Merge branch 'master' into test_yabeda

ngetahun · web-flow · commit 5454e26ec848 · 2024-11-07T11:16:41.000+01:00
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -30,8 +30,8 @@ GEM
       minitest (>= 5.1)
       tzinfo (~> 2.0)
       zeitwerk (~> 2.3)
-    addressable (2.8.6)
-      public_suffix (>= 2.0.2, < 6.0)
+    addressable (2.8.7)
+      public_suffix (>= 2.0.2, < 7.0)
     anyway_config (2.6.4)
       ruby-next-core (~> 1.0)
     ast (2.4.2)
@@ -138,13 +138,13 @@ GEM
       guard (~> 2.1)
       guard-compat (~> 1.1)
       rspec (>= 2.99.0, < 4.0)
-    hashdiff (1.1.0)
+    hashdiff (1.1.1)
     hpricot (0.8.6)
     i18n (1.14.5)
       concurrent-ruby (~> 1.0)
     json (2.3.1)
     jsonapi-renderer (0.2.2)
-    jwt (2.9.0)
+    jwt (2.9.3)
       base64
     listen (3.6.0)
       rb-fsevent (~> 0.10, >= 0.10.3)
@@ -213,8 +213,7 @@ GEM
     responders (3.1.1)
       actionpack (>= 5.2)
       railties (>= 5.2)
-    rexml (3.3.6)
-      strscan
+    rexml (3.3.9)
     ronn (0.7.3)
       hpricot (>= 0.8.2)
       mustache (>= 0.7.0)
@@ -301,7 +300,6 @@ GEM
     sqlite3 (1.4.4)
     strong_migrations (0.7.9)
       activerecord (>= 5)
-    strscan (3.1.0)
     sync (0.5.0)
     term-ansicolor (1.7.1)
       tins (~> 1.0)
@@ -322,7 +320,7 @@ GEM
       activesupport (>= 3)
       railties (>= 3)
       yard (~> 0.9.20)
-    webmock (3.23.1)
+    webmock (3.24.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
       hashdiff (>= 0.4.0, < 2.0.0)
diff --git a/db/migrate/20240821114908_change_local_path_type.rb b/db/migrate/20240821114908_change_local_path_type.rb
@@ -0,0 +1,13 @@
+class ChangeLocalPathType < ActiveRecord::Migration[6.1]
+  def up
+    safety_assured do
+      change_column :repositories, :local_path, :string, limit: 512
+      change_column :downloaded_files, :local_path, :string, limit: 512
+    end
+  end
+
+  def down
+    change_column :repositories, :local_path, :string
+    change_column :downloaded_files, :local_path, :string
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2024_07_29_103525) do
+ActiveRecord::Schema.define(version: 2024_08_21_114908) do
 
   create_table "activations", charset: "utf8", force: :cascade do |t|
     t.bigint "service_id", null: false
@@ -34,7 +34,7 @@
   create_table "downloaded_files", charset: "utf8", force: :cascade do |t|
     t.string "checksum_type"
     t.string "checksum"
-    t.string "local_path"
+    t.string "local_path", limit: 512
     t.bigint "file_size", unsigned: true
     t.index ["checksum_type", "checksum"], name: "index_downloaded_files_on_checksum_type_and_checksum"
     t.index ["local_path"], name: "index_downloaded_files_on_local_path", unique: true
@@ -104,7 +104,7 @@
     t.string "auth_token"
     t.boolean "installer_updates", default: false, null: false
     t.boolean "mirroring_enabled", default: false, null: false
-    t.string "local_path", null: false
+    t.string "local_path", limit: 512, null: false
     t.datetime "last_mirrored_at"
     t.string "friendly_id"
     t.index ["external_url"], name: "index_repositories_on_external_url", unique: true
diff --git a/engines/registry/app/models/access_scope.rb b/engines/registry/app/models/access_scope.rb
@@ -94,8 +94,8 @@ def allowed_paths(system = nil)
         }
         allowed_non_free_product_classes.each do |non_free_prod_class|
           activation_state = SccProxy.scc_check_subscription_expiration(
-            auth_header, system.login, system.system_token, Rails.logger, system.proxy_byos_mode, non_free_prod_class
-            )
+            auth_header, system, non_free_prod_class
+          )
           unless activation_state[:is_active]
             Rails.logger.info(
               "Access to #{non_free_prod_class} from system #{system.login} denied: #{activation_state[:message]}"
diff --git a/engines/registry/spec/app/models/access_scope_spec.rb b/engines/registry/spec/app/models/access_scope_spec.rb
@@ -215,22 +215,15 @@
             allow(SccProxy).to receive(:scc_check_subscription_expiration)
               .with(
                 header_expected,
-                system.login,
-                system.system_token,
-                Rails.logger,
-                system.proxy_byos_mode,
+                system,
                 'SLES15-SP4-LTSS-X86'
             ).and_return(scc_response)
           end
 
