Fixes #31049 - Introduce server CA file setting

[kamils-iRonin]

No description provided.

[theforeman-bot]

Issues: #31049

[ezr-ondrej]

Do we have installer PR for this?

[ekohl]

I'm concerned that this would break registration via Smart Proxies. Should we introduce a different macro for that?

[ares]

I think @ekohl is right about breaking the through proxy registration. However with this new setting, the macro should load certificates from both files. That way, we'd make sure the user can use whatever method if they deploy certificates provided by this macro.

The other option is to go with what is proposed here and introduce a second macro to provide the same for proxies and then pick whichever is needed in the template. However the added value of this imho doesn't outbalance the effort. I'd lean towards the existing macro providing certs from both files.

[ekohl]

Not needed here, but I also thought about introducing something like /ca-bundle.pem as a route. It would return a bundle to connect to Foreman and the Smart Proxies. This does feel like a good place to suggest it. Thoughts on it are welcome :)

[ares]

introducing something like /ca-bundle.pem

should it be served by the application or rather just apache from /public? Anyway that's not in scope for this PR. Next steps I think are

1. do we need an installer change for this and if so, is there already some PR for that?
2. the foreman_server_ca_cert should load content from both settings now, to avoid breaking through proxy registration

@kamils-iRonin please let me know if there are any questions from your side, thanks!

[kamils-iRonin]

2. the foreman_server_ca_cert should load content from both settings now, to avoid breaking through proxy registration

@ares @ekohl we could introduce server_ca_file_enabled and ssl_ca_file_enabled flags (which are true by default), so that you can load exactly the file you want, something like:

def foreman_server_ca_cert(server_ca_file_enabled: true, ssl_ca_file_enabled: true)
  if server_ca_file_enabled && File.exist?(Setting[:server_ca_file])
    File.read(Setting[:server_ca_file])
  elsif ssl_ca_file_enabled && File.exist?(Setting[:ssl_ca_file])
    File.read(Setting[:ssl_ca_file])
  else
    msg = N_("SSL CA file not found, check the 'Server CA file' in Settings > Authentication")
    raise Foreman::Exception.new(msg)
  end
end

[ekohl]

From the signature I would expect it concat both when both are true but the implementation only returns one. I think curl is happy to have both CA bundles together and use whatever validates it.

[ekohl]

Mostly some readability suggestions. Overall I think it looks good but let me know if you want to apply the suggestions.

[ekohl]

LGTM. @ares want to have a look at latest iteration?

[ares]

I'm sorry it took me a while to get back to this. I have one little ask about error handling, otherwise I tested and it works well indeed. Ready to merge after that comments is resolved.

[ares]

We should rescue the File.read for more exceptions, if I specify wrong path (e.g. a directory) it's not catched by this.
I'd recommend wrapping the File.read in begin end block and just rescue instead of trying to list all Errno::* here. Also I'd say we should log something in case of such error, currently we silently ignore this and admin has no way to find out the set file is not accessible. This would deserve a warning in a log I think.

[kamils-iRonin]

I've added logger and rescue from StandardError

[ares]

Also reiterating a question around the installer PR that ondrej asked. This settings work out of the box so it's not strictly necessary, but I wonder if we should preconfigure this setting from the installer and if someone started working on that already or we need to look into it.

[laugmanuel]

Also reiterating a question around the installer PR that ondrej asked. This settings work out of the box so it's not strictly necessary, but I wonder if we should preconfigure this setting from the installer and if someone started working on that already or we need to look into it.

I've opened a first draft here: theforeman/puppet-foreman#910
@ares / @ezr-ondrej, let me know if this is what you were asking about. I'm open for comments or other ideas.

[ekohl]

Small nits, otherwise it looks OK to me.

[ares]

my appologies, this now requires a rebase, I think the installer PR is ready so this can get in once rebased

[ekohl]

CI fails with:

NameError: undefined local variable or method `error' for #<Class:0x000000000e8e98e8>
/home/jenkins/workspace/test_develop_pr_core/database/postgresql/ruby/2.5/slave/fast/test/unit/foreman/renderer/renderers_shared_tests.rb:274:in `block (2 levels) in <module:RenderersSharedTests>'

I'm not sure if it's related, but would you mind taking a look?

[ezr-ondrej]

[test foreman][test upgrade]

[ezr-ondrej]

Just trying to push this forward, I think I found the cause of test failures.

[ezr-ondrej]

This could be bit more specific by adding assertion for the message

Suggested change

	assert_raise Foreman::Exception do
	assert_raise Foreman::Exception, '<expected message>' do

[ezr-ondrej]

This seems to be quite forgotten and I belive that makes the tests to fail.

[ezr-ondrej]

@ares tests seems to be 🍏 now ^_^

[ezr-ondrej]

Works for me 👍 Thanks @kamils-iRonin

Addressed

[ares]

Thanks @kamils-iRonin and @ezr-ondrej for taking care of the merge.

[ekohl]

Note to self: we can introduce some URL to expose this. It would replace Katello's http[s]://$HOSTNAME/pub/katello-server-ca.crt.