Add frontends for advisor and vulnerability

Author: ehelms

src/requirements.yml

@@ -1,4 +1,5 @@
 collections:
+  - community.general
   - community.postgresql
   - community.crypto
   - community.general

src/roles/iop_advisor_frontend/defaults/main.yaml

@@ -0,0 +1,5 @@
+---
+iop_advisor_frontend_container_image: "quay.io/iop/advisor-frontend"
+iop_advisor_frontend_container_tag: "foreman-3.16"
+iop_advisor_frontend_assets_path: "/var/lib/foreman/public/assets/apps/advisor"
+iop_advisor_frontend_source_path: "/srv/dist/."

src/roles/iop_advisor_frontend/tasks/main.yaml

@@ -0,0 +1,91 @@
+---
+- name: Pull Advisor Frontend container image
+  containers.podman.podman_image:
+    name: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}"
+    state: present
+
+- name: Ensure parent assets directory exists
+  ansible.builtin.file:
+    path: /var/lib/foreman/public/assets/apps
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Ensure assets directory exists
+  ansible.builtin.file:
+    path: "{{ iop_advisor_frontend_assets_path }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create temporary container for asset extraction
+  containers.podman.podman_container:
+    name: iop-advisor-frontend-temp
+    image: "{{ iop_advisor_frontend_container_image }}:{{ iop_advisor_frontend_container_tag }}"
+    state: created
+
+- name: Extract advisor frontend assets from container
+  containers.podman.podman_container_copy:
+    container: iop-advisor-frontend-temp
+    src: "{{ iop_advisor_frontend_source_path }}"
+    dest: "{{ iop_advisor_frontend_assets_path }}"
+    from_container: true
+
+- name: Restore SELinux context for advisor frontend assets
+  ansible.builtin.command:
+    cmd: restorecon -R "{{ iop_advisor_frontend_assets_path }}"
+  when: ansible_facts['selinux']['status'] == "enabled"
+  changed_when: false
+
+- name: Remove temporary container
+  containers.podman.podman_container:
+    name: iop-advisor-frontend-temp
+    state: absent
+
+- name: Set ownership of advisor frontend assets
+  ansible.builtin.file:
+    path: "{{ iop_advisor_frontend_assets_path }}"
+    owner: root
+    group: root
+    recurse: true
+
+- name: Ensure Apache SSL config directory exists
+  ansible.builtin.file:
+    path: /etc/httpd/conf.d/05-foreman-ssl.d
+    state: directory
+    mode: '0755'
+
+- name: Configure Apache for advisor frontend assets
+  ansible.builtin.copy:
+    dest: /etc/httpd/conf.d/05-foreman-ssl.d/advisor-frontend.conf
+    content: |
+      # IOP Advisor Frontend Assets Configuration
+      Alias /assets/apps/advisor {{ iop_advisor_frontend_assets_path }}
+      ProxyPass /assets/apps/advisor !
+
+      <LocationMatch "^/assets/apps/advisor">
+        Options SymLinksIfOwnerMatch
+        AllowOverride None
+        Require all granted
+
+        # Use standard http expire header for assets instead of ETag
+        <IfModule mod_expires.c>
+          Header unset ETag
+          FileETag None
+          ExpiresActive On
+          ExpiresDefault "access plus 1 year"
+        </IfModule>
+
+        # Return compressed assets if they are precompiled
+        RewriteEngine On
+        # Make sure the browser supports gzip encoding and file with .gz added
+        # does exist on disc before we rewrite with the extension
+        RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+        RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+        RewriteCond %{REQUEST_FILENAME}.gz -s
+        RewriteRule ^(.+) $1.gz [L]
+      </LocationMatch>
+    mode: '0644'
+  notify: "httpd : Restart httpd"

src/roles/iop_core/tasks/main.yaml

@@ -46,3 +46,16 @@
 - name: Deploy IOP Vulnerability service
   ansible.builtin.include_role:
     name: iop_vulnerability
+
+- name: Install foreman-selinux package for frontend assets
+  ansible.builtin.package:
+    name: foreman-selinux
+    state: present
+
+- name: Deploy IOP Advisor Frontend
+  ansible.builtin.include_role:
+    name: iop_advisor_frontend
+
+- name: Deploy IOP Vulnerability Frontend
+  ansible.builtin.include_role:
+    name: iop_vulnerability_frontend

src/roles/iop_vulnerability_frontend/defaults/main.yaml

@@ -0,0 +1,5 @@
+---
+iop_vulnerability_frontend_container_image: "quay.io/iop/vulnerability-frontend"
+iop_vulnerability_frontend_container_tag: "foreman-3.16"
+iop_vulnerability_frontend_assets_path: "/var/lib/foreman/public/assets/apps/vulnerability"
+iop_vulnerability_frontend_source_path: "/srv/dist/."