-          # rubocop:disable RSpec/ExampleLength
           it 'returns no actions allowed' do
             expect(SccProxy).to receive(:scc_check_subscription_expiration).with(
               header_expected,
-              system.login,
-              system.system_token,
-              Rails.logger,
-              system.proxy_byos_mode,
+              system,
               'SLES15-SP4-LTSS-X86'
             )
             yaml_string = access_policy_content
@@ -250,7 +243,6 @@
               }
             )
           end
-          # rubocop:enable RSpec/ExampleLength
         end
       end
 
diff --git a/engines/registry/spec/requests/api/connect/v3/systems/activations_controller_spec.rb b/engines/registry/spec/requests/api/connect/v3/systems/activations_controller_spec.rb
@@ -3,7 +3,7 @@
   include_context 'version header', 3
 
   describe '#activations' do
-    let(:system) { FactoryBot.create(:system, :with_activated_product) }
+    let(:system) { FactoryBot.create(:system, :payg, :with_activated_product) }
     let(:headers) { auth_header.merge(version_header) }
 
     context 'without valid repository cache' do
@@ -57,5 +57,68 @@
         expect(data[0]['service']['url']).to match(%r{^plugin:/susecloud})
       end
     end
+
+    context 'system is hybrid' do
+      let(:system) { FactoryBot.create(:system, :hybrid, :with_activated_product) }
+      let(:plugin_double) { instance_double('InstanceVerification::Providers::Example') }
+      let(:cache_name) { "repo/cache/127.0.0.1-#{system.login}-#{system.products.first.id}" }
+      let(:scc_systems_activations_url) { 'https://scc.suse.com/connect/systems/activations' }
+      let(:body_active) do
+        {
+          id: 1,
+          regcode: '631dc51f',
+          name: 'Subscription 1',
+          type: 'FULL',
+          status: 'ACTIVE',
+          starts_at: 'null',
+          expires_at: '2014-03-14T13:10:21.164Z',
+          system_limit: 6,
+          systems_count: 1,
+          service: {
+            product: {
+              id: system.activations.first.product.id
+            }
+          }
+        }
+      end
+
+      before do
+        allow(InstanceVerification::Providers::Example).to receive(:new).and_return(plugin_double)
+
+        allow(plugin_double).to(
+          receive(:instance_valid?).and_return(true)
+        )
+        allow(File).to receive(:join).and_call_original
+        allow(InstanceVerification).to receive(:update_cache)
+        allow(ZypperAuth).to receive(:verify_instance).and_call_original
+        stub_request(:get, scc_systems_activations_url).to_return(status: 200, body: [body_active].to_json, headers: {})
+        headers['X-Instance-Data'] = 'IMDS'
+      end
+
+      context 'no registry' do
+        it 'refreshes registry cache key only' do
+          FileUtils.mkdir_p('repo/cache')
+          expect(InstanceVerification).to receive(:update_cache).with('127.0.0.1', system.login, system.activations.first.product.id)
+          get '/connect/systems/activations', headers: headers
+          FileUtils.rm_rf('repo/cache')
+          data = JSON.parse(response.body)
+          expect(SccProxy).not_to receive(:product_path_access)
+          expect(data[0]['service']['url']).to match(%r{^plugin:/susecloud})
+        end
+      end
+
+      context 'registry' do
+        it 'refreshes registry cache key only' do
+          FileUtils.mkdir_p('repo/cache')
+          FileUtils.touch(cache_name)
+          expect(InstanceVerification).to receive(:update_cache).with('127.0.0.1', system.login, nil, registry: true)
+          get '/connect/systems/activations', headers: headers
+          FileUtils.rm_rf('repo/cache')
+          data = JSON.parse(response.body)
+          expect(SccProxy).not_to receive(:product_path_access)
+          expect(data[0]['service']['url']).to match(%r{^plugin:/susecloud})
+        end
+      end
+    end
   end
 end
diff --git a/engines/scc_proxy/lib/scc_proxy/engine.rb b/engines/scc_proxy/lib/scc_proxy/engine.rb
@@ -201,14 +201,19 @@ def parse_error(error_message, token = nil, email = nil)
       error_message
     end
 
