add upgrade script for setting authentication for CUPS-Get-Document operation

cups.spec

@@ -15,7 +15,7 @@ Summary: CUPS printing system
 Name: cups
 Epoch: 1
 Version: 2.4.6
-Release: 3%{?dist}
+Release: 4%{?dist}
 # backend/failover.c - BSD-3-Clause
 # cups/md5* - Zlib
 # scheduler/colorman.c - Apache-2.0 WITH LLVM-exception AND BSD-2-Clause
@@ -31,6 +31,9 @@ Source0: https://github.com/OpenPrinting/cups/releases/download/v%{VERSION}/cups
 Source1: cupsprinter.png
 # cups_serverbin macro definition for use during builds
 Source2: macros.cups
+# upgrade script for CUPS-Get-Document fix
+# remove after Fedora 40 is EOL and C10S is released
+Source3: upgrade_get_document.py
 
 # PAM enablement, very old patch, not even git can track when or why
 # the patch was added.
@@ -157,6 +160,9 @@ Requires(post): grep, sed
 Requires(preun): systemd
 Requires(postun): systemd
 
+# for upgrade-get-document script - remove after C10S is released and F40 is EOL
+Requires(post): python3
+
 
 %package client
 Summary: CUPS printing system - client programs
@@ -466,6 +472,10 @@ s:.*\('%{_datadir}'/\)\([^/_]\+\)\(.*\.po$\):%lang(\2) \1\2\3:
 /^\([^%].*\)/d
 ' > %{name}.lang
 
+# install get-document upgrade script - remove it after
+# C10S is released and Fedora 40 is EOL
+install -m 0755 %{SOURCE3} %{buildroot}%{_sbindir}/upgrade_get_document
+
 %post
 # remove after CentOS Stream 10 is released
 # Require authentication for accessing /admin location
@@ -480,6 +490,9 @@ sed -ne '/^\s*<Location \/admin>/ { :loop; /<\/Location>/ ! {N; b loop}; p }' %{
 | grep -E '^\s*(AuthType|Require)' &> /dev/null || \
 sed -i.rpmsave '/^\s*<Location \/admin>/a\  AuthType Default\n  Require user @SYSTEM' %{_sysconfdir}/cups/cupsd.conf
 
+# remove after C10S release and Fedora 40 EOL
+%{_sbindir}/upgrade_get_document
+
 # required for systemd units
 %systemd_post %{name}.path %{name}.socket %{name}.service
 
@@ -550,6 +563,8 @@ rm -f %{cups_serverbin}/backend/smb
 %{_sbindir}/lpadmin
 %{_sbindir}/lpinfo
 %{_sbindir}/lpmove
+# remove upgrade-get-document once C10S is released and Fedora 40 EOL
+%{_sbindir}/upgrade_get_document
 %dir %{cups_serverbin}/daemon
 %{cups_serverbin}/daemon/cups-deviced
 %{cups_serverbin}/daemon/cups-driverd
@@ -763,6 +778,9 @@ rm -f %{cups_serverbin}/backend/smb
 %{_mandir}/man7/ippeveps.7.gz
 
 %changelog
+* Thu Aug 10 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.6-4
+- add upgrade script for setting authentication for CUPS-Get-Document operation
+
 * Wed Jul 26 2023 Zdenek Dohnal <zdohnal@redhat.com> - 1:2.4.6-3
 - SPDX migration completed
 

