Add frontends for advisor and vulnerability

ehelms · ehelms · commit 7581ccf5597e · 2025-12-16T21:19:24.000-05:00
diff --git a/src/roles/iop_advisor_frontend/defaults/main.yaml b/src/roles/iop_advisor_frontend/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+iop_advisor_frontend_container_image: "quay.io/iop/advisor-frontend"
+iop_advisor_frontend_container_tag: "foreman-3.16"
+iop_advisor_frontend_assets_path: "/var/lib/foreman/public/assets/apps/advisor"
+iop_advisor_frontend_source_path: "/srv/dist/."
diff --git a/src/roles/iop_advisor_frontend/tasks/main.yaml b/src/roles/iop_advisor_frontend/tasks/main.yaml
@@ -0,0 +1,91 @@
+---
+- name: Create foreman user
+  ansible.builtin.user:
+    name: foreman
+    state: present
+    system: true
+    shell: /sbin/nologin
+    home: /var/lib/foreman
+    create_home: true
+
+- name: Pull Advisor Frontend container image
+  containers.podman.podman_image:
+    name: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}"
+    state: present
+
+- name: Ensure assets directory exists
+  ansible.builtin.file:
+    path: "{{ iop_advisor_frontend_assets_path }}"
+    state: directory
+    owner: foreman
+    group: foreman
+    mode: '0755'
+
+- name: Create temporary container for asset extraction
+  containers.podman.podman_container:
+    name: iop-advisor-frontend-temp
+    image: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}"
+    state: created
+
+- name: Extract advisor frontend assets from container
+  containers.podman.podman_container_copy:
+    container: iop-advisor-frontend-temp
+    src: "{{ iop_advisor_frontend_source_path }}"
+    dest: "{{ iop_advisor_frontend_assets_path }}"
+    from_container: true
+
+- name: Remove temporary container
+  containers.podman.podman_container:
+    name: iop-advisor-frontend-temp
+    state: absent
+
+- name: Set ownership of advisor frontend assets
+  ansible.builtin.file:
+    path: "{{ iop_advisor_frontend_assets_path }}"
+    owner: foreman
+    group: foreman
+    recurse: true
+
+- name: Set SELinux context for advisor frontend assets
+  ansible.builtin.command:
+    cmd: "chcon -R -t httpd_exec_t {{ iop_advisor_frontend_assets_path }}"
+  changed_when: true
+
+- name: Ensure Apache SSL config directory exists
+  ansible.builtin.file:
+    path: /etc/httpd/conf.d/05-foreman-ssl.d
+    state: directory
+    mode: '0755'
+
+- name: Configure Apache for advisor frontend assets
+  ansible.builtin.copy:
+    dest: /etc/httpd/conf.d/05-foreman-ssl.d/advisor-frontend.conf
+    content: |
+      # IOP Advisor Frontend Assets Configuration
+      Alias /assets/apps/advisor {{ iop_advisor_frontend_assets_path }}
+      ProxyPass /assets/apps/advisor !
+
+      <LocationMatch "^/assets/apps/advisor">
+        Options SymLinksIfOwnerMatch
+        AllowOverride None
+        Require all granted
+
+        # Use standard http expire header for assets instead of ETag
+        <IfModule mod_expires.c>
+          Header unset ETag
+          FileETag None
+          ExpiresActive On
+          ExpiresDefault "access plus 1 year"
+        </IfModule>
+
+        # Return compressed assets if they are precompiled
+        RewriteEngine On
+        # Make sure the browser supports gzip encoding and file with .gz added
+        # does exist on disc before we rewrite with the extension
+        RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+        RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+        RewriteCond %{REQUEST_FILENAME}.gz -s
+        RewriteRule ^(.+) $1.gz [L]
+      </LocationMatch>
+    mode: '0644'
+  notify: "httpd : Restart httpd"
diff --git a/src/roles/iop_core/tasks/main.yaml b/src/roles/iop_core/tasks/main.yaml
@@ -46,3 +46,11 @@
 - name: Deploy IOP Vulnerability service
   ansible.builtin.include_role:
     name: iop_vulnerability
+
+- name: Deploy IOP Advisor Frontend
+  ansible.builtin.include_role:
+    name: iop_advisor_frontend
+
+- name: Deploy IOP Vulnerability Frontend
+  ansible.builtin.include_role:
+    name: iop_vulnerability_frontend
diff --git a/src/roles/iop_vulnerability_frontend/defaults/main.yaml b/src/roles/iop_vulnerability_frontend/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+iop_vulnerability_frontend_container_image: "quay.io/iop/vulnerability-frontend"
+iop_vulnerability_frontend_container_tag: "foreman-3.16"
+iop_vulnerability_frontend_assets_path: "/var/lib/foreman/public/assets/apps/vulnerability"
+iop_vulnerability_frontend_source_path: "/srv/dist/."