-    def get_scc_activations(headers, system_token, mode)
+    def get_scc_activations(headers, system)
       auth = headers['HTTP_AUTHORIZATION'] if headers && headers.include?('HTTP_AUTHORIZATION')
       uri = URI.parse(SYSTEMS_ACTIVATIONS_URL)
       http = Net::HTTP.new(uri.host, uri.port)
       http.use_ssl = true
-      uri.query = URI.encode_www_form({ byos_mode: mode })
-      scc_request = Net::HTTP::Get.new(uri.path, headers(auth, system_token))
-      http.request(scc_request)
+      uri.query = URI.encode_www_form({ byos_mode: system.proxy_byos_mode })
+      scc_request = Net::HTTP::Get.new(uri.path, headers(auth, system.system_token))
+      response = http.request(scc_request)
+      unless response.code_type == Net::HTTPOK
+        Rails.logger.info "Could not get the system (#{system.login}) activations, error: #{response.message} #{response.code}"
+        raise ActionController::TranslatedError.new(response.body)
+      end
+      JSON.parse(response.body)
     end
 
     def product_path_access(x_original_uri, products_ids)
@@ -236,11 +241,17 @@ def product_class_access(scc_systems_activations, product)
       end
     end
 
+    # rubocop:disable Metrics/PerceivedComplexity
     def activations_fail_state(scc_systems_activations, headers, product = nil)
       return SccProxy.product_class_access(scc_systems_activations, product) unless product.nil?
 
       active_products_ids = scc_systems_activations.map { |act| act['service']['product']['id'] if act['status'].casecmp('active').zero? }.flatten
       x_original_uri = headers.fetch('X-Original-URI', '')
+      # if there is no product info to compare the activations with
+      # probably means the query is to refresh credentials
+      # in any case, verification is true if ALL activations are ACTIVE
+      return { is_active: (scc_systems_activations.length == active_products_ids.length) } if x_original_uri.empty?
+
       if SccProxy.product_path_access(x_original_uri, active_products_ids)
         { is_active: true }
       else
@@ -265,15 +276,10 @@ def activations_fail_state(scc_systems_activations, headers, product = nil)
         end
       end
     end
+    # rubocop:enable Metrics/PerceivedComplexity
 
-    def scc_check_subscription_expiration(headers, login, system_token, logger, mode, product = nil) # rubocop:disable Metrics/ParameterLists
-      response = SccProxy.get_scc_activations(headers, system_token, mode)
-      unless response.code_type == Net::HTTPOK
-        logger.info "Could not get the system (#{login}) activations, error: #{response.message} #{response.code}"
-        response.message = SccProxy.parse_error(response.message) if response.message.include? 'json'
-        return { is_active: false, message: response.message }
-      end
-      scc_systems_activations = JSON.parse(response.body)
+    def scc_check_subscription_expiration(headers, system, product = nil)
+      scc_systems_activations = SccProxy.get_scc_activations(headers, system)
       return { is_active: false, message: 'No activations.' } if scc_systems_activations.empty?
 
       no_status_products_ids = scc_systems_activations.map do |act|
@@ -282,6 +288,8 @@ def scc_check_subscription_expiration(headers, login, system_token, logger, mode
       return { is_active: true } unless no_status_products_ids.all?(&:nil?)
 
       SccProxy.activations_fail_state(scc_systems_activations, headers, product)
+    rescue StandardError
+      { is_active: false, message: 'Could not check the activations from SCC' }
     end
 
     def scc_upgrade(auth, product, system_login, mode, logger)
@@ -299,7 +307,6 @@ def scc_upgrade(auth, product, system_login, mode, logger)
     end
   end
 
