Add frontends for advisor and vulnerability

ehelms · ehelms · commit ae5d9a5fcdac · 2025-12-17T16:28:55.000-05:00
diff --git a/src/roles/iop_advisor_frontend/defaults/main.yaml b/src/roles/iop_advisor_frontend/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+iop_advisor_frontend_container_image: "quay.io/iop/advisor-frontend"
+iop_advisor_frontend_container_tag: "foreman-3.16"
+iop_advisor_frontend_assets_path: "/var/lib/foreman/public/assets/apps/advisor"
+iop_advisor_frontend_source_path: "/srv/dist/."
diff --git a/src/roles/iop_advisor_frontend/tasks/main.yaml b/src/roles/iop_advisor_frontend/tasks/main.yaml
@@ -0,0 +1,90 @@
+---
+- name: Pull Advisor Frontend container image
+  containers.podman.podman_image:
+    name: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}"
+    state: present
+
+- name: Ensure parent assets directory exists
+  ansible.builtin.file:
+    path: /var/lib/foreman/public/assets/apps
+    state: directory
+    owner: foreman
+    group: foreman
+    mode: '0755'
+
+- name: Ensure assets directory exists
+  ansible.builtin.file:
+    path: "{{ iop_advisor_frontend_assets_path }}"
+    state: directory
+    owner: foreman
+    group: foreman
+    mode: '0755'
+
+- name: Create temporary container for asset extraction
+  containers.podman.podman_container:
+    name: iop-advisor-frontend-temp
+    image: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}"
+    state: created
+
+- name: Extract advisor frontend assets from container
+  containers.podman.podman_container_copy:
+    container: iop-advisor-frontend-temp
+    src: "{{ iop_advisor_frontend_source_path }}"
+    dest: "{{ iop_advisor_frontend_assets_path }}"
+    from_container: true
+
+- name: Remove temporary container
+  containers.podman.podman_container:
+    name: iop-advisor-frontend-temp
+    state: absent
+
+- name: Set ownership of advisor frontend assets
+  ansible.builtin.file:
+    path: "{{ iop_advisor_frontend_assets_path }}"
+    owner: foreman
+    group: foreman
+    recurse: true
+
+- name: Set SELinux context for advisor frontend assets
+  ansible.builtin.command:
+    cmd: "chcon -R -t httpd_exec_t {{ iop_advisor_frontend_assets_path }}"
+  changed_when: true
+
+- name: Ensure Apache SSL config directory exists
+  ansible.builtin.file:
+    path: /etc/httpd/conf.d/05-foreman-ssl.d
+    state: directory
+    mode: '0755'
+
+- name: Configure Apache for advisor frontend assets
+  ansible.builtin.copy:
+    dest: /etc/httpd/conf.d/05-foreman-ssl.d/advisor-frontend.conf
+    content: |
+      # IOP Advisor Frontend Assets Configuration
+      Alias /assets/apps/advisor {{ iop_advisor_frontend_assets_path }}
+      ProxyPass /assets/apps/advisor !
+
+      <LocationMatch "^/assets/apps/advisor">
+        Options SymLinksIfOwnerMatch
+        AllowOverride None
+        Require all granted
+
+        # Use standard http expire header for assets instead of ETag
+        <IfModule mod_expires.c>
+          Header unset ETag
+          FileETag None
+          ExpiresActive On
+          ExpiresDefault "access plus 1 year"
+        </IfModule>
+
+        # Return compressed assets if they are precompiled
+        RewriteEngine On
+        # Make sure the browser supports gzip encoding and file with .gz added
+        # does exist on disc before we rewrite with the extension
+        RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+        RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+        RewriteCond %{REQUEST_FILENAME}.gz -s
+        RewriteRule ^(.+) $1.gz [L]
+      </LocationMatch>
+    mode: '0644'
+  notify: "httpd : Restart httpd"
diff --git a/src/roles/iop_core/tasks/main.yaml b/src/roles/iop_core/tasks/main.yaml
@@ -46,3 +46,11 @@
 - name: Deploy IOP Vulnerability service
   ansible.builtin.include_role:
     name: iop_vulnerability
+
+- name: Deploy IOP Advisor Frontend
+  ansible.builtin.include_role:
+    name: iop_advisor_frontend
+
+- name: Deploy IOP Vulnerability Frontend
+  ansible.builtin.include_role:
+    name: iop_vulnerability_frontend
diff --git a/src/roles/iop_vulnerability_frontend/defaults/main.yaml b/src/roles/iop_vulnerability_frontend/defaults/main.yaml
@@ -0,0 +1,5 @@
+---
+iop_vulnerability_frontend_container_image: "quay.io/iop/vulnerability-frontend"
+iop_vulnerability_frontend_container_tag: "foreman-3.16"
+iop_vulnerability_frontend_assets_path: "/var/lib/foreman/public/assets/apps/vulnerability"
+iop_vulnerability_frontend_source_path: "/srv/dist/."
diff --git a/src/roles/iop_vulnerability_frontend/tasks/main.yaml b/src/roles/iop_vulnerability_frontend/tasks/main.yaml
@@ -0,0 +1,90 @@
+---
+- name: Pull Vulnerability Frontend container image
+  containers.podman.podman_image:
+    name: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}"
+    state: present
+
+- name: Ensure parent assets directory exists
+  ansible.builtin.file:
+    path: /var/lib/foreman/public/assets/apps
+    state: directory
+    owner: foreman
+    group: foreman
+    mode: '0755'
