Fixes #31049 - Introduce server CA file setting

Author: kamils-iRonin

app/models/setting.rb

@@ -15,7 +15,7 @@ class Setting < ApplicationRecord
   FROZEN_ATTRS = %w{name category}
   NONZERO_ATTRS = %w{puppet_interval idle_timeout entries_per_page outofsync_interval}
   BLANK_ATTRS = %w{ host_owner trusted_hosts login_delegation_logout_url root_pass default_location default_organization websockets_ssl_key websockets_ssl_cert oauth_consumer_key oauth_consumer_secret login_text oidc_audience oidc_issuer oidc_algorithm
-                    smtp_address smtp_domain smtp_user_name smtp_password smtp_openssl_verify_mode smtp_authentication sendmail_arguments sendmail_location http_proxy http_proxy_except_list default_locale default_timezone ssl_certificate ssl_ca_file ssl_priv_key default_pxe_item_global default_pxe_item_local oidc_jwks_url instance_title }
+                    smtp_address smtp_domain smtp_user_name smtp_password smtp_openssl_verify_mode smtp_authentication sendmail_arguments sendmail_location http_proxy http_proxy_except_list default_locale default_timezone ssl_certificate ssl_ca_file server_ca_file ssl_priv_key default_pxe_item_global default_pxe_item_local oidc_jwks_url instance_title }
   ARRAY_HOSTNAMES = %w{trusted_hosts}
   URI_ATTRS = %w{foreman_url unattended_url}
   URI_BLANK_ATTRS = %w{login_delegation_logout_url}

app/models/setting/auth.rb

@@ -15,6 +15,7 @@ def self.default_settings
       set('ssl_client_dn_env', N_('Environment variable containing the subject DN from a client SSL certificate'), 'SSL_CLIENT_S_DN', N_('SSL client DN env')),
       set('ssl_client_verify_env', N_('Environment variable containing the verification status of a client SSL certificate'), 'SSL_CLIENT_VERIFY', N_('SSL client verify env')),
       set('ssl_client_cert_env', N_("Environment variable containing a client's SSL certificate"), 'SSL_CLIENT_CERT', N_('SSL client cert env')),
+      set('server_ca_file', N_("SSL CA file that will be used in templates (to verify the connection to Foreman)"), nil, N_('Server CA file')),
       set('websockets_ssl_key', N_("Private key file that Foreman will use to encrypt websockets "), nil, N_('Websockets SSL key')),
       set('websockets_ssl_cert', N_("Certificate that Foreman will use to encrypt websockets "), nil, N_('Websockets SSL certificate')),
       # websockets_encrypt depends on key/cert when true, so initialize it last

lib/foreman/renderer/scope/macros/base.rb

@@ -334,20 +334,31 @@ def gem_version_compare(first, second)
             Gem::Version.new(first.to_s) <=> Gem::Version.new(second.to_s)
           end
 
-          apipie :method, "Returns content of 'SSL CA file' configured in Settings > Authentication" do
+          apipie :method, "Returns a combination of 'Server CA file' and 'SSL CA file' configured in Settings > Authentication" do
             example "SSL_CA_CERT=$(mktemp)
                      cat > $SSL_CA_CERT <<CA_CONTENT
                      <%= foreman_server_ca_cert %>
                      CA_CONTENT
-                     curl --cacert $SSL_CA_CERT https://smart-proxy.example.com:8443"
-          end
-          def foreman_server_ca_cert
-            if File.exist?(Setting[:ssl_ca_file])
-              File.read(Setting[:ssl_ca_file])
-            else
-              msg = N_("SSL CA file not found, check the 'SSL CA file' in Settings > Authentication")
-              raise Foreman::Exception.new(msg)
+                     curl --cacert $SSL_CA_CERT https://foreman.example.com:8443"
+          end
+          def foreman_server_ca_cert(server_ca_file_enabled: true, ssl_ca_file_enabled: true)
+            setting_values = []
+            setting_values << Setting[:server_ca_file] if server_ca_file_enabled
+            setting_values << Setting[:ssl_ca_file] if ssl_ca_file_enabled
+            files_content = setting_values.uniq.compact.map do |setting_value|
+              File.read(setting_value)
+            rescue StandardError => e
+              Foreman::Logging.logger('templates').warn("Failed to read CA file: #{e}")
+
+              nil
             end
+
+            result = files_content.compact.join("\n")
+
+            msg = N_("SSL CA file not found, check the 'Server CA file' and 'SSL CA file' in Settings > Authentication")
+            raise Foreman::Exception.new(msg) unless result.present?
+
+            result
           end
 
