Fixes #TBFL - Prevent spurious proxy calls when accessing host parameters

adamruzicka · adamruzicka · commit b7e4b06385e9 · 2026-03-30T19:46:21.000+02:00
diff --git a/app/models/concerns/foreman_remote_execution/host_extensions.rb b/app/models/concerns/foreman_remote_execution/host_extensions.rb
@@ -109,11 +109,11 @@ def remote_execution_proxies(provider, authorized = true)
 
     def remote_execution_ssh_keys
       # only include public keys from SSH proxies that don't have SSH cert verification configured
-      remote_execution_proxies(%w(SSH Script), false).values.flatten.uniq.map { |proxy| proxy.pubkey if proxy.ca_pubkey.blank? }.compact.uniq
+      remote_execution_proxies(%w(SSH Script), false).values.flatten.uniq.map { |proxy| proxy.pubkey(refresh: false) if proxy.ca_pubkey(refresh: false).blank? }.compact.uniq
     end
 
     def remote_execution_ssh_ca_keys
-      remote_execution_proxies(%w(SSH Script), false).values.flatten.uniq.map { |proxy| proxy.ca_pubkey }.compact.uniq
+      remote_execution_proxies(%w(SSH Script), false).values.flatten.uniq.map { |proxy| proxy.ca_pubkey(refresh: false) }.compact.uniq
     end
 
     def drop_execution_interface_cache
diff --git a/test/unit/concerns/host_extensions_test.rb b/test/unit/concerns/host_extensions_test.rb
@@ -11,8 +11,10 @@ class ForemanRemoteExecutionHostExtensionsTest < ActiveSupport::TestCase
     let(:sshkey) { 'ssh-rsa AAAAB3NzaC1yc2EAAAABJQ foo@example.com' }
 
     before do
-      SmartProxy.any_instance.stubs(:pubkey).returns(sshkey)
-      SmartProxy.any_instance.stubs(:ca_pubkey).returns(nil)
+      host.subnet.remote_execution_proxies.each do |proxy|
+        proxy.update_column(:pubkey, sshkey)
+        proxy.update_column(:ca_pubkey, nil)
+      end
       Setting[:remote_execution_ssh_user] = 'root'
       Setting[:remote_execution_effective_user_method] = 'sudo'
     end
@@ -60,6 +62,17 @@ class ForemanRemoteExecutionHostExtensionsTest < ActiveSupport::TestCase
       User.current = nil
       assert_includes host.remote_execution_ssh_keys, sshkey
     end
+
+    it 'triggers no calls to the proxy' do
+      host.subnet.remote_execution_proxies.each do |proxy|
+        proxy.update_column(:pubkey, nil)
+      end
+
+      SmartProxy.any_instance.expects(:update_pubkey).never
+      SmartProxy.any_instance.expects(:update_ca_pubkey).never
+
+      host.host_param('remote_execution_ssh_keys')
+    end
   end
 
   describe 'has ssh CA key configured' do
@@ -68,8 +81,10 @@ class ForemanRemoteExecutionHostExtensionsTest < ActiveSupport::TestCase
     let(:ca_sshkey) { 'ssh-rsa AAAAB3NzaC1yc2EAAAABJE bar@example.com' }
 
     before do
-      SmartProxy.any_instance.stubs(:pubkey).returns(sshkey)
-      SmartProxy.any_instance.stubs(:ca_pubkey).returns(ca_sshkey)
+      host.subnet.remote_execution_proxies.each do |proxy|
+        proxy.update_column(:pubkey, sshkey)
+        proxy.update_column(:ca_pubkey, ca_sshkey)
+      end
       Setting[:remote_execution_ssh_user] = 'root'
       Setting[:remote_execution_effective_user_method] = 'sudo'
     end
@@ -102,6 +117,17 @@ class ForemanRemoteExecutionHostExtensionsTest < ActiveSupport::TestCase
       assert_includes host.host_param('remote_execution_ssh_ca_keys'), key
       assert_includes host.host_param('remote_execution_ssh_ca_keys'), ca_sshkey
     end
+
+    it 'triggers no calls to the proxy' do
+      host.subnet.remote_execution_proxies.each do |proxy|
+        proxy.update_column(:ca_pubkey, nil)
+      end
+
+      SmartProxy.any_instance.expects(:update_pubkey).never
+      SmartProxy.any_instance.expects(:update_ca_pubkey).never
+
+      host.host_param('remote_execution_ssh_ca_keys')
+    end
   end
 
   context 'host has multiple nics' do