+
+- name: Ensure assets directory exists
+  ansible.builtin.file:
+    path: "{{ iop_vulnerability_frontend_assets_path }}"
+    state: directory
+    owner: foreman
+    group: foreman
+    mode: '0755'
+
+- name: Create temporary container for asset extraction
+  containers.podman.podman_container:
+    name: iop-vulnerability-frontend-temp
+    image: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}"
+    state: created
+
+- name: Extract vulnerability frontend assets from container
+  containers.podman.podman_container_copy:
+    container: iop-vulnerability-frontend-temp
+    src: "{{ iop_vulnerability_frontend_source_path }}"
+    dest: "{{ iop_vulnerability_frontend_assets_path }}"
+    from_container: true
+
+- name: Remove temporary container
+  containers.podman.podman_container:
+    name: iop-vulnerability-frontend-temp
+    state: absent
+
+- name: Set ownership of vulnerability frontend assets
+  ansible.builtin.file:
+    path: "{{ iop_vulnerability_frontend_assets_path }}"
+    owner: foreman
+    group: foreman
+    recurse: true
+
+- name: Set SELinux context for vulnerability frontend assets
+  ansible.builtin.command:
+    cmd: "chcon -R -t httpd_exec_t {{ iop_vulnerability_frontend_assets_path }}"
+  changed_when: true
+
+- name: Ensure Apache SSL config directory exists
+  ansible.builtin.file:
+    path: /etc/httpd/conf.d/05-foreman-ssl.d
+    state: directory
+    mode: '0755'
+
+- name: Configure Apache for vulnerability frontend assets
+  ansible.builtin.copy:
+    dest: /etc/httpd/conf.d/05-foreman-ssl.d/vulnerability-frontend.conf
+    content: |
+      # IOP Vulnerability Frontend Assets Configuration
+      Alias /assets/apps/vulnerability {{ iop_vulnerability_frontend_assets_path }}
+      ProxyPass /assets/apps/vulnerability !
+
+      <LocationMatch "^/assets/apps/vulnerability">
+        Options SymLinksIfOwnerMatch
+        AllowOverride None
+        Require all granted
+
+        # Use standard http expire header for assets instead of ETag
+        <IfModule mod_expires.c>
+          Header unset ETag
+          FileETag None
+          ExpiresActive On
+          ExpiresDefault "access plus 1 year"
+        </IfModule>
+
+        # Return compressed assets if they are precompiled
+        RewriteEngine On
+        # Make sure the browser supports gzip encoding and file with .gz added
+        # does exist on disc before we rewrite with the extension
+        RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+        RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+        RewriteCond %{REQUEST_FILENAME}.gz -s
+        RewriteRule ^(.+) $1.gz [L]
+      </LocationMatch>
+    mode: '0644'
+  notify: "httpd : Restart httpd"
diff --git a/tests/fixtures/help/checks.txt b/tests/fixtures/help/checks.txt
diff --git a/tests/iop/test_advisor_frontend.py b/tests/iop/test_advisor_frontend.py
@@ -0,0 +1,49 @@
+import pytest
+
+
+def test_advisor_frontend_assets_directory(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/advisor")
+    assert assets_dir.exists
+    assert assets_dir.is_directory
+    assert assets_dir.mode == 0o755
+
+
+def test_advisor_frontend_assets_ownership(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/advisor")
+    assert assets_dir.user == "foreman"
+    assert assets_dir.group == "foreman"
+
+
+def test_advisor_frontend_app_info_file(server):
+    app_info_file = server.file("/var/lib/foreman/public/assets/apps/advisor/app.info.json")
+
+    assert app_info_file.exists
+    assert app_info_file.is_file
+    assert app_info_file.user == "foreman"
+    assert app_info_file.group == "foreman"
+
+
+def test_advisor_frontend_asset_accessible_via_https(server):
+    result = server.run("curl -s -o /dev/null -w '%{http_code}' -k https://localhost/assets/apps/advisor/ 2>/dev/null || echo '000'")
+    assert result.succeeded
+    http_code = result.stdout.strip()
+    assert http_code != "000"
+    assert http_code in ["200", "301", "302", "403"]
+
+
+def test_advisor_frontend_static_file_content_type(server):
+    result = server.run("curl -s -I http://localhost/assets/apps/advisor/ 2>/dev/null | grep -i 'content-type' || echo 'no-content-type'")
+    assert result.succeeded
+    assert "no-content-type" not in result.stdout
+    assert "content-type" in result.stdout.lower()
+
+
+def test_advisor_frontend_javascript_assets_accessible(server):
+    result = server.run("find /var/lib/foreman/public/assets/apps/advisor -name '*.js' | head -1")
+    assert result.succeeded
+    assert result.stdout.strip()
+    js_file = result.stdout.strip().replace("/var/lib/foreman/public", "")
+    curl_result = server.run(f"curl -s -o /dev/null -w '%{{http_code}}' -k https://localhost{js_file} 2>/dev/null || echo '000'")
+    assert curl_result.succeeded
+    http_code = curl_result.stdout.strip()
+    assert http_code in ["200", "403", "404"]
diff --git a/tests/iop/test_kafka.py b/tests/iop/test_kafka.py
@@ -43,23 +43,23 @@ def test_kafka_config_content(server):
 
