0.1.4)
-  responders
+  repomd_parser (~> 0.1.6)
+  responders (~> 3.1.1)
   ronn
   rspec-command (= 1.0.3)
   rspec-its
@@ -362,7 +364,7 @@ DEPENDENCIES
   sqlite3
   strong_migrations
   terminal-table (~> 3.0)
-  thor
+  thor (<= 1.2.2)
   timecop
   typhoeus
   vcr (~> 6.0)

Makefile

@@ -53,7 +53,6 @@ dist: clean man
 
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.yml
 	@rm -rf $(NAME)-$(VERSION)/config/rmt.local.yml
-	@rm -rf $(NAME)-$(VERSION)/config/secrets.yml.*
 	@rm -rf $(NAME)-$(VERSION)/config/system_uuid
 
 	# don't package test tasks (fails to load because of rspec dependency)

app/controllers/services_controller.rb

@@ -30,9 +30,15 @@ def show
 
     builder = Builder::XmlMarkup.new
     service_xml = builder.repoindex(ttl: ZYPPER_SERVICE_TTL) do
+      # NOTE: We only care to add the ?credentials parameter to the repository URL if
+      # we are *NOT* dealing with plain RMT but the authentication engine of Public Cloud.
+      # The engine requires to supply the service name to function properly, since repositories
+      # are authenticated in this case.
+      service_name = defined?(StrictAuthentication::Engine) ? service.name : nil
+
       repos.each do |repo|
         attributes = {
-          url: make_repo_url(request.base_url, repo.local_path, service.name),
+          url: make_repo_url(request.base_url, repo.local_path, service_name),
           alias: repo.name,
           name: repo.name,
           autorefresh: repo.autorefresh,

config/application.rb

@@ -72,5 +72,16 @@ class Application < Rails::Application
       g.test_framework :rspec
     end
 
+    # Rails initialization process requires a secret key base present in either:
+    # - SECRET_KEY_BASE env
+    # - credentials.secret_key_base
+    # - secrets.secret_key_base
+    #
+    # Else the boot process will be halted. RMT does not use any of those
+    # facilities. Hardcoding it here keeps rails happy and allows the boot
+    # process to continue.
+    config.require_master_key = false
+    config.read_encrypted_secrets = false
+    config.secret_key_base = 'rmt-does-not-use-this'
   end
 end

config/environments/production.rb

@@ -15,11 +15,6 @@
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
-  # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"]
-  # or in config/master.key. This key is used to decrypt credentials (and other encrypted files).
-  # config.require_master_key = true
-  config.read_encrypted_secrets = true
-
   # Disable serving static files from the `/public` folder by default since
   # Apache or NGINX already handles this.
   config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present?

db/migrate/20240129140413_remove_obsolete_res7_repositories.rb

@@ -0,0 +1,14 @@
+class RemoveObsoleteRes7Repositories < ActiveRecord::Migration[6.1]
+  def change
+    # RES7 was historically a product managed by Novell. With the upcoming
+    # SUSE Liberty 7, RES7 was moved into IBS (SUSE build service).
+    # This resulted in repositories being renamed.
+    # This migration removes the now obsolete repositories, since RMT does
+    # not remove these automatically.
+
+    # Affected repositories are:
+    # - 1963: https://updates.suse.com/repo/$RCE/RES7/src/
+    # - 1736: https://updates.suse.com/repo/$RCE/RES7/x86_64/
+    Repository.where(scc_id: [1963, 1736]).destroy_all
+  end
+end

lib/rmt/misc.rb

@@ -4,6 +4,9 @@ module RMT
   module Misc
     def self.make_repo_url(base_url, local_path, service_name = nil)
       uri = URI.join(base_url, File.join(RMT::DEFAULT_MIRROR_URL_PREFIX, local_path))
+      # NOTE: Make sure to only add the credentials where necessary (Pubcloud? or SMT?)
+      # In all other cases do not add them, since this will break other repository
+      # managers such as yum!
       uri.query = "credentials=#{service_name}" if service_name
       uri.to_s
     end

package/files/update_rmt_app_dir_permissions.sh

@@ -20,13 +20,6 @@ fi
 # Change secrets encrypted and key files to nginx readable
 secret_key_files=('config/secrets.yml.key' 'config/secrets.yml.enc')
 
-for secretFile in $secret_key_files; do
-  file_path="$app_dir/$secretFile"
-  if [[ -e $file_path ]]; then
-    if [[ "$(stat -c "%U %G" $file_path)" == "root root" ]]; then
-      chmod 0640 $file_path
-      chown -h root:nginx $file_path
-    fi
-  fi
-
+for secretFile in ${secret_key_files[@]}; do
+  rm -f "$app_dir/$secretFile"
 done

package/obs/rmt-server.changes

@@ -1,11 +1,15 @@
 -------------------------------------------------------------------
-Wed Oct 04 13:23:00 UTC 2023 - Felix Schnizlein <[email protected]>
+Thu Jan 25 17:40:00 UTC 2024 - Felix Schnizlein <[email protected]>
 
 - Version 2.15:
   * Moving system hardware information to systems database table to
     allow transmitting system information dynamically. (jsc#PED-3734)
-  * Fix secrets access for server user (bsc#1215176)
+  * Dropping Rails Secrets facilities and related config files (bsc#1215176)
   * rmt-client-setup-res script: fix for CentOS8 clients (bsc#1214709)
+  * Updated supportconfig script (bsc#1216389)
+  * Support zstd compression for repository metadata (bsc#1218775)
+  * Do not add credential handling to normal repository URLs (#1219153)
+
 -------------------------------------------------------------------
 Thu Jun 06 15:44:00 UTC 2023 - Luís Caparroz <[email protected]>
 

package/obs/rmt-server.spec

@@ -322,11 +322,6 @@ getent passwd %{rmt_user} >/dev/null || \
 %post
 %service_add_post rmt-server.target rmt-server.service rmt-server-migration.service rmt-server-mirror.service rmt-server-sync.service rmt-server-systems-scc-sync.service
 
-# Rails by default creates `secrets.yml.key` with `0600` file mode, see here
-# https://github.com/rails/rails/blob/6-0-stable/railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_encryption_key >/dev/null RAILS_ENV=production && \
-cd %{_datadir}/rmt && runuser -u root -g %{rmt_group} -- bin/rails rmt:secrets:create_secret_key_base >/dev/null RAILS_ENV=production && \
-
 # Run only on install
 if [ $1 -eq 1 ]; then
   echo "Please run the YaST RMT module (or 'yast2 rmt' from the command line) to complete the configuration of your RMT" >> /dev/stdout

spec/requests/services_controller_spec.rb

@@ -31,7 +31,7 @@
 
       let(:model_urls) do
         service.repositories.reject(&:installer_updates).map do |repo|
-          RMT::Misc.make_repo_url('http://www.example.com', repo.local_path, service.name)
+          RMT::Misc.make_repo_url('http://www.example.com', repo.local_path)
         end
       end