From 85e1bd3c9366c6e15f53097ff0cd846739beb611 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 17 Mar 2022 16:01:12 +0100
Subject: [PATCH 17/39] Warn if the SSHD is not configured to use SFTP server
---
 .../actors/opensshsubsystemsftp/actor.py | 22 +++++++++
 .../libraries/opensshsubsystemsftp.py | 47 +++++++++++++++++++
 .../tests/test_opensshsubsystemsftp.py | 33 +++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
 create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
 create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
new file mode 100644
index 00000000..14d8b882
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
@@ -0,0 +1,22 @@
+from leapp.actors import Actor
+from leapp.libraries.actor import opensshsubsystemsftp
+from leapp.models import InstalledRedHatSignedRPM, OpenSshConfig
+from leapp.reporting import Report
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+
+class OpenSshSubsystemSftp(Actor):
+    """
+    The RHEL9 changes the SCP to use SFTP protocol internally. The both RHEL8 and RHEL9
+    enable SFTP server by default, but if the user disabled the SFTP for some reason,
+    it might make sense to warn that some previously working SCP operations could stop
+    working.
+    """
+
+    name = 'open_ssh_subsystem_sftp'
+    consumes = (OpenSshConfig, InstalledRedHatSignedRPM,)
+    produces = (Report,)
+    tags = (IPUWorkflowTag, ChecksPhaseTag)
+
+    def process(self):
+        opensshsubsystemsftp.process(self.consume(OpenSshConfig))
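Review bot: `consumes` declares `InstalledRedHatSignedRPM`, but `process` only calls `self.consume(OpenSshConfig)` and the library never receives the RPM facts, so the declaration is either dead or an unfinished intent (for instance to skip the check when `openssh-server` is not installed) — which one cannot be told from this hunk; either drop it or pass the RPM messages through to the library. The class docstring also reads awkwardly ("The both RHEL8 and RHEL9"); `Both RHEL8 and RHEL9 enable the SFTP server by default, but if the user disabled it,` would be clearer.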
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
new file mode 100644
index 00000000..b60c08ca
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
@@ -0,0 +1,47 @@
+from leapp import reporting
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.stdlib import api
+
+
+def process(openssh_messages):
+    config = next(openssh_messages, None)
+    if list(openssh_messages):
+        api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
+    if not config:
+        raise StopActorExecutionError(
+            'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
+        )
+
+    # not modified configuration will get updated by RPM automatically
+    if not config.modified:
+        return
+
+    if not config.subsystem_sftp:
+        resources = [
+            reporting.RelatedResource('package', 'openssh-server'),
+            reporting.RelatedResource('file', '/etc/ssh/sshd_config'),
+            reporting.ExternalLink(
+                title="SCP support in RHEL",
+                url="https://access.redhat.com/articles/5284081",
+            ),
+            # TODO provide a link to documentation or blog post
+        ]
+        reporting.create_report([
+            reporting.Title('OpenSSH configured without SFTP subsystem'),
+            reporting.Summary(
+                'The RHEL9 is changing the default SCP behaviour to use SFTP internally '
+                'so not having SFTP server enabled can prevent interoperability and break existing '
+                'scripts on other systems updated to RHEL9 to copy files to or from this machine.'
+            ),
+            reporting.Remediation(
+                hint='Add the following line to the /etc/ssh/sshd_config to enable SFTP server: '
+                'Subsystem sftp /usr/libexec/openssh/sftp-server'
+            ),
+            reporting.Severity(reporting.Severity.MEDIUM),
+            reporting.Tags([
+                reporting.Tags.AUTHENTICATION,
+                reporting.Tags.SECURITY,
+                reporting.Tags.NETWORK,
+                reporting.Tags.SERVICES
+            ]),
+        ] + resources)
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
new file mode 100644
index 00000000..4e3c2ace
--- /dev/null
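Review bot: `process` has no docstring although it has a non-obvious contract — it drains the `openssh_messages` iterator twice (once with `next`, once with `list`) and raises `StopActorExecutionError` when no message arrives; add `"""Report when a locally modified sshd_config has no sftp Subsystem.` / `openssh_messages: iterator of OpenSshConfig; raises StopActorExecutionError if empty."""`. The guard `if not config.subsystem_sftp:` accepts any non-empty value, so a `Subsystem sftp` line pointing at a binary that does not exist on the upgraded system passes silently; that is probably acceptable for this actor's scope but deserves a comment such as `# any configured subsystem value is accepted; the binary path itself is not validated`. `reporting.Tags.AUTHENTICATION` does not seem to describe an SFTP-subsystem check (SERVICES and NETWORK already cover it) unless the tag drives some grouping not visible here. The Remediation could also tell admins who deliberately keep the SFTP server off that RHEL9 scp retains a legacy protocol mode (`scp -O`), which is the defensible alternative to re-enabling the subsystem.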
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
@@ -0,0 +1,33 @@
+import pytest
+
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.actor import opensshsubsystemsftp
+from leapp.models import OpenSshConfig, Report
+
+
+def test_no_config(current_actor_context):
+    with pytest.raises(StopActorExecutionError):
+        opensshsubsystemsftp.process(iter([]))
+
+
+@pytest.mark.parametrize('modified,subsystem,expected_report', [
+    (False, None, False), # should not happen
+    (False, '/usr/libexec/openssh/sftp-server', False), # Defaults
+    (True, None, True),
+    (True, 'internal-sftp', False),
+    (True, '/usr/libexec/openssh/sftp-server', False)
+])
+def test_subsystem(current_actor_context, modified, subsystem, expected_report):
+    conf = OpenSshConfig(
+        modified=modified,
+        permit_root_login=[],
+        deprecated_directives=[]
+    )
+    if subsystem is not None:
+        conf.subsystem_sftp = subsystem
+    current_actor_context.feed(conf)
+    current_actor_context.run()
+    if expected_report:
+        assert current_actor_context.consume(Report)
+    else:
+        assert not current_actor_context.consume(Report)
-- 
2.35.3
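Review bot: The parametrization in `test_subsystem` never exercises an empty `subsystem_sftp` value, which the library's falsy check treats like a missing one, nor the path where more than one `OpenSshConfig` message is fed and only a warning is logged; adding `(True, '', True)` (if the model accepts an empty string) and a case that feeds two configs would pin both behaviours. `test_no_config` calls the library directly, so its `current_actor_context` parameter is unused and can be dropped. The inline comments in the parametrize list use a single space before `#`; two spaces is the PEP 8 form used elsewhere in the repository, presumably.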