           private

test/fixtures/settings.yml

@@ -22,17 +22,17 @@ attributes4:
   description: Enable safe mode config templates rendinging(recommended)
 attributes5:
   name: ssl_certificate
-  category: Setting::Provisioning
+  category: Setting::Auth
   default: /var/lib/puppet/ssl/certs/some.host.fqdn
   description: SSL Certificate path that foreman would use to communicate with its proxies
 attributes6:
   name: ssl_ca_file
-  category: Setting::Provisioning
+  category: Setting::Auth
   default: /var/lib/puppet/ssl/certs/ca.pem
   description: SSL CA file that foreman would use to communicate with its proxies
 attributes7:
   name: ssl_priv_key
-  category: Setting::Provisioning
+  category: Setting::Auth
   default: /var/lib/puppet/ssl/private_keys/super.some.host.fqdn.pem
   description: SSL Private Key file that foreman would use to communicate with its proxies
 attributes8:
@@ -428,3 +428,8 @@ attribute94:
   category: Setting::Provisioning
   default: 'Global Registration'
   description: "Default Global registration template"
+attributes95:
+  name: server_ca_file
+  category: Setting::Auth
+  default: /var/lib/puppet/ssl/certs/ca.pem
+  description: SSL CA file that will be used in templates (to verify the connection to Foreman)

test/static_fixtures/certificates/example2.com.crt

@@ -0,0 +1,33 @@
+-----BEGIN CERTIFICATE-----
+MIIFrTCCA5WgAwIBAgIJAOzdk0zTsuBPMA0GCSqGSIb3DQEBCwUAMF0xCzAJBgNV
+BAYTAlhYMRAwDgYDVQQIEwdFeGFtcGxlMRAwDgYDVQQHEwdFeGFtcGxlMRQwEgYD
+VQQKEwtFeGFtcGUgSW5jLjEUMBIGA1UEAxMLZXhhbXBsZS5jb20wHhcNMTcxMDA2
+MTMxMzMyWhcNMTgxMDA2MTMxMzMyWjBdMQswCQYDVQQGEwJYWDEQMA4GA1UECBMH
+RXhhbXBsZTEQMA4GA1UEBxMHRXhhbXBsZTEUMBIGA1UEChMLRXhhbXBlIEluYy4x
+FDASBgNVBAMTC2V4YW1wbGUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAslMkcsSL4hhnTLBJ/ZD3qldyD+7qTE9cB5dk9MH0Vj2GEezPnnUYZ0Cu
+v0029+ZbwzOb7If8XzGxGU5tnqItZLfihrM3SKqshgJFaCjWEuLXfwRzHF2+jSk8
+mkG69Z0JtewIeQ7SqUReeZb4cV47Hag6gO5LVTnFXlHjGPrz98SH+Ho80XtIdmk0
+6fCzVXUZY+0EtXIul00LwnqsNc8UupuRpNC3VIG6ZCq5snwQ9Va1u+RP77nJlGQz
+bKh5/yYaMd9WU3LDREkY0kSzJzcqzzQzEJr1JAY1zmtm5+NLdU2LPZjMAU6UiuJ4
+ABNdHwlvUWQ0SyPDqH2pnaytFlHgAH3G6brOj51Jpp86hOa/3iJ+M6gGtbNcYshd
+LYTpr+kl34qri0677VQtpM3uVwM5om4rGrCGbhuse8DtMdOAv4jAvF79SrLGK5k+
+sCWxtPXGIJgt+AXS3HJev3lRGWjNm5yYL6fTwgjbWceh05hBGOro/fDFPyAOpCek
+KPqOhu/MpJz7x+48rBny0GIl/CsMqojQ8spFH1Xp9dKoV886ZdzDKMlvDYfSHrj4
+9A9aIOT3+W5VCsPMgSIrr0MFhv3bkIEGleo3IioHeLxIylW4FLl0D7AdXQeiqe99
+Y+Jf+w0FNoVlmykpcQ7qXmQTzHiG7VB+o3wOWaP3K7Sj0jpIjoUCAwEAAaNwMG4w
+CQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwVAYDVR0RBE0wS4IPd3d3LmV4YW1wbGUu
+Y29tgg93d3cuZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxlLm9yZ4cEwKgBAYcQIAEN
+uAAAAAAAAAAAAAAAATANBgkqhkiG9w0BAQsFAAOCAgEAiirO6rvirqxB5nfziEdd
+Tn9BltiBDKg38MspsWSfSGJNHdmbZkBKhoJ89p9oewa8yOMqM3jrUjg2hn0J0nZG
+t4dXix3Y7jHswaqr15mJEoLFGflkiOIOVJc1efxlSweXmyC+x6O5gAarmWHb+T6B
+qxL/Z72N/Tua3foFQzlzR6lQ/++QglBHeBADtmZg6uPMPmWJ6iUA1OLpzW8cg4/0
+Q2UxKsD3WaN+37JbEJnNuuamCpCXoyHIpzxDccUKzmjAWOxUHuYuiOvSc55w4Ww3
+GXMmRgu6ElVxL938LgJfTnHTBZoN3TjAlWXTRMtLV+cUlUJhBA7wnDkZK9mfXvk8
+d7XCFq9WsRQ0B7+4raMt8fn7M20ckz5J9mnt3d1I8FQRluyTKOfzs7L++OP/AagD
+ZCUrI5IrxroWqrf6f65t0HyqNDJy3ZKK2drsaf+emR3X3GVeeWVV0RzhUaIu6NJS
+br7erBLX9J5s6ZrAf6LbbeKtF2x9AGF8SUYCCUNVAHQxf/fTBKQAtrB7BxOmZiY1
+fplNEWaMnDChPWlzdzmH+MsCAA5025+Sr7Eb/CS9wKZDV5z6FtqkQKPeZ/eHjtJV
+SylVI2XfadJwxM4gj6Jcq1L8LxURS/NpTinoXDd3xfkZYy3WrMNAsP6Cz6GvcU/n
+SBq3Hxpl4HptdDg+JyI1RIg=
+-----END CERTIFICATE-----