-  # rubocop:disable Metrics/ClassLength
   class Engine < ::Rails::Engine
     isolate_namespace SccProxy
     config.generators.api_only = true
@@ -440,26 +447,17 @@ def scc_deactivate_product
           elsif @system.hybrid? && @product.extension?
             # check if product is on SCC and
             # if it is -> de-activate it
-            scc_systems_activations = find_hybrid_activations_on_scc(request.headers)
-            if scc_systems_activations.map { |act| act['service']['product']['id'] == @product.id }.present?
+            scc_hybrid_system_activations = SccProxy.get_scc_activations(headers, @system)
+            if scc_hybrid_system_activations.map { |act| act['service']['product']['id'] == @product.id }.present?
               # if product is found on SCC, regardless of the state
               # it is OK to remove it from SCC
               SccProxy.deactivate_product_scc(auth, @product, @system.system_token, logger)
-              make_system_payg(auth) if scc_systems_activations.reject { |act| act['service']['product']['id'] == @product.id }.blank?
+              make_system_payg(auth) if scc_hybrid_system_activations.reject { |act| act['service']['product']['id'] == @product.id }.blank?
             end
           end
           logger.info "Product '#{@product.friendly_name}' successfully deactivated from SCC"
         end
 
-        def find_hybrid_activations_on_scc(headers)
-          response = SccProxy.get_scc_activations(headers, @system.system_token, @system.proxy_byos_mode)
-          unless response.code_type == Net::HTTPOK
-            logger.info "Could not get the system (#{@system.login}) activations, error: #{response.message} #{response.code}"
-            raise ActionController::TranslatedError.new(response.body)
-          end
-          JSON.parse(response.body)
-        end
-
         def make_system_payg(auth)
           # if the system does not have more products activated on SCC
           # switch it back to payg
@@ -542,6 +540,5 @@ def get_system(systems)
       end
     end
   end
-  # rubocop:enable Metrics/ClassLength
 end
 # rubocop:enable Metrics/ModuleLength
diff --git a/engines/zypper_auth/lib/zypper_auth/engine.rb b/engines/zypper_auth/lib/zypper_auth/engine.rb
@@ -6,7 +6,7 @@ def auth_logger
       Thread.current[:logger]
     end
 
-    def verify_instance(request, logger, system)
+    def verify_instance(request, logger, system, params_product_id = nil)
       return false unless request.headers['X-Instance-Data']
 
       instance_data = Base64.decode64(request.headers['X-Instance-Data'].to_s)
@@ -31,12 +31,13 @@ def verify_instance(request, logger, system)
       )
 
       is_valid = verification_provider.instance_valid?
-      return false if is_valid && system.hybrid? && !handle_scc_subscription(request, system, verification_provider, logger)
+      return false if is_valid && system.hybrid? && !handle_scc_subscription(request, system, verification_provider, params_product_id)
+
       # update repository and registry cache
       InstanceVerification.update_cache(request.remote_ip, system.login, base_product.id)
       is_valid
     rescue InstanceVerification::Exception => e
-      return handle_scc_subscription(request, system, verification_provider, logger) if system.byos?
+      return handle_scc_subscription(request, system, verification_provider) if system.byos?
 
       ZypperAuth.zypper_auth_message(request, system, verification_provider, e.message)
       false
@@ -49,8 +50,9 @@ def verify_instance(request, logger, system)
       false
     end
 
-    def handle_scc_subscription(request, system, verification_provider, logger)
-      result = SccProxy.scc_check_subscription_expiration(request.headers, system.login, system.system_token, logger, system.proxy_byos_mode)
+    def handle_scc_subscription(request, system, verification_provider, params_product_id = nil)
+      product_class = Product.find_by(id: params_product_id).product_class if params_product_id.present?
+      result = SccProxy.scc_check_subscription_expiration(request.headers, system, product_class)
       return true if result[:is_active]
 
       ZypperAuth.zypper_auth_message(request, system, verification_provider, result[:message])
@@ -128,7 +130,7 @@ def make_repo_url(base_url, repo_local_path, service_name = nil)
         # additional validation for zypper service XML controller
         before_action :verify_instance
         def verify_instance
-          unless ZypperAuth.verify_instance(request, logger, @system)
+          unless ZypperAuth.verify_instance(request, logger, @system, params.fetch('id', nil))
             render(xml: { error: 'Instance verification failed' }, status: 403)
           end
         end
diff --git a/engines/zypper_auth/spec/requests/strict_authentication/authentication_controller_spec.rb b/engines/zypper_auth/spec/requests/strict_authentication/authentication_controller_spec.rb
diff --git a/package/obs/rmt-server.changes b/package/obs/rmt-server.changes