upgrade_get_document.py

@@ -0,0 +1,171 @@
+#!/usr/bin/python3
+
+"""
+Upgrade script to enable authentication for CUPS-Get-Document in
+default policy
+"""
+
+import os
+import sys
+from shutil import copy
+
+
+def get_cupsd_conf():
+    """
+    Get all lines from cupsd.conf
+    """
+    if not os.path.exists('/etc/cups/cupsd.conf'):
+        return None
+
+    lines = []
+    with open('/etc/cups/cupsd.conf', encoding="utf-8") as conf:
+        lines = conf.readlines()
+
+    return lines
+
+
+def get_default_policy(lines):
+    """
+    Get the default policy lines
+
+    :param list lines: lines from cupsd.conf
+    """
+    default_policy = []
+    in_policy = False
+
+    for line in lines:
+        if not in_policy and not line.lstrip().startswith('<Policy default>'):
+            continue
+
+        default_policy.append(line)
+
+        if line.lstrip().startswith('</Policy>'):
+            return default_policy
+
+        in_policy = True
+
+    return default_policy
+
+
+def get_limit_with_document(lines):
+    """
+    Get <Limit> scope which defines CUPS-Get-Document operation
+
+    :param list lines: Lines containing the default policy
+    """
+    limit = []
+    in_limit = False
+
+    for line in lines:
+        if not in_limit and not line.lstrip().startswith('<Limit'):
+            continue
+
+        if (not in_limit and line.lstrip().startswith('<Limit') and
+            not 'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
+            continue
+
+        limit.append(line)
+
+        if line.lstrip().startswith('</Limit>'):
+            return limit
+
+        in_limit = True
+
+    return limit
+
+
+def check_for_authtype(lines):
+    """
+    Check if <Limit> defining CUPS-Get-Document defines
+    any authentication
+
+    :param list lines: Lines of <Limit> scope which defines CUPS-Get-Document
+    """
+    for line in lines:
+        if line.lstrip().startswith('AuthType'):
+            return True
+    return False
+
+
+def migrate_cupsd_conf(lines):
+    """
+    Make changes to cupsd.conf contents to use authentication
+    for CUPS-Get-Document
+
+    :param list lines: Lines from cupsd.conf
+    """
+    new_lines = []
+    in_policy = False
+    create_document_limit = False
+
+    for line in lines:
+        if (in_policy and line.lstrip().startswith('<Limit') and
+            not line.lstrip().startswith('<Limit CUPS-Get-Document>') and
+            'CUPS-Get-Document' in line.lstrip().split('#')[0][1:-1]):
+            line = line.replace(' CUPS-Get-Document', '')
+            create_document_limit = True
+
+        if in_policy and line.lstrip().startswith('</Policy>') and create_document_limit:
+            new_lines.append('\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '# added during upgrade\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '<Limit CUPS-Get-Document>\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
+                             'AuthType Default\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
+                             'Require user @OWNER @SYSTEM\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 4) * ' ' +
+                             'Order deny,allow\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '</Limit>\n')
+            create_document_limit = False
+
+        new_lines.append(line)
+
+        if not in_policy:
+            if line.lstrip().startswith('<Policy default>'):
+                in_policy = True
+            continue
+
+        if line.lstrip().startswith('<Limit CUPS-Get-Document>'):
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             '# added during upgrade\n')
+            new_lines.append((len(line) - len(line.lstrip()) + 2) * ' ' +
+                             'AuthType Default\n')
+            continue
+
+        if line.lstrip().startswith('</Policy>'):
+            in_policy = False
+            continue
+
+    return new_lines
+
+
+def apply_changes(lines):
+    """
+    Backup the original file if there is no .rpmsave already and
+    apply changes to the actual cupsd.conf
+
+    :param list lines: New lines for cupsd.conf
+    """
+    if not os.path.exists('/etc/cups/cupsd.conf.rpmsave'):
+        copy('/etc/cups/cupsd.conf', '/etc/cups/cupsd.conf.rpmsave')
+
+    with open('/etc/cups/cupsd.conf', 'w', encoding='utf-8') as conf:
+        conf.writelines(lines)
+
+
+
+content = get_cupsd_conf()
+if content is None:
+    sys.exit(1)
+
+if check_for_authtype(get_limit_with_document(get_default_policy(content))):
+    sys.exit(0)
+
+new_content = migrate_cupsd_conf(content)
+
+apply_changes(new_content)
+
+sys.exit(0)