File spacewalk-proxy-installer-git-0.484b753.obscpio of Package spacewalk-proxy-installer

spacewalk-proxy-installer/LICENSE

                    GNU GENERAL PUBLIC LICENSE
                       Version 2, June 1991

 Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 Everyone is permitted to copy and distribute verbatim copies
 of this license document, but changing it is not allowed.

                            Preamble

  The licenses for most software are designed to take away your
freedom to share and change it.  By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users.  This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it.  (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.)  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.

  To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.

  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have.  You must make sure that they, too, receive or can get the
source code.  And you must show them these terms so they know their
rights.

  We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.

  Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software.  If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.

  Finally, any free program is threatened constantly by software
patents.  We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary.  To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.

  The precise terms and conditions for copying, distribution and
modification follow.

                    GNU GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

  0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License.  The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language.  (Hereinafter, translation is included without limitation in
the term "modification".)  Each licensee is addressed as "you".

Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope.  The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.

  1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.

  2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:

    a) You must cause the modified files to carry prominent notices
    stating that you changed the files and the date of any change.

    b) You must cause any work that you distribute or publish, that in
    whole or in part contains or is derived from the Program or any
    part thereof, to be licensed as a whole at no charge to all third
    parties under the terms of this License.

    c) If the modified program normally reads commands interactively
    when run, you must cause it, when started running for such
    interactive use in the most ordinary way, to print or display an
    announcement including an appropriate copyright notice and a
    notice that there is no warranty (or else, saying that you provide
    a warranty) and that users may redistribute the program under
    these conditions, and telling the user how to view a copy of this
    License.  (Exception: if the Program itself is interactive but
    does not normally print such an announcement, your work based on
    the Program is not required to print an announcement.)

These requirements apply to the modified work as a whole.  If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works.  But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.

  3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:

    a) Accompany it with the complete corresponding machine-readable
    source code, which must be distributed under the terms of Sections
    1 and 2 above on a medium customarily used for software interchange; or,

    b) Accompany it with a written offer, valid for at least three
    years, to give any third party, for a charge no more than your
    cost of physically performing source distribution, a complete
    machine-readable copy of the corresponding source code, to be
    distributed under the terms of Sections 1 and 2 above on a medium
    customarily used for software interchange; or,

    c) Accompany it with the information you received as to the offer
    to distribute corresponding source code.  (This alternative is
    allowed only for noncommercial distribution and only if you
    received the program in object code or executable form with such
    an offer, in accord with Subsection b above.)

The source code for a work means the preferred form of the work for
making modifications to it.  For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable.  However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.

  4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License.  Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.

  5. You are not required to accept this License, since you have not
signed it.  However, nothing else grants you permission to modify or
distribute the Program or its derivative works.  These actions are
prohibited by law if you do not accept this License.  Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.

  6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions.  You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

  7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all.  For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.

If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.

It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices.  Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.

This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.

  8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded.  In such case, this License incorporates
the limitation as if written in the body of this License.

  9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time.  Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

Each version is given a distinguishing version number.  If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation.  If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.

  10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission.  For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this.  Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.

                            NO WARRANTY

  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.

  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.

                     END OF TERMS AND CONDITIONS

            How to Apply These Terms to Your New Programs

  If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.

  To do so, attach the following notices to the program.  It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.

    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>

    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License along
    with this program; if not, write to the Free Software Foundation, Inc.,
    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.

Also add information on how to contact you by electronic and paper mail.

If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:

    Gnomovision version 69, Copyright (C) year name of author
    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
    This is free software, and you are welcome to redistribute it
    under certain conditions; type `show c' for details.

The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License.  Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.

You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary.  Here is a sample; alter the names:

  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
  `Gnomovision' (which makes passes at compilers) written by James Hacker.

  <signature of Ty Coon>, 1 April 1989
  Ty Coon, President of Vice

This General Public License does not permit incorporating your program into
proprietary programs.  If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library.  If this is what you want to do, use the GNU Lesser General
Public License instead of this License.

spacewalk-proxy-installer/Makefile.python

THIS_MAKEFILE := $(realpath $(lastword $(MAKEFILE_LIST)))
CURRENT_DIR := $(dir $(THIS_MAKEFILE))
include $(CURRENT_DIR)../../rel-eng/Makefile.python

# Docker tests variables
DOCKER_CONTAINER_BASE = uyuni-master
DOCKER_REGISTRY       = registry.mgr.suse.de
DOCKER_RUN_EXPORT     = "PYTHONPATH=$PYTHONPATH"
DOCKER_VOLUMES        = -v "$(CURDIR)/../../:/manager"

__pylint ::
	$(call update_pip_env)
	pylint --rcfile=pylintrc $(shell find -name '*.py') > reports/pylint.log || true

docker_pylint ::
	docker run --rm -e $(DOCKER_RUN_EXPORT) $(DOCKER_VOLUMES) $(DOCKER_REGISTRY)/$(DOCKER_CONTAINER_BASE)-pgsql /bin/sh -c "cd /manager/proxy/installer/; make -f Makefile.python __pylint"

docker_shell ::
	docker run -t -i --rm -e $(DOCKER_RUN_EXPORT) $(DOCKER_VOLUMES) $(DOCKER_REGISTRY)/$(DOCKER_CONTAINER_BASE)-pgsql /bin/bash

spacewalk-proxy-installer/answers.txt

# Example answer file for configure-proxy.sh.
# For the full list of possible options see
# man configure-proxy.sh

VERSION=1.2
RHN_PARENT=your.susemanager.org
TRACEBACK_EMAIL=your@email.com
SSL_EMAIL=$TRACEBACK_EMAIL
FORCE_OWN_CA=
SSL_BUILD_DIR=/root/ssl-build
SSL_ORG="Your Org"
SSL_ORGUNIT="Spacewalk"
SSL_COMMON="CommonName"
SSL_CITY=Raleigh
SSL_STATE=NC
SSL_COUNTRY=US
SSL_PASSWORD=spacewalk-ssl-cert-password
CA_CHAIN=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP_PROXY=
HTTP_USERNAME=
HTTP_PASSWORD=

# Use the following variables to import custom SSL keys/certificates
USE_EXISTING_CERTS=N
CA_CERT=/root/my_ca.crt
SERVER_CERT=/root/my_server.crt
SERVER_KEY=/root/my_server.key

# If you want to populate configuration channel
# and want to have really silent installation, then
# you must run rhncfg-manager to enter your login
# and password first. Otherwise you will be asked for
# these during proxy activation.
POPULATE_CONFIG_CHANNEL=Y

# if you do not want to start services after configuration
# set this variable to 0 or N
START_SERVICES=Y

# cname aliases for proxy, this MUST be in parentheses and separated by space
# do not put here the original hostname
#SSL_CNAME=(cname.alias.com another.alias.com)

spacewalk-proxy-installer/cobbler-proxy.conf

ProxyPass /cobbler_api https://$RHN_PARENT/download/cobbler_api
ProxyPassReverse /cobbler_api https://$RHN_PARENT/download/cobbler_api
RewriteRule ^/cblr/svc/op/ks/(.*)$ /download/$0 [P,L]
RewriteRule ^/cblr/svc/op/autoinstall/(.*)$ /download/$0 [P,L]
ProxyPass /cblr https://$RHN_PARENT/cblr
ProxyPassReverse /cblr https://$RHN_PARENT/cblr
ProxyPass /cobbler https://$RHN_PARENT/cobbler
ProxyPassReverse /cobbler https://$RHN_PARENT/cobbler

spacewalk-proxy-installer/configure-proxy.sh

#!/bin/bash

if [ 0$UID -gt 0 ]; then
    echo Run as root.
    exit 1
fi

if [ ! -e /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT -a -e /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT ]; then
    ln -s /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
fi

print_help() {
    cat <<HELP
usage: configure-proxy.sh [options]

options:
  --activate-SLP
            activate the SLP server so SUSE Manager proxy gets advertised
  --answer-file=filename
            Indicates the location of an answer file to be used for answering
            questions asked during the installation process. See man page
            for an example and documentation.
  --force-own-ca
            Do not use parent CA and force to create your own.
  -h, --help
            show this help message and exit
  --http-password=HTTP_PASSWORD
            The password to use for an authenticated proxy.
  --http-proxy=HTTP_PROXY
            HTTP proxy in host:port format, e.g. squid.redhat.com:3128
  --http-username=HTTP_USERNAME
            The username for an authenticated proxy.
  --non-interactive
            For use only with --answer-file. If the --answer-file doesn't
            provide a required response, default answer is used.
  --populate-config-channel
            Create config channel and save configuration files to that channel.
            Configuration channel name is rhn_proxy_config_\${SYSTEM_ID}.
  --rhn-password=RHN_PASSWORD
            Red Hat Network or Spacewalk password.
  --rhn-user=RHN_USER
            Red Hat Network or Spacewalk user account.
  --ssl-build-dir=SSL_BUILD_DIR
            The directory where we build SSL certificate. Default is /root/ssl-build
  --ssl-city=SSL_CITY
            City to be used in SSL certificate.
  --ssl-common=SSL_COMMON
            Common name to be used in SSL certificate.
  --ssl-country=SSL_COUNTRY
            Two-letter country code to be used in SSL certificate.
  --ssl-email=SSL_EMAIL
            Email to be used in SSL certificate.
  --ssl-org=SSL_ORG
            Organization name to be used in SSL certificate.
  --ssl-orgunit=SSL_ORGUNIT
            Organization unit name to be used in SSL certificate.
  --ssl-password=SSL_PASSWORD
            Password to be used for SSL CA certificate.
  --ssl-state=SSL_STATE
            State to be used in SSL certificate.
  --ssl-cname=CNAME_ALIAS
            Cname alias of the machine. Can be specified multiple times.
  --start-services[=N]
            1 or Y to start all services after configuration. This is default.
            0 or N to not start services after configuration.
  --traceback-email=TRACEBACK_EMAIL
            Email to which tracebacks should be sent.
  --ssl-use-existing-certs
            Use custom SSL certificates instead of generating new ones (use
            --ssl-ca-cert, --ssl-server-key and --ssl-server-cert parameters to
            specify paths).
  --ssl-ca-cert
            Use a custom CA certificate from the given file.
  --ssl-server-key
            Use a server private SSL key from the given file.
  --ssl-server-cert
            Use a server public SSL certificate from the given file.
  --version=VERSION
            Version of Spacewalk Proxy Server you want to activate.
HELP
    exit 1
}

open_firewall_ports() {
echo "Open needed firewall ports..."
if [ -x /usr/bin/firewall-cmd ]; then
  firewall-cmd --state 2> /dev/null
  if [ $? -eq 0 ]; then
    firewall-cmd --permanent --zone=public --add-service=suse-manager-proxy
    firewall-cmd --reload
  else
    firewall-offline-cmd --zone=public --add-service=suse-manager-proxy
  fi
else
  echo "firewalld not installed" >&2
fi
}

parse_answer_file() {
    local FILE="$1"
    local ALIAS
    if [ ! -r "$FILE" ] ; then
       echo "Answer file '$FILE' is not readable."
       exit 1
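    fi
    # The answer file is sourced as shell code, and this script runs as root:
    # anything in the file executes with root privileges, so keep it
    # root-owned and not writable by other users.
    . "$FILE"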
    for ALIAS in ${SSL_CNAME[@]}; do
        SSL_CNAME_PARSED[CNAME_INDEX++]=--set-cname=$ALIAS
    done
}

set_value() {
    local OPTION="$1"
    local VAR="$2"
    local ARG="$3"
    [[ "$ARG" =~ ^- ]] \
        && echo "$0: option $OPTION requires argument! Use answer file if your argument starts with '-'." \
        && print_help
    eval "$(printf "%q=%q" "$VAR" "$ARG")"
}

yes_no() {
    case "$1" in
        Y|y|Y/n|n/Y|1)
            echo 1
            ;;
        *)
            echo 0
            ;;
    esac
}

INTERACTIVE=1
INTERACTIVE_RETRIES=3
CNAME_INDEX=0
MANUAL_ANSWERS=0

OPTS=$(getopt --longoptions=help,activate-SLP,answer-file:,non-interactive,version:,traceback-email:,force-own-ca,http-proxy:,http-username:,http-password:,rhn-user:,rhn-password:,ssl-build-dir:,ssl-org:,ssl-orgunit:,ssl-common:,ssl-city:,ssl-state:,ssl-country:,ssl-email:,ssl-password:,ssl-cname:,ssl-use-existing-certs::,ssl-ca-cert:,ssl-server-key:,ssl-server-cert:,rhn-user:,rhn-password:,populate-config-channel::,start-services:: -n ${0##*/} -- h "$@")

if [ $? != 0 ] ; then
    print_help
fi

# It is getopt's responsibility to make this safe
eval set -- "$OPTS"

while : ; do
    case "$1" in
        --help|-h)  print_help;;
        --activate-SLP) ACTIVATE_SLP=1;;
        --answer-file) set_value "$1" ANSWER_FILE "$2";
                       parse_answer_file "$ANSWER_FILE"; shift;;
        --non-interactive) INTERACTIVE=0;;
        --version) set_value "$1" VERSION "$2"; shift;;
        --traceback-email) set_value "$1" TRACEBACK_EMAIL "$2"; shift;;
        --force-own-ca) FORCE_OWN_CA=1;;
        --http-proxy) set_value "$1" HTTP_PROXY "$2"; shift;;
        --http-username) set_value "$1" HTTP_USERNAME "$2"; shift;;
        --http-password) set_value "$1" HTTP_PASSWORD "$2"; shift;;
        --ssl-build-dir) set_value "$1" SSL_BUILD_DIR "$2"; shift;;
        --ssl-org) set_value "$1" SSL_ORG "$2"; shift;;
        --ssl-orgunit) set_value "$1" SSL_ORGUNIT "$2"; shift;;
        --ssl-common) set_value "$1" SSL_COMMON "$2"; shift;;
        --ssl-city) set_value "$1" SSL_CITY "$2"; shift;;
        --ssl-state) set_value "$1" SSL_STATE "$2"; shift;;
        --ssl-country) set_value "$1" SSL_COUNTRY "$2"; shift;;
        --ssl-email) set_value "$1" SSL_EMAIL "$2"; shift;;
        --ssl-password) set_value "$1" SSL_PASSWORD "$2"; shift;;
        --ssl-cname) SSL_CNAME_PARSED[CNAME_INDEX++]="--set-cname=$2"; shift;;
        --start-services) START_SERVICES="${2:-Y}"; shift;;
        --rhn-user) set_value "$1" RHN_USER "$2"; shift;;
        --rhn-password) set_value "$1" RHN_PASSWORD "$2"; shift;;
        --ssl-use-existing-certs) USE_EXISTING_CERTS="${2:-Y}"; shift;;
        --ssl-ca-cert) set_value "$1" CA_CERT "$2"; shift;;
        --ssl-server-key) set_value "$1" SERVER_KEY "$2"; shift;;
        --ssl-server-cert) set_value "$1" SERVER_CERT "$2"; shift;;
        --) shift;
            if [ $# -gt 0 ] ; then
                echo "Error: Extra arguments found: $@"
                print_help
                exit 1
            fi
            break;;
        *) echo Error: Invalid option $1; exit 1;;
    esac
    shift
done

# params dep check
if [[ $INTERACTIVE == 0 && -z $ANSWER_FILE ]]; then
    echo "Option --non-interactive is for use only with option --answer-file."
    exit 1
fi

ACCUMULATED_ANSWERS=""

generate_answers() {
    if [ "$INTERACTIVE" = 1 -a "$MANUAL_ANSWERS" = 1 ]; then
        local WRITE_ANSWERS
        echo "There were some answers you had to enter manually."
        echo "Would you like to have written those into file"
        echo -n "formatted as answers file? [Y/n]: "
        read WRITE_ANSWERS
        WRITE_ANSWERS=$(yes_no ${WRITE_ANSWERS:-Y})
        if [ "$WRITE_ANSWERS" = 1 ]; then
            local tmp=$(mktemp proxy-answers.txt.XXXXX)
            echo "Writing $tmp"
            echo "# Answer file generated by ${0##*/} at $(date)$ACCUMULATED_ANSWERS" > $tmp
        fi
    fi
}

default_or_input() {
    local MSG="$1"
    local VARIABLE="$2"
    local DEFAULT="$3"

    local INPUT
    local CURRENT_VALUE=${!VARIABLE}
    # The following line uses a less common expansion:
    #   var_a=${var_b:-word}
    # which means: var_a = var_b if it is set and non-empty, otherwise word
    DEFAULT=${CURRENT_VALUE:-$DEFAULT}
    local VARIABLE_ISSET=$(set | grep "^$VARIABLE=")

    echo -n "$MSG [$DEFAULT]: "
    if [ "$INTERACTIVE" = "1" -a  -z "$VARIABLE_ISSET" ]; then
        MANUAL_ANSWERS=1
        read INPUT
    elif [ -z "$VARIABLE_ISSET" ]; then
        echo "$DEFAULT"
    else
        DEFAULT=${!VARIABLE}
        echo "$DEFAULT"
    fi
    if [ -z "$INPUT" ]; then
        if [ "$DEFAULT" = "y/N" -o "$DEFAULT" = "Y/n" ]; then
            INPUT=$(yes_no "$DEFAULT")
        else
            INPUT="$DEFAULT"
        fi
    fi
    ACCUMULATED_ANSWERS+=$(printf "\n%q=%q" "$VARIABLE" "${INPUT:-$DEFAULT}")
    eval "$(printf "%q=%q" "$VARIABLE" "$INPUT")"
}

config_error() {
    if [ $1 -gt 0 ]; then
        echo "$2 Installation interrupted."
        /usr/sbin/rhn-proxy-activate \
            --server="$RHN_PARENT" \
            --http-proxy="$HTTP_PROXY" \
            --http-proxy-username="$HTTP_USERNAME" \
            --http-proxy-password="$HTTP_PASSWORD" \
            --ca-cert="$CA_CHAIN" \
            --deactivate --non-interactive
        generate_answers
        exit $1
    fi
}

# Return 0 if rhnParent is Hosted. Otherwise return 1.
is_hosted() {
    return 1
}

check_ca_conf() {
    if [ -f /root/ssl-build/rhn-ca-openssl.cnf ] \
        && awk '/^[[:space:]]*\[[[:space:]]*[_[:alnum:]]*[[:space:]]*]/ {CORRECT_SECTION=0} \
        /^[[:space:]]*\[[[:space:]]*CA_default[[:space:]]*]/ {CORRECT_SECTION=1} \
        /^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy/ && CORRECT_SECTION==1 {exit 1}' \
        /root/ssl-build/rhn-ca-openssl.cnf > /dev/null \
            && [ ${#SSL_CNAME_PARSED[@]} -gt 0 ]; then
            cat <<WARNING
It seems you tried to use the --set-cname option. On inspection we noticed that the openssl configuration file we use is missing a critically important option. Without this option, not only will multi host SSL certificates not work, but the planet Earth will implode in a massive rip in the time/space continuum. To avoid this failure, we choose to gracefully exit here and request for you to edit the openssl configuration file
 /root/ssl-build/rhn-ca-openssl.cnf
and add this line:
 copy_extensions = copy
in
 [ CA_default ]
section.
Then re-run this script again.
WARNING
            generate_answers
            exit 3
    fi
}

YUM="yum install"
UPGRADE="yum upgrade"
# add -y for non-interactive installation
if [ "$INTERACTIVE" = "0" ]; then
    YUM="$YUM -y"
    UPGRADE="$UPGRADE -y"
fi
if [ -x /usr/bin/zypper ]; then
	YUM="zypper install"
	UPGRADE="zypper update"
	# add --non-interactive for non-interactive installation
	if [ "$INTERACTIVE" = "0" ]; then
		YUM="zypper --non-interactive install"
		UPGRADE="zypper --non-interactive update"
	fi
fi
SYSCONFIG_DIR=/etc/sysconfig/rhn
RHNCONF_DIR=/etc/rhn
HTTPDCONF_DIR=/etc/apache2
HTTPDCONFD_DIR=/etc/apache2/conf.d
#HTMLPUB_DIR=/var/www/html/pub
HTMLPUB_DIR=/srv/www/htdocs/pub
SQUID_DIR=/etc/squid
UP2DATE_FILE=$SYSCONFIG_DIR/up2date
SYSTEMID_PATH=$(awk -F '=[[:space:]]*' '/^[[:space:]]*systemIdPath[[:space:]]*=/ {print $2}' $UP2DATE_FILE)

PYTHON_CMD=""
systemctl is-active --quiet salt-minion && PYTHON_CMD="/usr/bin/python3"
systemctl is-active --quiet venv-salt-minion && PYTHON_CMD="/usr/lib/venv-salt-minion/bin/python"

if [[ -n $PYTHON_CMD ]]; then
    $PYTHON_CMD /usr/share/rhn/proxy-installer/fetch-certificate.py $SYSTEMID_PATH
    MASTER_CONF=/etc/salt/minion.d/susemanager.conf
    if [ -f /etc/venv-salt-minion/minion.d/susemanager.conf ]; then
        MASTER_CONF=/etc/venv-salt-minion/minion.d/susemanager.conf
    fi
    # Quote the pattern so the shell cannot glob-expand the bracket expression
    PROPOSED_PARENT=$(grep '^[[:blank:]]*master' "$MASTER_CONF" | sed -e "s/.*:[[:blank:]]*//")
else
    PROPOSED_PARENT=$(awk -F= '/serverURL=/ {split($2, a, "/")} END { print a[3]}' $UP2DATE_FILE)
fi

if [ ! -r $SYSTEMID_PATH ]; then
    echo ERROR: This machine does not appear to be registered with SUSE Manager Server
    exit 2
fi

SYSTEM_ID=$(/usr/bin/xsltproc /usr/share/rhn/get_system_id.xslt $SYSTEMID_PATH | cut -d- -f2)

DIR=/usr/share/rhn/proxy-template
HOSTNAME=$(hostname -f)

default_or_input "SUSE Manager Parent" RHN_PARENT $PROPOSED_PARENT

sed -i -e "s/^serverURL=.*/serverURL=https:\/\/$RHN_PARENT\/XMLRPC/" /etc/sysconfig/rhn/up2date

CA_CHAIN=$(awk -F'[=;]' '/sslCACert=/ {a=$2} END {print a}' $UP2DATE_FILE)
echo "Using CA Chain (from $UP2DATE_FILE): $CA_CHAIN"

if ! /bin/su nobody -s /bin/sh --command="[ -r $CA_CHAIN ]" ; then

    echo Error: File $CA_CHAIN is not readable by nobody user.
    exit 1
fi

default_or_input "HTTP Proxy" HTTP_PROXY ''

if [ "$HTTP_PROXY" != "" ]; then

    default_or_input "HTTP username" HTTP_USERNAME ''

    if [ "$HTTP_USERNAME" != "" ]; then
        default_or_input "HTTP password" HTTP_PASSWORD ''
    fi
fi

VERSION=$(rpm -q --queryformat %{version} spacewalk-proxy-installer|cut -d. -f1-2)
ACCUMULATED_ANSWERS+=$(printf "\n%q=%q" "VERSION" "$VERSION")

default_or_input "Traceback email" TRACEBACK_EMAIL ''

# lets do SSL stuff
cat <<SSLCERT
You will now need to either generate or import an SSL certificate.
This SSL certificate will allow client systems to connect to this Uyuni Proxy
securely. Refer to the Uyuni Proxy Installation Guide for more information.
SSLCERT

default_or_input "Do you want to import existing certificates?" \
    USE_EXISTING_CERTS "y/N"
USE_EXISTING_CERTS=$(yes_no $USE_EXISTING_CERTS)

FORCE_OWN_CA=$(yes_no $FORCE_OWN_CA)

SSL_BUILD_DIR=${SSL_BUILD_DIR:-/root/ssl-build}
if ! [ -d $SSL_BUILD_DIR ] && [ 0$FORCE_OWN_CA -eq 0 ] && [ 0$USE_EXISTING_CERTS -eq 0 ]; then
    mkdir -p $SSL_BUILD_DIR
fi

if [ 0$FORCE_OWN_CA -eq 0 ] && \
    [ 0$USE_EXISTING_CERTS -eq 0 ] && \
    ! is_hosted "$RHN_PARENT" && \
    [ ! -f /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY ] && \
    ! diff $CA_CHAIN /root/ssl-build/RHN-ORG-TRUSTED-SSL-KEY &>/dev/null; then
        cat <<CA_KEYS

Please do copy your CA key and public certificate from $RHN_PARENT to
/root/ssl-build directory. You may want to execute this command:

 scp 'root@$RHN_PARENT:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' $SSL_BUILD_DIR

Please note that you need to re-run the proxy configure script after copying the certificate!

CA_KEYS
        exit 1
fi

check_ca_conf


if [ -n "$SSL_PASSWORD" ] ; then
    # use SSL_PASSWORD if already set
    RHN_SSL_TOOL_PASSWORD_OPTION="--password"
    RHN_SSL_TOOL_PASSWORD="$SSL_PASSWORD"
elif [ "$INTERACTIVE" = "0" ] && [ 0$USE_EXISTING_CERTS -eq 0 ] ; then
    # non-interactive mode but no SSL_PASSWORD :(
    config_error 4 "Please define SSL_PASSWORD."
fi

# get input for generating CA/server certs
if [ 0$USE_EXISTING_CERTS -eq 0 ]; then
    default_or_input "Organization" SSL_ORG ''
    default_or_input "Organization Unit" SSL_ORGUNIT "$HOSTNAME"
    default_or_input "Common Name" SSL_COMMON "$HOSTNAME"
    default_or_input "City" SSL_CITY ''
    default_or_input "State" SSL_STATE ''
    default_or_input "Country code" SSL_COUNTRY ''
    default_or_input "Email" SSL_EMAIL "$TRACEBACK_EMAIL"
    if [ ${#SSL_CNAME_PARSED[@]} -eq 0 ]; then
        VARIABLE_ISSET=$(set | grep "^SSL_CNAME=")
        if [ -z "$VARIABLE_ISSET" ]; then
            default_or_input "Cname aliases (separated by space)" SSL_CNAME_ASK ''
            CNAME=($SSL_CNAME_ASK)
            for ALIAS in ${CNAME[@]}; do
                SSL_CNAME_PARSED[CNAME_INDEX++]=--set-cname=$ALIAS
            done
            check_ca_conf
        fi
    fi
fi

if [ "$USE_EXISTING_CERTS" -eq "1" ]; then
    # The paths are quoted in the tests below: with an empty answer, an
    # unquoted [ ! -e $CA_CERT ] collapses to [ ! -e ], which is false, so
    # the missing file would go unnoticed.
    default_or_input "Path to CA SSL certificate:" CA_CERT ""
    if [ ! -e "$CA_CERT" ]; then
        config_error 1 "Given file doesn't exist!"
    fi

    default_or_input "Path to the Proxy Server's SSL key:" SERVER_KEY ""
    if [ ! -e "$SERVER_KEY" ]; then
        config_error 1 "Given file doesn't exist!"
    fi

    default_or_input "Path to the Proxy Server's SSL certificate:" SERVER_CERT ""
    if [ ! -e "$SERVER_CERT" ]; then
        config_error 1 "Given file doesn't exist!"
    fi
else
    if [ ! -f $SSL_BUILD_DIR/RHN-ORG-PRIVATE-SSL-KEY ]; then
        echo "Generating CA key and public certificate:"
        /usr/bin/rhn-ssl-tool --gen-ca --no-rpm -q \
            --dir="$SSL_BUILD_DIR" \
            --set-common-name="$SSL_COMMON" \
            --set-country="$SSL_COUNTRY" \
            --set-city="$SSL_CITY" \
            --set-state="$SSL_STATE" \
            --set-org="$SSL_ORG" \
            --set-org-unit="$SSL_ORGUNIT" \
            --set-email="$SSL_EMAIL" \
            ${RHN_SSL_TOOL_PASSWORD_OPTION:+"$RHN_SSL_TOOL_PASSWORD_OPTION" "$RHN_SSL_TOOL_PASSWORD"}
        config_error $? "CA certificate generation failed!"
    fi
    CA_CERT=$SSL_BUILD_DIR/RHN-ORG-TRUSTED-SSL-CERT
fi

if [ "$USE_EXISTING_CERTS" -eq "0" ]; then
    echo "Using CA key at $SSL_BUILD_DIR/RHN-ORG-PRIVATE-SSL-KEY."

    IFS="."; arrIN=($HOSTNAME); unset IFS
    unset 'arrIN[${#arrIN[@]}-1]'
    unset 'arrIN[${#arrIN[@]}-1]'
    SYS_NAME=$(IFS=. eval 'echo "${arrIN[*]}"')

    echo "Generating SSL key and public certificate."
    /usr/bin/rhn-ssl-tool --gen-server -q --no-rpm \
        --set-hostname "$HOSTNAME" \
        --dir="$SSL_BUILD_DIR" \
        --set-country="$SSL_COUNTRY" \
        --set-city="$SSL_CITY" \
        --set-state="$SSL_STATE" \
        --set-org="$SSL_ORG" \
        --set-org-unit="$SSL_ORGUNIT" \
        --set-email="$SSL_EMAIL" \
        ${SSL_CNAME_PARSED[@]} \
        ${RHN_SSL_TOOL_PASSWORD_OPTION:+"$RHN_SSL_TOOL_PASSWORD_OPTION" "$RHN_SSL_TOOL_PASSWORD"}
    config_error $? "SSL key generation failed!"
    SERVER_KEY=$SSL_BUILD_DIR/$SYS_NAME/server.key
    SERVER_CERT=$SSL_BUILD_DIR/$SYS_NAME/server.crt
fi

echo "Installing SSL certificates:"
/usr/bin/mgr-ssl-cert-setup --root-ca-file="$CA_CERT" --server-cert-file="$SERVER_CERT" --server-key-file="$SERVER_KEY"

/usr/sbin/rhn-proxy-activate --server="$RHN_PARENT" \
                            --http-proxy="$HTTP_PROXY" \
                            --http-proxy-username="$HTTP_USERNAME" \
                            --http-proxy-password="$HTTP_PASSWORD" \
                            --ca-cert="$CA_CHAIN" \
                            --version="$VERSION" \
                            --non-interactive
config_error $? "Proxy activation failed!"

rpm -q rhn-apache >/dev/null
if [ $? -eq 0 ]; then
    echo "Package rhn-apache present - assuming upgrade:"
    echo "Force removal of /etc/httpd/conf/httpd.conf - backed up to /etc/httpd/conf/httpd.conf.rpmsave"
    mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.rpmsave
fi

if [ -x /usr/sbin/rhn-proxy ]; then
    /usr/sbin/rhn-proxy stop
fi

$YUM spacewalk-proxy-management
# check if the package installed successfully
rpm -q spacewalk-proxy-management >/dev/null
if [ $? -ne 0 ]; then
    config_error 2 "Installation of package spacewalk-proxy-management failed."
fi
$UPGRADE

# size of squid disk cache will be 60% of free space on /var/cache/squid
# df -P give free space in kB
# * 60 / 100 is 60% of that space
# / 1024 is to get value in MB
SQUID_SIZE=$(df -P /var/cache/squid | awk '{a=$4} END {printf("%d", a * 60 / 100 / 1024)}')
SQUID_REWRITE="s|cache_dir ufs /var/cache/squid 15000 16 256|cache_dir ufs /var/cache/squid $SQUID_SIZE 16 256|g;"
SQUID_VER_MAJOR=$(squid -v | awk -F'[ .]' '/Version/ {print $4}')
if [ $SQUID_VER_MAJOR -ge 3 ] ; then
    # squid 3.X has acl 'all' built-in
    SQUID_REWRITE="$SQUID_REWRITE s/^acl all.*//;"
    # squid 3.2 and later need none instead of -1 for range_offset_limit
    SQUID_VER_MINOR=$(squid -v | awk -F'[ .]' '/Version/ {print $5}')
    if [[ $SQUID_VER_MAJOR -ge 4 || ( $SQUID_VER_MAJOR -eq 3 && $SQUID_VER_MINOR -ge 2 ) ]] ; then
        SQUID_REWRITE="$SQUID_REWRITE s/^range_offset_limit.*/range_offset_limit none/;"
    fi
fi
sed "$SQUID_REWRITE" < $DIR/squid.conf  > $SQUID_DIR/squid.conf
sed -e "s|\${session.ca_chain:/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT}|$CA_CHAIN|g" \
    -e "s/\${session.http_proxy}/$HTTP_PROXY/g" \
    -e "s/\${session.http_proxy_username}/$HTTP_USERNAME/g" \
    -e "s/\${session.http_proxy_password}/$HTTP_PASSWORD/g" \
    -e "s/\${session.rhn_parent}/$RHN_PARENT/g" \
    -e "s/\${session.traceback_mail}/$TRACEBACK_EMAIL/g" \
    < $DIR/rhn.conf  > $RHNCONF_DIR/rhn.conf

# systemid need to be readable by apache/proxy
for file in $SYSTEMID_PATH $UP2DATE_FILE; do
    chown root:www $file
    chmod 0640 $file
done

#Setup the cobbler stuff, needed to use koan through a proxy
sed -e "s/\$RHN_PARENT/$RHN_PARENT/g" < $DIR/cobbler-proxy.conf > $HTTPDCONFD_DIR/cobbler-proxy.conf

default_or_input "Do you want to use an existing ssh key for proxying ssh-push Salt minions ?" USE_EXISTING_SSH_PUSH_KEY 'y/N'
USE_EXISTING_SSH_PUSH_KEY=$(yes_no $USE_EXISTING_SSH_PUSH_KEY)

if [ "$USE_EXISTING_SSH_PUSH_KEY" -eq "1" ]; then
    default_or_input "Private SSH key for connecting to the next proxy in the chain (if any) for ssh-push minions" EXISTING_SSH_KEY ''
    while [[ -z "$EXISTING_SSH_KEY" || ( ! -r "$EXISTING_SSH_KEY" || ! -r "${EXISTING_SSH_KEY}.pub" ) ]]; do
        echo "'$EXISTING_SSH_KEY' or '${EXISTING_SSH_KEY}.pub' don't exist or are not readable."
        unset EXISTING_SSH_KEY
        default_or_input "Supply a valid path" EXISTING_SSH_KEY ''
    done
    /usr/sbin/mgr-proxy-ssh-push-init -k "$EXISTING_SSH_KEY"
else
    /usr/sbin/mgr-proxy-ssh-push-init
fi

open_firewall_ports

default_or_input "Activate advertising proxy via SLP?" ACTIVATE_SLP "Y/n"
ACTIVATE_SLP=$(yes_no $ACTIVATE_SLP)
if [ $ACTIVATE_SLP -ne 0 ]; then
    if [ -x /usr/bin/firewall-cmd ]; then
      firewall-cmd --state 2> /dev/null
      if [ $? -eq 0 ]; then
        firewall-cmd --permanent --zone=public --add-service=slp
        firewall-cmd --reload
      else
        firewall-offline-cmd --zone=public --add-service=slp
      fi
    else
      echo "firewalld not installed" >&2
    fi
    /usr/bin/systemctl enable slpd
    /usr/bin/systemctl start slpd
fi

echo "Enabling Spacewalk Proxy."
for service in squid apache2 salt-broker; do
    /usr/bin/systemctl enable $service
done

# default is 1
START_SERVICES=$(yes_no ${START_SERVICES:-1})
if [ "$START_SERVICES" = "1" ]; then
    /usr/sbin/rhn-proxy restart
else
    echo Skipping start of services.
    echo Use "/usr/sbin/rhn-proxy start" to manually start proxy.
fi

echo "Restarting salt-broker."
/usr/bin/systemctl restart salt-broker

# do not tell admin to configure proxy on next login anymore
rm -f /etc/motd

generate_answers
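
The sed calls above that fill in rhn.conf splice $HTTP_PASSWORD and the other answers directly into the replacement half of an s/// command, so a value containing "/", "&" or a backslash is either rejected by sed (leaving the redirected rhn.conf empty) or silently rewritten. The following is an added example, not part of configure-proxy.sh: it puts that construction beside an escaped variant. The function names and TEMPLATE_LINE are hypothetical, and the placeholder is assumed never to contain "|".

```shell
#!/bin/sh
# Added example, not part of configure-proxy.sh.
# TEMPLATE_LINE is a constructed stand-in for one line of the rhn.conf template.
TEMPLATE_LINE='proxy.http_proxy_password = ${session.http_proxy_password}'

# Same construction as the installer: the value lands unescaped in the
# replacement half of s/.../.../.
render_naive() {
    sed -e "s/\${session.http_proxy_password}/$1/g"
}

# Escape text for the replacement half of s|...|...|: backslash, '&' and the
# delimiter '|' are the characters sed treats specially there.
sed_escape_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Escape text so that a basic regular expression matches it literally.
# Assumption: the placeholder never contains the delimiter '|'.
sed_escape_pattern() {
    printf '%s' "$1" | sed -e 's/[[\\.*^$]/\\&/g'
}

# render_literal PLACEHOLDER VALUE
# Filters stdin, replacing every literal PLACEHOLDER with VALUE unchanged.
# Returns 1 if VALUE contains a newline, which a single config line cannot hold.
render_literal() {
    case $2 in
        *'
'*) return 1 ;;
    esac
    pat=$(sed_escape_pattern "$1")
    rep=$(sed_escape_replacement "$2")
    sed -e "s|$pat|$rep|g"
}

# Constructed sample password exercising every special character.
printf '%s\n' "$TEMPLATE_LINE" |
    render_literal '${session.http_proxy_password}' 'p/a&s|s\w'
```
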
07070100000006000081B4000000000000000000000001670D22FD00003102000000000000000000000000000000000000003200000000spacewalk-proxy-installer/configure-proxy.sh.sgml<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V3.1//EN" [
<!ENTITY RHNPROXY "Spacewalk Proxy Server">
<!ENTITY SCRIPTCOMMAND "configure-proxy.sh">

]>
<refentry>

<RefMeta>
<RefEntryTitle>&SCRIPTCOMMAND;</RefEntryTitle><manvolnum>8</manvolnum>
<RefMiscInfo>Version 1.6</RefMiscInfo>
</RefMeta>

<RefNameDiv>
<RefName><command>&SCRIPTCOMMAND;</command></RefName>
<RefPurpose>
Configures and activates &RHNPROXY;.
</RefPurpose>
</RefNameDiv>

<RefSynopsisDiv>
<Synopsis>
    <cmdsynopsis>
        <command>&SCRIPTCOMMAND;</command>
        <arg>options <replaceable>...</replaceable></arg>
    </cmdsynopsis>
</Synopsis>
</RefSynopsisDiv>

<RefSect1><Title>Description</Title>
<para>
This script asks all necessary questions to configure &RHNPROXY;
and then deploys configuration files and activates the &RHNPROXY;.
</para>
<para>
You may run this script without any parameters, in which case you are asked interactively.
Alternatively, you may set variables in an answer file or set the options on the command line. See section Answer File for more info.
</para>
</RefSect1>

<RefSect1><Title>Options</Title>
<variablelist>
    <varlistentry>
        <term>--answer-file</term>
        <listitem>
            <para>Indicates the location of an answer file to be used for answering
 questions asked during the installation process. See section Answer File for more details.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>-h, --help</term>
        <listitem>
            <para>Display the help screen with a list of options.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--non-interactive</term>
        <listitem>
            <para>For use only with --answer-file. If the answer file doesn't
provide a required response, the default answer is used.</para>
        </listitem>
    </varlistentry>
</variablelist>
<para>The following options can also be set in the answer file. See section Answer File.
</para>
<variablelist>
    <varlistentry>
        <term>--force-own-ca</term>
        <listitem>
            <para>Do not use the parent CA; force creation of your own.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--http-password=HTTP_PASSWORD</term>
        <listitem>
            <para>The password to use for an authenticated proxy.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--http-proxy=HTTP_PROXY</term>
        <listitem>
            <para>HTTP proxy in host:port format, e.g. squid.redhat.com:3128</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--http-username=HTTP_USERNAME</term>
        <listitem>
            <para>The username for an authenticated proxy.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--populate-config-channel=Y</term>
        <listitem>
            <para>Y if a config channel should be created and the configuration files in that channel updated. The configuration channel will be named rhn_proxy_config_${SYSTEM_ID}.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--rhn-password=RHN_PASSWORD</term>
        <listitem>
            <para>Red Hat Network or Spacewalk password.</para>
	</listitem>
    </varlistentry>
    <varlistentry>
        <term>--rhn-user=RHN_USER</term>
        <listitem>
            <para>Red Hat Network or Spacewalk user account.</para>
	</listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-build-dir=SSL_BUILD_DIR</term>
        <listitem>
            <para>The directory where we build SSL certificate. Default is /root/ssl-build.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-city=SSL_CITY</term>
        <listitem>
            <para>City to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-cname=SSL_CNAME</term>
        <listitem>
            <para>Cname alias of the machine. This allows you to generate a multihost SSL certificate.
            Can be specified multiple times.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-common=SSL_COMMON</term>
        <listitem>
            <para>Common name to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-country=SSL_COUNTRY</term>
        <listitem>
            <para>Two-letter country code to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-email=SSL_EMAIL</term>
        <listitem>
            <para>Email to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-org=SSL_ORG</term>
        <listitem>
            <para>Organization name to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-orgunit=SSL_ORGUNIT</term>
        <listitem>
            <para>Organization unit name to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-password=SSL_PASSWORD</term>
        <listitem>
            <para>Password to be used for SSL CA certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-state=SSL_STATE</term>
        <listitem>
            <para>State to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--start-services=START</term>
        <listitem>
            <para>1 or Y to start all services after configuration. This is default.</para>
            <para>0 or N to not start services after configuration.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--traceback-email=TRACEBACK_EMAIL</term>
        <listitem>
            <para>Email to which tracebacks should be sent.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-use-existing-certs=USE_EXISTING_CERTS</term>
        <listitem>
            <para>Use custom SSL certificates instead of generating new ones (use --ssl-ca-cert, --ssl-server-key and --ssl-server-cert parameters or corresponding variables to specify paths).</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-ca-cert=CA_CERT</term>
        <listitem>
            <para>(If --ssl-use-existing-certs=1) use a custom CA certificate from the given file.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-server-key=SERVER_KEY</term>
        <listitem>
            <para>(If --ssl-use-existing-certs=1) use a server private SSL key from the given file.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ssl-server-cert=SERVER_CERT</term>
        <listitem>
            <para>(If --ssl-use-existing-certs=1) use a server public SSL certificate from the given file.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--version=VERSION</term>
        <listitem>
            <para>Version of Spacewalk Proxy Server you want to activate.</para>
        </listitem>
    </varlistentry>
</variablelist>
</RefSect1>

<RefSect1><Title>Answer File</Title>
<para>The answer file is interpreted as a normal shell script. The following variables can be set there:</para>
<variablelist>
    <varlistentry>
        <term>VERSION</term>
        <listitem>
           <para>Version of &RHNPROXY; you want to activate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>RHN_PASSWORD</term>
        <listitem>
            <para>Red Hat Network or Spacewalk password.</para>
	</listitem>
    </varlistentry>
    <varlistentry>
        <term>RHN_USER</term>
        <listitem>
            <para>Red Hat Network or Spacewalk user account.</para>
	</listitem>
    </varlistentry>
    <varlistentry>
        <term>TRACEBACK_EMAIL</term>
        <listitem>
           <para>Email to which tracebacks should be sent.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>USE_EXISTING_CERTS</term>
        <listitem>
           <para>Use custom SSL certificates instead of generating new ones (use CA_CERT, SERVER_KEY and SERVER_CERT variables to specify paths).</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>CA_CERT</term>
        <listitem>
            <para>(If USE_EXISTING_CERTS=1) use a custom CA certificate from the given file.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SERVER_KEY</term>
        <listitem>
            <para>(If USE_EXISTING_CERTS=1) use a server private SSL key from the given file.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SERVER_CERT</term>
        <listitem>
            <para>(If USE_EXISTING_CERTS=1) use a server public SSL certificate from the given file.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>FORCE_OWN_CA</term>
        <listitem>
           <para>Do not use the parent CA; force creation of your own.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>HTTP_PROXY</term>
        <listitem>
           <para>HTTP proxy in host:port format, e.g. squid.redhat.com:3128</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>HTTP_USERNAME</term>
        <listitem>
           <para>The username for an authenticated proxy.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>HTTP_PASSWORD</term>
        <listitem>
           <para>The password to use for an authenticated proxy.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_BUILD_DIR</term>
        <listitem>
           <para>The directory where we build SSL certificate. Default is /root/ssl-build.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_CNAME</term>
        <listitem>
           <para>Cname alias of the machine. This allows you to generate a multihost SSL certificate.
            Has to be specified in format: (cname.alias.com cname.alias2.com ...)</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_ORG</term>
        <listitem>
           <para>Organization name to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_ORGUNIT</term>
        <listitem>
           <para>Organization unit name to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_COMMON</term>
        <listitem>
           <para>Common name to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_CITY</term>
        <listitem>
           <para>City to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_STATE</term>
        <listitem>
           <para>State to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_COUNTRY</term>
        <listitem>
           <para>Two-letter country code to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_EMAIL</term>
        <listitem>
           <para>Email to be used in SSL certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>SSL_PASSWORD</term>
        <listitem>
           <para>Password to be used for SSL CA certificate.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>START_SERVICES</term>
        <listitem>
           <para>1 or Y to start all services after configuration. This is default.</para>
           <para>0 or N to not start services after configuration.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>POPULATE_CONFIG_CHANNEL</term>
        <listitem>
           <para>Y if a config channel should be created and the configuration files in that channel updated.
Configuration channel will be named rhn_proxy_config_${SYSTEM_ID}.</para>
        </listitem>
    </varlistentry>
</variablelist>
</RefSect1>

<RefSect1><Title>See Also</Title>
<simplelist>
    <member>rhn-proxy-activate(8)</member>
</simplelist>
</RefSect1>

<RefSect1><Title>Authors</Title>
<simplelist>
    <member>Miroslav Suchý <email>msuchy@redhat.com</email></member>
</simplelist>
</RefSect1>
</RefEntry>
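
Because the man page above states that the answer file is interpreted as a normal shell script, and the file carries HTTP_PASSWORD, SSL_PASSWORD and RHN_PASSWORD, it is worth linting before it is passed to --answer-file. The following is an added example, not part of the spacewalk-proxy-installer package: check_answer_file, write_samples and the sample files are hypothetical, and the accepted value syntax (bare word, one single-quoted string, or a parenthesised host list for SSL_CNAME) is a deliberately narrow assumption rather than the installer's own rule.

```shell
#!/bin/sh
# Added example, not part of the spacewalk-proxy-installer package.

# Variable names listed in the "Answer File" section of the man page.
ALLOWED="VERSION RHN_PASSWORD RHN_USER TRACEBACK_EMAIL USE_EXISTING_CERTS \
CA_CERT SERVER_KEY SERVER_CERT FORCE_OWN_CA HTTP_PROXY HTTP_USERNAME \
HTTP_PASSWORD SSL_BUILD_DIR SSL_CNAME SSL_ORG SSL_ORGUNIT SSL_COMMON \
SSL_CITY SSL_STATE SSL_COUNTRY SSL_EMAIL SSL_PASSWORD START_SERVICES \
POPULATE_CONFIG_CHANNEL"

# check_answer_file FILE, return status:
#   0  every line is blank, a comment, or a literal assignment
#   1  at least one line is rejected (findings are listed on stdout)
#   2  FILE is not a regular file
#   3  FILE is accessible by group or others although it carries passwords
check_answer_file() {
    f=$1
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "$f: not a regular file"
        return 2
    fi
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
            -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]; then
        echo "$f: accessible by group or others"
        return 3
    fi
    awk -v allowed="$ALLOWED" -v q="'" '
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; status = 1 }
    BEGIN {
        n = split(allowed, names, " ")
        for (i = 1; i <= n; i++) ok[names[i]] = 1
        bare   = "^[A-Za-z0-9_.,:/@%+=-]*$"   # word that needs no quoting
        quoted = "^" q "[^" q "]*" q "$"       # exactly one single-quoted string
        list   = "^\\([A-Za-z0-9. -]*\\)$"     # SSL_CNAME=(host1 host2)
    }
    /^[ \t]*(#.*)?$/ { next }
    {
        eq = index($0, "=")
        name = substr($0, 1, eq - 1)
        value = substr($0, eq + 1)
        if (eq < 2 || !(name in ok)) {
            bad("not an assignment to a documented variable")
            next
        }
        if (value ~ bare || value ~ quoted) next
        if (name == "SSL_CNAME" && value ~ list) next
        bad(name ": value is not a literal")
    }
    END { exit status + 0 }
    ' "$f"
}

# Writes two constructed sample answer files into directory $1.
write_samples() {
    (
        umask 077
        cat > "$1/good.answers" <<'EOF'
# constructed sample
VERSION=5.0
HTTP_PROXY=squid.example.com:3128
HTTP_PASSWORD='p/a&s|s w'
SSL_CNAME=(proxy1.example.com proxy2.example.com)
START_SERVICES=N
EOF
        cat > "$1/bad.answers" <<'EOF'
VERSION=5.0
SSL_ORG=$(hostname)
TRACEBACK_EMAIL=admin@example.com; echo injected
. /root/other-settings.sh
EOF
    )
}

demo=$(mktemp -d) && write_samples "$demo"
for sample in "$demo/good.answers" "$demo/bad.answers"; do
    if check_answer_file "$sample"; then
        echo "$sample: accepted"
    else
        echo "$sample: rejected"
    fi
done
rm -rf "$demo"
```
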
07070100000007000081B4000000000000000000000001670D22FD00000800000000000000000000000000000000000000002F00000000spacewalk-proxy-installer/fetch-certificate.py#pylint: disable=invalid-name

import os
import sys
import argparse


RETRIES = 20
WAIT_RESPONSE = 10
REQUEST_TAG = 'suse/systemid/generate'
RESPONSE_TAG = 'suse/systemid/generated'


if __name__ == "__main__":
    try:
        import salt.config
        import salt.utils.event
    except ImportError as err:
        print("Unable to use Salt on this machine. Assuming traditional client.")
        sys.exit(0)

    parser = argparse.ArgumentParser()
    # nargs='?' makes the positional optional so that the default takes effect
    parser.add_argument('destination', nargs='?', default='/etc/sysconfig/rhn/systemid')
    args = parser.parse_args()
    if os.path.exists('/etc/venv-salt-minion/minion'):
        opts = salt.config.minion_config('/etc/venv-salt-minion/minion', cache_minion_id=True)
    else:
        opts = salt.config.minion_config('/etc/salt/minion', cache_minion_id=True)

    if not os.path.isdir(os.path.dirname(args.destination)):
        print("There is a problem with the provided destination.")
        sys.exit(1)

    event = salt.utils.event.get_event(
        'minion',
        sock_dir=opts['sock_dir'],
        transport=opts['transport'],
        listen=True,
        opts=opts)
    event.subscribe(tag=RESPONSE_TAG, match_type='fnmatch')

    for idx in range(RETRIES):
        print("Requesting certificate from server. [{0}/{1}]".format(idx+1, RETRIES))
        event.fire_master({}, REQUEST_TAG)  # send event to master
        data = event.get_event(
            full=False, auto_reconnect=True, no_block=False, match_type='fnmatch', tag=RESPONSE_TAG, wait=WAIT_RESPONSE)
        if data:
            try:
                with open(args.destination, 'wb') as _file:
                    _file.write(data['data'].encode('utf8'))
                    print("Certificate saved to: {0}".format(args.destination))
            except Exception as ex: # pylint: disable=broad-except
                # Exceptions have no .message attribute on Python 3
                print("Unable to write to destination: " + str(ex))
                sys.exit(1)
            sys.exit(0)
    print("Certificate not received from server. Exit.")
    sys.exit(1)
07070100000008000081B4000000000000000000000001670D22FD00000143000000000000000000000000000000000000002D00000000spacewalk-proxy-installer/get_system_id.xslt<?xml version="1.0" ?>
<xsl:stylesheet
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  version="1.0">
  <xsl:output method="text"/>

  <xsl:template match="/">
    <xsl:value-of select="/params/param/value/struct/member[name/text()='system_id']/value"/>
    <xsl:text></xsl:text>

  </xsl:template>

</xsl:stylesheet>
07070100000009000081B4000000000000000000000001670D22FD00000081000000000000000000000000000000000000002E00000000spacewalk-proxy-installer/insights-proxy.confProxyPass   /redhat_access $PROTO://$RHN_PARENT/redhat_access
ProxyPassReverse /redhat_access $PROTO://$RHN_PARENT/redhat_access
0707010000000A000081B4000000000000000000000001670D22FD00001397000000000000000000000000000000000000002300000000spacewalk-proxy-installer/pylintrc# installer package pylint configuration

[MASTER]

# Profiled execution.
profile=no

# Pickle collected data for later comparisons.
persistent=no


[MESSAGES CONTROL]

# Disable the message(s) with the given id(s).


disable=I0011,
	C0302,
	C0111,
	R0801,
	R0902,
	R0903,
	R0904,
	R0912,
	R0913,
	R0914,
	R0915,
	R0921,
	R0922,
	W0142,
	W0403,
	W0603,
	C1001,
	W0121,
	useless-else-on-loop,
	bad-whitespace,
	unpacking-non-sequence,
	superfluous-parens,
	cyclic-import,
	redefined-variable-type,
	no-else-return,

        # Uyuni disabled
	E0203,
	E0611,
	E1101,
	E1102

# list of disabled messages:
#I0011: 62: Locally disabling R0201
#C0302:  1: Too many lines in module (2425)
#C0111:  1: Missing docstring
#R0902: 19:RequestedChannels: Too many instance attributes (9/7)
#R0903:  Too few public methods
#R0904: 26:Transport: Too many public methods (22/20)
#R0912:171:set_slots_from_cert: Too many branches (59/20)
#R0913:101:GETServer.__init__: Too many arguments (11/10)
#R0914:171:set_slots_from_cert: Too many local variables (38/20)
#R0915:171:set_slots_from_cert: Too many statements (169/50)
#W0142:228:MPM_Package.write: Used * or ** magic
#W0403: 28: Relative import 'rhnLog', should be 'backend.common.rhnLog'
#W0603: 72:initLOG: Using the global statement
# for pylint-1.0 we also disable
#C1001: 46, 0: Old-style class defined. (old-style-class)
#W0121: 33,16: Use raise ErrorClass(args) instead of raise ErrorClass, args. (old-raise-syntax)
#W:243, 8: Else clause on loop without a break statement (useless-else-on-loop)
# pylint-1.1 checks
#C:334, 0: No space allowed after bracket (bad-whitespace)
#W:162, 8: Attempting to unpack a non-sequence defined at line 6 of (unpacking-non-sequence)
#C: 37, 0: Unnecessary parens after 'not' keyword (superfluous-parens)
#C:301, 0: Unnecessary parens after 'if' keyword (superfluous-parens)

[REPORTS]

# Set the output format. Available formats are text, parseable, colorized, msvs
# (visual studio) and html
output-format=parseable

# Include message's id in output
include-ids=yes

# Tells whether to display a full report or only the messages
reports=yes

# Template used to display messages. This is a python new-style format string
# used to format the message information. See doc for all details
msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}"

[VARIABLES]

# A regular expression matching names used for dummy variables (i.e. not used).
dummy-variables-rgx=_|dummy


[BASIC]

# Regular expression which should only match correct module names
#module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
module-rgx=([a-zA-Z_][a-zA-Z0-9_]+)$

# Regular expression which should only match correct module level names
const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$

# Regular expression which should only match correct class names
class-rgx=[a-zA-Z_][a-zA-Z0-9_]+$

# Regular expression which should only match correct function names
function-rgx=[a-z_][a-zA-Z0-9_]{,42}$

# Regular expression which should only match correct method names
method-rgx=[a-z_][a-zA-Z0-9_]{,42}$

# Regular expression which should only match correct instance attribute names
attr-rgx=[a-z_][a-zA-Z0-9_]{,30}$

# Regular expression which should only match correct argument names
argument-rgx=[a-z_][a-zA-Z0-9_]{,30}$

# Regular expression which should only match correct variable names
variable-rgx=[a-z_][a-zA-Z0-9_]{,30}$

# Regular expression which should only match correct list comprehension /
# generator expression variable names
inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$

# Regular expression which should only match correct class attribute names
class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,42}|(__.*__))$

# Good variable names which should always be accepted, separated by a comma
good-names=i,j,k,ex,Run,_

# Bad variable names which should always be refused, separated by a comma
bad-names=foo,bar,baz,toto,tutu,tata

# List of builtins function names that should not be used, separated by a comma
bad-functions=apply,input


[DESIGN]

# Maximum number of arguments for function / method
max-args=10

# Maximum number of locals for function / method body
max-locals=20

# Maximum number of return / yield for function / method body
max-returns=6

# Maximum number of branch for function / method body
max-branchs=20

# Maximum number of statements in function / method body
max-statements=50

# Maximum number of parents for a class (see R0901).
max-parents=7

# Maximum number of attributes for a class (see R0902).
max-attributes=7

# Minimum number of public methods for a class (see R0903).
min-public-methods=1

# Maximum number of public methods for a class (see R0904).
max-public-methods=20


[CLASSES]


[FORMAT]

# Maximum number of characters on a single line.
max-line-length=120

# Maximum number of lines in a module
max-module-lines=1000

# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
# tab).
indent-string='    '


[MISCELLANEOUS]

# List of note tags to take in consideration, separated by a comma.
notes=
spacewalk-proxy-installer/rhn-proxy-activate.py
#!/usr/bin/python -u
#
# Copyright (c) 2008--2017 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
#
""" Activate a Spacewalk Proxy
    USAGE: ./rhn-proxy-activate

    Author: Todd Warner <taw@redhat.com>

    NOTE: this file is compatible with Spacewalk Proxies 4.0. It is not guaranteed to
    work with older Spacewalk Proxies.
"""

# pylint: disable=E1101, invalid-name

# core lang imports
import os
import sys
import socket

try:                    # python 2
    import urlparse
    import xmlrpclib
except ImportError:     # python3
    # pylint: disable=F0401,E0611,redefined-builtin
    import urllib.parse as urlparse
    import xmlrpc.client as xmlrpclib
    raw_input = input

# lib imports
from optparse import Option, OptionParser # pylint: disable=deprecated-module
from rhn import rpclib, SSL

from up2date_client import config # pylint: disable=E0012, C0413

DEFAULT_WEBRPC_HANDLER_v3_x = '/rpc/api'


def getSystemId(cfg):
    """ returns content of systemid file """

    path = cfg['systemIdPath']
    if not os.access(path, os.R_OK):
        return None
    with open(path, "r") as systemid_file:
        return systemid_file.read()


def getServer(options, handler):
    """ get an rpclib.Server object. NOTE: proxy is an HTTP proxy """

    serverUrl = 'https://' + options.server + handler

    s = None
    if options.http_proxy:
        s = rpclib.Server(serverUrl,
                          proxy=options.http_proxy,
                          username=options.http_proxy_username,
                          password=options.http_proxy_password)
    else:
        s = rpclib.Server(serverUrl)

    if options.ca_cert:
        s.add_trusted_cert(options.ca_cert)

    return s


def _getProtocolError(e, hostname=''):
    """
        Based on error, returns couple:
        10      connection issues?
        44     host not found
        47     http proxy authentication failure
    """
    if hostname:
        hostname = ': %s' % hostname

    if e.errcode == 407:
        return 47, "ERROR: http proxy authentication required"
    if e.errcode == 404:
        return 44, "ERROR: host not found%s" % hostname

    return 10, "ERROR: connection issues? %s" % repr(e)


def _getSocketError(e, hostname=''):
    """
        Based on error, returns couple:
        10     connection issues?
        11     hostname unresolvable
        12     connection refused
    """
    if hostname:
        hostname = ': %s' % hostname

    if 'host not found' in e.args:
        return 11, 'ERROR: hostname could not be resolved%s' % hostname
    if 'connection refused' in e.args:
        return 12, 'ERROR: "connection refused"%s' % hostname

    return 10, "ERROR: connection issues? %s" % repr(e)


def _getActivationError(e):
    """ common error strings dependent upon faultString
        1      general
        2      proxy_invalid_systemid
        4      proxy_no_management_entitlements
        5      proxy_no_enterprise_entitlements
        6      proxy_no_channel_entitlements
        7      proxy_no_proxy_child_channel
        8      proxy_not_activated
    """

    errorString = ''
    errorCode = 1

    if e.faultString.find('proxy_invalid_systemid') != -1:
        errorString = ("this server does not seem to be registered or "
                       "/etc/sysconfig/rhn/systemid is corrupt.")
        errorCode = 2
    elif e.faultString.find('proxy_no_management_entitlements') != -1:
        errorString = ("no Management entitlements available. There must be "
                       "at least one free Management/Provisioning slot "
                       "available in your SCC account.")
        errorCode = 4
    elif e.faultString.find('proxy_no_enterprise_entitlements') != -1:
        # legacy error message
        errorString = ("no Management entitlements available. There must be "
                       "at least one free Management/Provisioning slot "
                       "available in your SCC account.")
        errorCode = 5
    elif e.faultString.find('proxy_no_channel_entitlements') != -1:
        errorString = ("no SUSE Manager Proxy entitlements available. There must be "
                       "at least one free SUSE Manager Proxy entitlement "
                       "available in your SCC account.")
        errorCode = 6
    elif e.faultString.find('proxy_no_proxy_child_channel') != -1:
        errorString = ("no SUSE Manager Proxy entitlements available for this "
                       "server's version (or requested version) of SUSE Linux "
                       "Enterprise Server.")
        errorCode = 7
    elif e.faultString.find('proxy_not_activated') != -1:
        errorString = "this server is not an activated SUSE Manager Proxy yet."
        errorCode = 8
    else:
        errorString = "unknown error - %s" % str(e)
        errorCode = 1
    return errorCode, errorString


def _errorHandler(pre='', post=''):
    """
        NOTE: only currently called if within an exception block.

        1      general
        2      proxy_invalid_systemid
        4      proxy_no_management_entitlements
        5      proxy_no_enterprise_entitlements
        6      proxy_no_channel_entitlements
        7      proxy_no_proxy_child_channel
        8      proxy_not_activated

        10     connection issues?
        11     hostname unresolvable
        12     connection refused
        13     SSL connection failed

        44     host not found
        47     http proxy authentication failure
    """
    try:
        raise # pylint: disable=bad-option-value, misplaced-bare-raise
    except (SystemExit, KeyboardInterrupt, NameError, TypeError,
            ValueError):
        raise
    except Exception:  # pylint: disable=E0012, W0703
        errorCode = 1
        errorString = pre
        try:
            raise
        except xmlrpclib.ProtocolError as e:
            errorCode, s = _getProtocolError(e)
            errorString = errorString + s
        except socket.error as e:
            errorCode, s = _getSocketError(e)
            errorString = errorString + s
        except xmlrpclib.Fault as e:
            errorCode, errorString = _getActivationError(e)
        except SSL.SSL.SSLError as e:
            errorCode = 13
            errorString = "ERROR: failed SSL connection - bad or expired cert?"
        except Exception as e:  # pylint: disable=E0012, W0703
            e0, e1 = str(e), repr(e)
            s = ''  # initialise so an empty str(e) cannot leave s unbound
            if e0:
                s = "(%s)" % e0
            if s and e1:
                s = s + ', '
            if e1:
                s = s + "(%s)" % e1
            errorString = errorString + "ERROR: unknown exception: %s" % s
        errorString = errorString + post
    return errorCode, errorString


def resolveHostnamePort(hostnamePort=''):
    """ hostname:port sanity check """

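    # NOTE: urlparse() only fills the netloc component ([1]) when the value
    # contains '//'; a bare 'host:port' yields an empty netloc, so the checks
    # below are skipped for such input.
    hostname = urlparse.urlparse(hostnamePort)[1].split(':')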
    port = ''
    if len(hostname) > 1:
        hostname, port = hostname[:2]
    else:
        hostname = hostname[0]

    if port:
        try:
            x = int(port)
            if str(x) != port:
                raise ValueError('should be an integer: %s' % port)
        except ValueError:
            sys.stderr.write("ERROR: the port setting is not an integer: %s\n" % port)
            sys.exit(1)

    if hostname:
        try:
            socket.getaddrinfo(hostname, None)
        except:  # pylint: disable=W0702
            errorCode, errorString = _errorHandler()
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)


def activateProxy_api_v3_x(options, cfg):
    """ API version 3.*, 4.* - deactivate, then activate
    """

    (errorCode, errorString) = _deactivateProxy_api_v3_x(options, cfg)
    if errorCode == 0:
        (errorCode, errorString) = _activateProxy_api_v3_x(options, cfg)
    return (errorCode, errorString)


def _deactivateProxy_api_v3_x(options, cfg):
    """ Deactivate this machine as Proxy """

    s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
    systemid = getSystemId(cfg)

    errorCode, errorString = 0, ''

    try:
        if not s.proxy.is_proxy(systemid):
            # if system is not proxy, we do not need to deactivate it
            return (errorCode, errorString)
    except:  # pylint: disable=W0702
        # the API does not implement proxy.is_proxy, or it is hosted;
        # ignore the error and try to deactivate
        pass
    try:
        s.proxy.deactivate_proxy(systemid)       # proxy 3.0+ API
    except:  # pylint: disable=W0702
        errorCode, errorString = _errorHandler()
        try:
            raise
        except xmlrpclib.Fault:
            if errorCode == 8:
                # fine. We weren't activated yet.
                # noop and look like a success
                errorCode = 0
            else:
                errorString = "WARNING: upon deactivation attempt: %s" % errorString
                sys.stderr.write("%s\n" % errorString)
        except SSL.SSL.SSLError:
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except (xmlrpclib.ProtocolError, socket.error):
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except:
            errorString = "ERROR: upon deactivation attempt (something unexpected): %s" % errorString
            return errorCode, errorString
    else:
        errorCode = 0
        if not options.quiet:
            sys.stdout.write("SUSE Manager Proxy successfully deactivated.\n")
    return (errorCode, errorString)


def _activateProxy_api_v3_x(options, cfg):
    """ Activate this machine as Proxy.
        Do not check if has been already activated. For such case
        use activateProxy_api_v3_x method instead.
    """

    s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
    systemid = getSystemId(cfg)

    errorCode, errorString = 0, ''
    try:
        s.proxy.activate_proxy(systemid, str(options.version))
    except:  # pylint: disable=W0702
        errorCode, errorString = _errorHandler()
        try:
            raise
        except SSL.SSL.SSLError:
            # let's force a system exit for this one.
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except (xmlrpclib.ProtocolError, socket.error):
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except (xmlrpclib.Fault, Exception):  # pylint: disable=E0012, W0703
            # let's force a slight change in messaging for this one.
            errorString = "ERROR: upon entitlement/activation attempt: %s" % errorString
        except:
            errorString = "ERROR: upon activation attempt (something unexpected): %s" % errorString
            return errorCode, errorString
    else:
        errorCode = 0
        if not options.quiet:
            sys.stdout.write("SUSE Manager Proxy successfully activated.\n")
    return (errorCode, errorString)


def activateProxy(options, cfg):
    """ Activate proxy. Decide how to do it upon apiVersion. Currently we
        support only API v.3.1+. Support for 3.0 and older has been removed.
    """
    # errorCode == 0 means activated!
    errorCode, errorString = activateProxy_api_v3_x(options, cfg)

    if errorCode != 0:
        if not errorString:
            errorString = ("An unknown error occurred. Consult with your SUSE representative.\n")
        sys.stderr.write("\nThere was a problem activating the SUSE Manager Proxy entitlement:\n%s\n" % errorString)
        sys.exit(abs(errorCode))


def listAvailableProxyChannels(options, cfg):
    """ return list of version available to this system """

    server = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
    systemid = getSystemId(cfg)

    errorCode, errorString = 0, ''
    channel_list = []
    try:
        channel_list = server.proxy.list_available_proxy_channels(systemid)
    except:  # pylint: disable=W0702
        errorCode, errorString = _errorHandler()
        try:
            raise
        except:
            # let's force a system exit for this one.
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
    else:
        errorCode = 0
        if not options.quiet and channel_list:
            sys.stdout.write("\n".join(channel_list) + "\n")


def processCommandline(cfg):

    up2date_cfg = dict(cfg.items())

    if isinstance(up2date_cfg['serverURL'], type([])):
        rhn_parent = urlparse.urlparse(up2date_cfg['serverURL'][0])[1]
    else:
        rhn_parent = urlparse.urlparse(up2date_cfg['serverURL'])[1]

    httpProxy = urlparse.urlparse(up2date_cfg['httpProxy'])[1]
    httpProxyUsername = up2date_cfg['proxyUser']
    httpProxyPassword = up2date_cfg['proxyPassword']

    if not httpProxy:
        httpProxyUsername, httpProxyPassword = '', ''
    if not httpProxyUsername:
        httpProxyPassword = ''
    ca_cert = ''
    defaultVersion = '5.2'

    # parse options
    optionsTable = [
        Option('-s', '--server',     action='store',     default=rhn_parent,
               help="alternative server hostname to connect to, default is %s" % repr(rhn_parent)),
        Option('--http-proxy',      action='store',     default=httpProxy,
               help="alternative HTTP proxy to connect to (HOSTNAME:PORT), default is %s" % repr(httpProxy)),
        Option('--http-proxy-username', action='store', default=httpProxyUsername,
               help="alternative HTTP proxy username, default is %s" % repr(httpProxyUsername)),
        Option('--http-proxy-password', action='store', default=httpProxyPassword,
               help="alternative HTTP proxy password, default is %s" % repr(httpProxyPassword)),
        Option('--ca-cert',         action='store',     default=ca_cert,
               help="alternative SSL certificate to use, default is %s" % repr(ca_cert)),
        Option('--version',         action='store',     default=defaultVersion,
               help='which X.Y version of the SUSE Manager Proxy are you upgrading to?' +
               ' Default is your current proxy version (' + defaultVersion + ')'),
        Option('--deactivate',      action='store_true',
               help='deactivate proxy, if already activated'),
        Option('-l', '--list-available-versions', action='store_true',
               help='print list of versions available to this system'),
        Option('--non-interactive', action='store_true',
               help='non-interactive mode'),
        Option('-q', '--quiet',     action='store_true',
               help='quiet non-interactive mode.'),
    ]
    parser = OptionParser(option_list=optionsTable)
    options, _args = parser.parse_args()

    if options.server:
        if options.server.find('http') != 0:
            options.server = 'https://' + options.server
        options.server = urlparse.urlparse(options.server)[1]

    if not options.http_proxy:
        options.http_proxy_username, options.http_proxy_password = '', ''

    if not options.http_proxy_username:
        options.http_proxy_password = ''
    exploded_version = options.version.split('.')
    # Pad it to be at least 2 components
    if len(exploded_version) == 1:
        exploded_version.append('0')

    # Make it a string
    options.version = '.'.join(exploded_version[:2])

    if options.quiet:
        options.non_interactive = 1

    return options


def yn(prompt):
    """ returns 0 if 'n', and 1 if 'y' """
    _yn = ''
    while _yn == '':
        _yn = raw_input(prompt)
        if _yn and _yn[0].lower() not in ('y', 'n'):
            _yn = ''
    return _yn[0].lower() == 'y'


def main():
    """
        0      success

        1      general
        2      proxy_invalid_systemid
        4      proxy_no_management_entitlements
        5      proxy_no_enterprise_entitlements
        6      proxy_no_channel_entitlements
        7      proxy_no_proxy_child_channel
        8      proxy_not_activated

        10     connection issues?
        11     hostname unresolvable
        12     connection refused
        13     SSL connection failed

        44     host not found
        47     http proxy authentication failure
    """

    cfg = config.initUp2dateConfig()
    options = processCommandline(cfg)

    if options.list_available_versions:
        resolveHostnamePort(options.http_proxy)
        if not options.http_proxy:
            resolveHostnamePort(options.server)
        listAvailableProxyChannels(options, cfg)
        sys.exit(0)

    if not options.non_interactive:
        # NOTE: this confirmation echoes the HTTP proxy password in clear text
        print ("\n"
               "--server (RHN parent):  %s\n"
               "--http-proxy:           %s\n"
               "--http-proxy-username:  %s\n"
               "--http-proxy-password:  %s\n"
               "--ca-cert:              %s\n"
               "--version:              %s\n"
               % (options.server, options.http_proxy,
                  options.http_proxy_username, options.http_proxy_password,
                  options.ca_cert, options.version))
        if not yn("Are you sure about these options? y/n: "):
            return 0

    # early checks
    resolveHostnamePort(options.http_proxy)
    if not options.http_proxy:
        resolveHostnamePort(options.server)

    if options.deactivate:
        _deactivateProxy_api_v3_x(options, cfg)
    else:
        # ACTIVATE!!!!!!!!
        activateProxy(options, cfg)

    return 0

if __name__ == '__main__':
    try:
        sys.exit(abs(main() or 0))
    except KeyboardInterrupt:
        sys.stderr.write("\nUser interrupted process.\n")
        sys.exit(0)
    except SystemExit:
        raise
    except:
        sys.stderr.write("\nERROR: unhandled exception occurred:\n")
        raise
spacewalk-proxy-installer/rhn-proxy-activate.sgml
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V3.1//EN" [
<!ENTITY RHNPROXY "Spacewalk Proxy Server">
<!ENTITY SCRIPTNAME "Spacewalk Proxy Activate script">
<!ENTITY SCRIPTCOMMAND "rhn-proxy-activate">

]>
<refentry>

<RefMeta>
<RefEntryTitle>&SCRIPTCOMMAND;</RefEntryTitle><manvolnum>8</manvolnum>
<RefMiscInfo>Version 3.7</RefMiscInfo>
</RefMeta>

<RefNameDiv>
<RefName><command>&SCRIPTCOMMAND;</command></RefName>
<RefPurpose>
    Use the WebUI to activate your &RHNPROXY; product. This command
    should only be used under the direction of Red Hat personnel.
    This script allows an admin to activate a Spacewalk Proxy via the
    commandline.
</RefPurpose>
</RefNameDiv>

<RefSynopsisDiv>
<Synopsis>
    <cmdsynopsis>
        <command>&SCRIPTCOMMAND;</command>
        <arg><replaceable>command</replaceable></arg>
        <arg>options <replaceable>...</replaceable></arg>
        <arg>-s<replaceable>HOSTNAME</replaceable></arg>
        <arg>--server=<replaceable>HOSTNAME</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
        <arg>--http-proxy=<replaceable>HTTP_PROXY_HOSTNAME:PORT</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
        <arg>--http-proxy-username=<replaceable>HTTP_PROXY_USERNAME</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
        <arg>--http-proxy-password=<replaceable>HTTP_PROXY_PASSWORD</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
        <arg>--ca-cert=<replaceable>CA_CERTIFICATE</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
        <arg>--version=<replaceable>RHN_PROXY_VERSION</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
        <arg>--non-interactive</arg>
        <arg>-q</arg>
        <arg>--quiet</arg>
    </cmdsynopsis>
</Synopsis>
</RefSynopsisDiv>

<RefSect1><Title>Description</Title>
<para>
    Use the WebUI to activate your &RHNPROXY; product. This command
    should only be used under the direction of Red Hat personnel.
    The &SCRIPTNAME; (<emphasis>&SCRIPTCOMMAND;</emphasis>) is a
    utility that will activate a &RHNPROXY; from the commandline of
    the Spacewalk Proxy itself.
</para>
<para>
    Without any command specified, this script will activate Spacewalk Proxy.
    For other possibilities, see the COMMANDS section.
</para>
</RefSect1>

<RefSect1><Title>COMMANDS</Title>
<variablelist>
    <varlistentry>
        <term>-l, --list-available-versions</term>
        <listitem>
            <para>List available versions of Spacewalk Proxy on parent.</para>
        </listitem>
    </varlistentry>
</variablelist>
</RefSect1>

<RefSect1><Title>Options</Title>
<variablelist>
    <varlistentry>
        <term>-h, --help</term>
        <listitem>
            <para>Display the help screen with a list of options.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>-s<replaceable>HOSTNAME</replaceable>,
            --server=<replaceable>HOSTNAME</replaceable></term>
        <listitem>
            <para>parent to this &RHNPROXY;. Either RHN Classic, a
            Red Hat Satellite, or another Spacewalk Proxy.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--http-proxy=<replaceable>HOSTNAME:PORT</replaceable></term>
        <listitem>
            <para>alternative http proxy (hostname:port)</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--http-proxy-username=<replaceable>USERNAME</replaceable></term>
        <listitem>
            <para>alternative http proxy username</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--http-proxy-password=<replaceable>PASSWORD</replaceable></term>
        <listitem>
            <para>alternative http proxy password</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--ca-cert=<replaceable>SSL_CA_CERT_FULL_PATH</replaceable></term>
        <listitem>
            <para>alternative SSL CA Cert (fullpath to cert file)</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--version=<replaceable>RHN_PROXY_VERSION</replaceable></term>
        <listitem>
            <para>version of your &RHNPROXY;. Be very careful with this setting. Example: 3.2</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>-l,
            --list-available-versions</term>
        <listitem>
            <para>print list of versions of proxy channels available to this system (i.e. which versions you can activate) and exit.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>--non-interactive</term>
        <listitem>
            <para>Non-interactive mode. You won't be asked to confirm
            your selections.</para>
        </listitem>
    </varlistentry>
    <varlistentry>
        <term>-q, --quiet</term>
        <listitem>
            <para>Quiet and non-interactive mode. You won't be asked to confirm
            your selections and you won't see any output.</para>
        </listitem>
    </varlistentry>
</variablelist>
</RefSect1>


<RefSect1><Title>See Also</Title>
<simplelist>
    <member>rhn_package_manager(8)</member>
    <member>rhn-proxy(8)</member>
    <member>configure-proxy.sh(8)</member>
</simplelist>
</RefSect1>

<RefSect1><Title>Authors</Title>
<simplelist>
    <member>Todd Warner <email>taw@redhat.com</email></member>
    <member>Miroslav Suchy <email>msuchy@redhat.com</email></member>
</simplelist>
</RefSect1>
</RefEntry>
spacewalk-proxy-installer/rhn.conf
# Automatically generated Spacewalk Proxy Server configuration file.
# -------------------------------------------------------------------------

# SSL CA certificate location
proxy.ca_chain = ${session.ca_chain:/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT}

# Corporate HTTP proxy, format: corp_gateway.example.com:8080
proxy.http_proxy = ${session.http_proxy}

# Username for that corporate HTTP proxy
proxy.http_proxy_username = ${session.http_proxy_username}

# Password for that corporate HTTP proxy
proxy.http_proxy_password = ${session.http_proxy_password}

# Location of locally built, custom packages
proxy.pkg_dir = /var/spool/rhn-proxy

# Hostname of RHN Classic Server or Red Hat Satellite
proxy.rhn_parent = ${session.rhn_parent}

# Destination of all tracebacks, etc.
traceback_mail = ${session.traceback_mail}

spacewalk-proxy-installer/spacewalk-proxy-installer.changes
-------------------------------------------------------------------
Mon Oct 14 15:52:57 CEST 2024 - rosuna@suse.com

- version 5.1.1-0
  * Bump version to 5.1.0

-------------------------------------------------------------------
Tue Jan 16 08:24:38 CET 2024 - jgonzalez@suse.com

- version 5.0.1-1
  * Bump version to 5.0.0

-------------------------------------------------------------------
Fri Dec 15 17:21:47 CET 2023 - rosuna@suse.com

- version 4.4.4-1
  * Remove unused makefiles

-------------------------------------------------------------------
Mon Sep 18 14:32:14 CEST 2023 - rosuna@suse.com

- version 4.4.3-1
  * remove old provide/obsoletes dependency
  * remove dependency to mgr-cfg which removes the possibility to create config channels for the proxy
  * Fix squid refresh_pattern for "venv-enabled-*.txt" files to avoid
    serving outdated version of the file (bsc#1211956)

-------------------------------------------------------------------
Wed Dec 14 14:14:01 CET 2022 - jgonzalez@suse.com

- version 4.4.2-1
  * remove jabberd and osa-dispatcher

-------------------------------------------------------------------
Wed Sep 28 11:12:52 CEST 2022 - jgonzalez@suse.com

- version 4.4.1-1
  * Bump version to 4.4.0

-------------------------------------------------------------------
Wed Jul 27 14:15:33 CEST 2022 - jgonzalez@suse.com

- version 4.3.10-1
  * When salt bundle is used, set correct minion ID

-------------------------------------------------------------------
Wed May 04 15:21:09 CEST 2022 - jgonzalez@suse.com

- version 4.3.9-1
  * Prefer salt-bundle minion config if available (bsc#1198226)

-------------------------------------------------------------------
Tue Apr 19 12:06:05 CEST 2022 - jgonzalez@suse.com

- version 4.3.8-1
  * Configure squid for big images and kernel/initrd files
    Part of saltboot containerization workflow

-------------------------------------------------------------------
Fri Mar 11 15:12:16 CET 2022 - jgonzalez@suse.com

- version 4.3.7-1
  * Fix changelog format

-------------------------------------------------------------------
Fri Mar 11 14:52:46 CET 2022 - jgonzalez@suse.com

- version 4.3.6-1
  * Remove pylint check according to Fedora package guidelines.

-------------------------------------------------------------------
Tue Feb 15 10:04:10 CET 2022 - jgonzalez@suse.com

- version 4.3.5-1
  * integrate new TLS Certificate deployment tool

-------------------------------------------------------------------
Tue Jan 18 13:58:09 CET 2022 - jgonzalez@suse.com

- version 4.3.4-1
  * Update Squid config only when available
  * Remove outdated Squid config cleanup code

-------------------------------------------------------------------
Fri Dec 03 12:25:40 CET 2021 - jgonzalez@suse.com

- version 4.3.3-1
  * during setup detect venv-salt-minion

-------------------------------------------------------------------
Fri Nov 05 13:51:44 CET 2021 - jgonzalez@suse.com

- version 4.3.2-1
  * use system default for SSLProtocol

-------------------------------------------------------------------
Mon Aug 09 11:02:43 CEST 2021 - jgonzalez@suse.com

- version 4.3.1-1
- Improved for Enterprise Linux build.
- Modified for Pylint pass.
- Removed Python 2 build.
- Add new refresh_pattern to the squid.conf to fix a case where the repodata
  was invalid due to being cached (bsc#1186026)

-------------------------------------------------------------------
Wed May 05 16:38:27 CEST 2021 - jgonzalez@suse.com

- version 4.2.4-1
- change deprecated path /var/run into /run for systemd (bsc#1185059)

-------------------------------------------------------------------
Thu Feb 25 12:08:14 CET 2021 - jgonzalez@suse.com

- version 4.2.3-1
- adapt to new SSL implementation of rhnlib (bsc#1181807)

-------------------------------------------------------------------
Wed Jan 27 13:04:41 CET 2021 - jgonzalez@suse.com

- version 4.2.2-1
- drop the --no-ssl option

-------------------------------------------------------------------
Fri Sep 18 11:35:58 CEST 2020 - jgonzalez@suse.com

- version 4.2.1-1
- Update package version to 4.2.0

-------------------------------------------------------------------
Wed May 20 10:56:10 CEST 2020 - jgonzalez@suse.com

- version 4.1.5-1
- do not cache metadata of the bootstrap repositories (bsc#1171169)

-------------------------------------------------------------------
Mon Apr 13 09:34:15 CEST 2020 - jgonzalez@suse.com

- version 4.1.4-1
- move vital proxy templates to a safe place outside of docu (bsc#1166284)

-------------------------------------------------------------------
Mon Feb 17 12:51:37 CET 2020 - jgonzalez@suse.com

- version 4.1.3-1
- remove support for SuSEfirewall2
- use salt master as parent for minion based proxies (bsc#1162129)

-------------------------------------------------------------------
Wed Jan 22 12:12:44 CET 2020 - jgonzalez@suse.com

- version 4.1.2-1
- do not ask for version to activate during proxy configuration (bsc#1140427)

-------------------------------------------------------------------
Wed Nov 27 16:46:47 CET 2019 - jgonzalez@suse.com

- version 4.1.1-1
- Bump version to 4.1.0 (bsc#1154940)

-------------------------------------------------------------------
Wed Jul 31 17:35:39 CEST 2019 - jgonzalez@suse.com

- version 4.0.11-1
- Remove double slashes from cobbler api endpoint (bsc#1133800)

-------------------------------------------------------------------
Wed May 15 15:13:56 CEST 2019 - jgonzalez@suse.com

- version 4.0.10-1
- SPEC cleanup
- Improve error message when trying to configure a proxy on a
  machine that is not registered as client

-------------------------------------------------------------------
Mon Apr 22 12:14:25 CEST 2019 - jgonzalez@suse.com

- version 4.0.9-1
- fix connection type test for proxy (bsc#1132080)
- open needed firewall ports also when firewall not currently
  running (bsc#1131231)
- Add makefile and lintrc for pylint

-------------------------------------------------------------------
Mon Mar 25 16:44:13 CET 2019 - jgonzalez@suse.com

- version 4.0.8-1
- redirect new cobbler autoinstall url

-------------------------------------------------------------------
Tue Mar 12 15:33:51 CET 2019 - jgonzalez@suse.com

- version 4.0.7-1
- fix syntax error in proxy firewall file (bsc#1128885)

-------------------------------------------------------------------
Sat Mar 02 00:11:37 CET 2019 - jgonzalez@suse.com

- version 4.0.6-1
- Cache .deb packages

-------------------------------------------------------------------
Wed Feb 27 13:03:24 CET 2019 - jgonzalez@suse.com

- version 4.0.5-1
- fetch-certificate: allow more time for onboarding

-------------------------------------------------------------------
Wed Jan 16 12:24:15 CET 2019 - jgonzalez@suse.com

- version 4.0.4-1
- configure firewalld if available

-------------------------------------------------------------------
Mon Dec 17 14:39:21 CET 2018 - jgonzalez@suse.com

- version 4.0.3-1
- Add support for Python 3 on spacewalk-proxy-installer
- don't write invalid values to answer file for configure-proxy.sh

-------------------------------------------------------------------
Fri Oct 26 10:35:58 CEST 2018 - jgonzalez@suse.com

- version 4.0.2-1
- Change dependencies from rhncfg to mgr-cfg (bsc#1104034)
- Add script for retrieving the systemid file in configure-proxy.sh for minions (FATE#323069)
- fix wrong paths to scripts; ensure CA can be found

-------------------------------------------------------------------
Fri Aug 10 15:26:11 CEST 2018 - jgonzalez@suse.com

- version 4.0.1-1
- Bump version to 4.0.0 (bsc#1104034)
- Fix copyright for the package specfile (bsc#1103696)

-------------------------------------------------------------------
Mon Mar 05 08:52:59 CET 2018 - jgonzalez@suse.com

- version 2.8.6.2-1
- remove empty clean section from spec (bsc#1083294)

-------------------------------------------------------------------
Wed Feb 28 09:48:18 CET 2018 - jgonzalez@suse.com

- version 2.8.6.1-1
- Sync with upstream

-------------------------------------------------------------------
Wed Jan 17 12:54:09 CET 2018 - jgonzalez@suse.com

- version 2.8.4.1-1
- fix default value in squid.conf template

-------------------------------------------------------------------
Tue Nov 28 12:14:04 CET 2017 - jgonzalez@suse.com

- version 2.7.2.4-1
- more exact question for custom certificate and key (bsc#1059998)

-------------------------------------------------------------------
Mon Jun 12 08:59:11 CEST 2017 - mc@suse.de

- version 2.7.2.3-1
- disable config channel population by default in non-interactive
  mode (bsc#1043778)

-------------------------------------------------------------------
Mon May 29 15:32:31 CEST 2017 - mc@suse.de

- version 2.7.2.2-1
- proxy installer Apache certs did not match rhn-ssl-tools names
  (bsc#1038858)
- Tell user the proxy configure script needs to be re-run after
  copying the missing certificate (bsc#1035015)

-------------------------------------------------------------------
Fri Mar 31 09:34:27 CEST 2017 - mc@suse.de

- version 2.7.2.1-1
- do not start firewall on proxy during configuration if not already
  active (bsc#1031338)
- salt minions get repodata via a different URL; reflect by
  additional squid rule (bsc#1027873)
- extract utility to config ssh-push keys on a proxy
- only warn if parent ssh-push pub key could not be retrieved
- generate and auth ssh push keys for user mgrsshtunnel
- Authorize parent salt-ssh key on proxy
- Generate proxy ssh-push key and authorize the previous proxy in
  the chain
- extract ssh push key directory to variable
- Generate own ssh-push key for proxy and authorize parent

-------------------------------------------------------------------
Tue Mar 07 14:37:36 CET 2017 - mc@suse.de

- version 2.7.1.2-1
- Updated links to github in spec files
- add options for rhn-user and rhn-password
- ask user for credentials only if configuration script works in
  interactive mode

-------------------------------------------------------------------
Tue Feb 07 17:43:07 CET 2017 - michele.bologna@suse.com

- version 2.7.1.1-1
- Align with upstream versioning 

-------------------------------------------------------------------
Wed Jan 11 16:27:46 CET 2017 - michele.bologna@suse.com

- version 2.7.0.1-1
- Bumping package versions for 2.7.

-------------------------------------------------------------------
Thu Oct 06 14:59:00 CEST 2016 - mc@suse.de

- version 2.5.2.4-1
- Restarting salt-broker service when configure-config.sh finished
  the setup
- spacewalk-proxy-installer now requires spacewalk-proxy-salt
- configure firewall for saltproxy

-------------------------------------------------------------------
Mon Mar 21 16:33:55 CET 2016 - mc@suse.de

- version 2.5.2.3-1
- convert squid config parameter range_offset_limit for new squid
  version on update

-------------------------------------------------------------------
Wed Mar 09 10:45:15 CET 2016 - mc@suse.de

- version 2.5.2.2-1
- do not open salt ports

-------------------------------------------------------------------
Wed Mar 02 12:10:22 CET 2016 - mc@suse.de

- version 2.5.2.1-1
- filter only existing config files

-------------------------------------------------------------------
Tue Jan 26 14:09:06 CET 2016 - mc@suse.de

- version 2.5.1.2-1
- fix comments about Salt

-------------------------------------------------------------------
Mon Nov 30 11:07:27 CET 2015 - mc@suse.de

- version 2.5.1.1-1
- fix start of proxy services
- make sure ssl build directory exists (bsc#949516)

-------------------------------------------------------------------
Thu Oct 22 16:28:32 CEST 2015 - mc@suse.de

- version 2.5.0.2-1
- open needed firewall ports

-------------------------------------------------------------------
Wed Oct 07 14:34:16 CEST 2015 - mc@suse.de

- version 2.5.0.1-1
- replace upstream subscription counting with new subscription
  matching (FATE#311619)

-------------------------------------------------------------------
Mon Jun 22 16:14:33 CEST 2015 - jrenner@suse.de

- version 2.1.6.9-1
- Set USE_EXISTING_CERTS=N in the answers.txt example file.
- 'Bring your own certificate': update documentation for configure-proxy.sh
- configure-proxy.sh: 'Bring your own certificate' feature

-------------------------------------------------------------------
Tue Feb 03 11:59:55 CET 2015 - mc@suse.de

- version 2.1.6.8-1
- Added missing cli args (bnc#913941)
- Getting rid of Tabs and trailing spaces

-------------------------------------------------------------------
Thu Dec 04 13:30:20 CET 2014 - mc@suse.de

- version 2.1.6.7-1
- read systemid path from configuration
- proxy installer should use http proxy to get version number

-------------------------------------------------------------------
Fri Nov 07 13:16:16 CET 2014 - mc@suse.de

- version 2.1.6.6-1
- don't hardcode systemid path in rhn-proxy-activate

-------------------------------------------------------------------
Fri Sep 12 15:49:14 CEST 2014 - mc@suse.de

- version 2.1.6.5-1
- remove duplicate Summary and Group entries

-------------------------------------------------------------------
Tue May 06 15:17:23 CEST 2014 - mc@suse.de

- version 2.1.6.4-1
- move yes_no function before the first usage

-------------------------------------------------------------------
Thu Feb 27 15:29:55 CET 2014 - fcastelli@suse.com

- version 2.1.6.3-1
- add missing activate-SLP to option list
- correctly tell yum from zypper; not only in interactive mode
- Various fixes for configure-proxy.sh (rename YUM_OR_UPDATE to YUM, httpd to
  apache2)
- fix wrong product name in configure-proxy.sh
- Add SLP activation to configure-proxy.sh; fix SLP registration file for proxy

-------------------------------------------------------------------
Fri Feb 07 13:57:39 CET 2014 - mc@suse.de

- version 2.1.6.2-1
- fixed bug where UP2DATE_FILE was not set

-------------------------------------------------------------------
Mon Dec 09 16:51:33 CET 2013 - mc@suse.de

- version 2.1.6.1-1
- switch to 2.1

-------------------------------------------------------------------
Fri Sep 27 09:58:47 CEST 2013 - mc@suse.de

- version 1.7.6.10-1
- fix usage of answer file for configure-proxy.sh (bnc#834899)

-------------------------------------------------------------------
Wed Jun 12 13:25:32 CEST 2013 - mc@suse.de

- version 1.7.6.9-1
- report extra commandline arguments
- fail if answer file is not readable

-------------------------------------------------------------------
Fri Feb 08 11:05:40 CET 2013 - mc@suse.de

- version 1.7.6.8-1
- Remove superfluous stuff from cobbler-proxy.conf (bnc#796581)

-------------------------------------------------------------------
Fri Sep 28 16:17:12 CEST 2012 - mc@suse.de

- version 1.7.6.7-1
- cleanup jabberd db and use insserv to switch to current 
  default runlevel
- enable proxy services only in runlevel 3 and 5

-------------------------------------------------------------------
Thu Aug 02 16:22:54 CEST 2012 - mc@suse.de

- version 1.7.6.6-1
- make sure username/password is correct
- reuse already assigned variable

-------------------------------------------------------------------
Mon Jul 16 15:21:43 CEST 2012 - ug@suse.de

- version 1.7.6.5-1
- proxy-installer should pre-require proxy-common to ensure correct order of
  apache modules

-------------------------------------------------------------------
Mon Jun 25 13:58:26 CEST 2012 - mantel@suse.de

- proxy-installer should pre-require proxy-common to ensure correct
  order of apache modules

-------------------------------------------------------------------
Mon May 14 10:54:11 CEST 2012 - mc@suse.de

- version 1.7.6.4-1
- if koan is requesting anything from /cobbller_api replace hostname
  of server with hostname of first proxy in chain

-------------------------------------------------------------------
Fri Apr 27 16:54:44 CEST 2012 - mc@suse.de

- version 1.7.6.3-1
- fix jabberd setup in configure-proxy

-------------------------------------------------------------------
Thu Apr 19 13:46:08 CEST 2012 - mantel@suse.de

- squid stores its data in /var/cache/squid, not in
  /var/spool/squid

-------------------------------------------------------------------
Fri Mar 30 14:50:00 CEST 2012 - mc@suse.de

- version 1.7.6.2-1
- run pylint on SUSE systems

-------------------------------------------------------------------
Wed Mar 21 17:36:54 CET 2012 - mc@suse.de

- version 1.7.6.1-1
- Bumping package version

-------------------------------------------------------------------
Thu Dec 22 14:59:55 CET 2011 - mantel@suse.de

- rename Novell to SUSE (#708333)

-------------------------------------------------------------------
Mon Sep 12 11:28:48 CEST 2011 - mc@suse.de

- fix example answer file (bnc#703980)

-------------------------------------------------------------------
Wed May 25 13:26:16 CEST 2011 - mc@suse.de

- allow only secure SSLCipher and SSLProtocols (bnc#685550)

-------------------------------------------------------------------
Mon May  2 17:25:35 CEST 2011 - ug@suse.de

- apache has to load mod_proxy_http (bnc#683382)

-------------------------------------------------------------------
Thu Mar 31 15:45:30 CEST 2011 - mantel@suse.de

- more debranding

-------------------------------------------------------------------
Tue Mar 29 16:42:00 CEST 2011 - ug@suse.de

- added some directories to redirect to the server for
  autoinstallation (/download and /ks - bnc#683382)

-------------------------------------------------------------------
Tue Mar 22 13:39:31 CET 2011 - mantel@suse.de

- remove /etc/motd after proxy has been configured (bnc#681220)

-------------------------------------------------------------------
Tue Mar  8 09:50:09 CET 2011 - mc@suse.de

- fix SSL certificate generation on SUSE (bnc#677468) 

-------------------------------------------------------------------
Thu Mar  3 17:48:44 CET 2011 - mc@suse.de

- fix ssl configuration 

-------------------------------------------------------------------
Thu Mar  3 15:54:20 CET 2011 - mantel@suse.de

- use FQHN for SSL certificate common name (bnc#676678)

-------------------------------------------------------------------
Thu Mar  3 12:43:00 CET 2011 - mantel@suse.de

- move apache module configuration to main package

-------------------------------------------------------------------
Thu Mar  3 10:48:58 CET 2011 - mantel@suse.de

- adapt for SUSE Manager

-------------------------------------------------------------------
Wed Feb 23 14:11:33 CET 2011 - mantel@suse.de

- some adaptations for SUSE manager

-------------------------------------------------------------------
Wed Sep 15 09:42:17 CEST 2010 - mantel@suse.de

- Initial release of spacewalk-proxy-installer

-------------------------------------------------------------------
0707010000000F000081B4000000000000000000000001670D22FD0000130D000000000000000000000000000000000000003900000000spacewalk-proxy-installer/spacewalk-proxy-installer.spec
#
# spec file for package spacewalk-proxy-installer
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2008-2018 Red Hat, Inc.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#


#!BuildIgnore:  udev-mini libudev-mini1
%if 0%{?fedora} || 0%{?rhel}
%define apacheconfdir %{_sysconfdir}/httpd
%else
%define apacheconfdir %{_sysconfdir}/apache2
%endif

%define rhnroot %{_usr}/share/rhn
%define pythondir %{rhnroot}/proxy-installer

Name:           spacewalk-proxy-installer
Version:        5.1.1
Release:        0
Summary:        Spacewalk Proxy Server Installer
License:        GPL-2.0-only
# FIXME: use correct group or remove it, see "https://en.opensuse.org/openSUSE:Package_group_guidelines"
Group:          Applications/Internet
URL:            https://github.com/uyuni-project/uyuni
Source0:        https://github.com/spacewalkproject/spacewalk/archive/%{name}-%{version}.tar.gz
BuildArch:      noarch

Requires:       firewalld
Requires(pre):  spacewalk-proxy-common
Requires:       spacewalk-proxy-salt
%if 0%{?suse_version}
Requires:       aaa_base
Requires:       apache2
Requires:       glibc
%else
Requires:       chkconfig
Requires:       glibc-common
Requires:       hostname
Requires:       httpd
Requires:       net-tools
Requires:       rhn-client-tools > 2.8.4
Requires:       rhnlib
%endif
Requires:       libxslt
Requires:       salt
Requires:       spacewalk-certs-tools >= 1.6.4
BuildRequires:  /usr/bin/docbook2man

# weakremover used on SUSE to get rid of orphan packages which are
# unsupported and do not have a dependency anymore
Provides:       weakremover(mgr-cfg)
Provides:       weakremover(mgr-cfg-actions)
Provides:       weakremover(mgr-cfg-client)
Provides:       weakremover(mgr-cfg-management)

%define defaultdir %{_usr}/share/rhn/proxy-template

%description
The Spacewalk Proxy Server allows package proxying/caching
and local package delivery services for groups of local servers from
Spacewalk Server. This service adds flexibility and economy of
resources to package update and deployment.

This package includes command line installer of Spacewalk Proxy Server.
Run configure-proxy.sh after installation to configure proxy.

%prep
%setup -q

%build
/usr/bin/docbook2man rhn-proxy-activate.sgml
/usr/bin/gzip rhn-proxy-activate.8
/usr/bin/docbook2man configure-proxy.sh.sgml
/usr/bin/gzip configure-proxy.sh.8

%install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_usr}/sbin
mkdir -p %{buildroot}%{pythondir}
mkdir -p %{buildroot}%{_prefix}/lib/firewalld/services

install -m 755 -d %{buildroot}%{defaultdir}
install -m 644 squid.conf %{buildroot}%{defaultdir}
install -m 644 rhn.conf %{buildroot}%{defaultdir}
install -m 644 cobbler-proxy.conf %{buildroot}%{defaultdir}
install -m 644 insights-proxy.conf %{buildroot}%{defaultdir}
install -m 755 configure-proxy.sh %{buildroot}%{_usr}/sbin
install -m 644 fetch-certificate.py  %{buildroot}%{pythondir}
install -m 755 spacewalk-setup-httpd %{buildroot}%{_bindir}
install -m 644 get_system_id.xslt %{buildroot}%{_usr}/share/rhn/
install -m 644 rhn-proxy-activate.8.gz %{buildroot}%{_mandir}/man8/
install -m 644 configure-proxy.sh.8.gz %{buildroot}%{_mandir}/man8/
install -m 0644 suse-manager-proxy.xml %{buildroot}%{_prefix}/lib/firewalld/services

# Fixing shebang for Python 3
for i in $(find . -type f);
do
    sed -i '1s=^#!/usr/bin/\(python\|env python\)[0-9.]*=#!/usr/bin/python3=' $i;
done
install -m 755 rhn-proxy-activate.py %{buildroot}%{_usr}/sbin/rhn-proxy-activate

%check

%post
%if 0%{?suse_version}
if [ -f %{_sysconfdir}/sysconfig/apache2 ]; then
    sysconf_addword %{_sysconfdir}/sysconfig/apache2 APACHE_MODULES proxy_http
    sysconf_addword %{_sysconfdir}/sysconfig/apache2 APACHE_MODULES headers
fi
%endif

%files
%defattr(-,root,root,-)
%dir %{defaultdir}
%{defaultdir}/squid.conf
%{defaultdir}/rhn.conf
%{defaultdir}/cobbler-proxy.conf
%{defaultdir}/insights-proxy.conf
%{_usr}/sbin/configure-proxy.sh
%{_mandir}/man8/*
%{_usr}/share/rhn/get_system_id.xslt
%{_usr}/sbin/rhn-proxy-activate
%dir %{pythondir}
%{pythondir}/fetch-certificate.py
%{_bindir}/spacewalk-setup-httpd
%doc answers.txt
%license LICENSE
%dir %{_usr}/share/rhn/proxy-template
%dir %{_usr}/share/rhn
%{_prefix}/lib/firewalld/services/suse-manager-proxy.xml

%changelog
07070100000010000081B4000000000000000000000001670D22FD000002AA000000000000000000000000000000000000003000000000spacewalk-proxy-installer/spacewalk-setup-httpd
#!/bin/bash
# Point the Apache SSL vhost at the Spacewalk certificate and key.

# SUSE layout by default; fall back to the Red Hat layout when /etc/apache2 is absent.
HTTPDCONF_DIR=/etc/apache2/vhosts.d
if [ ! -e /etc/apache2 ]; then
  HTTPDCONF_DIR=/etc/httpd/conf.d
fi
PKI_DIR=/etc/pki/tls

# Create ssl.conf from the vhost template on the first run.
if [ ! -e "$HTTPDCONF_DIR/ssl.conf" ]; then
    cp "$HTTPDCONF_DIR/vhost-ssl.template" "$HTTPDCONF_DIR/ssl.conf"
fi
# Rewrite the certificate, key and cipher suite directives, and enable
# rewriting and the SSL proxy engine just before the closing </VirtualHost>.
sed -i -e "s|^[\t ]*SSLCertificateFile.*$|SSLCertificateFile $PKI_DIR/certs/spacewalk.crt|g" \
    -e "s|^[\t ]*SSLCertificateKeyFile.*$|SSLCertificateKeyFile $PKI_DIR/private/spacewalk.key|g" \
    -e "s|^[\t ]*SSLCipherSuite.*$|SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH|g" \
    -e "s|</VirtualHost>|RewriteEngine on\nRewriteOptions inherit\nSSLProxyEngine on\n</VirtualHost>|" \
    "$HTTPDCONF_DIR/ssl.conf"
07070100000011000081B4000000000000000000000001670D22FD00000ADD000000000000000000000000000000000000002500000000spacewalk-proxy-installer/squid.conf
# squid.conf
# To be used for Spacewalk Proxy servers.
#

http_port 8080

cache_mem 400 MB

# cached images can be large
maximum_object_size 10 GB
maximum_object_size_in_memory 1024 KB

access_log /var/log/squid/access.log squid

# Size should be about 60% of your free space
cache_dir aufs /var/cache/squid 15000 16 256

# Average object size, used to estimate number of objects your
# cache can hold.  The default is 13 KB.
store_avg_object_size 817 KB

# We want to keep the largest objects around longer, and just download the smaller objects if we can.
cache_replacement_policy heap LFUDA

memory_replacement_policy heap GDSF

# cache repodata for only a few minutes and then query the parent whether it is fresh
refresh_pattern /XMLRPC/GET-REQ/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
refresh_pattern /ks/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
# salt minions get the repodata via a different URL
refresh_pattern /rhn/manager/download/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
# bootstrap repos need to be handled as well
refresh_pattern /pub/repositories/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
refresh_pattern /pub/repositories/.*/venv-enabled-.*.txt$ 0 1% 1440 reload-into-ims refresh-ims
# an rpm will hardly ever change, force caching it for a very long time
refresh_pattern  \.rpm$  10080 100% 525600 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern  \.deb$  10080 100% 525600 override-expire override-lastmod ignore-reload reload-into-ims
# once downloaded, images will never change. A new image will have a different revision number
refresh_pattern /os-images/.*$ 10080 100% 525600 ignore-no-store ignore-reload ignore-private
# kernel and initrd are tied to images, will never change as well
refresh_pattern /tftp/images/.*$ 10080 100% 525600 ignore-no-store ignore-reload ignore-private
# rest of tftp are config files prone to change frequently
refresh_pattern /tftp/.*$ 0 1% 1440 reload-into-ims refresh-ims
refresh_pattern 	.		0	100%	525600

# secure squid
# allow request only from localhost and to http and https ports
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
miss_access allow all

# if transport is canceled, finish downloading anyway
quick_abort_pct -1
quick_abort_min -1 KB

# when range is required, download whole file anyway
# when we request rpm header, we will nearly always get
# request for the rest of the file
range_offset_limit none

# we download only from 1 server, default is 1024
# which is too much for us
fqdncache_size 4
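
Squid evaluates the http_access lines above from top to bottom, and the first line whose ACLs all match decides the request. The following is an added example, not part of the spacewalk-proxy-installer sources: it models that evaluation in Python for the ACL lines copied from this squid.conf. The built-in "localhost" ACL, the request dictionaries and all function names are assumptions made for illustration.

```python
import ipaddress

# ACL and http_access lines copied from the squid.conf above.
SQUID_RULES = """\
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 443         # https
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
"""

# Assumption: "localhost" is not defined in the file, so model Squid's
# built-in ACL of that name (the loopback addresses).
BUILTIN_ACLS = {"localhost": ("src", ["127.0.0.1/32", "::1/128"])}


def parse(text):
    """Return (acls, rules) for the acl and http_access lines in text."""
    acls = {name: (kind, list(vals)) for name, (kind, vals) in BUILTIN_ACLS.items()}
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "acl":
            name, kind, values = words[1], words[2], words[3:]
            # Repeated "acl NAME ..." lines add values to the same ACL (OR).
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif words[0] == "http_access":
            rules.append((words[1], words[2:]))
    return acls, rules


def acl_matches(acls, name, request):
    """Evaluate one named ACL against a request dict (src, method, port)."""
    kind, values = acls[name]
    if kind == "src":
        addr = ipaddress.ip_address(request["src"])
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        # Destination port of the requested URL, not the listening port.
        return str(request["port"]) in values
    if kind == "method":
        return request["method"] in values
    raise ValueError("unsupported ACL type: " + kind)


def decide(acls, rules, request):
    """Return (action, rule_number) of the first http_access line that matches."""
    for index, (action, terms) in enumerate(rules, start=1):
        # All terms on one line must match (AND); a leading "!" negates.
        if all(acl_matches(acls, t.lstrip("!"), request) != t.startswith("!")
               for t in terms):
            return action, index
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None


if __name__ == "__main__":
    acls, rules = parse(SQUID_RULES)
    # Constructed sample requests.
    for req in (
        {"src": "127.0.0.1", "method": "GET", "port": 80},
        {"src": "192.0.2.10", "method": "GET", "port": 80},
        {"src": "127.0.0.1", "method": "GET", "port": 8080},
        {"src": "127.0.0.1", "method": "CONNECT", "port": 80},
    ):
        print(req, "->", decide(acls, rules, req))
```
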
07070100000012000081B4000000000000000000000001670D22FD000002AC000000000000000000000000000000000000003100000000spacewalk-proxy-installer/suse-manager-proxy.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
	<short>SUSE Manager Proxy</short>
	<description>SUSE Manager Proxy Server allows package caching and local package delivery services for groups of local servers from SUSE Manager Server.</description>
	<port protocol="tcp" port="80"/>
	<port protocol="tcp" port="443"/>
	<port protocol="tcp" port="22"/>
	<port protocol="tcp" port="5222"/>
	<port protocol="tcp" port="5269"/>
	<port protocol="tcp" port="4505"/>
	<port protocol="tcp" port="4506"/>
	<port protocol="udp" port="123"/>
	<port protocol="udp" port="69"/>
	<module name="nf_conntrack_tftp"/>
</service>
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!