src/roles/iop_vulnerability_frontend/tasks/main.yaml

@@ -0,0 +1,91 @@
+---
+- name: Pull Vulnerability Frontend container image
+  containers.podman.podman_image:
+    name: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}"
+    state: present
+
+- name: Ensure parent assets directory exists
+  ansible.builtin.file:
+    path: /var/lib/foreman/public/assets/apps
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Ensure assets directory exists
+  ansible.builtin.file:
+    path: "{{ iop_vulnerability_frontend_assets_path }}"
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create temporary container for asset extraction
+  containers.podman.podman_container:
+    name: iop-vulnerability-frontend-temp
+    image: "{{ iop_vulnerability_frontend_container_image }}:{{ iop_vulnerability_frontend_container_tag }}"
+    state: created
+
+- name: Extract vulnerability frontend assets from container
+  containers.podman.podman_container_copy:
+    container: iop-vulnerability-frontend-temp
+    src: "{{ iop_vulnerability_frontend_source_path }}"
+    dest: "{{ iop_vulnerability_frontend_assets_path }}"
+    from_container: true
+
+- name: Restore SELinux context for vulnerability frontend assets
+  ansible.builtin.command:
+    cmd: restorecon -R "{{ iop_vulnerability_frontend_assets_path }}"
+  when: ansible_facts['selinux']['status'] == "enabled"
+  changed_when: false
+
+- name: Remove temporary container
+  containers.podman.podman_container:
+    name: iop-vulnerability-frontend-temp
+    state: absent
+
+- name: Set ownership of vulnerability frontend assets
+  ansible.builtin.file:
+    path: "{{ iop_vulnerability_frontend_assets_path }}"
+    owner: root
+    group: root
+    recurse: true
+
+- name: Ensure Apache SSL config directory exists
+  ansible.builtin.file:
+    path: /etc/httpd/conf.d/05-foreman-ssl.d
+    state: directory
+    mode: '0755'
+
+- name: Configure Apache for vulnerability frontend assets
+  ansible.builtin.copy:
+    dest: /etc/httpd/conf.d/05-foreman-ssl.d/vulnerability-frontend.conf
+    content: |
+      # IOP Vulnerability Frontend Assets Configuration
+      Alias /assets/apps/vulnerability {{ iop_vulnerability_frontend_assets_path }}
+      ProxyPass /assets/apps/vulnerability !
+
+      <LocationMatch "^/assets/apps/vulnerability">
+        Options SymLinksIfOwnerMatch
+        AllowOverride None
+        Require all granted
+
+        # Use standard http expire header for assets instead of ETag
+        <IfModule mod_expires.c>
+          Header unset ETag
+          FileETag None
+          ExpiresActive On
+          ExpiresDefault "access plus 1 year"
+        </IfModule>
+
+        # Return compressed assets if they are precompiled
+        RewriteEngine On
+        # Make sure the browser supports gzip encoding and file with .gz added
+        # does exist on disc before we rewrite with the extension
+        RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
+        RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
+        RewriteCond %{REQUEST_FILENAME}.gz -s
+        RewriteRule ^(.+) $1.gz [L]
+      </LocationMatch>
+    mode: '0644'
+  notify: "httpd : Restart httpd"

tests/fixtures/help/checks.txt

@@ -0,0 +1,26 @@
+import pytest
+
+
+def test_advisor_frontend_assets_directory(server):
+    assets_dir = server.file("/var/lib/foreman/public/assets/apps/advisor")
+    assert assets_dir.exists
+    assert assets_dir.is_directory
+    assert assets_dir.mode == 0o755
+
+
+def test_advisor_frontend_app_info_file(server):
+    app_info_file = server.file("/var/lib/foreman/public/assets/apps/advisor/app.info.json")
+
+    assert app_info_file.exists
+    assert app_info_file.is_file
+
+
+def test_advisor_frontend_javascript_assets_accessible(server):
+    result = server.run("find /var/lib/foreman/public/assets/apps/advisor -name '*.js' | head -1")
+    assert result.succeeded
+    assert result.stdout.strip()
+    js_file = result.stdout.strip().replace("/var/lib/foreman/public", "")
+    curl_result = server.run(f"curl -s -o /dev/null -w '%{{http_code}}' -k https://localhost{js_file}")
+    assert curl_result.succeeded
+    http_code = curl_result.stdout.strip()
+    assert http_code in ["200"]

tests/iop/test_advisor_frontend.py

@@ -43,23 +43,23 @@ def test_kafka_config_content(server):
 
 def test_kafka_topic_creation(server):
     topics = [
-        "platform.upload.available",
+        "platform.engine.results",
+        "platform.insights.rule-hits",
+        "platform.insights.rule-deactivation",
         "platform.inventory.events",
-        "platform.system-profile",
-        "advisor.recommendations",
-        "advisor.payload-tracker",
-        "advisor.rules-results",
-        "remediations.updates",
-        "remediations.status",
-        "vulnerability.uploads",
-        "vulnerability.evaluator",
-        "vulnerability.manager",
-        "vmaas.vulnerability.updates",
-        "vmaas.package.updates",
-        "puptoo.opening",
-        "puptoo.validation",
-        "yuptoo.opening",
-        "yuptoo.validation"
+        "platform.inventory.host-ingress",
+        "platform.sources.event-stream",
+        "platform.playbook-dispatcher.runs",
+        "platform.upload.announce",
+        "platform.upload.validation",
+        "platform.logging.logs",
+        "platform.payload-status",
+        "platform.remediation-updates.vulnerability",
+        "vulnerability.evaluator.results",
+        "vulnerability.evaluator.recalc",
+        "vulnerability.evaluator.upload",
+        "vulnerability.grouper.inventory.upload",
+        "vulnerability.grouper.advisor.upload"
     ]
 
     result = server.run("podman exec iop-core-kafka /opt/kafka/bin/kafka-topics.sh --bootstrap-server iop-core-kafka:9092 --list")

tests/iop/test_kafka.py

@@ -172,7 +172,7 @@ def test_vulnerability_fdw_user_mapping_exists(server):
 
 
 def test_vulnerability_fdw_foreign_table_exists(server):
-    result = server.run("podman exec postgresql psql vulnerability_db -c \"SELECT * FROM information_schema.foreign_tables WHERE foreign_table_schema = 'inventory_remote' AND foreign_table_name = 'hosts';\"")
+    result = server.run("podman exec postgresql psql vulnerability_db -c \"SELECT * FROM information_schema.foreign_tables WHERE foreign_table_schema = 'inventory_source' AND foreign_table_name = 'hosts';\"")
     assert result.succeeded
     assert "hosts" in result.stdout