test/unit/foreman/renderer/renderers_shared_tests.rb

@@ -205,18 +205,70 @@ module RenderersSharedTests
       assert_equal(renderer.render(source, @scope), '-1')
     end
 
-    test "foreman_server_ca_cert - existing file" do
-      cert_path = Rails.root.join('test/static_fixtures/certificates/example.com.crt')
-      Setting[:ssl_ca_file] = cert_path
-      source = OpenStruct.new(content: '<%= foreman_server_ca_cert %>')
-      assert_equal(renderer.render(source, @scope), File.read(cert_path))
-    end
+    describe '#foreman_server_ca_cert' do
+      subject { renderer.render(source, @scope) }
 
-    test "foreman_server_ca_cert - not existing file" do
-      Setting[:ssl_ca_file] = 'not-existing-file'
-      source = OpenStruct.new(content: '<%= foreman_server_ca_cert %>')
-      assert_raise Foreman::Exception do
-        renderer.render(source, @scope)
+      let(:source) { OpenStruct.new(content: '<%= foreman_server_ca_cert %>') }
+      let(:cert_path) { Rails.root.join('test/static_fixtures/certificates/example.com.crt') }
+      let(:cert_2_path) { Rails.root.join('test/static_fixtures/certificates/example2.com.crt') }
+      let(:cert_file_content) { File.read(cert_path) }
+      let(:cert_2_file_content) { File.read(cert_2_path) }
+
+      test "load server_ca_file" do
+        Setting[:server_ca_file] = cert_path
+        Setting[:ssl_ca_file] = 'not-existing-file'
+
+        assert_equal subject, cert_file_content
+      end
+
+      test "load ssl_ca_file" do
+        Setting[:server_ca_file] = 'not-existing-file'
+        Setting[:ssl_ca_file] = cert_path
+
+        assert_equal subject, cert_file_content
+      end
+
+      test "load server_ca_file and ssl_ca_file" do
+        Setting[:server_ca_file] = cert_path
+        Setting[:ssl_ca_file] = cert_2_path
+
+        expected = "#{cert_file_content}\n#{cert_2_file_content}"
+        assert_equal subject, expected
+      end
+
+      test "do not load any files and raise exception" do
+        Setting[:server_ca_file] = 'not-existing-file'
+        Setting[:ssl_ca_file] = 'not-existing-file'
+
+        assert_raise Foreman::Exception do
+          subject
+        end
+      end
+
+      context 'when server_ca_file is disabled' do
+        let(:source) { OpenStruct.new(content: '<%= foreman_server_ca_cert(server_ca_file_enabled: false) %>') }
+
+        test "do not load server_ca_file and raise exception" do
+          Setting[:server_ca_file] = cert_path
+          Setting[:ssl_ca_file] = 'not-existing-file'
+
+          assert_raise Foreman::Exception do
+            subject
+          end
+        end
+      end
+
+      context 'when ssl_ca_file is disabled' do
+        let(:source) { OpenStruct.new(content: '<%= foreman_server_ca_cert(ssl_ca_file_enabled: false) %>') }
+
+        test "do not load ssl_ca_file and raise exception" do
+          Setting[:server_ca_file] = 'not-existing-file'
+          Setting[:ssl_ca_file] = cert_path
+
+          assert_raise Foreman::Exception do
+            subject
+          end
+        end
       end
     end