Fixes #TBFL - Prevent spurious calls to proxy when rendering api responses

The previous "return stored value or fetch a fresh one if missing"
approach used for pubkey and ca_pubkey could cause calls to the proxy in
unexpected situations. This could lead to problems like not being able
to list smart proxies if the proxy which didn't have one of the pubkey
fields filled was down.

This change more strictly separates when values are only read and when
values can be updated as part of reading.

Author: adamruzicka

app/models/concerns/foreman_remote_execution/smart_proxy_extensions.rb

@@ -7,12 +7,12 @@ def self.prepended(base)
       end
     end
 
-    def pubkey
-      self[:pubkey] || update_pubkey
+    def pubkey(refresh: true)
+      self[:pubkey] || (refresh && update_pubkey || nil)
     end
 
-    def ca_pubkey
-      self[:ca_pubkey] || update_ca_pubkey
+    def ca_pubkey(refresh: true)
+      self[:ca_pubkey] || (refresh && update_ca_pubkey || nil)
     end
 
     def update_pubkey

app/views/api/v2/smart_proxies/ca_pubkey.json.rabl

@@ -1 +1 @@
-attribute :ca_pubkey => :remote_execution_ca_pubkey
+node(:remote_execution_ca_pubkey) { |p| p.ca_pubkey(refresh: false) }

app/views/api/v2/smart_proxies/pubkey.json.rabl

@@ -1 +1 @@
-attribute :pubkey => :remote_execution_pubkey
+node(:remote_execution_pubkey) { |p| p.pubkey(refresh: false) }

test/unit/concerns/smart_proxy_extensions_test.rb

@@ -0,0 +1,87 @@
+require 'test_plugin_helper'
+
+# rubocop:disable Rails/SkipsModelValidations
+class ForemanRemoteExecutionSmartProxyExtensionsTest < ActiveSupport::TestCase
+  let(:proxy) { FactoryBot.create(:smart_proxy, :ssh) }
+
+  describe '#pubkey' do
+    context 'when key is cached in the database' do
+      it 'returns the cached key without fetching from proxy' do
+        proxy.expects(:update_pubkey).never
+        assert_equal 'ssh-rsa AAAAB3N...', proxy.pubkey
+        assert_equal 'ssh-rsa AAAAB3N...', proxy.pubkey(refresh: false)
+      end
+    end
+
+    context 'when key is not cached' do
+      before { proxy.update_column(:pubkey, nil) }
+
+      it 'fetches from proxy by default' do
+        proxy.expects(:update_pubkey).returns('ssh-rsa FETCHED...')
+        assert_equal 'ssh-rsa FETCHED...', proxy.pubkey
+      end
+
+      it 'returns nil without fetching when refresh: false' do
+        proxy.expects(:update_pubkey).never
+        assert_nil proxy.pubkey(refresh: false)
+      end
+    end
+  end
+
+  describe '#ca_pubkey' do
+    context 'when key is cached in the database' do
+      before { proxy.update_column(:ca_pubkey, 'ssh-rsa CA_KEY...') }
+
+      it 'returns the cached key without fetching from proxy' do
+        proxy.expects(:update_ca_pubkey).never
+        assert_equal 'ssh-rsa CA_KEY...', proxy.ca_pubkey
+        assert_equal 'ssh-rsa CA_KEY...', proxy.ca_pubkey(refresh: false)
+      end
+    end
+
+    context 'when key is not cached' do
+      before { proxy.update_column(:ca_pubkey, nil) }
+
+      it 'fetches from proxy by default' do
+        proxy.expects(:update_ca_pubkey).returns('ssh-rsa FETCHED_CA...')
+        assert_equal 'ssh-rsa FETCHED_CA...', proxy.ca_pubkey
+      end
+
+      it 'returns nil without fetching when refresh: false' do
+        proxy.expects(:update_ca_pubkey).never
+        assert_nil proxy.ca_pubkey(refresh: false)
+      end
+    end
+  end
+
+  describe '#refresh' do
+    context 'when the key is cached' do
+      before do
+        proxy.update_column(:pubkey, 'ssh-rsa KEY...')
+        proxy.update_column(:ca_pubkey, 'ssh-rsa CA_KEY...')
+      end
+
+      it 'fetches the keys' do
+        proxy.expects(:update_pubkey).once
+        proxy.expects(:update_ca_pubkey).once
+
+        proxy.refresh
+      end
+    end
+
+    context 'when the key is not cached' do
+      before do
+        proxy.update_column(:pubkey, nil)
+        proxy.update_column(:ca_pubkey, nil)
+      end
+
+      it 'fetches the keys' do
+        proxy.expects(:update_pubkey).once
+        proxy.expects(:update_ca_pubkey).once
+
+        proxy.refresh
+      end
+    end
+  end
+end
+# rubocop:enable Rails/SkipsModelValidations