diff --git a/src/roles/iop_vulnerability_frontend/tasks/main.yaml b/src/roles/iop_vulnerability_frontend/tasks/main.yaml
@@ -0,0 +1,91 @@
+---
+- name: Create foreman user
+  ansible.builtin.user:
+    name: foreman
+    state: present
+    system: true
+    shell: /sbin/nologin
+    home: /var/lib/foreman
+    create_home: true
+
+- name: Pull Vulnerability Frontend container image
+  containers.podman.podman_image:
+    name: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}"
+    state: present
+
+- name: Ensure assets directory exists
+  ansible.builtin.file:
+    path: "{{ iop_vulnerability_frontend_assets_path }}"
+    state: directory
+    owner: foreman
+    group: foreman
+    mode: '0755'
+
+- name: Create temporary container for asset extraction
+  containers.podman.podman_container:
+    name: iop-vulnerability-frontend-temp
+    image: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}"
+    state: created
+
+- name: Extract vulnerability frontend assets from container
+  containers.podman.podman_container_copy:
+    container: iop-vulnerability-frontend-temp
+    src: "{{ iop_vulnerability_frontend_source_path }}"
+    dest: "{{ iop_vulnerability_frontend_assets_path }}"
+    from_container: true
+
+- name: Remove temporary container
+  containers.podman.podman_container:
+    name: iop-vulnerability-frontend-temp
+    state: absent
+
+- name: Set ownership of vulnerability frontend assets
+  ansible.builtin.file:
+    path: "{{ iop_vulnerability_frontend_assets_path }}"
+    owner: foreman
+    group: foreman
+    recurse: true
+
+- name: Set SELinux context for vulnerability frontend assets
+  ansible.builtin.command:
+    cmd: "chcon -R -t httpd_exec_t {{ iop_vulnerability_frontend_assets_path }}"
+  changed_when: true
+
+- name: Ensure Apache SSL config directory exists
+  ansible.builtin.file:
+    path: /etc/httpd/conf.d/05-foreman-ssl.d
+    state: directory
+    mode: '0755'
+
+- name: Configure Apache for vulnerability frontend assets
+  ansible.builtin.copy:
+    dest: /etc/httpd/conf.d/05-foreman-ssl.d/vulnerability-frontend.conf
+    content: |
+      # IOP Vulnerability Frontend Assets Configuration
+      Alias /assets/apps/vulnerability {{ iop_vulnerability_frontend_assets_path }}
+      ProxyPass /assets/apps/vulnerability !
