From 5d8b04e02c1069cbf7e06949eacb6b5f6cf27d19 Mon Sep 17 00:00:00 2001
From: Ewoud Kohl van Wijngaarden
Date: Wed, 14 Sep 2022 21:17:57 +0200
Subject: [PATCH] Implement a verification API

The goal of this is to have an end-to-end verification of compatibility or provide concrete pointers to what failed.
---
 lib/proxy/verify_runtime.rb | 52 +++++++++++++++++++++++++++++++++++++
 modules/root/root_api.rb | 7 +++++
 2 files changed, 59 insertions(+)
 create mode 100644 lib/proxy/verify_runtime.rb

diff --git a/lib/proxy/verify_runtime.rb b/lib/proxy/verify_runtime.rb
new file mode 100644
index 000000000..92ea485fa
--- /dev/null
+++ b/lib/proxy/verify_runtime.rb
@@ -0,0 +1,52 @@
+module Proxy
+ class VerifyRuntime
+ class << self
+ # RFC5737 declares 192.0.2.0/24 as TEST-NET-1
+ MOCK_IP = '192.0.2.42'
+
+ def settings
+ Proxy::SETTINGS
+ end
+
+ def verify
+ {
+ reverse_proxy: verify_reverse_proxy,
+ }
+ end
+
+ def verify_reverse_proxy
+ # It's valid if there is no Foreman URL
+ return true unless settings.foreman_url
+
+ # Only needed for templates / registration
+ # TODO: make this more generic
+ return true unless ::Proxy::Plugins.instance.any? { |p| p[:state] == :running && ['templates', 'registration'].include?(p[:name]) }
+
+ foreman = Proxy::HttpRequest::ForemanRequest.new
+ request = foreman.request_factory.create_get('/api/status', headers: {'X-Forwarded-For': MOCK_IP})
+ response = foreman.send_request(request)
+
+ if response.status != '200'
+ logger.info("Foreman status API returned #{response.status}")
+ return false
+ end
+
+ status = JSON.parse(response.body)
+ unless status.key?('remote_ip')
+ message = if ::Gem::Dependency.new('', '>= 3.5.0').match?('', status['version'])
+ "Foreman Proxy authentication broken"
+ else
+ "Foreman status doesn't have a remote_ip because Foreman is too old"
+ end
+ logger.info(message)
+ return false
+ end
+
+ status['remote_ip'] == MOCK_IP
+ rescue StandardError => e
+ logger.exception('Failed to verify Foreman reverse proxy setup', e)
+ false
+ end
+ end
+ end
+end
diff --git a/modules/root/root_api.rb b/modules/root/root_api.rb
index e45c3aa44..69a9369fe 100644
--- a/modules/root/root_api.rb
+++ b/modules/root/root_api.rb
@@ -1,3 +1,5 @@
+require 'proxy/verify_runtime'
+
 class Proxy::RootApi < Sinatra::Base
 helpers ::Proxy::Helpers
@@ -18,4 +20,9 @@ class Proxy::RootApi < Sinatra::Base
 rescue => e
 log_halt 400, e
 end
+
+ get "/verify" do
+ content_type :json
+ Proxy::VerifyRuntime.verify.to_json
+ end
 end
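Review bot: `logger` is used throughout `verify_reverse_proxy`, including inside the `rescue StandardError => e` handler, but the singleton class in this new file defines only `settings`, `verify` and `verify_reverse_proxy` and shows no `include`/`extend` that would supply it. Unless a `logger` is provided globally elsewhere, the first `logger.info` raises NameError, the rescue catches it, and `logger.exception` raises again, so the check aborts instead of returning `false`. Mixing the project's logging module into the singleton, e.g. `include ::Proxy::Log` directly under `class << self`, would close that gap. Separately, both early `return true` paths report the same value as a successful round trip, so a short comment such as `# true also means "not applicable", not only "verified"` above `def verify_reverse_proxy` would keep callers from reading it as proof that header forwarding was tested.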
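Review bot: The new `get "/verify"` route shows no authorization, throttling or caching, yet each request makes the proxy issue an outbound `/api/status` call to Foreman and return the outcome to the caller. The body of `Proxy::RootApi` starts outside the hunk, so a class-level filter may already apply; if none does, consider limiting the route to the project's trusted-host or client-certificate checks, or caching the result for a short interval so the endpoint cannot be used to drive repeated requests at Foreman. The route also lacks the `rescue => e` / `log_halt 400, e` handling used by the route just above it, so an exception escaping `Proxy::VerifyRuntime.verify` would surface as an unhandled 500.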