Add UI Action to deactivate IPMI SOL sessions

Harden SOL deactivate endpoint: POST+CSRF, secure ipmitool execution, timeout handling

add allowlist validation to BMC host and IPMI username before subprocess execution and added test that checks that unsafe input is rejected and not executed

Queue SOL deactivation via SSH task

- move SOL deactivate from request path to async task queue

- add dedicated DeactivateSerialOverLan task executed from cscreen server

- enqueue through signal receiver and keep model-side permission checks

- extend SSH.execute to support remote environment vars for IPMI_PASSWORD

- update frontend wording to explicit queued/background behavior

- add/adjust focused tests and user-guide notes

remove unused imports

SOL precondition checks now warn and return False instead of raising exceptions

add note to setup.rst  about paramiko

remove crsftoken

remove getCookie funtion, no needed

Fix linting: isort, black, flake8

Author: PrathamGhaywat

docs/adminguide/setup.rst

@@ -96,4 +96,9 @@ the manual setup of a cscreen server. Follow these steps to ensure that Orthos c
 
 3. Setup passwordless SSH keys between the ``orthos`` (Orthos server) to the ``_cscreen`` user (console server).
 
+.. note:: Orthos can pass environment variables to remote commands via Paramiko ``exec_command``.
+          See `Paramiko SSHClient.exec_command docs <https://docs.paramiko.org/en/stable/api/client.html#paramiko.client.SSHClient.exec_command>`_.
+          SSH servers may silently reject environment variables, so do not rely on them unless the server-side
+          SSH daemon is configured to accept them.
+
 4. Enable and start the systemd service for cscreen ``systemctl enable --now cscreend.service``

docs/userguide/machine_page.rst

@@ -60,6 +60,8 @@ Machine Actions
 - Setup Machine: Here you can install your machine according to your needs. You have the possibility to install SLES, 
   SLED, Opensuse Leap, Opensuse and Tumbleweed. During the installation you have several options: install, install ssh
   install ssh auto, install auto etc.
+- Queue SOL Deactivation: For machines with IPMI serial consoles, this action queues a background task to deactivate
+  Serial-over-LAN (SOL) via the configured serial console server.
 - Report Problem: If you unexpectedly encounter a problem with the machine, you can create a support ticket here.
 
 .. image:: ../img/userguide/10_machine_release.jpg

orthos2/data/models/machine.py

@@ -1393,6 +1393,43 @@ def powercycle(self, action: Optional[str], user: Any = None) -> bool:
 
         return False
 
+    @check_permission
+    def deactivate_sol(self, user: Any = None) -> bool:
+        """Queue asynchronous deactivation of the machine Serial-over-LAN session."""
+        from orthos2.data.signals import signal_serialconsole_sol_deactivate
+
+        if not self.has_serialconsole():
+            logger.warning(
+                "SOL deactivate skipped for %s: no serial console available", self.fqdn
+            )
+            return False
+
+        if self.serialconsole.stype.name != "IPMI":
+            logger.warning(
+                "SOL deactivate skipped for %s: serial console type is not IPMI",
+                self.fqdn,
+            )
+            return False
+
+        if not self.has_bmc():
+            logger.warning("SOL deactivate skipped for %s: no BMC available", self.fqdn)
+            return False
+
+        if not self.fqdn_domain.cscreen_server:
+            logger.warning(
+                "SOL deactivate skipped for %s: no serial console server configured for domain %s",
+                self.fqdn,
+                self.fqdn_domain,
+            )
+            return False
+
+        signal_serialconsole_sol_deactivate.send(  # type: ignore
+            sender=Machine,
+            machine_id=self.pk,
+        )
+
+        return True
+
     @check_permission
     def ssh_shutdown(self, user: Any = None, reboot: bool = False) -> bool:
         """Power off/reboot the machine using SSH."""

orthos2/data/signals.py

@@ -20,6 +20,7 @@
 signal_cobbler_sync_dhcp = Signal()
 signal_cobbler_machine_update = Signal()
 signal_serialconsole_regenerate = Signal()
+signal_serialconsole_sol_deactivate = Signal()
 signal_motd_regenerate = Signal()
 
 
@@ -163,6 +164,15 @@ def regenerate_serialconsole(
         TaskManager.add(task)
 
