138 lines
5.7 KiB
Diff
138 lines
5.7 KiB
Diff
From 85e1bd3c9366c6e15f53097ff0cd846739beb611 Mon Sep 17 00:00:00 2001
|
|
From: Jakub Jelen <jjelen@redhat.com>
|
|
Date: Thu, 17 Mar 2022 16:01:12 +0100
|
|
Subject: [PATCH 17/39] Warn if the SSHD is not configured to use SFTP server
|
|
|
|
---
|
|
.../actors/opensshsubsystemsftp/actor.py | 22 +++++++++
|
|
.../libraries/opensshsubsystemsftp.py | 47 +++++++++++++++++++
|
|
.../tests/test_opensshsubsystemsftp.py | 33 +++++++++++++
|
|
3 files changed, 102 insertions(+)
|
|
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
|
|
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
|
|
create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
|
|
|
|
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
|
|
new file mode 100644
|
|
index 00000000..14d8b882
|
|
--- /dev/null
|
|
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
|
|
@@ -0,0 +1,22 @@
|
|
+from leapp.actors import Actor
|
|
+from leapp.libraries.actor import opensshsubsystemsftp
|
|
+from leapp.models import InstalledRedHatSignedRPM, OpenSshConfig
|
|
+from leapp.reporting import Report
|
|
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
|
|
+
|
|
+
|
|
+class OpenSshSubsystemSftp(Actor):
|
|
+ """
|
|
+ The RHEL9 changes the SCP to use SFTP protocol internally. The both RHEL8 and RHEL9
|
|
+ enable SFTP server by default, but if the user disabled the SFTP for some reason,
|
|
+ it might make sense to warn that some previously working SCP operations could stop
|
|
+ working.
|
|
+ """
|
|
+
|
|
+ name = 'open_ssh_subsystem_sftp'
|
|
+ consumes = (OpenSshConfig, InstalledRedHatSignedRPM,)
|
|
+ produces = (Report,)
|
|
+ tags = (IPUWorkflowTag, ChecksPhaseTag)
|
|
+
|
|
+ def process(self):
|
|
+ opensshsubsystemsftp.process(self.consume(OpenSshConfig))
|
|
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
|
|
new file mode 100644
|
|
index 00000000..b60c08ca
|
|
--- /dev/null
|
|
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
|
|
@@ -0,0 +1,47 @@
|
|
+from leapp import reporting
|
|
+from leapp.exceptions import StopActorExecutionError
|
|
+from leapp.libraries.stdlib import api
|
|
+
|
|
+
|
|
+def process(openssh_messages):
|
|
+ config = next(openssh_messages, None)
|
|
+ if list(openssh_messages):
|
|
+ api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
|
|
+ if not config:
|
|
+ raise StopActorExecutionError(
|
|
+ 'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
|
|
+ )
|
|
+
|
|
+ # not modified configuration will get updated by RPM automatically
|
|
+ if not config.modified:
|
|
+ return
|
|
+
|
|
+ if not config.subsystem_sftp:
|
|
+ resources = [
|
|
+ reporting.RelatedResource('package', 'openssh-server'),
|
|
+ reporting.RelatedResource('file', '/etc/ssh/sshd_config'),
|
|
+ reporting.ExternalLink(
|
|
+ title="SCP support in RHEL",
|
|
+ url="https://access.redhat.com/articles/5284081",
|
|
+ ),
|
|
+ # TODO provide a link to documentation or blog post
|
|
+ ]
|
|
+ reporting.create_report([
|
|
+ reporting.Title('OpenSSH configured without SFTP subsystem'),
|
|
+ reporting.Summary(
|
|
+ 'The RHEL9 is changing the default SCP behaviour to use SFTP internally '
|
|
+ 'so not having SFTP server enabled can prevent interoperability and break existing '
|
|
+ 'scripts on other systems updated to RHEL9 to copy files to or from this machine.'
|
|
+ ),
|
|
+ reporting.Remediation(
|
|
+ hint='Add the following line to the /etc/ssh/sshd_config to enable SFTP server: '
|
|
+ 'Subsystem sftp /usr/libexec/openssh/sftp-server'
|
|
+ ),
|
|
+ reporting.Severity(reporting.Severity.MEDIUM),
|
|
+ reporting.Tags([
|
|
+ reporting.Tags.AUTHENTICATION,
|
|
+ reporting.Tags.SECURITY,
|
|
+ reporting.Tags.NETWORK,
|
|
+ reporting.Tags.SERVICES
|
|
+ ]),
|
|
+ ] + resources)
|
|
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
|
|
new file mode 100644
|
|
index 00000000..4e3c2ace
|
|
--- /dev/null
|
|
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
|
|
@@ -0,0 +1,33 @@
|
|
+import pytest
|
|
+
|
|
+from leapp.exceptions import StopActorExecutionError
|
|
+from leapp.libraries.actor import opensshsubsystemsftp
|
|
+from leapp.models import OpenSshConfig, Report
|
|
+
|
|
+
|
|
+def test_no_config(current_actor_context):
|
|
+ with pytest.raises(StopActorExecutionError):
|
|
+ opensshsubsystemsftp.process(iter([]))
|
|
+
|
|
+
|
|
+@pytest.mark.parametrize('modified,subsystem,expected_report', [
|
|
+ (False, None, False), # should not happen
|
|
+ (False, '/usr/libexec/openssh/sftp-server', False), # Defaults
|
|
+ (True, None, True),
|
|
+ (True, 'internal-sftp', False),
|
|
+ (True, '/usr/libexec/openssh/sftp-server', False)
|
|
+])
|
|
+def test_subsystem(current_actor_context, modified, subsystem, expected_report):
|
|
+ conf = OpenSshConfig(
|
|
+ modified=modified,
|
|
+ permit_root_login=[],
|
|
+ deprecated_directives=[]
|
|
+ )
|
|
+ if subsystem is not None:
|
|
+ conf.subsystem_sftp = subsystem
|
|
+ current_actor_context.feed(conf)
|
|
+ current_actor_context.run()
|
|
+ if expected_report:
|
|
+ assert current_actor_context.consume(Report)
|
|
+ else:
|
|
+ assert not current_actor_context.consume(Report)
|
|
--
|
|
2.35.3
|
|
|