 def test_kafka_topic_creation(server):
     topics = [
-        "platform.upload.available",
+        "platform.engine.results",
+        "platform.insights.rule-hits",
+        "platform.insights.rule-deactivation",
         "platform.inventory.events",
-        "platform.system-profile",
-        "advisor.recommendations",
-        "advisor.payload-tracker",
-        "advisor.rules-results",
-        "remediations.updates",
-        "remediations.status",
-        "vulnerability.uploads",
-        "vulnerability.evaluator",
-        "vulnerability.manager",
-        "vmaas.vulnerability.updates",
-        "vmaas.package.updates",
-        "puptoo.opening",
-        "puptoo.validation",
-        "yuptoo.opening",
-        "yuptoo.validation"
+        "platform.inventory.host-ingress",
+        "platform.sources.event-stream",
+        "platform.playbook-dispatcher.runs",
+        "platform.upload.announce",
+        "platform.upload.validation",
+        "platform.logging.logs",
+        "platform.payload-status",
+        "platform.remediation-updates.vulnerability",
+        "vulnerability.evaluator.results",
+        "vulnerability.evaluator.recalc",
+        "vulnerability.evaluator.upload",
+        "vulnerability.grouper.inventory.upload",
+        "vulnerability.grouper.advisor.upload"
     ]
 
     result = server.run("podman exec iop-core-kafka /opt/kafka/bin/kafka-topics.sh --bootstrap-server iop-core-kafka:9092 --list")
diff --git a/tests/iop/test_vulnerability.py b/tests/iop/test_vulnerability.py
@@ -172,7 +172,7 @@ def test_vulnerability_fdw_user_mapping_exists(server):
 
 
 def test_vulnerability_fdw_foreign_table_exists(server):
-    result = server.run("podman exec postgresql psql vulnerability_db -c \"SELECT * FROM information_schema.foreign_tables WHERE foreign_table_schema = 'inventory_remote' AND foreign_table_name = 'hosts';\"")
+    result = server.run("podman exec postgresql psql vulnerability_db -c \"SELECT * FROM information_schema.foreign_tables WHERE foreign_table_schema = 'inventory_source' AND foreign_table_name = 'hosts';\"")
     assert result.succeeded
     assert "hosts" in result.stdout
 
diff --git a/tests/iop/test_vulnerability_frontend.py b/tests/iop/test_vulnerability_frontend.py
@@ -0,0 +1,33 @@
+import pytest
+
+
+def test_vulnerability_frontend_assets_directory(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/vulnerability")
+    assert assets_dir.exists
+    assert assets_dir.is_directory
+    assert assets_dir.mode == 0o755
+
+
+def test_vulnerability_frontend_assets_ownership(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/vulnerability")
+    assert assets_dir.user == "foreman"
+    assert assets_dir.group == "foreman"
+
+
+def test_vulnerability_frontend_app_info_file(server):
+    app_info_file = server.file("/var/lib/foreman/public/assets/apps/vulnerability/app.info.json")
+    assert app_info_file.exists
+    assert app_info_file.is_file
+    assert app_info_file.user == "foreman"
+    assert app_info_file.group == "foreman"
+
+
+def test_vulnerability_frontend_javascript_assets_accessible(server):
+    result = server.run("find /var/lib/foreman/public/assets/apps/vulnerability -name '*.js' | head -1")
+    assert result.succeeded
+    assert result.stdout.strip()
+    js_file = result.stdout.strip().replace("/var/lib/foreman/public", "")
+    curl_result = server.run(f"curl -s -o /dev/null -w '%{{http_code}}' -k https://localhost{js_file}")
+    assert curl_result.succeeded
+    http_code = curl_result.stdout.strip()
+    assert http_code in ["200"]