 
+@receiver(signal_serialconsole_sol_deactivate)
+def deactivate_serialconsole_sol(
+    sender: Any, machine_id: int, *args: Any, **kwargs: Any
+) -> None:
+    """Create `DeactivateSerialOverLan()` task here."""
+    task = tasks.DeactivateSerialOverLan(machine_id)
+    TaskManager.add(task)
+
+
 @receiver(signal_cobbler_regenerate)
 def regenerate_cobbler(
     sender: Any, domain_id: Optional[int], *args: Any, **kwargs: Any

orthos2/frontend/templates/frontend/machines/detail/overview.html

@@ -55,6 +55,24 @@
   });
 }
 
+
+function deactivate_sol() {
+  $.ajax({
+    type: 'POST',
+    url: '{% url 'frontend:ajax_deactivate_sol' machine.id %}',
+    beforeSend: function() {
+      // Avoid double-submits while the backend deactivation request is running.
+      $('.deactivate-sol').addClass('disabled')
+    },
+    complete: function() {
+      $('.deactivate-sol').removeClass('disabled')
+    },
+    success: function(data) {
+      showMachineStatusBarMessage(data);
+    },
+  });
+}
+
 function regenerate_domain_cscreen() {
   $.ajax({
     url: '{% url 'frontend:regenerate_domain_cscreen' machine.id %}',

orthos2/frontend/templates/frontend/machines/detail/snippets/sidebar.html

@@ -79,6 +79,13 @@ <h5>Actions</h5>
   <a class="btn btn-secondary btn-sm regenerate-domain-cobbler" href="javascript:void(0);" onclick="regenerate_domain_cobbler()" role="button">Regenerate Cobbler Server</a>
   {% endif %}
 </div>
+
+{% if machine.has_serialconsole and machine.serialconsole.stype.name == "IPMI" %}
+<br/>
+<div class="btn-group-vertical d-flex">
+  <a class="btn btn-secondary btn-sm deactivate-sol" href="javascript:void(0);" onclick="deactivate_sol()" role="button">Queue SOL Deactivation</a>
+</div>
+{% endif %}
 {% endif %}
 
 <hr/>

orthos2/frontend/tests/admin/test_machine.py

@@ -1,17 +1,41 @@
+from unittest import mock
+
 from django.test import TestCase
-from django_webtest import WebTest  # type: ignore
 
+from orthos2.data.models import Machine
+
+
+class DeactivateSolMachineTest(TestCase):
+
+    fixtures = ["orthos2/utils/tests/fixtures/machines.json"]
+
+    @mock.patch("orthos2.data.signals.signal_serialconsole_sol_deactivate.send")
+    def test_deactivate_sol_enqueues_task(self, mocked_send: mock.MagicMock) -> None:
+        """The model action should enqueue a task instead of running SOL deactivate inline."""
+
+        machine = Machine.objects.get(pk=2)
+        machine.fqdn_domain.__class__.objects.filter(pk=machine.fqdn_domain.pk).update(
+            cscreen_server=machine
+        )
+        machine.refresh_from_db()
 
-class AddMachine(WebTest):
-    def test_add_new_machine(self) -> None:
-        pass
+        result = machine.deactivate_sol()
 
+        self.assertTrue(result)
+        mocked_send.assert_called_once_with(
+            sender=Machine,
+            machine_id=machine.pk,
+        )
 
-class EditMachine(TestCase):
+    def test_deactivate_sol_requires_serialconsole(self) -> None:
+        """The model action should return False when no serial console is configured."""
 
-    pass
+        machine = Machine.objects.get(pk=1)
 
+        self.assertFalse(machine.deactivate_sol())
 
-class DeleteMachine(TestCase):
+    def test_deactivate_sol_requires_cscreen_server(self) -> None:
+        """The model action should return False when no serial console server is configured."""
+        machine = Machine.objects.get(pk=2)
 
-    pass
+        self.assertFalse(machine.deactivate_sol())

orthos2/frontend/tests/admin/test_machine_views.py

@@ -1,9 +1,20 @@
+import json
 from unittest import mock
 
+from django.contrib.auth.models import User
 from django.urls import reverse  # type: ignore
 from django_webtest import WebTest  # type: ignore
 
-from orthos2.data.models import Architecture, Machine, ServerConfig, System
+from orthos2.data.models import (
+    BMC,
+    Architecture,
+    Machine,
+    RemotePowerType,
+    SerialConsole,
+    SerialConsoleType,
+    ServerConfig,
+    System,
+)
 from orthos2.data.models.domain import Domain
 
 
@@ -52,6 +63,34 @@ def setUp(self, m_is_dns_resolvable: mock.MagicMock):
 
         m2.save()
 