+
+      <LocationMatch "^/assets/apps/vulnerability">
+        Options SymLinksIfOwnerMatch
+        AllowOverride None
+        Require all granted
+
+        # Use standard http expire header for assets instead of ETag
+        <IfModule mod_expires.c>
+          Header unset ETag
+          FileETag None
+          ExpiresActive On
+          ExpiresDefault "access plus 1 year"
+        </IfModule>
+
+        # Return compressed assets if they are precompiled
+        RewriteEngine On
+        # Make sure the browser supports gzip encoding and file with .gz added
+        # does exist on disc before we rewrite with the extension
+        RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+        RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+        RewriteCond %{REQUEST_FILENAME}.gz -s
+        RewriteRule ^(.+) $1.gz [L]
+      </LocationMatch>
+    mode: '0644'
+  notify: "httpd : Restart httpd"
diff --git a/tests/iop/test_advisor_frontend.py b/tests/iop/test_advisor_frontend.py
@@ -0,0 +1,49 @@
+import pytest
+
+
+def test_advisor_frontend_assets_directory(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/advisor")
+    assert assets_dir.exists
+    assert assets_dir.is_directory
+    assert assets_dir.mode == 0o755
+
+
+def test_advisor_frontend_assets_ownership(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/advisor")
+    assert assets_dir.user == "foreman"
+    assert assets_dir.group == "foreman"
+
+
+def test_advisor_frontend_app_info_file(server):
+    app_info_file = server.file("/var/lib/foreman/public/assets/apps/advisor/app.info.json")
+
+    assert app_info_file.exists
+    assert app_info_file.is_file
+    assert app_info_file.user == "foreman"
+    assert app_info_file.group == "foreman"
+
+
+def test_advisor_frontend_asset_accessible_via_https(server):
+    result = server.run("curl -s -o /dev/null -w '%{http_code}' -k https://localhost/assets/apps/advisor/ 2>/dev/null || echo '000'")
+    assert result.succeeded
+    http_code = result.stdout.strip()
+    assert http_code != "000"
+    assert http_code in ["200", "301", "302", "403"]
+
+
+def test_advisor_frontend_static_file_content_type(server):
+    result = server.run("curl -s -I http://localhost/assets/apps/advisor/ 2>/dev/null | grep -i 'content-type' || echo 'no-content-type'")
+    assert result.succeeded
+    assert "no-content-type" not in result.stdout
+    assert "content-type" in result.stdout.lower()
+
+
+def test_advisor_frontend_javascript_assets_accessible(server):
+    result = server.run("find /var/lib/foreman/public/assets/apps/advisor -name '*.js' | head -1")
+    assert result.succeeded
+    assert result.stdout.strip()
+    js_file = result.stdout.strip().replace("/var/lib/foreman/public", "")
+    curl_result = server.run(f"curl -s -o /dev/null -w '%{{http_code}}' -k https://localhost{js_file} 2>/dev/null || echo '000'")
+    assert curl_result.succeeded
+    http_code = curl_result.stdout.strip()
+    assert http_code in ["200", "403", "404"]
diff --git a/tests/iop/test_vulnerability_frontend.py b/tests/iop/test_vulnerability_frontend.py
@@ -0,0 +1,33 @@
+import pytest
+
+
+def test_vulnerability_frontend_assets_directory(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/vulnerability")
+    assert assets_dir.exists
+    assert assets_dir.is_directory
+    assert assets_dir.mode == 0o755
+
+
+def test_vulnerability_frontend_assets_ownership(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/vulnerability")
+    assert assets_dir.user == "foreman"
+    assert assets_dir.group == "foreman"
+
+
+def test_vulnerability_frontend_app_info_file(server):
+    app_info_file = server.file("/var/lib/foreman/public/assets/apps/vulnerability/app.info.json")
+    assert app_info_file.exists
+    assert app_info_file.is_file
+    assert app_info_file.user == "foreman"
+    assert app_info_file.group == "foreman"
+
+
+def test_vulnerability_frontend_javascript_assets_accessible(server):
+    result = server.run("find /var/lib/foreman/public/assets/apps/vulnerability -name '*.js' | head -1")
+    assert result.succeeded
+    assert result.stdout.strip()
+    js_file = result.stdout.strip().replace("/var/lib/foreman/public", "")
+    curl_result = server.run(f"curl -s -o /dev/null -w '%{{http_code}}' -k https://localhost{js_file}")
+    assert curl_result.succeeded
+    http_code = curl_result.stdout.strip()
+    assert http_code in ["200"]