+        ipmi_fence_agent = RemotePowerType.objects.create(
+            name="ipmilanplus", device="bmc"
+        )
+        ipmi_console_type = SerialConsoleType.objects.create(
+            name="IPMI",
+            command=(
+                "ipmitool -I lanplus -H {{ machine.bmc.fqdn }} "
+                "-U {{ ipmi.user}} -P {{ ipmi.password }} sol activate"
+            ),
+            comment="IPMI",
+        )
+
+        BMC.objects.create(
+            username="root",
+            password="root",
+            fqdn="testsys-sp.orthos2.test",
+            mac="AA:BB:CC:DD:EE:FF",
+            machine=m2,
+            fence_agent=ipmi_fence_agent,
+        )
+        SerialConsole.objects.create(
+            machine=m2,
+            stype=ipmi_console_type,
+            kernel_device="ttyS",
+            kernel_device_num=1,
+            baud_rate=115200,
+        )
+
     def test_visible_fieldsets_non_administrative_systems(self) -> None:
         """Test for fieldsets."""
         # Act
@@ -93,3 +132,50 @@ def test_visible_inlines_administrative_systems(self) -> None:
         # Assert
         self.assertContains(page, "Add another Serial Console")  # type: ignore
         self.assertContains(page, "Remote Power")  # type: ignore
+
+    def test_deactivate_sol_button_visible_for_ipmi_console(self) -> None:
+        """The machine detail page should expose the SOL deactivate action for IPMI consoles."""
+
+        page = self.app.get(  # type: ignore
+            reverse("frontend:detail", args=["2"]), user="superuser"
+        )
+
+        self.assertContains(page, "Queue SOL Deactivation")  # type: ignore
+
+    def test_deactivate_sol_button_hidden_without_serialconsole(self) -> None:
+        """The machine detail page should not expose the SOL action if no serial console exists."""
+
+        page = self.app.get(  # type: ignore
+            reverse("frontend:detail", args=["1"]), user="superuser"
+        )
+
+        self.assertNotContains(page, "Queue SOL Deactivation")  # type: ignore
+
+    @mock.patch("orthos2.frontend.views.ajax.Machine.deactivate_sol")
+    def test_ajax_deactivate_sol(self, mocked_deactivate_sol: mock.MagicMock) -> None:
+        """The AJAX endpoint should queue the machine action and return a success payload."""
+
+        mocked_deactivate_sol.return_value = True
+        self.client.force_login(User.objects.get(username="superuser"))
+
+        response = self.client.post(reverse("frontend:ajax_deactivate_sol", args=["2"]))
+
+        self.assertEqual(response.status_code, 200)
+        payload = json.loads(response.content)
+        self.assertEqual(payload["cls"], "success")
+        self.assertEqual(
+            payload["message"],
+            "SOL deactivation was queued and will run in the background.",
+        )
+        mocked_deactivate_sol.assert_called_once_with(user=mock.ANY)
+
+    def test_ajax_deactivate_sol_rejects_get(self) -> None:
+        """The SOL deactivation endpoint should reject GET requests."""
+
+        page = self.app.get(  # type: ignore
+            reverse("frontend:ajax_deactivate_sol", args=["2"]),
+            user="superuser",
+            expect_errors=True,
+        )
+
+        self.assertEqual(page.status_int, 405)  # type: ignore[attr-defined]

orthos2/frontend/urls.py

@@ -139,6 +139,11 @@
         views.ajax.powercycle,
         name="ajax_powercycle",
     ),
+    re_path(
+        r"^ajax/machine/(?P<machine_id>[0-9]+)/sol/deactivate$",
+        views.ajax.deactivate_sol,
+        name="ajax_deactivate_sol",
+    ),
     re_path(
         r"^ajax/machine/(?P<host_id>[0-9]+)/virtualization/list$",
         views.ajax.virtualization_list,

orthos2/frontend/views/ajax.py

@@ -4,6 +4,7 @@
 from django.contrib.auth.decorators import login_required
 from django.http import HttpRequest, JsonResponse
 from django.template.defaultfilters import urlize
+from django.views.decorators.http import require_POST
 
 from orthos2.data.models import Annotation, Machine, RemotePower
 from orthos2.frontend.decorators import check_permissions
@@ -77,6 +78,39 @@ def powercycle(request: HttpRequest, machine_id: int) -> JsonResponse:
         return JsonResponse({"type": "status", "cls": "danger", "message": str(e)})
 
 
+@require_POST
+@login_required
+@check_permissions(key="machine_id")
+def deactivate_sol(request: HttpRequest, machine_id: int) -> JsonResponse:
+    """Deactivate the machine SOL session and return result as JSON."""
+
+    try:
+        machine = Machine.objects.get(pk=machine_id)
+        # Keep queueing logic in the model layer so permissions and validation stay centralized.
+        result = machine.deactivate_sol(user=request.user)
+
+        if result:
+            return JsonResponse(
+                {
+                    "type": "status",
+                    "cls": "success",
+                    "message": "SOL deactivation was queued and will run in the background.",
+                }
+            )
+
+        return JsonResponse(
+            {"type": "status", "cls": "danger", "message": "SOL deactivate failed!"}
+        )
+
+    except Machine.DoesNotExist:
+        return JsonResponse(
+            {"type": "status", "cls": "danger", "message": "Machine does not exist!"}
+        )
+    except Exception as e:
+        logger.exception(e)
+        return JsonResponse({"type": "status", "cls": "danger", "message": str(e)})
+
+
 @login_required
 def virtualization_list(request: HttpRequest, host_id: int) -> JsonResponse:
     """Return VM list (libvirt)."""