

No commits in common. "c8" and "c9s" have entirely different histories.
c8 ... c9s

34 changed files with 10150 additions and 2160 deletions

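--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,9 @@
-SOURCES/oscap-anaconda-addon-1.2.1.tar.gz
+/oscap-anaconda-addon-0.2.tar.gz
+/oscap-anaconda-addon-0.3.tar.gz
+/oscap-anaconda-addon-0.4.tar.gz
+/oscap-anaconda-addon-0.5.tar.gz
+/oscap-anaconda-addon-0.6.tar.gz
+/oscap-anaconda-addon-0.7.tar.gz
+/oscap-anaconda-addon-1.0.tar.gz
+/oscap-anaconda-addon-2.0.0.tar.gz
+/addon-dbus-data.zip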



@ -1,206 +0,0 @@
From 8eacfad08b3c27aa9510f2c3337356581bd9bebd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:31:49 +0100
Subject: [PATCH 1/3] Add oscap sanity check before attempting remediation
If something is obviously wrong with the scanner, then don't attempt to remediate
and try to show relevant information in a dialog window.
---
org_fedora_oscap/common.py | 39 ++++++++++++++++++++++++++++--------
org_fedora_oscap/ks/oscap.py | 11 ++++++++++
tests/test_common.py | 8 ++++++++
3 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index 884bbc8..05829ce 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -139,7 +139,8 @@ def execute(self, ** kwargs):
proc = subprocess.Popen(self.args, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, ** kwargs)
except OSError as oserr:
- msg = "Failed to run the oscap tool: %s" % oserr
+ msg = ("Failed to execute command '{command_string}': {oserr}"
+ .format(command_string=command_string, oserr=oserr))
raise OSCAPaddonError(msg)
(stdout, stderr) = proc.communicate()
@@ -215,6 +216,34 @@ def _run_oscap_gen_fix(profile, fpath, template, ds_id="", xccdf_id="",
return proc.stdout
+def do_chroot(chroot):
+ """Helper function doing the chroot if requested."""
+ if chroot and chroot != "/":
+ os.chroot(chroot)
+ os.chdir("/")
+
+
+def assert_scanner_works(chroot, executable="oscap"):
+ args = [executable, "--version"]
+ command = " ".join(args)
+
+ try:
+ proc = subprocess.Popen(
+ args, preexec_fn=lambda: do_chroot(chroot),
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ (stdout, stderr) = proc.communicate()
+ stderr = stderr.decode(errors="replace")
+ except OSError as exc:
+ msg = _(f"Basic invocation '{command}' fails: {str(exc)}")
+ raise OSCAPaddonError(msg)
+ if proc.returncode != 0:
+ msg = _(
+ f"Basic scanner invocation '{command}' exited "
+ "with non-zero error code {proc.returncode}: {stderr}")
+ raise OSCAPaddonError(msg)
+ return True
+
+
def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
chroot=""):
"""
@@ -244,12 +273,6 @@ def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
if not profile:
return ""
- def do_chroot():
- """Helper function doing the chroot if requested."""
- if chroot and chroot != "/":
- os.chroot(chroot)
- os.chdir("/")
-
# make sure the directory for the results exists
results_dir = os.path.dirname(RESULTS_PATH)
if chroot:
@@ -274,7 +297,7 @@ def do_chroot():
args.append(fpath)
proc = SubprocessLauncher(args)
- proc.execute(preexec_fn=do_chroot)
+ proc.execute(preexec_fn=lambda: do_chroot(chroot))
proc.log_messages()
if proc.returncode not in (0, 2):
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index 65d74cf..da1600f 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -488,6 +488,17 @@ def execute(self, storage, ksdata, users, payload):
# selected
return
+ try:
+ common.assert_scanner_works(
+ chroot=conf.target.system_root, executable="oscap")
+ except Exception as exc:
+ msg_lines = [_(
+ "The 'oscap' scanner doesn't work in the installed system: {error}"
+ .format(error=str(exc)))]
+ msg_lines.append(_("As a result, the installed system can't be hardened."))
+ self._terminate("\n".join(msg_lines))
+ return
+
target_content_dir = utils.join_paths(conf.target.system_root,
common.TARGET_CONTENT_DIR)
utils.ensure_dir_exists(target_content_dir)
diff --git a/tests/test_common.py b/tests/test_common.py
index 9f7a16a..4f25379 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -77,6 +77,14 @@ def _run_oscap(mock_subprocess, additional_args):
return expected_args, kwargs
+def test_oscap_works():
+ assert common.assert_scanner_works(chroot="/")
+ with pytest.raises(common.OSCAPaddonError, match="No such file"):
+ common.assert_scanner_works(chroot="/", executable="i_dont_exist")
+ with pytest.raises(common.OSCAPaddonError, match="non-zero"):
+ common.assert_scanner_works(chroot="/", executable="false")
+
+
def test_run_oscap_remediate_profile_only(mock_subprocess, monkeypatch):
return run_oscap_remediate_profile(
mock_subprocess, monkeypatch,
From b54cf2bddba56e5b776fb60514a5e29d47c74cac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:42:31 +0100
Subject: [PATCH 2/3] Don't raise exceptions in execute()
Those result in tracebacks during the installation,
while a dialog window presents a more useful form of user interaction.
---
org_fedora_oscap/ks/oscap.py | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index da1600f..d3f0dbe 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -513,8 +513,9 @@ def execute(self, storage, ksdata, users, payload):
ret = util.execInSysroot("yum", ["-y", "--nogpg", "install",
self.raw_postinst_content_path])
if ret != 0:
- raise common.ExtractionError("Failed to install content "
- "RPM to the target system")
+ msg = _(f"Failed to install content RPM to the target system.")
+ self._terminate(msg)
+ return
elif self.content_type == "scap-security-guide":
# nothing needed
pass
@@ -525,10 +526,15 @@ def execute(self, storage, ksdata, users, payload):
if os.path.exists(self.preinst_tailoring_path):
shutil.copy2(self.preinst_tailoring_path, target_content_dir)
- common.run_oscap_remediate(self.profile_id, self.postinst_content_path,
- self.datastream_id, self.xccdf_id,
- self.postinst_tailoring_path,
- chroot=conf.target.system_root)
+ try:
+ common.run_oscap_remediate(self.profile_id, self.postinst_content_path,
+ self.datastream_id, self.xccdf_id,
+ self.postinst_tailoring_path,
+ chroot=conf.target.system_root)
+ except Exception as exc:
+ msg = _(f"Something went wrong during the final hardening: {str(exc)}.")
+ self._terminate(msg)
+ return
def clear_all(self):
"""Clear all the stored values."""
From 00d770d1b7f8e1f0734e93da227f1c3e445033c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:44:12 +0100
Subject: [PATCH 3/3] Change the error feedback based on the installation mode
The original approach was confusing, because non-interactive installs run without any user input,
and the message assumed that the user is able to answer installer's questions.
---
org_fedora_oscap/ks/oscap.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index d3f0dbe..ef34448 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -372,13 +372,14 @@ def postinst_tailoring_path(self):
self.tailoring_path)
def _terminate(self, message):
- message += "\n" + _("The installation should be aborted.")
- message += " " + _("Do you wish to continue anyway?")
if flags.flags.automatedInstall and not flags.flags.ksprompt:
# cannot have ask in a non-interactive kickstart
# installation
+ message += "\n" + _("Aborting the installation.")
raise errors.CmdlineError(message)
+ message += "\n" + _("The installation should be aborted.")
+ message += " " + _("Do you wish to continue anyway?")
answ = errors.errorHandler.ui.showYesNoQuestion(message)
if answ == errors.ERROR_CONTINUE:
# prevent any futher actions here by switching to the dry


@ -1,39 +0,0 @@
From 1abc4e96638e819d3fbee74396b36a6ccaf0ab29 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 3 Aug 2021 11:01:59 +0200
Subject: [PATCH] Refactor content identification
Don't use the multiprocessing pool - it sometimes creates probems during
its initialization:
https://bugzilla.redhat.com/show_bug.cgi?id=1989441
---
org_fedora_oscap/content_handling.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
index f2af22f..65d5a28 100644
--- a/org_fedora_oscap/content_handling.py
+++ b/org_fedora_oscap/content_handling.py
@@ -111,9 +111,8 @@ def parse_HTML_from_content(content):
def identify_files(fpaths):
- with multiprocessing.Pool(os.cpu_count()) as p:
- labels = p.map(get_doc_type, fpaths)
- return {path: label for (path, label) in zip(fpaths, labels)}
+ result = {path: get_doc_type(path) for path in fpaths}
+ return result
def get_doc_type(file_path):
@@ -131,7 +130,9 @@ def get_doc_type(file_path):
except UnicodeDecodeError:
# 'oscap info' supplied weird output, which happens when it tries
# to explain why it can't examine e.g. a JPG.
- return None
+ pass
+ except Exception as e:
+ log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}: {str(e)}")
log.info("OSCAP addon: Identified {file_path} as {content_type}"
.format(file_path=file_path, content_type=content_type))
return content_type


@ -1,51 +0,0 @@
From 3377a914f4668af3d72216468ae192bc300890f9 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 9 Aug 2021 15:45:58 +0200
Subject: [PATCH 1/2] Fix archive handling in GUI installs
GUI downloads an archive, so the ensuing installation doesn't have to.
However, the installation has to be able to discover files recovered
from the archive.
The fix makes sure that files are discovered also in subdirectories.
---
org_fedora_oscap/content_discovery.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index f6b4d27..5fc7343 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -196,7 +196,8 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
if not dest_filename: # using scap-security-guide
fpaths = [self.DEFAULT_SSG_DATA_STREAM_PATH]
else: # Using downloaded XCCDF/OVAL/DS/tailoring
- fpaths = glob(str(self.CONTENT_DOWNLOAD_LOCATION / "*.xml"))
+ fpaths = pathlib.Path(self.CONTENT_DOWNLOAD_LOCATION).rglob("*")
+ fpaths = [str(p) for p in fpaths if p.is_file()]
else:
dest_filename = pathlib.Path(dest_filename)
# RPM is an archive at this phase
From 191df327e3e51f486fb655e97acac30222c264fa Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 9 Aug 2021 15:48:50 +0200
Subject: [PATCH 2/2] Improve logging
Logs written to log files can contain specific details.
---
org_fedora_oscap/ks/oscap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index d1b8c9e..65d74cf 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -393,7 +393,7 @@ def _terminate(self, message):
time.sleep(100000)
def _handle_error(self, exception):
- log.error("Failed to fetch and initialize SCAP content!")
+ log.error(f"Failed to fetch and initialize SCAP content: {str(exception)}")
if isinstance(exception, ContentCheckError):
msg = _("The integrity check of the security content failed.")


@ -1,202 +0,0 @@
From 08d3da5640e5c16cda4e79cc13ac7921f1ebd964 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 15 Nov 2022 15:37:28 +0100
Subject: [PATCH 1/2] Fix handling of content paths
Archives and ready-to-use content use paths differently.
Archives get unpacked into a directory, where they need to be unpacked,
analyzed, and cross-checked with e.g. the supplied content path,
whereas ready-to-use content can be used directly.
As the current codebase doesn't untangle all possible ways how to obtain
existing content in a way of decomposing those into layers, this change
just makes the current code working at the expense of making it worse to
maintain.
---
org_fedora_oscap/content_discovery.py | 34 ++++++++++++++++++---------
org_fedora_oscap/ks/oscap.py | 6 ++++-
tests/test_content_discovery.py | 21 +++++++++++++++++
3 files changed, 49 insertions(+), 12 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index e9cf34a..2b71b1f 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -25,6 +25,14 @@ def is_network(scheme):
for net_prefix in data_fetch.NET_URL_PREFIXES)
+def path_is_present_among_paths(path, paths):
+ absolute_path = os.path.abspath(path)
+ for second_path in paths:
+ if absolute_path == os.path.abspath(second_path):
+ return True
+ return False
+
+
class ContentBringer:
CONTENT_DOWNLOAD_LOCATION = pathlib.Path(common.INSTALLATION_CONTENT_DIR)
DEFAULT_SSG_DATA_STREAM_PATH = f"{common.SSG_DIR}/{common.SSG_CONTENT}"
@@ -170,7 +178,7 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
raise content_handling.ContentCheckError(msg)
def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
- expected_tailoring = self._addon_data.tailoring_path
+ expected_tailoring = self._addon_data.preinst_tailoring_path
tailoring_label = CONTENT_TYPES["TAILORING"]
if expected_tailoring:
labelled_files = self.reduce_files(labelled_files, expected_tailoring, [tailoring_label])
@@ -182,7 +190,7 @@ def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
return labelled_files
def filter_discovered_content(self, labelled_files):
- expected_path = self._addon_data.content_path
+ expected_path = self._addon_data.preinst_content_path
categories = (CONTENT_TYPES["DATASTREAM"], CONTENT_TYPES["XCCDF_CHECKLIST"])
if expected_path:
labelled_files = self.reduce_files(labelled_files, expected_path, categories)
@@ -198,7 +206,7 @@ def filter_discovered_content(self, labelled_files):
def reduce_files(self, labelled_files, expected_path, categories):
reduced_files = dict()
- if expected_path not in labelled_files:
+ if not path_is_present_among_paths(expected_path, labelled_files.keys()):
msg = (
f"Expected a file {expected_path} to be part of the supplied content, "
f"but it was not the case, got only {list(labelled_files.keys())}"
@@ -225,13 +233,9 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content.add_content_archive(dest_filename)
labelled_filenames = content_handling.identify_files(fpaths)
- labelled_relative_filenames = {
- os.path.relpath(path, self.CONTENT_DOWNLOAD_LOCATION): label
- for path, label in labelled_filenames.items()}
- labelled_relative_filenames = self.filter_discovered_content(labelled_relative_filenames)
+ labelled_filenames = self.filter_discovered_content(labelled_filenames)
- for rel_fname, label in labelled_relative_filenames.items():
- fname = self.CONTENT_DOWNLOAD_LOCATION / rel_fname
+ for fname, label in labelled_filenames.items():
structured_content.add_file(str(fname), label)
if fingerprint and dest_filename:
@@ -274,11 +278,18 @@ def use_downloaded_content(self, content):
# We know that we have ended up with a datastream-like content,
# but if we can't convert an archive to a datastream.
# self._addon_data.content_type = "datastream"
- self._addon_data.content_path = str(preferred_content.relative_to(content.root))
+ content_type = self._addon_data.content_type
+ if content_type in ("archive", "rpm"):
+ self._addon_data.content_path = str(preferred_content.relative_to(content.root))
+ else:
+ self._addon_data.content_path = str(preferred_content)
preferred_tailoring = self.get_preferred_tailoring(content)
if content.tailoring:
- self._addon_data.tailoring_path = str(preferred_tailoring.relative_to(content.root))
+ if content_type in ("archive", "rpm"):
+ self._addon_data.tailoring_path = str(preferred_tailoring.relative_to(content.root))
+ else:
+ self._addon_data.tailoring_path = str(preferred_tailoring)
def use_system_content(self, content=None):
self._addon_data.clear_all()
@@ -372,6 +383,7 @@ def _xccdf_content(self):
def find_expected_usable_content(self, relative_expected_content_path):
content_path = self.root / relative_expected_content_path
+ content_path = content_path.resolve()
eligible_main_content = (self._datastream_content(), self._xccdf_content())
if content_path in eligible_main_content:
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
index dac273d..7d4a131 100644
--- a/org_fedora_oscap/ks/oscap.py
+++ b/org_fedora_oscap/ks/oscap.py
@@ -179,7 +179,11 @@ def _parse_profile_id(self, value):
self.profile_id = value
def _parse_content_path(self, value):
- # need to be checked?
+ if self.content_type in ("archive", "rpm") and os.path.isabs(self.content_path):
+ msg = (
+ "When using archives-like content input, the corresponding content path "
+ "has to be relative, but got '{self.content_path}'.")
+ raise KickstartValueError(msg)
self.content_path = value
def _parse_cpe_path(self, value):
diff --git a/tests/test_content_discovery.py b/tests/test_content_discovery.py
index 5463c9a..d6e14d9 100644
--- a/tests/test_content_discovery.py
+++ b/tests/test_content_discovery.py
@@ -1,3 +1,5 @@
+import os
+
import pytest
import org_fedora_oscap.content_discovery as tested_module
@@ -46,3 +48,22 @@ def test_reduce(labelled_files):
reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
assert reduced == labelled_files
+
+
+def test_path_presence_detection():
+ list_of_paths = ["file1", os.path.abspath("file2"), os.path.abspath("dir///file3")]
+
+ list_of_paths_in_list = [
+ "file1", os.path.abspath("file1"), "./file1",
+ "file2", "dir/..//file2",
+ "dir/../dir/file3", "dir/file3",
+ ]
+ list_of_paths_not_in_list = [
+ "../file1", "file3"
+ ]
+
+ for path in list_of_paths_in_list:
+ assert tested_module.path_is_present_among_paths(path, list_of_paths)
+
+ for path in list_of_paths_not_in_list:
+ assert not tested_module.path_is_present_among_paths(path, list_of_paths)
From 786ec5d90d12a1321fbff86f5d8d4a534059ad22 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 16 Nov 2022 15:35:09 +0100
Subject: [PATCH 2/2] Compare paths according to their equivalence
not according their arbitrary string form
---
org_fedora_oscap/content_discovery.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 2b71b1f..42c61e0 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -25,10 +25,14 @@ def is_network(scheme):
for net_prefix in data_fetch.NET_URL_PREFIXES)
+def paths_are_equivalent(p1, p2):
+ return os.path.abspath(p1) == os.path.abspath(p2)
+
+
def path_is_present_among_paths(path, paths):
absolute_path = os.path.abspath(path)
for second_path in paths:
- if absolute_path == os.path.abspath(second_path):
+ if paths_are_equivalent(path, second_path):
return True
return False
@@ -213,7 +217,7 @@ def reduce_files(self, labelled_files, expected_path, categories):
)
raise RuntimeError(msg)
for path, label in labelled_files.items():
- if label in categories and path != expected_path:
+ if label in categories and not paths_are_equivalent(path, expected_path):
continue
reduced_files[path] = label
return reduced_files


@ -1,424 +0,0 @@
# Patch0 applies correctly but with mismatch and we dont't want backup file
%global _default_patch_flags --no-backup-if-mismatch
Name: oscap-anaconda-addon
Version: 1.2.1
Release: 14%{?dist}
Summary: Anaconda addon integrating OpenSCAP to the installation process
License: GPLv2+
URL: https://github.com/OpenSCAP/oscap-anaconda-addon
# This is a Red Hat maintained package which is specific to
# our distribution.
#
# The source is thus available only from within this SRPM
# or via direct git checkout:
# git clone https://github.com/OpenSCAP/oscap-anaconda-addon.git
Source0: %{name}-%{version}.tar.gz
# Let the Patch1 be reserved for translations patches
Patch1: lang.patch
Patch2: oscap-anaconda-addon-1.2.2-content_ident-PR_167.patch
Patch3: oscap-anaconda-addon-1.2.2-deep_archives-PR_168.patch
Patch4: oscap-anaconda-addon-1.2.2-absent_appstream-PR_184.patch
Patch5: oscap-anaconda-addon-1.3.0-better_archive_handling-PR_220.patch
Patch6: oscap-anaconda-addon-1.3.0-clicking_nocrash-PR_221.patch
Patch7: oscap-anaconda-addon-1.3.0-fix_content_paths-PR_225.patch
Patch8: oscap-anaconda-addon-null-http_content_url-PR_232.patch
Patch9: oscap-anaconda-addon-1.2.2-tar-extraction-PR_249.patch
BuildArch: noarch
BuildRequires: make
BuildRequires: gettext
BuildRequires: python3-devel
BuildRequires: python3-pycurl
BuildRequires: openscap openscap-utils openscap-python3
BuildRequires: anaconda-core >= 33
Requires: anaconda-core >= 33
Requires: python3-cpio
Requires: python3-pycurl
Requires: python3-kickstart
Requires: openscap openscap-utils openscap-python3
Requires: scap-security-guide
%description
This is an addon that integrates OpenSCAP utilities with the Anaconda installer
and allows installation of systems following restrictions given by a SCAP
content.
%prep
%setup -q -n %{name}-%{version}
# As patches may translates the strings that are updated by later patches,
# Patch1 needs to be aplied last.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
# NOTE CONCERNING TRANSLATION PATCHES
# When preparing translation patches, don't consider that some languages are unsupported -
# we aim to include all applicable translation texts to the appropriate patch.
# This has consulted with ljanda@redhat.com, and we basically follow the existing practice of the Anaconda project we integrate into.
%build
#%check
#make test
%install
make install DESTDIR=%{buildroot}
%find_lang %{name}
%files -f %{name}.lang
%{_datadir}/anaconda/addons/org_fedora_oscap
%doc COPYING ChangeLog README.md
%changelog
* Wed Aug 02 2023 Jan Černý <jcerny@redhat.com> - 1.2.1-14
- Rebuild after tests update
* Wed Jul 19 2023 Jan Černý <jcerny@redhat.com> - 1.2.1-13
- Fix tar file extraction (rhbz#2219408)
- Update translations (rhbz#2189572)
* Wed Feb 08 2023 Matej Tyc <matyc@redhat.com> - 1.2.1-12
- Update translations
Resolves: rhbz#2139743
* Mon Jan 23 2023 Matej Tyc <matyc@redhat.com> - 1.2.1-11
- Fix a reaction to invalid content URI
Resolves: rhbz#2148509
* Wed Nov 23 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-10
- Fix regression introduced when fixing content archive input
Resolves: rhbz#2129008
* Thu Nov 10 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-9
- Fix problems with handling multi-datastream archives
Resolves: rhbz#2129008
- Fix a crash when compulsively clicking in the GUI
Resolves: rhbz#2000998
* Wed Jul 20 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-8
- Update translations
Resolves: rhbz#2062707
* Fri Jun 10 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-7
- Remove the firstboot remediation feature completely.
We can't have it, while maintaining the standard UX.
Resolves: rhbz#2063179
* Mon Mar 21 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-6
- Introduce the firstboot remediation
Resolves: rhbz#1834716
- Add better error handling of installation using unsupported installation sources
Resolves: rhbz#2007981
* Fri Jan 21 2022 Matej Tyc <matyc@redhat.com> - 1.2.1-5
- Updated translations
Resolves: rhbz#2017356
* Fri Aug 20 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-4
- Updated translations
Resolves: rhbz#1962007
* Mon Aug 09 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-3
- Fix handling of archives with directories in GUI installs
- Resolves: rhbz#1691305
* Tue Aug 03 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-2
- Refactor content identification
- Resolves: rhbz#1989441
* Fri Jul 30 2021 Matej Tyc <matyc@redhat.com> - 1.2.1-1
- Rebase to the new upstream version.
- Resolves: rhbz#1691305
* Fri Jul 16 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-2
- Updated translations
- Resolves: rhbz#1938623
* Fri Jun 25 2021 Matej Tyc <matyc@redhat.com> - 1.2.0-1
- Rebase to the new upstream version.
- Resolves: rhbz#1691305
* Mon Feb 15 2021 Matej Tyc <matyc@redhat.com> - 1.1.1-7
- Updated translations.
* Wed Nov 11 11:46:56 CET 2020 Matej Tyc <matyc@redhat.com> - 1.1.1-6
- Improved handling of conflicts between packages removed vs software wanted to be installed - rhbz#1892310
* Tue Aug 18 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-5
- Fixed issues with encountering filenames with weird encoding during scans - rhbz#1867960
* Thu Jul 09 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-4
- Fixed spoke window text: RHBZ#1855041
* Fri Jun 26 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-3
- Updated translations: RHBZ#1820557
* Mon Jun 22 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-2
- Fixed issues addressing combination of profiles and GUI-based software selections: RHBZ#1843932, RHBZ#1787156
- Improved handling of languages, capitalization: RHBZ#1696278
- Updated translations: RHBZ#1820557
* Tue Jun 02 2020 Matěj Týč <matyc@redhat.com> - 1.1.1-1
- Rebase to upstream 1.1.1
- This OAA is compatible with the RHEL 8.3 Anaconda: RHBZ#1696278
- The UX has been improved: RHBZ#1781790
* Mon Sep 02 2019 Watson Sato <wsato@redhat.com> - 1.0-10
- Do not use capital letters for spoke title: RHBZ#1744185
- Updated translations
* Wed Feb 13 2019 Matěj Týč <matyc@redhat.com> - 1.0-9
- Updated translations: RHBZ#1645924
* Fri Feb 08 2019 Watson Yuuma Sato <wsato@redhat.com> - 1.0-8
- Fixed translation of spoke title: RHBZ#1673044
* Fri Jan 18 2019 Matěj Týč <matyc@redhat.com> - 1.0-7
- Fixed bootloader-related Anaconda API usage: RHBZ#1664036
- Fixed root password-related Anaconda API usage: RHBZ#1665551
- Fixed checksum-related Python2->3 issue: RHBZ#1665147
* Thu Jan 17 2019 Matěj Týč <matyc@redhat.com> - 1.0-6
- Updated translations: RHBZ#1645924
* Mon Dec 17 2018 Matěj Týč <matyc@redhat.com> - 1.0-5
- Applied the HelpFile -> help_id patch
* Fri Dec 14 2018 Matěj Týč <matyc@redhat.com> - 1.0-4
- Updated translations: RHBZ#1608331, RHBZ#1645924
* Wed Oct 10 2018 Matěj Týč <matyc@redhat.com> - 1.0-3
- Updated to the latest Anaconda API: RHBZ#1637635
- Added updated translations: RHBZ#1608331
* Mon Oct 01 2018 Matěj Týč <matyc@redhat.com> - 1.0-2
- Added the missing pycurl dependency.
* Tue Jul 03 2018 Matěj Týč <matyc@redhat.com> - 1.0-1
- Rebased to upstream version 1.0
- Python3 support, anaconda 28 support.
* Tue Dec 12 2017 Watson Yuuma Sato <wsato@redhat.com> - 0.8-3
- Return empty string when there is no tailoring file
Resolves: rhbz#1520276
* Mon Dec 11 2017 Watson Sato <wsato@redhat.com> - 0.8-2
- Add japanese translation
- Update other translations
Resolves: rhbz#1481190
- Fix selection of RHEL datastream
Resolves: rhbz#1520358
* Mon Nov 27 2017 Watson Sato <wsato@redhat.com> - 0.8-1
- Rebase to the upstream version 0.8
Related: rhbz#1472419
* Tue May 30 2017 Watson Sato <wsato@redhat.com> - 0.7-15
- Add japanese translation
- Update other translations
Resolves: rhbz#1383181
* Thu Apr 20 2017 Raphael Sanchez Prudencio <rsprudencio@redhat.com> - 0.7-14
- Fixed gtk warning messages when anaconda is starting.
Resolves: rhbz#1437106
* Tue Mar 28 2017 Martin Preisler <mpreisle@redhat.com> - 0.7-13
- Avoid long delay before a GeoIP related timeout in case internet is not available
Resolves: rhbz#1379479
* Tue Sep 13 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-12
- Properly handle tailoring files for datastreams
Resolves: rhbz#1364929
* Thu Aug 25 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-11
- Don't require blank stderr when running the oscap tool
Resolves: rhbz#1360765
- Beware of the invalid profiles
Resolves: rhbz#1365130
- Properly set the seen property for root passwords
Resolves: rhbz#1357603
* Thu Jun 30 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-10
- Clear spoke's info before setting an error
Resolves: rhbz#1349446
* Wed Jun 1 2016 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-9
- Use the System hub category provided by Anaconda
Resolves: rhbz#1269211
- Wait for Anaconda to settle before evaluation
Resolves: rhbz#1265552
- Make the changes overview scrollable and smaller
Related: rhbz#1263582
- Make the list of profiles scrollable
Resolves: rhbz#1263582
- Do not try to create a single file multiple times
Related: rhbz#1263315
- Avoid crashes on extraction errors
Resolves: rhbz#1263315
- Disable GPG checks when installing content to the system
Resolves: rhbz#1263216
- Allow fixing root password in graphical installations
Resolves: rhbz#1265116
- Enforce the minimal root password length
Resolves: rhbz#1238281
- Just report misconfiguration instead of crashing in text mode
Resolves: rhbz#1263207
- Do not verify SSL if inst.noverifyssl was given
Resolves: rhbz#1263257
- Also catch data_fetch.DataFetchError when trying to get content
Resolves: rhbz#1263239
- Use new method signature with payload class
Related: rhbz#1288636
* Wed Sep 16 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-8
- Do not remove the root password behind user's back
Resolves: rhbz#1263254
* Mon Sep 7 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-7
- Completely skip the execute() part if no profile is selected
Resolves: rhbz#1254973
* Mon Aug 24 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-6
- Specify the name of the help content file
Resolves: rhbz#1254884
- Skip files unrecognized by the 'oscap info' command
Resolves: rhbz#1255075
- Only allow DS and XCCDF ID selection if it makes sense
Resolves: rhbz#1254876
* Tue Aug 4 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-5
- Make sure DS and XCCDF ID lists are correctly refreshed
Resolves: rhbz#1240946
- Make sure the DS and XCCDF ID combo boxes are visible for DS content
Resolves: rhbz#1249951
- Try to load the OSCAP session early for DS content
Resolves: rhbz#1247654
- Test preinst_content_path before raw_preinst_content_path
Resolves: rhbz#1249937
- Clear any error if switching to the dry-run mode
Related: rhbz#1247677
- Do not continue with and invalid profile ID
Resolves: rhbz#1247677
- Cover all potential places with a non-main thread changing Gtk stuff
Resolves: rhbz#1240967
* Thu Jul 23 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-4
- Better handle and report erroneous states
Resolves: rhbz#1241064
- Make sure (some more) GUI actions run in the main thread
Resolves: rhbz#1240967
- Beware of RPM->cpio entries' paths having absolute paths
Related: rhbz#1241064
- Only output the kickstart section with content and profile set
Resolves: rhbz#1241395
- Just report integrity check failure instead of traceback
Resolves: rhbz#1240710
- Properly react on download/loading issues in text+kickstart mode
Related: rhbz#1240710
- Fetch and process the content even if GUI doesn't take care of it
Resolves: rhbz#1240625
* Tue Jul 7 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-3
- Do not output redundant/invalid fields for the SSG content (vpodzime)
Resolves: rhbz#1240285
- Better handle unsupported URL types (vpodzime)
Resolves: rhbz#1232631
- React better on network issues (vpodzime)
Resolves: rhbz#1236657
- Improve the description of the default profile (vpodzime)
Resolves: rhbz#1238080
- Use the openscap-scanner package instead of openscap-utils (vpodzime)
Resolves: rhbz#1240249
- Better handle the case with no profile selected (vpodzime)
Resolves: rhbz#1235750
- Add newline and one blank line after the %%addon section (vpodzime)
Resolves: rhbz#1238267
- Word-wrap profile descriptions (vpodzime)
Resolves: rhbz#1236644
* Wed Jun 17 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-2
- Add gettext to BuildRequires (vpodzime)
Related: rhbz#1204640
* Tue Jun 16 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-1
- Rebase to the upstream version 0.7
Related: rhbz#1204640
* Tue Apr 28 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-1
- Rebase to the upstream version 0.6
Resolves: rhbz#1204640
* Mon Aug 04 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.4-3
- Don't distribute backup files
Resolves: rhbz#1065906
* Wed Jan 15 2014 Vratislav Podizmek <vpodzime@redhat.com> - 0.4-2
- Skip running tests on RHEL builds
Related: rhbz#1035662
* Tue Jan 14 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.4-1
- Beware of running Gtk actions from a non-main thread
- Fix path to the tailoring file when getting rules
- A git hook for running tests when pushing
- Inform user if no profile is selected
- Visually mark the selected profile
- Better UX with content URL entry and progress label
- React on invalid content properly (#1032846)
- Stop spinner when data fetching is finished
- Make the data fetching thread non-fatal (#1049989)
- Exit code 2 from the oscap tool is not an error for us (#1050913)
- Be ready to work with archives/RPMs containing data streams
- Add unit tests for the keep_type_map function
- Add support for namedtuples to keep_type_map
- Add target for running pylint check
- Add target for running just unittests
- On the way to tailoring
- Tests for kickstart XCCDF tailoring handling
- Kickstart support for XCCDF tailoring
- Check session validity also when using XCCDF benchmark
* Tue Dec 10 2013 Vratislav Podzimek <vpodzime@redhat.com> - 0.3-1
- Implement and use our own better function for joining paths
- The content entry should have focus if there is no content
- RPM is just a weird archive in the pre-installation phase
- Ignore RPM files as well
- Adapt tests to dir constants now ending with "/"
- CpioArchive cannot be created from a piped output
- Fix namespace definitions in the testing XCCDF file
- Prevent putting None into xccdf_session_is_sds
- Fix the __all__ variable in the common module
- Strip content dir prefix when setting xccdf/cpe paths
- Inform user we now support archive URLs as well
- Ignore various file types in the git repository
- Try to find content files in the fetched archive or RPM
- Run pylint -E as part of the test target
- Return list of extracted files/directories when extracting archive
- Do not try to search for empty file paths in archives
- Properly set the content type based on the URL's suffix
- Switch profiles on double-click
- Hook urlEntry's activate signal to fetchButton click
- Save the spoke's glade file with a new Glade
- The addon now requires the python-cpio package
- Use really_hide for the UI elements for datastream-id and xccdf-id
- Support for RPM content in the GUI spoke
- RPM content support for kickstart processing
- Add property for the raw post-installation content path
- Make content type case insensitive
- Rest of the code needed for RPM extraction
- Actually look for the file path in entry names
- Basic stuff needed for the RPM content support
- Run tests in paralel
- Specify files in a better way in spec
* Mon Oct 21 2013 Vratislav Podzimek <vpodzime@redhat.com> - 0.2-1
- Initial RPM for the oscap-anaconda-addon

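--- /dev/null
+++ b/gating.yaml
@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+- rhel-9
+decision_context: osci_compose_gate
+rules:
+- !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}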

8040
lang.patch Normal file

File diff suppressed because it is too large Load Diff


@ -0,0 +1,39 @@
From 20843d815a82d10cba773f4e10e9a45c57d5e12e Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 18 Aug 2021 10:54:20 +0200
Subject: [PATCH] Don't show the OSCAP spoke if the OSCAP DBus module is
disabled
Add-ons can be disabled in the Anaconda configuration files. Without the fix,
the OSCAP DBus module is started on demand by the OSCAP spoke even though it
shouldn't be activated. In the future, it will result in a failure of the
installer.
Related: rhbz#1994003
---
org_fedora_oscap/gui/spokes/oscap.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 36c8d7a..fe26076 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -36,6 +36,7 @@
from org_fedora_oscap.structures import PolicyData
from pyanaconda.modules.common.constants.services import USERS
+from pyanaconda.modules.common.util import is_module_available
from pyanaconda.threading import threadMgr, AnacondaThread
from pyanaconda.ui.gui.spokes import NormalSpoke
from pyanaconda.ui.communication import hubQ
@@ -203,6 +204,10 @@ class OSCAPSpoke(NormalSpoke):
# as it is displayed inside the spoke as the spoke label,
# and spoke labels are all uppercase by a convention.
+ @classmethod
+ def should_run(cls, environment, data):
+ return is_module_available(OSCAP)
+
# methods defined by API and helper methods #
def __init__(self, data, storage, payload):
"""
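Review bot: `should_run` on line 888 has no docstring, although the neighbouring `__init__` on line 892 opens one, so the overridden hook documents neither what `environment` and `data` are nor that they are intentionally unused. A one-line docstring such as `"""Show the spoke only when the OSCAP DBus module is enabled in the Anaconda configuration."""` would keep the class's API methods consistent. The `OSCAP` name passed to `is_module_available` is not imported in this hunk; presumably it is already in scope in the spoke module. The enclosing class continues outside the hunk.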


@ -0,0 +1,191 @@
From c92205d5a5c788eeac84a6e67956a3e0540ab565 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:31:49 +0100
Subject: [PATCH 1/2] Add oscap sanity check before attempting remediation
If something is obviously wrong with the scanner, then don't attempt to remediate
and try to show relevant information in a dialog window.
---
org_fedora_oscap/common.py | 39 +++++++++++++++++++-----
org_fedora_oscap/service/installation.py | 11 +++++++
tests/test_common.py | 8 +++++
tests/test_installation.py | 3 +-
4 files changed, 52 insertions(+), 9 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index c432168..eeb27fc 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -171,7 +171,8 @@ def execute(self, ** kwargs):
proc = subprocess.Popen(self.args, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, ** kwargs)
except OSError as oserr:
- msg = "Failed to run the oscap tool: %s" % oserr
+ msg = ("Failed to execute command '{command_string}': {oserr}"
+ .format(command_string=command_string, oserr=oserr))
raise OSCAPaddonError(msg)
(stdout, stderr) = proc.communicate()
@@ -247,6 +248,34 @@ def _run_oscap_gen_fix(profile, fpath, template, ds_id="", xccdf_id="",
return proc.stdout
+def do_chroot(chroot):
+ """Helper function doing the chroot if requested."""
+ if chroot and chroot != "/":
+ os.chroot(chroot)
+ os.chdir("/")
+
+
+def assert_scanner_works(chroot, executable="oscap"):
+ args = [executable, "--version"]
+ command = " ".join(args)
+
+ try:
+ proc = subprocess.Popen(
+ args, preexec_fn=lambda: do_chroot(chroot),
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+ (stdout, stderr) = proc.communicate()
+ stderr = stderr.decode(errors="replace")
+ except OSError as exc:
+ msg = _(f"Basic invocation '{command}' fails: {str(exc)}")
+ raise OSCAPaddonError(msg)
+ if proc.returncode != 0:
+ msg = _(
+ f"Basic scanner invocation '{command}' exited "
+ "with non-zero error code {proc.returncode}: {stderr}")
+ raise OSCAPaddonError(msg)
+ return True
+
+
def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
chroot=""):
"""
@@ -276,12 +305,6 @@ def run_oscap_remediate(profile, fpath, ds_id="", xccdf_id="", tailoring="",
if not profile:
return ""
- def do_chroot():
- """Helper function doing the chroot if requested."""
- if chroot and chroot != "/":
- os.chroot(chroot)
- os.chdir("/")
-
# make sure the directory for the results exists
results_dir = os.path.dirname(RESULTS_PATH)
if chroot:
@@ -306,7 +329,7 @@ def do_chroot():
args.append(fpath)
proc = SubprocessLauncher(args)
- proc.execute(preexec_fn=do_chroot)
+ proc.execute(preexec_fn=lambda: do_chroot(chroot))
proc.log_messages()
if proc.returncode not in (0, 2):
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index 2da8559..d909c44 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -239,6 +239,17 @@ def name(self):
def run(self):
"""Run the task."""
+ try:
+ common.assert_scanner_works(
+ chroot=self._sysroot, executable="oscap")
+ except Exception as exc:
+ msg_lines = [_(
+ "The 'oscap' scanner doesn't work in the installed system: {error}"
+ .format(error=str(exc)))]
+ msg_lines.append(_("As a result, the installed system can't be hardened."))
+ terminate("\n".join(msg_lines))
+ return
+
common.run_oscap_remediate(
self._policy_data.profile_id,
self._target_content_path,
diff --git a/tests/test_common.py b/tests/test_common.py
index 9f7a16a..4f25379 100644
--- a/tests/test_common.py
+++ b/tests/test_common.py
@@ -77,6 +77,14 @@ def _run_oscap(mock_subprocess, additional_args):
return expected_args, kwargs
+def test_oscap_works():
+ assert common.assert_scanner_works(chroot="/")
+ with pytest.raises(common.OSCAPaddonError, match="No such file"):
+ common.assert_scanner_works(chroot="/", executable="i_dont_exist")
+ with pytest.raises(common.OSCAPaddonError, match="non-zero"):
+ common.assert_scanner_works(chroot="/", executable="false")
+
+
def test_run_oscap_remediate_profile_only(mock_subprocess, monkeypatch):
return run_oscap_remediate_profile(
mock_subprocess, monkeypatch,
diff --git a/tests/test_installation.py b/tests/test_installation.py
index 5749a94..f819c3b 100644
--- a/tests/test_installation.py
+++ b/tests/test_installation.py
@@ -115,4 +115,5 @@ def test_remediate_system_task(sysroot_path, content_path, tailoring_path):
)
assert task.name == "Remediate the system"
- task.run()
+ with pytest.raises(installation.NonCriticalInstallationError, match="No such file"):
+ task.run()
From ea2dbf5017445875b1c0e4ee27899c8dde292c98 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 3 Jan 2022 17:42:31 +0100
Subject: [PATCH 2/2] Don't raise exceptions in execute()
Those result in tracebacks during the installation,
while a dialog window presents a more useful form of user interaction.
---
org_fedora_oscap/service/installation.py | 27 ++++++++++++++----------
1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index d909c44..290da40 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -210,9 +210,9 @@ def run(self):
)
if ret != 0:
- raise common.ExtractionError(
- "Failed to install content RPM to the target system"
- )
+ msg = _(f"Failed to install content RPM to the target system.")
+ terminate(msg)
+ return
else:
pattern = utils.join_paths(common.INSTALLATION_CONTENT_DIR, "*")
utils.universal_copy(pattern, target_content_dir)
@@ -250,11 +250,16 @@ def run(self):
terminate("\n".join(msg_lines))
return
- common.run_oscap_remediate(
- self._policy_data.profile_id,
- self._target_content_path,
- self._policy_data.datastream_id,
- self._policy_data.xccdf_id,
- self._target_tailoring_path,
- chroot=self._sysroot
- )
+ try:
+ common.run_oscap_remediate(
+ self._policy_data.profile_id,
+ self._target_content_path,
+ self._policy_data.datastream_id,
+ self._policy_data.xccdf_id,
+ self._target_tailoring_path,
+ chroot=self._sysroot
+ )
+ except Exception as exc:
+ msg = _(f"Something went wrong during the final hardening: {str(exc)}.")
+ terminate(msg)
+ return
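Review bot: The second literal of the error message on lines 947-948 is not an f-string, so `{proc.returncode}` and `{stderr}` reach the user verbatim instead of the exit code and the scanner's output, and the test on line 1006 only matches `non-zero`, so it would not notice. Both messages in `assert_scanner_works` are also wrapped in `_()` after interpolation, which means they can never match a translation catalogue — the same defect the "Fix strings for translations" patch further down this page corrects in rule_handling.py. The conventional form is `msg = _("Basic scanner invocation '{command}' exited with non-zero error code {code}: {stderr}").format(command=command, code=proc.returncode, stderr=stderr)`, and likewise for the OSError branch on line 943. Separately, the new `preexec_fn=lambda: do_chroot(chroot)` on line 938 repeats a pattern the file already uses, but the subprocess documentation states that `preexec_fn` is not safe in a multi-threaded process, which the installer appears to be; a short comment acknowledging that would help the next reader.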


@ -0,0 +1,14 @@
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index bc14ef1..ccfe6c8 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -225,7 +225,8 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
if not dest_filename: # using scap-security-guide
fpaths = [self.DEFAULT_SSG_DATA_STREAM_PATH]
else: # Using downloaded XCCDF/OVAL/DS/tailoring
- fpaths = glob(str(self.CONTENT_DOWNLOAD_LOCATION / "*.xml"))
+ fpaths = pathlib.Path(self.CONTENT_DOWNLOAD_LOCATION).rglob("*")
+ fpaths = [str(p) for p in fpaths if p.is_file()]
else:
dest_filename = pathlib.Path(dest_filename)
# RPM is an archive at this phase
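Review bot: The replacement on lines 1085-1086 widens the candidate set from `*.xml` in the download directory to every regular file beneath it, recursively, while the comment on line 1083 still reads `# Using downloaded XCCDF/OVAL/DS/tailoring`. No commit message accompanies this patch and nothing on the page explains the widening; if non-XML content is now expected here, the comment should say so, e.g. `# Using downloaded content: any regular file under the download dir may be XCCDF/OVAL/DS/tailoring`. The first `fpaths` assignment is a lazy generator consumed by the comprehension on the next line, so the intermediate name could be dropped. `_gather_available_files` starts and ends outside the hunk.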


@ -0,0 +1,22 @@
From c72b95146650b0debc36b8da546b60a9d5482ab3 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 15 Oct 2021 15:28:24 +0200
Subject: [PATCH] Fix bad destination for the parsed content fingerprint
---
org_fedora_oscap/service/kickstart.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index d6f22ac..dc1a100 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -140,7 +140,7 @@ def _parse_fingerprint(self, value):
msg = "Unsupported fingerprint"
raise KickstartValueError(msg)
- self.fingerprint = value
+ self.policy_data.fingerprint = value
def _parse_certificates(self, value):
self.policy_data.certificates = value


@ -0,0 +1,35 @@
From 7fdd6b28705a5c9ab5b836840ae521715ed6f893 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Wed, 6 Nov 2024 12:05:39 +0100
Subject: [PATCH] Do not rely on hashlib.algorithms_available
An algorithm could be a part of hashlib.algorithms_available set,
but still uninstantiatable in current runtime configuration.
See: https://github.com/python/cpython/issues/91257.
---
org_fedora_oscap/utils.py | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py
index 26fe40d..c05afe5 100644
--- a/org_fedora_oscap/utils.py
+++ b/org_fedora_oscap/utils.py
@@ -148,7 +148,16 @@ def get_hashing_algorithm(fingerprint):
expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}
available_hash_ids = expected_hash_ids.intersection(hashlib.algorithms_available)
- hashes = (hashlib.new(hash_id) for hash_id in available_hash_ids)
+
+ hashes = []
+ for hash_id in available_hash_ids:
+ try:
+ hash_obj = hashlib.new(hash_id)
+ hashes.append(hash_obj)
+ except ValueError as e:
+ # We have an unavailable algorithm, that is a part of hashlib.algorithms_available,
+ # for example see https://github.com/python/cpython/issues/91257.
+ pass
if len(fingerprint) % 2 == 1:
return None
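Review bot: `except ValueError as e:` on line 1140 binds `e` but never uses it, and the comment followed by a bare `pass` is the only record that an algorithm was skipped; linters will flag the unused name. Drop the binding (`except ValueError:`) and, if utils.py has a logger in scope (not visible here), emit a debug line naming the skipped `hash_id`, so an algorithm disabled by the runtime configuration (the FIPS case the page mentions) shows up in the installer log instead of vanishing silently. `get_hashing_algorithm` begins outside the hunk.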


@ -0,0 +1,83 @@
From fa02df9da7ce26dcd8051df541bf6d1da52dd849 Mon Sep 17 00:00:00 2001
From: Evgeny Kolesnikov <ekolesni@redhat.com>
Date: Fri, 4 Oct 2024 14:15:13 +0200
Subject: [PATCH] Do not assume availability of hashing algorithms in hashlib
Particular offender at this moment is 'md5', which is not available
in FIPS build of Python.
---
org_fedora_oscap/utils.py | 5 +++--
tests/test_utils.py | 38 ++++++++++++++++++++++++++++++++------
2 files changed, 35 insertions(+), 8 deletions(-)
diff --git a/org_fedora_oscap/utils.py b/org_fedora_oscap/utils.py
index 3be83254..26fe40df 100644
--- a/org_fedora_oscap/utils.py
+++ b/org_fedora_oscap/utils.py
@@ -146,8 +146,9 @@ def get_hashing_algorithm(fingerprint):
"""
- hashes = (hashlib.md5(), hashlib.sha1(), hashlib.sha224(),
- hashlib.sha256(), hashlib.sha384(), hashlib.sha512())
+ expected_hash_ids = {'md5', 'sha1', 'sha224', 'sha256', 'sha384', 'sha512'}
+ available_hash_ids = expected_hash_ids.intersection(hashlib.algorithms_available)
+ hashes = (hashlib.new(hash_id) for hash_id in available_hash_ids)
if len(fingerprint) % 2 == 1:
return None
diff --git a/tests/test_utils.py b/tests/test_utils.py
index c2d663f6..7fe3332e 100644
--- a/tests/test_utils.py
+++ b/tests/test_utils.py
@@ -27,6 +27,9 @@
from org_fedora_oscap import utils
+import hashlib
+import warnings
+
@pytest.fixture()
def mock_os():
@@ -146,11 +149,34 @@ def test_gen():
def test_hash():
- file_hash = '87fcda7d9e7a22412e95779e2f8e70f929106c7b27a94f5f8510553ebf4624a6'
- hash_obj = utils.get_hashing_algorithm(file_hash)
- assert hash_obj.name == "sha256"
+ file_hashes = {
+ 'md5': 'ea38136ca349e139c59f09e09d2aa956',
+ 'sha1': 'f905458483be8ac21002ab2c6409d3a10b3813f1',
+ 'sha224': '2b1e795db6b7397f47a270fbb5059e76b94a8c972240b17c45db1f13',
+ 'sha256': '87fcda7d9e7a22412e95779e2f8e70f929106c7b27a94f5f8510553ebf4624a6',
+ 'sha384': 'b3ffdfad2bf33caf6e44a8b34386ad741bb80fb02306d3889b8a5645cde31e9d'
+ '31ec44e0b0e6ce84d83a57339b75b9bf',
+ 'sha512': '7b05940e8d69e804a90f5110d22ad3a1cd03adc5bf4d0a4779790c78118b3c61'
+ 'b7f3a3cd39fcf2902ec92ac80df71b952a7aeb2d53c16f0e77436eeb91e33e1d'
+ }
+
+ for hash_id, file_hash in file_hashes.items():
+ if hash_id not in hashlib.algorithms_available:
+ warnings.warn(RuntimeWarning('Expected hash algorithm \'%s\' is not '
+ 'available in this build of Python' % hash_id))
+ continue
+
+ hash_obj = utils.get_hashing_algorithm(file_hash)
+ assert hash_obj.name == hash_id
- filepath = os.path.join(os.path.dirname(__file__), 'data', 'file')
- computed_hash = utils.get_file_fingerprint(filepath, hash_obj)
+ filepath = os.path.join(os.path.dirname(__file__), 'data', 'file')
+ computed_hash = utils.get_file_fingerprint(filepath, hash_obj)
- assert file_hash == computed_hash
+ assert file_hash == computed_hash
+
+
+def test_hash_unknown():
+ file_hash = 'XXXX'
+
+ hash_obj = utils.get_hashing_algorithm(file_hash)
+ assert hash_obj is None
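Review bot: `available_hash_ids` on line 1169 is a set, so the `hashes` generator on line 1170 yields algorithms in arbitrary per-process order, whereas the removed tuple on lines 1166-1167 had a fixed order. That is harmless only while the selection that follows (outside the hunk, presumably by digest length given the parity check on line 1171) cannot match two algorithms for one fingerprint, which holds for these six because their digest sizes are all distinct; a comment recording that invariant, e.g. `# set order is arbitrary; safe because every digest length in the set is unique`, would stop a later addition from silently making the result nondeterministic. The generator is also single-use, which is fine as long as it is iterated once.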


@ -0,0 +1,32 @@
From 56806b88b139d62276e8522bb3daf7d4fb02df84 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 15 Oct 2021 15:05:55 +0200
Subject: [PATCH] Represent unselected profile by an empty string
None can't be passed via the DBUS interface.
---
org_fedora_oscap/gui/spokes/oscap.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 4425757..36c8d7a 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -244,7 +244,7 @@ def __init__(self, data, storage, payload):
self.__old_root_pw = None
# used to check if the profile was changed or not
- self._active_profile = None
+ self._active_profile = ""
# prevent multiple simultaneous data fetches
self._fetching = False
@@ -719,7 +719,7 @@ def _unselect_profile(self, profile_id):
self._revert_rootpw_changes()
self._rule_data = None
- self._active_profile = None
+ self._active_profile = ""
@async_action_wait
def _select_profile(self, profile_id):
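Review bot: Changing the sentinel from `None` to `""` on lines 1241 and 1248 means any `self._active_profile is None` check elsewhere in the spoke no longer fires, and none of those sites are in this hunk, so they are worth searching for before merging. A short comment at the initialisation, `# "" means no profile selected; None cannot be passed over DBus`, would keep the reason given in the commit message next to the value it explains.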


@ -0,0 +1,72 @@
From 1b96504a8bbc198cce11647a0c3a65e1a3ffaba1 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Fri, 13 May 2022 14:44:45 +0200
Subject: [PATCH] Fix strings for translations
The input of the _() function has to be a static string,
and it was in those cases a formatted one,
which didn't match the translation data.
---
org_fedora_oscap/rule_handling.py | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index 244aac8..635446e 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -707,10 +707,11 @@ def eval_rules(self, ksdata, storage, report_only=False):
messages = []
packages_data = get_packages_data()
+ msg_installed_template = _(
+ "package '%s' has been added to the list of to be installed packages")
# add messages for the already added packages
for pkg in self._added_pkgs:
- msg = _("package '%s' has been added to the list of to be installed "
- "packages" % pkg)
+ msg = msg_installed_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))
@@ -724,11 +725,12 @@ def eval_rules(self, ksdata, storage, report_only=False):
self._added_pkgs.add(pkg)
packages_data.packages.append(pkg)
- msg = _("package '%s' has been added to the list of to be installed "
- "packages" % pkg)
+ msg = msg_installed_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))
+ msg_excluded_template = _(
+ "package '%s' has been added to the list of excluded packages")
# now do the same for the packages that should be excluded
# add messages for the already excluded packages
for pkg in self._removed_pkgs:
@@ -736,13 +738,12 @@ def eval_rules(self, ksdata, storage, report_only=False):
msg = _(
"package '{package}' has been added to the list "
"of excluded packages, but it can't be removed "
- "from the current software selection without breaking the installation."
- .format(package=pkg))
+ "from the current software selection without breaking the installation.")
+ msg = msg.format(package=pkg)
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_FATAL, msg))
else:
- msg = _("package '%s' has been added to the list of excluded "
- "packages" % pkg)
+ msg = msg_excluded_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))
@@ -756,8 +757,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
self._removed_pkgs.add(pkg)
packages_data.excluded_packages.append(pkg)
- msg = _("package '%s' has been added to the list of excluded "
- "packages" % pkg)
+ msg = msg_excluded_template % pkg
messages.append(RuleMessage(self.__class__,
common.MESSAGE_TYPE_INFO, msg))


@ -0,0 +1,26 @@
From cdb131f0b1282f833b697ef4cb4eb934ca2e9966 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 17 Jul 2023 15:27:24 +0200
Subject: [PATCH] Remove obsolete mapping of packages-groups
---
org_fedora_oscap/rule_handling.py | 6 ------
1 file changed, 6 deletions(-)
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index 635446e..7e2077c 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -59,12 +59,6 @@
"env": ["graphical-server-environment", "workstation-product-environment"],
"groups": ["workstation-product-environment"],
},
- "tftp": {
- "groups": ["network-server"],
- },
- "abrt": {
- "groups": ["debugging"],
- },
"gssproxy": {
"groups": ["file-server"],
},


@ -0,0 +1,29 @@
From a306b736f144260721dfae25f0b268353d6760c5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Thu, 25 Nov 2021 15:15:14 +0100
Subject: [PATCH] Fix tailoring
Fixes an error during installation caused during tailoring
Addressing:
dasbus.error.DBusError: Content evaluation and remediation with the oscap tool failed: OpenSCAP Error: Unable to open file: '/tmp/openscap_data/usr/share/xml/scap/sc_tailoring/tailoring-xccdf.xml' [/builddir/build/BUILD/openscap-1.3.5/src/source/oscap_source.c:288]
This is proabably a typo coming from 87509fb6ee22b6eeaa66ea4ae85ebf5abd353e14
which is only in rhel9-branch.
---
org_fedora_oscap/service/oscap.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/org_fedora_oscap/service/oscap.py b/org_fedora_oscap/service/oscap.py
index 4237a47..65da08b 100755
--- a/org_fedora_oscap/service/oscap.py
+++ b/org_fedora_oscap/service/oscap.py
@@ -221,7 +221,7 @@ def install_with_tasks(self):
sysroot=conf.target.system_root,
policy_data=self.policy_data,
target_content_path=common.get_postinst_content_path(self.policy_data),
- target_tailoring_path=common.get_preinst_tailoring_path(self.policy_data)
+ target_tailoring_path=common.get_postinst_tailoring_path(self.policy_data)
)
]


@ -1,7 +1,7 @@
From 6ac75d5052fff5a7d4b7e249ef198ccecd1f86a4 Mon Sep 17 00:00:00 2001 From 2fbde88c29210c48083bd4840661d2af2d00ae69 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com> From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Mon, 17 Jul 2023 17:08:54 +0200 Date: Mon, 17 Jul 2023 17:10:41 +0200
Subject: [PATCH] Make tar extraction safer Subject: [PATCH] Make tar extraction safer on RHEL9
See also https://bugzilla.redhat.com/show_bug.cgi?id=2218875 See also https://bugzilla.redhat.com/show_bug.cgi?id=2218875
--- ---
@ -9,10 +9,10 @@ See also https://bugzilla.redhat.com/show_bug.cgi?id=2218875
1 file changed, 2 insertions(+), 2 deletions(-) 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index 05829ce..b27276e 100644 index eeb27fc..77d24c1 100644
--- a/org_fedora_oscap/common.py --- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py +++ b/org_fedora_oscap/common.py
@@ -360,7 +360,7 @@ def extract_data(archive, out_dir, ensure_has_files=None): @@ -392,7 +392,7 @@ def extract_data(archive, out_dir, ensure_has_files=None):
raise ExtractionError(msg) raise ExtractionError(msg)
utils.ensure_dir_exists(out_dir) utils.ensure_dir_exists(out_dir)
@ -21,7 +21,7 @@ index 05829ce..b27276e 100644
result = [utils.join_paths(out_dir, info.filename) for info in zfile.filelist] result = [utils.join_paths(out_dir, info.filename) for info in zfile.filelist]
zfile.close() zfile.close()
elif archive.endswith(".tar"): elif archive.endswith(".tar"):
@@ -418,7 +418,7 @@ def _extract_tarball(archive, out_dir, ensure_has_files, alg): @@ -450,7 +450,7 @@ def _extract_tarball(archive, out_dir, ensure_has_files, alg):
raise ExtractionError(msg) raise ExtractionError(msg)
utils.ensure_dir_exists(out_dir) utils.ensure_dir_exists(out_dir)


@ -0,0 +1,460 @@
From aeb0e2ed5a524c5d4e5b72b2b11ea74a5119d45a Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 2 Aug 2021 17:23:17 +0200
Subject: [PATCH 1/3] Improve logging
Make all log entries identifiable easily.
---
org_fedora_oscap/common.py | 4 ++--
org_fedora_oscap/content_discovery.py | 16 +++++++++++-----
org_fedora_oscap/gui/spokes/oscap.py | 19 ++++++++++++-------
org_fedora_oscap/rule_handling.py | 8 ++++----
org_fedora_oscap/service/installation.py | 6 +++---
org_fedora_oscap/service/kickstart.py | 2 +-
org_fedora_oscap/service/oscap.py | 12 ++++++------
7 files changed, 39 insertions(+), 28 deletions(-)
diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index a307baa..c432168 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -564,7 +564,7 @@ def get_content_name(data):
def get_raw_preinst_content_path(data):
"""Path to the raw (unextracted, ...) pre-installation content file"""
if data.content_type == "scap-security-guide":
- log.debug("Using scap-security-guide, no single content file")
+ log.debug("OSCAP addon: Using scap-security-guide, no single content file")
return None
content_name = get_content_name(data)
@@ -667,7 +667,7 @@ def set_packages_data(data: PackagesConfigurationData):
payload_proxy = get_payload_proxy()
if payload_proxy.Type != PAYLOAD_TYPE_DNF:
- log.debug("The payload doesn't support packages.")
+ log.debug("OSCAP addon: The payload doesn't support packages.")
return
return payload_proxy.SetPackages(
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 894f3e1..bc14ef1 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -98,7 +98,7 @@ def fetch_content(self, what_if_fail, ca_certs_path=""):
def _fetch_files(self, scheme, path, destdir, ca_certs_path, what_if_fail):
with self.activity_lock:
if self.now_fetching_or_processing:
- msg = "Strange, it seems that we are already fetching something."
+ msg = "OSCAP Addon: Strange, it seems that we are already fetching something."
log.warn(msg)
return
self.now_fetching_or_processing = True
@@ -175,7 +175,7 @@ def finish_content_fetch(self, fetching_thread_name, fingerprint, report_callbac
def _verify_fingerprint(self, dest_filename, fingerprint=""):
if not fingerprint:
- log.info("No fingerprint provided, skipping integrity check")
+ log.info("OSCAP Addon: No fingerprint provided, skipping integrity check")
return
hash_obj = utils.get_hashing_algorithm(fingerprint)
@@ -183,15 +183,19 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
hash_obj)
if digest != fingerprint:
log.error(
+ "OSCAP Addon: "
f"File {dest_filename} failed integrity check - assumed a "
f"{hash_obj.name} hash and '{fingerprint}', got '{digest}'"
)
- msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
+ msg = _(f"OSCAP Addon: Integrity check of the content failed - {hash_obj.name} hash didn't match")
raise content_handling.ContentCheckError(msg)
log.info(f"Integrity check passed using {hash_obj.name} hash")
def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_filename):
- threadMgr.wait(wait_for)
+ if wait_for:
+ log.info(f"OSCAP Addon: Waiting for thread {wait_for}")
+ threadMgr.wait(wait_for)
+ log.info(f"OSCAP Addon: Finished waiting for thread {wait_for}")
actually_fetched_content = wait_for is not None
if fingerprint and dest_filename:
@@ -201,6 +205,7 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content = ObtainedContent(self.CONTENT_DOWNLOAD_LOCATION)
content_type = self.get_content_type(str(dest_filename))
+ log.info(f"OSCAP Addon: started to look at the content")
if content_type in ("archive", "rpm"):
structured_content.add_content_archive(dest_filename)
@@ -211,6 +216,7 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
if fingerprint and dest_filename:
structured_content.record_verification(dest_filename)
+ log.info(f"OSCAP Addon: finished looking at the content")
return structured_content
def _gather_available_files(self, actually_fetched_content, dest_filename):
@@ -232,7 +238,7 @@ def _gather_available_files(self, actually_fetched_content, dest_filename):
)
except common.ExtractionError as err:
msg = f"Failed to extract the '{dest_filename}' archive: {str(err)}"
- log.error(msg)
+ log.error("OSCAP Addon: " + msg)
raise err
elif content_type == "file":
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 76e508f..332e956 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -331,6 +331,7 @@ def initialize(self):
# if no content was specified and SSG is available, use it
if not self._policy_data.content_type and common.ssg_available():
+ log.info("OSCAP Addon: Defaulting to local content")
self._policy_data.content_type = "scap-security-guide"
self._policy_data.content_path = common.SSG_DIR + common.SSG_CONTENT
@@ -351,7 +352,7 @@ def initialize(self):
self._fetch_data_and_initialize()
def _handle_error(self, exception):
- log.error(str(exception))
+ log.error("OSCAP Addon: " + str(exception))
if isinstance(exception, KickstartValueError):
self._invalid_url()
elif isinstance(exception, common.OSCAPaddonNetworkError):
@@ -365,7 +366,7 @@ def _handle_error(self, exception):
elif isinstance(exception, content_handling.ContentCheckError):
self._integrity_check_failed()
else:
- log.exception("Unknown exception occurred", exc_info=exception)
+ log.exception("OSCAP Addon: Unknown exception occurred", exc_info=exception)
self._general_content_problem()
def _render_selected(self, column, renderer, model, itr, user_data=None):
@@ -385,6 +386,7 @@ def _fetch_data_and_initialize(self):
thread_name = None
if self._policy_data.content_url and self._policy_data.content_type != "scap-security-guide":
+ log.info(f"OSCAP Addon: Actually fetching content from somewhere")
thread_name = self.content_bringer.fetch_content(
self._handle_error, self._policy_data.certificates)
@@ -442,7 +444,7 @@ def update_progress_label(msg):
msg += f" with tailoring {preinst_tailoring_path}"
else:
msg += " without considering tailoring"
- log.info(msg)
+ log.info("OSCAP Addon: " + msg)
self._content_handler = scap_content_handler.SCAPContentHandler(
preinst_content_path,
@@ -456,7 +458,7 @@ def update_progress_label(msg):
return
- log.info("OAA: Done with analysis")
+ log.info("OSCAP Addon: Done with analysis")
self._ds_checklists = self._content_handler.get_data_streams_checklists()
if self._using_ds:
@@ -592,7 +594,7 @@ def _update_profiles_store(self):
try:
profiles = self._content_handler.get_profiles()
except scap_content_handler.SCAPContentHandlerError as e:
- log.warning(str(e))
+ log.warning("OSCAP Addon: " + str(e))
self._invalid_content()
for profile in profiles:
@@ -736,7 +738,7 @@ def _select_profile(self, profile_id):
ds, xccdf, common.get_preinst_tailoring_path(self._policy_data))
except common.OSCAPaddonError as exc:
log.error(
- "Failed to get rules for the profile '{}': {}"
+ "OSCAP Addon: Failed to get rules for the profile '{}': {}"
.format(profile_id, str(exc)))
self._set_error(
"Failed to get rules for the profile '{}'"
@@ -908,6 +910,7 @@ def refresh(self):
def _refresh_ui(self):
"""Refresh the UI elements."""
if not self._content_defined:
+ log.info("OSCAP Addon: Content not defined")
# hide the control buttons
really_hide(self._control_buttons)
@@ -1156,7 +1159,9 @@ def on_fetch_button_clicked(self, *args):
with self._fetch_flag_lock:
if self._fetching:
# some other fetching/pre-processing running, give up
- log.warn("Clicked the fetch button, although the GUI is in the fetching mode.")
+ log.warn(
+ "OSCAP Addon: "
+ "Clicked the fetch button, although the GUI is in the fetching mode.")
return
# prevent user from changing the URL in the meantime
diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index c478aa0..244aac8 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -261,7 +261,7 @@ def new_rule(self, rule):
try:
actions[first_word](rule)
except (ModifiedOptionParserException, KeyError) as e:
- log.warning("Unknown OSCAP Addon rule '{}': {}".format(rule, e))
+ log.warning("OSCAP Addon: Unknown OSCAP Addon rule '{}': {}".format(rule, e))
def eval_rules(self, ksdata, storage, report_only=False):
""":see: RuleHandler.eval_rules"""
@@ -565,7 +565,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
# root password set
if users_proxy.IsRootPasswordCrypted:
msg = _("cannot check root password length (password is crypted)")
- log.warning("cannot check root password length (password is crypted)")
+ log.warning("OSCAP Addon: cannot check root password length (password is crypted)")
return [RuleMessage(self.__class__,
common.MESSAGE_TYPE_WARNING, msg)]
elif len(users_proxy.RootPassword) < self._minlen:
@@ -880,7 +880,7 @@ def eval_rules(self, ksdata, storage, report_only=False):
kdump_proxy.KdumpEnabled = self._kdump_enabled
else:
- log.warning("com_redhat_kdump is not installed. "
+ log.warning("OSCAP Addon: com_redhat_kdump is not installed. "
"Skipping kdump configuration")
return messages
@@ -894,7 +894,7 @@ def revert_changes(self, ksdata, storage):
if self._kdump_enabled is not None:
kdump_proxy.KdumpEnabled = self._kdump_default_enabled
else:
- log.warning("com_redhat_kdump is not installed. "
+ log.warning("OSCAP Addon: com_redhat_kdump is not installed. "
"Skipping reverting kdump configuration")
self._kdump_enabled = None
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index e3a1d0f..2da8559 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -28,14 +28,14 @@
from org_fedora_oscap.content_handling import ContentCheckError
from org_fedora_oscap import content_discovery
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
REQUIRED_PACKAGES = ("openscap", "openscap-scanner",)
def _handle_error(exception):
- log.error("Failed to fetch and initialize SCAP content!")
+ log.error("OSCAP Addon: Failed to fetch and initialize SCAP content!")
if isinstance(exception, ContentCheckError):
msg = _("The integrity check of the security content failed.")
@@ -87,7 +87,7 @@ def run(self):
content = self.content_bringer.finish_content_fetch(
fetching_thread_name, self._policy_data.fingerprint,
- lambda msg: log.info(msg), content_dest, _handle_error)
+ lambda msg: log.info("OSCAP Addon: " + msg), content_dest, _handle_error)
if not content:
# this shouldn't happen because error handling is supposed to
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index 341c6c5..d6f22ac 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -25,7 +25,7 @@
from org_fedora_oscap import common, utils
from org_fedora_oscap.structures import PolicyData
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
__all__ = ["OSCAPKickstartSpecification"]
diff --git a/org_fedora_oscap/service/oscap.py b/org_fedora_oscap/service/oscap.py
index d491060..4237a47 100755
--- a/org_fedora_oscap/service/oscap.py
+++ b/org_fedora_oscap/service/oscap.py
@@ -34,7 +34,7 @@
from org_fedora_oscap.service.oscap_interface import OSCAPInterface
from org_fedora_oscap.structures import PolicyData
-log = logging.getLogger(__name__)
+log = logging.getLogger("anaconda")
__all__ = ["OSCAPService"]
@@ -71,7 +71,7 @@ def policy_enabled(self, value):
"""
self._policy_enabled = value
self.policy_enabled_changed.emit()
- log.debug("Policy enabled is set to '%s'.", value)
+ log.debug("OSCAP Addon: Policy enabled is set to '%s'.", value)
@property
def policy_data(self):
@@ -89,7 +89,7 @@ def policy_data(self, value):
"""
self._policy_data = value
self.policy_data_changed.emit()
- log.debug("Policy data is set to '%s'.", value)
+ log.debug("OSCAP Addon: Policy data is set to '%s'.", value)
@property
def installation_enabled(self):
@@ -150,7 +150,7 @@ def collect_requirements(self):
:return: a list of requirements
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the requirements.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the requirements.")
return []
requirements = [
@@ -180,7 +180,7 @@ def configure_with_tasks(self):
:return: a list of tasks
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the configuration.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the configuration.")
return []
tasks = [
@@ -205,7 +205,7 @@ def install_with_tasks(self):
:return: a list of tasks
"""
if not self.installation_enabled:
- log.debug("The installation is disabled. Skip the installation.")
+ log.debug("OSCAP Addon: The installation is disabled. Skip the installation.")
return []
tasks = [
From b081e32012b93177167d3f7d0cc2024deb50e965 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Mon, 2 Aug 2021 17:24:15 +0200
Subject: [PATCH 2/3] Save addon data when using local content
Addon loads its data from the shared storage upon refresh,
which caused it to overwrite clicking on the "use SSG content" button.
Now the data is saved after clicking that button, and convenience
load/save methods were introduced.
---
org_fedora_oscap/gui/spokes/oscap.py | 27 +++++++++++++++------------
1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 332e956..4425757 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -232,11 +232,8 @@ def __init__(self, data, storage, payload):
# the proxy to OSCAP DBus module
self._oscap_module = OSCAP.get_proxy()
- # the security policy data
- self._policy_enabled = self._oscap_module.PolicyEnabled
- self._policy_data = PolicyData.from_structure(
- self._oscap_module.PolicyData
- )
+ self._policy_data = PolicyData()
+ self._load_policy_data()
# used for changing profiles
self._rule_data = None
@@ -334,6 +331,7 @@ def initialize(self):
log.info("OSCAP Addon: Defaulting to local content")
self._policy_data.content_type = "scap-security-guide"
self._policy_data.content_path = common.SSG_DIR + common.SSG_CONTENT
+ self._save_policy_data()
if not self._content_defined:
# nothing more to be done now, the spoke is ready
@@ -351,6 +349,16 @@ def initialize(self):
# else fetch data
self._fetch_data_and_initialize()
+ def _save_policy_data(self):
+ self._oscap_module.PolicyData = PolicyData.to_structure(self._policy_data)
+ self._oscap_module.PolicyEnabled = self._policy_enabled
+
+ def _load_policy_data(self):
+ self._policy_data.update_from(PolicyData.from_structure(
+ self._oscap_module.PolicyData
+ ))
+ self._policy_enabled = self._oscap_module.PolicyEnabled
+
def _handle_error(self, exception):
log.error("OSCAP Addon: " + str(exception))
if isinstance(exception, KickstartValueError):
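Review bot: `_save_policy_data` and `_load_policy_data` are added without docstrings, although `__init__`, `refresh` and `on_use_ssg_clicked` now all route the spoke's state through them. A one-liner on each would make the direction of the copy explicit: `"""Push the spoke's policy data and enabled flag to the OSCAP DBus module."""` and `"""Pull policy data and the enabled flag from the OSCAP DBus module into the spoke."""`. Note that `_load_policy_data` updates `self._policy_data` in place via `update_from` rather than rebinding it, which is presumably deliberate so other references stay valid; worth a short comment so nobody "simplifies" it into an assignment.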
@@ -897,13 +905,7 @@ def refresh(self):
:see: pyanaconda.ui.common.UIObject.refresh
"""
- # update the security policy data
- self._policy_enabled = self._oscap_module.PolicyEnabled
- fresh_data = PolicyData.from_structure(
- self._oscap_module.PolicyData
- )
-
- self._policy_data.update_from(fresh_data)
+ self._load_policy_data()
# update the UI elements
self._refresh_ui()
@@ -1202,4 +1204,5 @@ def on_change_content_clicked(self, *args):
def on_use_ssg_clicked(self, *args):
self.content_bringer.use_system_content()
+ self._save_policy_data()
self._fetch_data_and_initialize()
From fee170f54aeb9f649ab891781532012a7b069f8f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 3 Aug 2021 11:01:59 +0200
Subject: [PATCH 3/3] Refactor content identification
Don't use the multiprocessing pool - it sometimes creates probems during
its initialization:
https://bugzilla.redhat.com/show_bug.cgi?id=1989434
---
org_fedora_oscap/content_handling.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
index f2af22f..65d5a28 100644
--- a/org_fedora_oscap/content_handling.py
+++ b/org_fedora_oscap/content_handling.py
@@ -111,9 +111,8 @@ def parse_HTML_from_content(content):
def identify_files(fpaths):
- with multiprocessing.Pool(os.cpu_count()) as p:
- labels = p.map(get_doc_type, fpaths)
- return {path: label for (path, label) in zip(fpaths, labels)}
+ result = {path: get_doc_type(path) for path in fpaths}
+ return result
def get_doc_type(file_path):
@@ -131,7 +130,9 @@ def get_doc_type(file_path):
except UnicodeDecodeError:
# 'oscap info' supplied weird output, which happens when it tries
# to explain why it can't examine e.g. a JPG.
- return None
+ pass
+ except Exception as e:
+ log.warning(f"OSCAP addon: Unexpected error when looking at {file_path}: {str(e)}")
log.info("OSCAP addon: Identified {file_path} as {content_type}"
.format(file_path=file_path, content_type=content_type))
return content_type
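Review bot: The `UnicodeDecodeError` handler now falls through with `pass` instead of `return None`, and the new broad `except Exception` handler does the same, so both paths continue to the `log.info(...)` and `return content_type` lines. If `content_type` is only assigned inside the `try` body (the start of `get_doc_type` is outside this hunk), a failure before that assignment turns the old `None` result into an `UnboundLocalError`; either initialise `content_type = None` before the `try` or keep `return None` in both handlers. Minor: `{str(e)}` inside an f-string is just `{e}`.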


@ -1,4 +1,4 @@
From e8e303aa3ca9db564ea52258de15a81851c3b265 Mon Sep 17 00:00:00 2001 From a1b983b4b5f8e49daa978aec6f9d28ba6dcea20c Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Wed, 12 Oct 2022 11:37:04 +0200 Date: Wed, 12 Oct 2022 11:37:04 +0200
Subject: [PATCH 1/5] Add capability to preselect content from archives Subject: [PATCH 1/5] Add capability to preselect content from archives
@ -13,20 +13,20 @@ and that they have precedence over other files.
create mode 100644 tests/test_content_discovery.py create mode 100644 tests/test_content_discovery.py
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 5fc7343..f654449 100644 index ccfe6c8..9ef144e 100644
--- a/org_fedora_oscap/content_discovery.py --- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py +++ b/org_fedora_oscap/content_discovery.py
@@ -11,6 +11,7 @@ @@ -12,6 +12,7 @@
from org_fedora_oscap import data_fetch, utils from org_fedora_oscap import data_fetch, utils
from org_fedora_oscap import common from org_fedora_oscap import common
from org_fedora_oscap import content_handling from org_fedora_oscap import content_handling
+from org_fedora_oscap.content_handling import CONTENT_TYPES +from org_fedora_oscap.content_handling import CONTENT_TYPES
from org_fedora_oscap import rule_handling
from org_fedora_oscap.common import _ from org_fedora_oscap.common import _
@@ -191,6 +192,38 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
@@ -167,6 +168,38 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
raise content_handling.ContentCheckError(msg) raise content_handling.ContentCheckError(msg)
log.info(f"Integrity check passed using {hash_obj.name} hash")
+ def filter_discovered_content(self, labelled_files): + def filter_discovered_content(self, labelled_files):
+ expected_path = self._addon_data.content_path + expected_path = self._addon_data.content_path
@ -61,9 +61,9 @@ index 5fc7343..f654449 100644
+ return reduced_files + return reduced_files
+ +
def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_filename): def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_filename):
threadMgr.wait(wait_for) if wait_for:
actually_fetched_content = wait_for is not None log.info(f"OSCAP Addon: Waiting for thread {wait_for}")
@@ -182,6 +215,8 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file @@ -210,6 +243,8 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content.add_content_archive(dest_filename) structured_content.add_content_archive(dest_filename)
labelled_files = content_handling.identify_files(fpaths) labelled_files = content_handling.identify_files(fpaths)
@ -127,7 +127,7 @@ index 0000000..5463c9a
+ reduced = bringer.reduce_files(labelled_files, "cpe", ["C"]) + reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
+ assert reduced == labelled_files + assert reduced == labelled_files
From 82c1950903fcce079cd71f021c1fde25f75f9521 Mon Sep 17 00:00:00 2001 From 2a536a8ec4cdf20e4f19e8175898b7ace3fc7ca4 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Wed, 12 Oct 2022 11:40:11 +0200 Date: Wed, 12 Oct 2022 11:40:11 +0200
Subject: [PATCH 2/5] Handle changes in content identification Subject: [PATCH 2/5] Handle changes in content identification
@ -140,7 +140,7 @@ content much more gracefully.
2 files changed, 14 insertions(+), 4 deletions(-) 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index f654449..b20f3a6 100644 index 9ef144e..9ed643b 100644
--- a/org_fedora_oscap/content_discovery.py --- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py +++ b/org_fedora_oscap/content_discovery.py
@@ -2,6 +2,7 @@ @@ -2,6 +2,7 @@
@ -149,9 +149,9 @@ index f654449..b20f3a6 100644
import shutil import shutil
+import os +import os
from glob import glob from glob import glob
from typing import List
from pyanaconda.core import constants @@ -242,11 +243,15 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
@@ -214,11 +215,15 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
if content_type in ("archive", "rpm"): if content_type in ("archive", "rpm"):
structured_content.add_content_archive(dest_filename) structured_content.add_content_archive(dest_filename)
@ -188,7 +188,7 @@ index 65d5a28..3e2ecae 100644
except OSError: except OSError:
# 'oscap info' exitted with a non-zero exit code -> unknown doc # 'oscap info' exitted with a non-zero exit code -> unknown doc
From b6bf5a6c96f5dbbd78043455802ebc0033cf1a6a Mon Sep 17 00:00:00 2001 From 17f80b71d17ce5a2bdbed87730133cdabec2e22b Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Wed, 12 Oct 2022 11:38:51 +0200 Date: Wed, 12 Oct 2022 11:38:51 +0200
Subject: [PATCH 3/5] Remove unused code Subject: [PATCH 3/5] Remove unused code
@ -247,7 +247,7 @@ index 3e2ecae..5096bab 100644
- files = ContentFiles(xccdf_file, cpe_file, tailoring_file) - files = ContentFiles(xccdf_file, cpe_file, tailoring_file)
- return files - return files
From a990568ccddb2864c8daeae91fdc1f6588b3c6f3 Mon Sep 17 00:00:00 2001 From 3aff547e2689a1ede4236c9166b11c99f272e3f7 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Thu, 13 Oct 2022 14:11:25 +0200 Date: Thu, 13 Oct 2022 14:11:25 +0200
Subject: [PATCH 4/5] Dont use tailoring if it is not expected Subject: [PATCH 4/5] Dont use tailoring if it is not expected
@ -259,12 +259,12 @@ Compulsive usage of tailoring may be unwanted.
1 file changed, 13 insertions(+), 4 deletions(-) 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index b20f3a6..e9cf34a 100644 index 9ed643b..4235af7 100644
--- a/org_fedora_oscap/content_discovery.py --- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py +++ b/org_fedora_oscap/content_discovery.py
@@ -169,16 +169,25 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""): @@ -193,16 +193,25 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
msg = _(f"Integrity check of the content failed - {hash_obj.name} hash didn't match")
raise content_handling.ContentCheckError(msg) raise content_handling.ContentCheckError(msg)
log.info(f"Integrity check passed using {hash_obj.name} hash")
+ def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files): + def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
+ expected_tailoring = self._addon_data.tailoring_path + expected_tailoring = self._addon_data.tailoring_path
@ -293,39 +293,65 @@ index b20f3a6..e9cf34a 100644
expected_path = self._addon_data.cpe_path expected_path = self._addon_data.cpe_path
categories = (CONTENT_TYPES["CPE_DICT"], ) categories = (CONTENT_TYPES["CPE_DICT"], )
From c4cb296ca3838a0967c8258b9ed5221691884a36 Mon Sep 17 00:00:00 2001 From 56d8e497e0a4c394784b1c950bd1a148a6dc42ad Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: =?UTF-8?q?Mat=C4=9Bj=20T=C3=BD=C4=8D?= <matyc@redhat.com>
Date: Tue, 8 Nov 2022 10:46:59 +0100 Date: Thu, 10 Nov 2022 12:46:46 +0100
Subject: [PATCH 5/5] Make the content RPM installation robust Subject: [PATCH 5/5] Make the content RPM installation robust
If a package manager fails to install the package, If a package manager fails to install the package,
use the rpm command directly and skip deps. use the rpm command directly and skip deps.
--- ---
org_fedora_oscap/ks/oscap.py | 41 ++++++++++++++++++++++++++++-------- org_fedora_oscap/service/installation.py | 48 +++++++++++++++++-------
1 file changed, 32 insertions(+), 9 deletions(-) 1 file changed, 34 insertions(+), 14 deletions(-)
diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index e47d6ba..dac273d 100644 index 255b992..f667479 100644
--- a/org_fedora_oscap/ks/oscap.py --- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/ks/oscap.py +++ b/org_fedora_oscap/service/installation.py
@@ -23,6 +23,7 @@ @@ -18,6 +18,7 @@
import shutil
import re
import os
+import io
import time
import logging import logging
import pathlib import os
@@ -473,6 +474,33 @@ def setup(self, storage, ksdata, payload): import shutil
if pkg not in ksdata.packages.packageList: +import io
ksdata.packages.packageList.append(pkg)
+ def _attempt_rpm_installation(self): from pyanaconda.core import util
from pyanaconda.modules.common.task import Task
@@ -198,21 +199,11 @@ def run(self):
elif self._policy_data.content_type == "datastream":
shutil.copy2(self._content_path, target_content_dir)
elif self._policy_data.content_type == "rpm":
- # copy the RPM to the target system
- shutil.copy2(self._file_path, target_content_dir)
+ try:
+ self._copy_rpm_to_target_and_install(target_content_dir)
- # get the path of the RPM
- content_name = common.get_content_name(self._policy_data)
- package_path = utils.join_paths(self._target_directory, content_name)
-
- # and install it with yum
- ret = util.execInSysroot(
- "yum", ["-y", "--nogpg", "install", package_path]
- )
-
- if ret != 0:
- msg = _(f"Failed to install content RPM to the target system.")
- terminate(msg)
+ except Exception as exc:
+ terminate(str(exc))
return
else:
pattern = utils.join_paths(common.INSTALLATION_CONTENT_DIR, "*")
@@ -221,6 +212,35 @@ def run(self):
if os.path.exists(self._tailoring_path):
shutil.copy2(self._tailoring_path, target_content_dir)
+ def _attempt_rpm_installation(self, chroot_package_path):
+ log.info("OSCAP addon: Installing the security content RPM to the installed system.") + log.info("OSCAP addon: Installing the security content RPM to the installed system.")
+ stdout = io.StringIO() + stdout = io.StringIO()
+ ret = util.execWithRedirect( + ret = util.execWithRedirect(
+ "yum", ["-y", "--nogpg", "install", self.raw_postinst_content_path], + "dnf", ["-y", "--nogpg", "install", chroot_package_path],
+ stdout=stdout, root=conf.target.system_root) + stdout=stdout, root=self._sysroot)
+ stdout.seek(0) + stdout.seek(0)
+ if ret != 0: + if ret != 0:
+ log.error( + log.error(
@ -334,8 +360,8 @@ index e47d6ba..dac273d 100644
+ +
+ stdout = io.StringIO() + stdout = io.StringIO()
+ ret = util.execWithRedirect( + ret = util.execWithRedirect(
+ "rpm", ["--install", "--nodeps", self.raw_postinst_content_path], + "rpm", ["--install", "--nodeps", chroot_package_path],
+ stdout=stdout, root=conf.target.system_root) + stdout=stdout, root=self._sysroot)
+ if ret != 0: + if ret != 0:
+ log.error( + log.error(
+ "OSCAP addon: Error installing security content RPM using rpm: {0}", + "OSCAP addon: Error installing security content RPM using rpm: {0}",
@ -344,29 +370,11 @@ index e47d6ba..dac273d 100644
+ raise RuntimeError(msg) + raise RuntimeError(msg)
+ +
+ def _copy_rpm_to_target_and_install(self, target_content_dir): + def _copy_rpm_to_target_and_install(self, target_content_dir):
+ shutil.copy2(self.raw_preinst_content_path, target_content_dir) + shutil.copy2(self._file_path, target_content_dir)
+ self._attempt_rpm_installation() + content_name = common.get_content_name(self._policy_data)
+ chroot_package_path = utils.join_paths(self._target_directory, content_name)
+ self._attempt_rpm_installation(chroot_package_path)
+ +
def execute(self, storage, ksdata, users, payload):
""" class RemediateSystemTask(Task):
The execute method that should make changes to the installed system. It """The installation task for running the remediation."""
@@ -507,15 +535,10 @@ def execute(self, storage, ksdata, users, payload):
if self.content_type == "datastream":
shutil.copy2(self.preinst_content_path, target_content_dir)
elif self.content_type == "rpm":
- # copy the RPM to the target system
- shutil.copy2(self.raw_preinst_content_path, target_content_dir)
-
- # and install it with yum
- ret = util.execInSysroot("yum", ["-y", "--nogpg", "install",
- self.raw_postinst_content_path])
- if ret != 0:
- msg = _(f"Failed to install content RPM to the target system.")
- self._terminate(msg)
+ try:
+ self._copy_rpm_to_target_and_install(target_content_dir)
+ except Exception as exc:
+ self._terminate(str(exc))
return
elif self.content_type == "scap-security-guide":
# nothing needed
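Review bot: In the `rpm --install --nodeps` fallback of `_attempt_rpm_installation`, the `stdout` StringIO is handed to `log.error` without a `stdout.seek(0)` first, unlike the dnf branch a few lines earlier, so whatever is read from it will start at the end of the buffer; the rest of that call is in a skipped stretch, so confirm what is actually passed. The message also uses `{0}` as its placeholder while `logging` applies %-formatting, so a positional argument is not substituted and the record fails to format at emit time; use `"... using rpm: %s"` instead. Since both `dnf --nogpg` and the unconditional `--nodeps` fallback install the content package with signature and dependency checks disabled, the only integrity control visible on this page is the optional kickstart fingerprint check done during fetch, which deserves a sentence in the method's docstring. The method's body is split across a skipped stretch here.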


@ -1,4 +1,4 @@
From 55cc3b685dd5a9ca6059459f41876dd9f19f900d Mon Sep 17 00:00:00 2001 From 99fc53d3691b24c6724c1cf3e7281c181b31cf45 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Tue, 11 Oct 2022 17:07:28 +0200 Date: Tue, 11 Oct 2022 17:07:28 +0200
Subject: [PATCH 1/2] Remove redundant message Subject: [PATCH 1/2] Remove redundant message
@ -10,19 +10,19 @@ could aim to accomplish.
1 file changed, 1 deletion(-) 1 file changed, 1 deletion(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index c57b1cd..4f8702a 100644 index 6d0aa5c..37b9681 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py --- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py +++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -150,7 +150,6 @@ def decorated(self, *args, **kwargs): @@ -151,7 +151,6 @@ def decorated(self, *args, **kwargs):
self._ready = True self._ready = True
# pylint: disable-msg=E1101 # pylint: disable-msg=E1101
hubQ.send_ready(self.__class__.__name__, True) hubQ.send_ready(self.__class__.__name__)
- hubQ.send_message(self.__class__.__name__, self.status) - hubQ.send_message(self.__class__.__name__, self.status)
return ret return ret
From 3f7c560947a17d1696899857e70ebcc8cba44019 Mon Sep 17 00:00:00 2001 From 24787f02e80162129256dc57dc3d491f00080370 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Thu, 13 Oct 2022 17:19:17 +0200 Date: Thu, 13 Oct 2022 17:19:17 +0200
Subject: [PATCH 2/2] Increase robustness of fetching state detection Subject: [PATCH 2/2] Increase robustness of fetching state detection
@ -35,10 +35,10 @@ whether well-known UI threads exist.
1 file changed, 6 insertions(+), 3 deletions(-) 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 4f8702a..d8e6ce2 100644 index 37b9681..97c4553 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py --- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py +++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -363,11 +363,14 @@ def _render_selected(self, column, renderer, model, itr, user_data=None): @@ -389,11 +389,14 @@ def _render_selected(self, column, renderer, model, itr, user_data=None):
else: else:
renderer.set_property("stock-id", None) renderer.set_property("stock-id", None)
@ -54,7 +54,7 @@ index 4f8702a..d8e6ce2 100644
# prevent multiple fetches running simultaneously # prevent multiple fetches running simultaneously
return return
self._fetching = True self._fetching = True
@@ -894,7 +897,7 @@ def refresh(self): @@ -940,7 +943,7 @@ def _refresh_ui(self):
# hide the progress box, no progress now # hide the progress box, no progress now
with self._fetch_flag_lock: with self._fetch_flag_lock:
@ -63,12 +63,12 @@ index 4f8702a..d8e6ce2 100644
really_hide(self._progress_box) really_hide(self._progress_box)
self._content_url_entry.set_sensitive(True) self._content_url_entry.set_sensitive(True)
@@ -1117,7 +1120,7 @@ def on_fetch_button_clicked(self, *args): @@ -1165,7 +1168,7 @@ def on_fetch_button_clicked(self, *args):
"""Handler for the Fetch button""" """Handler for the Fetch button"""
with self._fetch_flag_lock: with self._fetch_flag_lock:
- if self._fetching: - if self._fetching:
+ if self._still_fetching(): + if self._still_fetching():
# some other fetching/pre-processing running, give up # some other fetching/pre-processing running, give up
log.warn("Clicked the fetch button, although the GUI is in the fetching mode.") log.warn(
return "OSCAP Addon: "
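Review bot: The reflowed call at the end of the `on_fetch_button_clicked` hunk still uses `log.warn(`, the deprecated alias of `Logger.warning` that emits a `DeprecationWarning`; since the c9s side rewrites this call anyway, switching it to `log.warning(` costs nothing. The `_still_fetching()` helper the hunks now rely on is defined in a stretch not shown here, so whether it is safe to call while `_fetch_flag_lock` is held cannot be checked from this view.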


@ -0,0 +1,334 @@
From e2c47422b0ecfd561a8fe203b53e4a3831ae0ff7 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 22 Nov 2022 11:45:11 +0100
Subject: [PATCH 1/3] Fix handling of content paths
Archives and ready-to-use content use paths differently.
Archives get unpacked into a directory, where they need to be unpacked,
analyzed, and cross-checked with e.g. the supplied content path,
whereas ready-to-use content can be used directly.
As the current codebase doesn't untangle all possible ways how to obtain
existing content in a way of decomposing those into layers, this change
just makes the current code working at the expense of making it worse to
maintain.
---
org_fedora_oscap/content_discovery.py | 34 ++++++++++++++++++---------
org_fedora_oscap/service/kickstart.py | 10 +++++++-
tests/test_content_discovery.py | 21 +++++++++++++++++
3 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 4235af7c..ebef618e 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -46,6 +46,14 @@ def clear_all(data):
data.dry_run = False
+def path_is_present_among_paths(path, paths):
+ absolute_path = os.path.abspath(path)
+ for second_path in paths:
+ if absolute_path == os.path.abspath(second_path):
+ return True
+ return False
+
+
class ContentBringer:
CONTENT_DOWNLOAD_LOCATION = pathlib.Path(common.INSTALLATION_CONTENT_DIR)
DEFAULT_SSG_DATA_STREAM_PATH = f"{common.SSG_DIR}/{common.SSG_CONTENT}"
@@ -194,7 +202,7 @@ def _verify_fingerprint(self, dest_filename, fingerprint=""):
log.info(f"Integrity check passed using {hash_obj.name} hash")
def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
- expected_tailoring = self._addon_data.tailoring_path
+ expected_tailoring = common.get_preinst_tailoring_path(self._addon_data)
tailoring_label = CONTENT_TYPES["TAILORING"]
if expected_tailoring:
labelled_files = self.reduce_files(labelled_files, expected_tailoring, [tailoring_label])
@@ -206,7 +214,7 @@ def allow_one_expected_tailoring_or_no_tailoring(self, labelled_files):
return labelled_files
def filter_discovered_content(self, labelled_files):
- expected_path = self._addon_data.content_path
+ expected_path = common.get_preinst_content_path(self._addon_data)
categories = (CONTENT_TYPES["DATASTREAM"], CONTENT_TYPES["XCCDF_CHECKLIST"])
if expected_path:
labelled_files = self.reduce_files(labelled_files, expected_path, categories)
@@ -222,7 +230,7 @@ def filter_discovered_content(self, labelled_files):
def reduce_files(self, labelled_files, expected_path, categories):
reduced_files = dict()
- if expected_path not in labelled_files:
+ if not path_is_present_among_paths(expected_path, labelled_files.keys()):
msg = (
f"Expected a file {expected_path} to be part of the supplied content, "
f"but it was not the case, got only {list(labelled_files.keys())}"
@@ -253,13 +261,9 @@ def _finish_actual_fetch(self, wait_for, fingerprint, report_callback, dest_file
structured_content.add_content_archive(dest_filename)
labelled_filenames = content_handling.identify_files(fpaths)
- labelled_relative_filenames = {
- os.path.relpath(path, self.CONTENT_DOWNLOAD_LOCATION): label
- for path, label in labelled_filenames.items()}
- labelled_relative_filenames = self.filter_discovered_content(labelled_relative_filenames)
+ labelled_filenames = self.filter_discovered_content(labelled_filenames)
- for rel_fname, label in labelled_relative_filenames.items():
- fname = self.CONTENT_DOWNLOAD_LOCATION / rel_fname
+ for fname, label in labelled_filenames.items():
structured_content.add_file(str(fname), label)
if fingerprint and dest_filename:
@@ -303,11 +307,18 @@ def use_downloaded_content(self, content):
# We know that we have ended up with a datastream-like content,
# but if we can't convert an archive to a datastream.
# self._addon_data.content_type = "datastream"
- self._addon_data.content_path = str(preferred_content.relative_to(content.root))
+ content_type = self._addon_data.content_type
+ if content_type in ("archive", "rpm"):
+ self._addon_data.content_path = str(preferred_content.relative_to(content.root))
+ else:
+ self._addon_data.content_path = str(preferred_content)
preferred_tailoring = self.get_preferred_tailoring(content)
if content.tailoring:
- self._addon_data.tailoring_path = str(preferred_tailoring.relative_to(content.root))
+ if content_type in ("archive", "rpm"):
+ self._addon_data.tailoring_path = str(preferred_tailoring.relative_to(content.root))
+ else:
+ self._addon_data.tailoring_path = str(preferred_tailoring)
def use_system_content(self, content=None):
clear_all(self._addon_data)
@@ -403,6 +414,7 @@ def _xccdf_content(self):
def find_expected_usable_content(self, relative_expected_content_path):
content_path = self.root / relative_expected_content_path
+ content_path = content_path.resolve()
eligible_main_content = (self._datastream_content(), self._xccdf_content())
if content_path in eligible_main_content:
diff --git a/org_fedora_oscap/service/kickstart.py b/org_fedora_oscap/service/kickstart.py
index ce049d1b..6698978a 100644
--- a/org_fedora_oscap/service/kickstart.py
+++ b/org_fedora_oscap/service/kickstart.py
@@ -17,6 +17,7 @@
#
import logging
import re
+import os
from pyanaconda.core.kickstart import KickstartSpecification
from pyanaconda.core.kickstart.addon import AddonData
@@ -146,7 +147,14 @@ def _parse_profile_id(self, value):
self.policy_data.profile_id = value
def _parse_content_path(self, value):
- # need to be checked?
+ absolute_content_path_in_archive_like_file = (
+ self.policy_data.content_type in ("archive", "rpm")
+ and os.path.isabs(value))
+ if absolute_content_path_in_archive_like_file:
+ msg = (
+ "When using archives-like content input, the corresponding content path "
+ "has to be relative, but got '{value}'.")
+ raise KickstartValueError(msg)
self.policy_data.content_path = value
def _parse_cpe_path(self, value):
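Review bot: The error message built in `_parse_content_path` is a plain string, not an f-string, so `'{value}'` is emitted literally and the offending path never appears in the `KickstartValueError`. Change the last fragment to `f"has to be relative, but got '{value}'.")`. The rejection itself is sound: an absolute `content_path` for archive/rpm content would later be joined onto the unpack root and could point outside it.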
diff --git a/tests/test_content_discovery.py b/tests/test_content_discovery.py
index 5463c9a5..d6e14d9f 100644
--- a/tests/test_content_discovery.py
+++ b/tests/test_content_discovery.py
@@ -1,3 +1,5 @@
+import os
+
import pytest
import org_fedora_oscap.content_discovery as tested_module
@@ -46,3 +48,22 @@ def test_reduce(labelled_files):
reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
assert reduced == labelled_files
+
+
+def test_path_presence_detection():
+ list_of_paths = ["file1", os.path.abspath("file2"), os.path.abspath("dir///file3")]
+
+ list_of_paths_in_list = [
+ "file1", os.path.abspath("file1"), "./file1",
+ "file2", "dir/..//file2",
+ "dir/../dir/file3", "dir/file3",
+ ]
+ list_of_paths_not_in_list = [
+ "../file1", "file3"
+ ]
+
+ for path in list_of_paths_in_list:
+ assert tested_module.path_is_present_among_paths(path, list_of_paths)
+
+ for path in list_of_paths_not_in_list:
+ assert not tested_module.path_is_present_among_paths(path, list_of_paths)
From 9808e21ff4e6a4ce878d556f26cfddede04c870f Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Wed, 16 Nov 2022 15:35:09 +0100
Subject: [PATCH 2/3] Compare paths according to their equivalence
not according their arbitrary string form
---
org_fedora_oscap/content_discovery.py | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index ebef618e..9da44e73 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -46,10 +46,14 @@ def clear_all(data):
data.dry_run = False
+def paths_are_equivalent(p1, p2):
+ return os.path.abspath(p1) == os.path.abspath(p2)
+
+
def path_is_present_among_paths(path, paths):
absolute_path = os.path.abspath(path)
for second_path in paths:
- if absolute_path == os.path.abspath(second_path):
+ if paths_are_equivalent(path, second_path):
return True
return False
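Review bot: After this change `absolute_path` in `path_is_present_among_paths` is computed but never used, since the comparison now goes through `paths_are_equivalent(path, second_path)`, which recomputes `os.path.abspath(path)` on every iteration. Either drop the local or collapse the loop to `return any(paths_are_equivalent(path, second_path) for second_path in paths)`. Note that `os.path.abspath` normalises `..` lexically without touching the filesystem, so this equivalence deliberately ignores symlinks; a one-line comment saying so would prevent a later "fix" to `realpath` from silently changing the test expectations.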
@@ -237,7 +241,7 @@ def reduce_files(self, labelled_files, expected_path, categories):
)
raise RuntimeError(msg)
for path, label in labelled_files.items():
- if label in categories and path != expected_path:
+ if label in categories and not paths_are_equivalent(path, expected_path):
continue
reduced_files[path] = label
return reduced_files
From b422abba29a9304225c97e79945cf0f1a21de810 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com>
Date: Tue, 22 Nov 2022 15:44:13 +0100
Subject: [PATCH 3/3] Fix tests when relative content paths are enforced
---
org_fedora_oscap/content_discovery.py | 2 +-
org_fedora_oscap/service/installation.py | 7 ++++++-
tests/test_content_discovery.py | 3 ++-
tests/test_installation.py | 2 +-
tests/test_kickstart.py | 6 +++---
tests/test_service_kickstart.py | 19 +++++++++++++++----
6 files changed, 28 insertions(+), 11 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 9da44e73..61c49307 100644
--- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py
@@ -239,7 +239,7 @@ def reduce_files(self, labelled_files, expected_path, categories):
f"Expected a file {expected_path} to be part of the supplied content, "
f"but it was not the case, got only {list(labelled_files.keys())}"
)
- raise RuntimeError(msg)
+ raise content_handling.ContentHandlingError(msg)
for path, label in labelled_files.items():
if label in categories and not paths_are_equivalent(path, expected_path):
continue
diff --git a/org_fedora_oscap/service/installation.py b/org_fedora_oscap/service/installation.py
index f6674794..5ca102c0 100644
--- a/org_fedora_oscap/service/installation.py
+++ b/org_fedora_oscap/service/installation.py
@@ -23,10 +23,11 @@
from pyanaconda.core import util
from pyanaconda.modules.common.task import Task
from pyanaconda.modules.common.errors.installation import NonCriticalInstallationError
+from pykickstart.errors import KickstartValueError
from org_fedora_oscap import common, data_fetch, rule_handling, utils
from org_fedora_oscap.common import _, get_packages_data, set_packages_data
-from org_fedora_oscap.content_handling import ContentCheckError
+from org_fedora_oscap.content_handling import ContentCheckError, ContentHandlingError
from org_fedora_oscap import content_discovery
log = logging.getLogger("anaconda")
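Review bot: `from pykickstart.errors import KickstartValueError` is added but nothing in this patch uses the name — the diffstat's six insertions for installation.py are fully accounted for by the two import lines and the four-line `elif` branch in the next hunk — so it is an unused import unless code outside the patch already references it, in which case the import would have been needed before. Either drop the line or add the handler it was meant to serve.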
@@ -48,6 +49,10 @@ def _handle_error(exception):
msg = _("There was an error fetching and loading the security content:\n" +
f"{str(exception)}")
terminate(msg)
+ elif isinstance(exception, ContentHandlingError):
+ msg = _("There was a problem with the supplied security content:\n" +
+ f"{str(exception)}")
+ terminate(msg)
else:
msg = _("There was an unexpected problem with the supplied content.")
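Review bot: The new `ContentHandlingError` branch builds its message as `_("...:\n" + f"{str(exception)}")`, so the string handed to `_` already contains the exception text and, if `_` is the gettext wrapper imported from `common`, can never match a catalog entry — the message is untranslatable (the `ContentCheckError` branch above has the same shape, so this copies an existing problem rather than introducing a new one). Translate the constant part only and substitute afterwards: `msg = _("There was a problem with the supplied security content:\n%s") % exception`. `_handle_error` begins outside the hunk.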
diff --git a/tests/test_content_discovery.py b/tests/test_content_discovery.py
index d6e14d9f..d664edee 100644
--- a/tests/test_content_discovery.py
+++ b/tests/test_content_discovery.py
@@ -3,6 +3,7 @@
import pytest
import org_fedora_oscap.content_discovery as tested_module
+from org_fedora_oscap import content_handling
@pytest.fixture
@@ -43,7 +44,7 @@ def test_reduce(labelled_files):
assert len(reduced) == len(labelled_files) - d_count - x_count + 1
assert "dir/XCCDF" in reduced
- with pytest.raises(RuntimeError, match="dir/datastream4"):
+ with pytest.raises(content_handling.ContentHandlingError, match="dir/datastream4"):
bringer.reduce_files(labelled_files, "dir/datastream4", ["D"])
reduced = bringer.reduce_files(labelled_files, "cpe", ["C"])
diff --git a/tests/test_installation.py b/tests/test_installation.py
index 302f5ed3..2cf78db1 100644
--- a/tests/test_installation.py
+++ b/tests/test_installation.py
@@ -76,7 +76,7 @@ def test_fetch_content_task(caplog, file_path, content_path):
assert task.name == "Fetch the content, and optionally perform check or archive extraction"
- with pytest.raises(NonCriticalInstallationError, match="Couldn't find a valid datastream"):
+ with pytest.raises(NonCriticalInstallationError, match="Expected a file"):
task.run()
diff --git a/tests/test_kickstart.py b/tests/test_kickstart.py
index d4cfda23..60fe63d8 100644
--- a/tests/test_kickstart.py
+++ b/tests/test_kickstart.py
@@ -160,7 +160,7 @@ def test_rpm(service):
content-url = http://example.com/oscap_content.rpm
content-type = RPM
profile = Web Server
- xccdf-path = /usr/share/oscap/xccdf.xml
+ xccdf-path = usr/share/oscap/xccdf.xml
%end
"""
check_ks_input(service, ks_in)
@@ -169,7 +169,7 @@ def test_rpm(service):
%addon com_redhat_oscap
content-type = rpm
content-url = http://example.com/oscap_content.rpm
- content-path = /usr/share/oscap/xccdf.xml
+ content-path = usr/share/oscap/xccdf.xml
profile = Web Server
%end
"""
@@ -195,7 +195,7 @@ def test_rpm_with_wrong_suffix(service):
content-url = http://example.com/oscap_content.xml
content-type = RPM
profile = Web Server
- xccdf-path = /usr/share/oscap/xccdf.xml
+ xccdf-path = usr/share/oscap/xccdf.xml
%end
"""
check_ks_input(service, ks_in, errors=[


@ -0,0 +1,52 @@
From 3d7a943969d542392134f55078eadb0793b094dc Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 22 Sep 2021 17:52:03 +0200
Subject: [PATCH 1/2] Specify a unique screen id
All spokes and hubs should provide a unique id.
---
org_fedora_oscap/gui/spokes/oscap.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index fe26076..44c7ced 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -204,6 +204,11 @@ class OSCAPSpoke(NormalSpoke):
# as it is displayed inside the spoke as the spoke label,
# and spoke labels are all uppercase by a convention.
+ @staticmethod
+ def get_screen_id():
+ """Return a unique id of this UI screen."""
+ return "security-policy-selection"
+
@classmethod
def should_run(cls, environment, data):
return is_module_available(OSCAP)
From ae9fdc9e6e189db215aeb39f2881311e5281587b Mon Sep 17 00:00:00 2001
From: Vendula Poncova <vponcova@redhat.com>
Date: Wed, 22 Sep 2021 17:52:51 +0200
Subject: [PATCH 2/2] Remove the help_id attribute
The help_id attribute is no longer used. Specify a screen id
or redefine the help handler to provide the built-in help.
---
org_fedora_oscap/gui/spokes/oscap.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 44c7ced..6d0aa5c 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -185,9 +185,6 @@ class OSCAPSpoke(NormalSpoke):
# name of the .glade file in the same directory as this source
uiFile = "oscap.glade"
- # id of the help content for this spoke
- help_id = "SecurityPolicySpoke"
-
# domain of oscap-anaconda-addon translations
translationDomain = "oscap-anaconda-addon"


@ -1,4 +1,4 @@
From 58d4847dc4b55b9d4982be9505127679beca87c6 Mon Sep 17 00:00:00 2001 From 5e91b77a0e96b811d95b7fa48cfd8f645a5616eb Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Wed, 18 Jan 2023 16:36:36 +0100 Date: Wed, 18 Jan 2023 16:36:36 +0100
Subject: [PATCH 1/2] Handle the URL with missing :// Subject: [PATCH 1/2] Handle the URL with missing ://
@ -8,10 +8,10 @@ Subject: [PATCH 1/2] Handle the URL with missing ://
1 file changed, 12 insertions(+), 4 deletions(-) 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py diff --git a/org_fedora_oscap/content_discovery.py b/org_fedora_oscap/content_discovery.py
index 42c61e0..23fdafd 100644 index 61c4930..76959cd 100644
--- a/org_fedora_oscap/content_discovery.py --- a/org_fedora_oscap/content_discovery.py
+++ b/org_fedora_oscap/content_discovery.py +++ b/org_fedora_oscap/content_discovery.py
@@ -67,9 +67,14 @@ def content_uri(self): @@ -88,9 +88,14 @@ def content_uri(self):
@content_uri.setter @content_uri.setter
def content_uri(self, uri): def content_uri(self, uri):
@ -29,7 +29,7 @@ index 42c61e0..23fdafd 100644
def fetch_content(self, what_if_fail, ca_certs_path=""): def fetch_content(self, what_if_fail, ca_certs_path=""):
""" """
@@ -80,7 +85,10 @@ def fetch_content(self, what_if_fail, ca_certs_path=""): @@ -101,7 +106,10 @@ def fetch_content(self, what_if_fail, ca_certs_path=""):
should handle them in the calling layer. should handle them in the calling layer.
ca_certs_path: Path to the HTTPS certificate file ca_certs_path: Path to the HTTPS certificate file
""" """
@ -42,7 +42,7 @@ index 42c61e0..23fdafd 100644
self.CONTENT_DOWNLOAD_LOCATION.mkdir(parents=True, exist_ok=True) self.CONTENT_DOWNLOAD_LOCATION.mkdir(parents=True, exist_ok=True)
fetching_thread_name = self._fetch_files( fetching_thread_name = self._fetch_files(
From cbfdae4f43ade3ef982a967f3e2844e66db3f9a0 Mon Sep 17 00:00:00 2001 From 9588cb840d8c6193157e677decad843539bd2819 Mon Sep 17 00:00:00 2001
From: Matej Tyc <matyc@redhat.com> From: Matej Tyc <matyc@redhat.com>
Date: Wed, 18 Jan 2023 16:36:53 +0100 Date: Wed, 18 Jan 2023 16:36:53 +0100
Subject: [PATCH 2/2] Stop fetching when there is an invalid profile Subject: [PATCH 2/2] Stop fetching when there is an invalid profile
@ -52,11 +52,11 @@ Subject: [PATCH 2/2] Stop fetching when there is an invalid profile
1 file changed, 2 insertions(+) 1 file changed, 2 insertions(+)
diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index d8e6ce2..54eae1e 100644 index 97c4553..7765fbf 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py --- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py +++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -469,6 +469,8 @@ def update_progress_label(msg): @@ -505,6 +505,8 @@ def update_progress_label(msg):
if self._addon_data.profile_id and not selected: if self._policy_data.profile_id and not selected:
# profile ID given, but it was impossible to select it -> invalid # profile ID given, but it was impossible to select it -> invalid
# profile ID given # profile ID given
+ with self._fetch_flag_lock: + with self._fetch_flag_lock:

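--- a/oscap-anaconda-addon.spec
+++ b/oscap-anaconda-addon.spec
@@ -0,0 +1,338 @@
+%if 0%{?rhel} == 8
+%define anaconda_core_version 33
+%endif
+%if 0%{?rhel} == 9
+%define anaconda_core_version 34
+%endif
+%if 0%{?fedora}
+%define anaconda_core_version %{fedora}
+%endif
+Name: oscap-anaconda-addon
+Version: 2.0.0
+Release: 21%{?dist}
+Summary: Anaconda addon integrating OpenSCAP to the installation process
+License: GPLv2+
+URL: https://github.com/OpenSCAP/oscap-anaconda-addon
+Source0: https://github.com/OpenSCAP/oscap-anaconda-addon/releases/download/r%{version}/%{name}-%{version}.tar.gz
+# TODO: Remove when the fixed upstream release contains dbus service data
+Source1: addon-dbus-data.zip
+Patch1: lang.patch
+Patch2: oscap-anaconda-addon-2.0.1-various_bugfixes-PR_166.patch
+Patch3: oscap-anaconda-addon-2.0.1-fix_archive_handling-PR_170.patch
+Patch4: oscap-anaconda-addon-2.0.1-fix_no_hardening-PR_176.patch
+Patch5: oscap-anaconda-addon-2.0.1-fix_fingerprint-PR_177.patch
+Patch6: oscap-anaconda-addon-2.0.1-rhel9_tailoring_fix-PR_180.patch
+Patch7: oscap-anaconda-addon-1.2.2-dbus_show_integration-PR_182.patch
+Patch8: oscap-anaconda-addon-2.1.0-unified_help-PR_192.patch
+Patch9: oscap-anaconda-addon-2.0.1-absent_appstream-PR_185.patch
+Patch10: oscap-anaconda-addon-2.0.1-fix_strings-PR_207.patch
+Patch11: oscap-anaconda-addon-2.1.0-clicking_fix-PR_223.patch
+Patch12: oscap-anaconda-addon-2.1.0-archive_handling-PR_224.patch
+Patch13: oscap-anaconda-addon-2.1.0-content_paths-PR_227.patch
+Patch14: oscap-anaconda-addon-null-http_only_uri-PR_233.patch
+Patch15: oscap-anaconda-addon-2.0.1-tar-extraction-PR_250.patch
+Patch16: oscap-anaconda-addon-2.0.1-package-groups-PR_248.patch
+Patch17: oscap-anaconda-addon-2.0.1-fix_fips_hashes_PR_255.patch
+Patch18: oscap-anaconda-addon-2.0.1-fix_fips_hashes_2_PR_257.patch
+BuildArch: noarch
+BuildRequires: make
+BuildRequires: gettext
+BuildRequires: python3-devel
+BuildRequires: python3-pycurl
+BuildRequires: openscap openscap-utils openscap-python3
+BuildRequires: anaconda-core >= %{anaconda_core_version}
+Requires: anaconda-core >= %{anaconda_core_version}
+Requires: python3-pycurl
+Requires: python3-kickstart
+Requires: openscap openscap-utils openscap-python3
+Requires: scap-security-guide
+%description
+This is an addon that integrates OpenSCAP utilities with the Anaconda installer
+and allows installation of systems following restrictions given by a SCAP
+content.
+%prep
+%autosetup -p1
+unzip %{_sourcedir}/addon-dbus-data.zip
+%build
+%check
+%install
+make install DESTDIR=%{buildroot}
+%find_lang %{name}
+%files -f %{name}.lang
+%{_datadir}/anaconda/addons/org_fedora_oscap
+%{_datadir}/anaconda/dbus/confs/org.fedoraproject.Anaconda.Addons.OSCAP.conf
+%{_datadir}/anaconda/dbus/services/org.fedoraproject.Anaconda.Addons.OSCAP.service
+%doc COPYING ChangeLog README.md
+%changelog
+* Wed Nov 06 2024 Evgenii Kolesnikov <ekolesni@redhat.com> - 2.0.0-21
+- Fix Patch18 name (RHEL-40367)
+* Wed Nov 06 2024 Evgenii Kolesnikov <ekolesni@redhat.com> - 2.0.0-20
+- Re-fix checksums in FIPS mode (RHEL-40367)
+* Mon Oct 21 2024 Evgenii Kolesnikov <ekolesni@redhat.com> - 2.0.0-19
+- Add missing chunk for PR_227 patch file (RHEL-40367)
+* Mon Oct 14 2024 Evgenii Kolesnikov <ekolesni@redhat.com> - 2.0.0-18
+- Fix checksums in FIPS mode (RHEL-40367)
+* Wed Jul 19 2023 Jan Černý <jcerny@redhat.com> - 2.0.0-17
+- Update translations (rhbz#2189526)
+- Fix tar file extraction (rhbz#2218875)
+- Fix conflict of tftp package with "network servers" group (rhbz#2172264)
+* Wed Feb 08 2023 Matej Tyc <matyc@redhat.com> - 2.0.0-16
+- Update translations
+Resolves: rhbz#2139667
+Resolves: rhbz#2150877
+* Mon Jan 23 2023 Matej Tyc <matyc@redhat.com> - 2.0.0-15
+- Fix a reaction to invalid content URI
+Resolves: rhbz#2148508
+* Fri Nov 25 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-14
+- Fix regression introduced when fixing content archive input
+Resolves: rhbz#2129008
+* Fri Nov 11 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-13
+- Fix problems with handling multi-datastream archives
+Resolves: rhbz#2129846
+- Fix a crash when compulsively clicking in the GUI
+Resolves: rhbz#2127502
+* Fri Jun 10 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-12
+- Remove the firstboot remediation feature completely.
+We can't have it, while maintaining the standard UX.
+Resolves: rhbz#2065751
+* Wed Jun 01 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-11
+- Remove the redundant dependency on oscap-utils
+Resolves: rhbz#2086822
+* Wed May 18 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-10
+- Fix strings, so they are translatable, and update translations
+Resolves: rhbz#2081268
+* Mon Mar 21 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-9
+- Introduce the firstboot remediation
+Resolves: rhbz#1999587
+- Add better error handling of installation using unsupported installation sources
+Resolves: rhbz#2042334
+* Mon Jan 24 2022 Matej Tyc <matyc@redhat.com> - 2.0.0-8
+- Introduce unified help support
+Resolves: rhbz#2043512
+- Update translations
+Resolves: rhbz#2017374
+* Mon Dec 13 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-7
+- Don't show the OSCAP spoke if the OSCAP DBus module is disabled
+Resolves: rhbz#2018954
+* Thu Nov 25 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-6
+- Fix handling of tailoring in RHEL9
+Resolves: rhbz#1996129
+* Wed Nov 10 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-5
+- Fix handling of content archives
+Resolves: rhbz#1996129
+- Fix handling of content fingerprint
+Resolves: rhbz#1993065
+- Fix crash when a previously selected hardening has been cancelled
+Resolves: rhbz#2014108
+- Pull latest translations
+* Fri Aug 20 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-4
+- Update translations
+Resolves: rhbz#1962112
+* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 2.0.0-3
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+Related: rhbz#1991688
+* Tue Aug 03 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-2
+- Fix issues with locally installed content and labelling of discovered content.
+- Resolves: rhbz#1989434
+* Fri Jul 02 2021 Matej Tyc <matyc@redhat.com> - 2.0.0-1
+- Rebase to the 2.0.0 upstream release.
+- Remove the cpio dependency which is not needed any more.
+* Wed Jun 23 2021 Jan Černý <jcerny@redhat.com> - 1.0-11
+- Rebuild after test config change in test.yml
+* Mon Jun 14 2021 Matej Tyc <matyc@redhat.com> - 1.0-10
+- Unified the spec file with the Fedora one.
+- Removed unwanted dependencies.
+- nose is not needed for a long time.
+- mock has been moved into the Python standard library, so it is also not needed.
+* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1.0-9
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+* Mon Aug 12 2019 Matěj Týč <matyc@redhat.com> - 1.0-5
+- Disabled execution of tests, as they are not meant to be executed in the build environment.
+* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+* Fri Feb 01 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+* Tue Jul 03 2018 Matěj Týč <matyc@redhat.com> - 1.0-1
+- Rebased to upstream version 1.0
+- Python3 support, anaconda 28 support.
+* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 0.7-7
+- Escape macros in %%changelog
+* Thu Feb 08 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+* Thu Feb 04 2016 Fedora Release Engineering <releng@fedoraproject.org> - 0.7-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
+* Thu Jun 18 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
+* Wed Jan 07 2015 Vratislav Podzimek <vpodzime@redhat.com> - 0.7-1
+- Adapt to changes in Anaconda
+- Define name of the spoke window
+- Set fetching flag to False when extraction error happens
+- Remove code that was pushed to the anaconda's sources
+* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-2
+- Rebuild with building issues fixed
+* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.6-1
+- Getting status needs to run in the main thread
+- Grab focus for the URL entry after switching notebook page
+- Clear rule data when unselecting profile
+- Update message as part of the initialization
+- Add BuildRequires: gettext
+- Include translations in the tarball and RPM
+* Fri Feb 28 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.5-1
+- Allow users to change content
+- Show and hide control buttons properly
+- Fix sensitivity of the URL entry and fetch button
+- Add the button allowing users to use SSG content if available
+- Fix listing python sources when creating potfile and regenerate it
+- Omit the %%addon section from kickstart in dry-run mode
+- Implement the dry-run mode in the GUI (trac#2)
+- Add UI elements for content changing and dry-run mode
+- Check content_defined instead of content_url in the GUI code
+- First select the profile, then update the message store
+- Remove unused import
+- Ignore some more temporary/backup files
+- If no content is specified and SSG is available, use it
+- New special content type -- SCAP Security Guide
+- Fix name of the property used when doing fingerprint check
+- Get rid of an unused variable
+- Fix data fetch locking to work properly with kickstart installations
+- Use 'anonymous:' if no username and password is given for FTP
+- Initial version of the translations template file
+- First steps to dry-run mode
+- Fix main notebook tabs
+- Make translations work
+- Manipulation with the i18n related files
+- If no profile is given, default to default
+- Ignore updates.img and its auxiliary directory
+- Catch only fetching errors from the fetching thread
+- Do not allow multiple simultaneous fetches/initializations
+- Prevent user from changing the URL while we try to fetch from it
+- Add support for the Default profile
+- Support FTP as a content source (#1050980)
+- React properly on archive extraction failure
+- Refactor the code pre-processing the fetched content
+- Unify exceptions from archive extraction
+- Make pylint check mandatory to pass
+- Support for hash based content integrity checking
+* Tue Jan 14 2014 Vratislav Podzimek <vpodzime@redhat.com> - 0.4-1
+- Beware of running Gtk actions from a non-main thread
+- Fix path to the tailoring file when getting rules
+- A git hook for running tests when pushing
+- Inform user if no profile is selected
+- Visually mark the selected profile
+- Better UX with content URL entry and progress label
+- React on invalid content properly (#1032846)
+- Stop spinner when data fetching is finished
+- Make the data fetching thread non-fatal (#1049989)
+- Exit code 2 from the oscap tool is not an error for us (#1050913)
+- Be ready to work with archives/RPMs containing data streams
+- Add unit tests for the keep_type_map function
+- Add support for namedtuples to keep_type_map
+- Add target for running pylint check
+- Add target for running just unittests
+- On the way to tailoring
+- Tests for kickstart XCCDF tailoring handling
+- Kickstart support for XCCDF tailoring
+- Check session validity also when using XCCDF benchmark
+* Tue Dec 10 2013 Vratislav Podzimek <vpodzime@redhat.com> - 0.3-1
+- Implement and use our own better function for joining paths
+- The content entry should have focus if there is no content
+- RPM is just a weird archive in the pre-installation phase
+- Ignore RPM files as well
+- Adapt tests to dir constants now ending with "/"
+- CpioArchive cannot be created from a piped output
+- Fix namespace definitions in the testing XCCDF file
+- Prevent putting None into xccdf_session_is_sds
+- Fix the __all__ variable in the common module
+- Strip content dir prefix when setting xccdf/cpe paths
+- Inform user we now support archive URLs as well
+- Ignore various file types in the git repository
+- Try to find content files in the fetched archive or RPM
+- Run pylint -E as part of the test target
+- Return list of extracted files/directories when extracting archive
+- Do not try to search for empty file paths in archives
+- Properly set the content type based on the URL's suffix
+- Switch profiles on double-click
+- Hook urlEntry's activate signal to fetchButton click
+- Save the spoke's glade file with a new Glade
+- The addon now requires the python-cpio package
+- Use really_hide for the UI elements for datastream-id and xccdf-id
+- Support for RPM content in the GUI spoke
+- RPM content support for kickstart processing
+- Add property for the raw post-installation content path
+- Make content type case insensitive
+- Rest of the code needed for RPM extraction
+- Actually look for the file path in entry names
+- Basic stuff needed for the RPM content support
+- Run tests in paralel
+- Specify files in a better way in spec
+* Mon Oct 21 2013 Vratislav Podzimek <vpodzime@redhat.com> - 0.2-1
+- Initial RPM for the oscap-anaconda-addon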
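Review bot: `%prep` runs `unzip %{_sourcedir}/addon-dbus-data.zip`, but `unzip` is not among the BuildRequires, so the build relies on the tool happening to be present in the buildroot; add `BuildRequires: unzip` next to the other build dependencies. The `# TODO` on `Source1` already marks the zip as a stopgap, so a one-line comment above the `unzip` call saying it goes away together with `Source1` once the upstream release carries the DBus data would keep the two in step.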

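--- a/sources
+++ b/sources
@@ -0,0 +1,2 @@
+SHA512 (oscap-anaconda-addon-2.0.0.tar.gz) = 39d8692e8904cfd6e0b2b00e5081805977f4510154315be22732b8b31a42e65ed8a11dc2711f5ad5d4964bb1728521ce472ac208852f6a2373be45903a8d5611
+SHA512 (addon-dbus-data.zip) = 2a618f6084f4dd5571d5c2aa22f7c7316e0e2de8a61c8eb13a9127f8726655e3d173d71c74ee7aa305d046a70f030ed07be8405debeb5fd0e8b6a40f081acf71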


@ -0,0 +1,64 @@
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Makefile of /Sanity/dir-install
# Description: Install using OAA into a directory, check that the results file from the final scan contains FIXED results, which proves that remediations were executed.
# Author: Matej Tyc <matyc@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2019 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
export TEST=/Sanity/dir-install
export TESTVERSION=1.0
BUILT_FILES=
FILES=$(METADATA) runtest.sh Makefile PURPOSE kickstart.cfg test-ds.xml
.PHONY: all install download clean
run: $(FILES) build
./runtest.sh
build: $(BUILT_FILES)
test -x runtest.sh || chmod a+x runtest.sh
clean:
rm -f *~ $(BUILT_FILES)
include /usr/share/rhts/lib/rhts-make.include
$(METADATA): Makefile
@echo "Owner: Matej Tyc <matyc@redhat.com>" > $(METADATA)
@echo "Name: $(TEST)" >> $(METADATA)
@echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
@echo "Path: $(TEST_DIR)" >> $(METADATA)
@echo "Description: Install using OAA into a directory, check that the results file from the final scan contains FIXED results, which proves that remediations were executed." >> $(METADATA)
@echo "Type: Sanity" >> $(METADATA)
@echo "TestTime: 1h" >> $(METADATA)
@echo "RunFor: oscap-anaconda-addon" >> $(METADATA)
@echo "Requires: oscap-anaconda-addon" >> $(METADATA)
@echo "Priority: Normal" >> $(METADATA)
@echo "License: GPLv2+" >> $(METADATA)
@echo "Confidential: no" >> $(METADATA)
@echo "Destructive: no" >> $(METADATA)
@echo "Bug: 1653915" >> $(METADATA)
@echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
rhts-lint $(METADATA)
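Review bot: `.PHONY: all install download clean` declares three targets this Makefile never defines (`all`, `install`, `download`) and leaves the real non-file targets `run` and `build` undeclared, so a stray file named `run` or `build` in the test directory could make them appear up to date and be skipped; the line should read `.PHONY: run build clean`. A short comment above `$(METADATA): Makefile` noting that the metadata file is regenerated whenever this Makefile changes would also help the next editor see why the descriptions are duplicated here and in PURPOSE.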


@ -0,0 +1,3 @@
PURPOSE of /Sanity/dir-install
Description: Install using OAA into a directory, check that the results file from the final scan contains FIXED results, which proves that remediations were executed.
Author: Matej Tyc <matyc@redhat.com>


@ -0,0 +1,37 @@
lang en_US
keyboard us
timezone --utc America/New_York
reboot
url --url=@BASEOS_HTTP@
bootloader --location=mbr --append="rhgb quiet crashkernel=auto"
zerombr
clearpart --all --initlabel
autopart
authselect --passalgo=sha512 --useshadow
selinux --enforcing
firewall --enabled --ssh
skipx
firstboot --disable
repo --name=appstream --baseurl=@APPSTREAM_HTTP@
# Set the system's root password (required)
# Plaintext password is: server
# Refer to e.g. http://fedoraproject.org/wiki/Anaconda/Kickstart#rootpw to see how to create
# encrypted password form for different plaintext password
rootpw --iscrypted $6$rhel6usgcb$aS6oPGXcPKp3OtFArSrhRwu6sN8q2.yEGY7AIwDOQd23YCtiz9c5mXbid1BzX9bmXTEZi.hCzTEXFosVBI5ng0
# The selected profile will restrict root login
# Add a user that can login and escalate privileges
# Plaintext password is: admin123
user --name=admin --groups=wheel --password=$6$Ga6ZnIlytrWpuCzO$q0LqT1USHpahzUafQM9jyHCY9BiE5/ahXLNWUMiVQnFGblu0WWGZ1e6icTaCGO4GNgZNtspp1Let/qpM7FMVB0 --iscrypted
# Packages selection (%packages section is required)
%packages
openscap-scanner
%end
%addon org_fedora_oscap
content-type = datastream
content-url = http://localhost:8000/test-ds.xml
profile = xccdf_org.ssgproject.content_profile_standard
%end
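Review bot: The fixture ships two crypted credentials whose plaintexts are spelled out in the comments (`server`, `admin123`), and the `rootpw` hash with the `rhel6usgcb` salt looks like the example hash circulated in SSG kickstarts, so the installed tree is only acceptable as a disposable `--dirinstall` target. A header comment should say so, e.g. `# Test fixture with publicly known credentials: the installed tree must never be booted or reused; runtest.sh removes it`. `reboot` and `firewall --enabled --ssh` presumably have no effect in a directory install and could be dropped to keep the fixture minimal.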


@ -0,0 +1,80 @@
#!/bin/bash
# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# runtest.sh of /Sanity/dir-install
# Description: Install using OAA into a directory, check that the results file from the final scan contains FIXED results, which proves that remediations were executed.
# Author: Matej Tyc <matyc@redhat.com>
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Copyright (c) 2019 Red Hat, Inc.
#
# This program is free software: you can redistribute it and/or
# modify it under the terms of the GNU General Public License as
# published by the Free Software Foundation, either version 2 of
# the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be
# useful, but WITHOUT ANY WARRANTY; without even the implied
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
# PURPOSE. See the GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see http://www.gnu.org/licenses/.
#
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
. /usr/share/beakerlib/beakerlib.sh || exit 1
PACKAGE="oscap-anaconda-addon"
KS=`pwd`/kickstart.cfg
INSTALLDIR=`pwd`/install
function get_fedora_repo_url {
local rawhide_repo="/etc/yum.repos.d/fedora-rawhide.repo"
if [ -f "$rawhide_repo" ]; then
dnf repoinfo rawhide 2>/dev/null | grep -i "baseurl" | awk '{print $3}'
else
dnf repoinfo fedora 2>/dev/null | grep -i "baseurl" | awk '{print $3}'
fi
}
# $1: Channel (baseos|appstream)
function get_rhel_repo_url {
grep -Ri "baseurl=.*$1.*/os" /etc/yum.repos.d/ | sed -e 's/.*baseurl=//' | head -n 1
}
rlJournalStart
rlPhaseStartSetup
rlAssertRpm "$PACKAGE"
if rlIsRHEL; then
baseos_url=$(get_rhel_repo_url baseos)
appstream_url=$(get_rhel_repo_url appstream)
rlRun "sed -i 's|@BASEOS_HTTP@|$baseos_url|' $KS"
rlRun "sed -i 's|@APPSTREAM_HTTP@|$appstream_url|' $KS"
else
baseos_url=$(get_fedora_repo_url)
rlRun "sed -i 's|@BASEOS_HTTP@|$baseos_url|' $KS"
rlRun "sed -i '/^.*@APPSTREAM_HTTP@.*$/d' $KS"
fi
python3 -m http.server &
server_pid=$!
rlPhaseEnd
rlPhaseStartTest
rlRun "mkdir install" 0 "Making install directory"
rlRun "anaconda --dirinstall $INSTALLDIR --kickstart $KS" 0 "Installing into a directory"
rlRun "test -f $INSTALLDIR/rh_baseos_test" 0 "Make sure that rh_baseos_test exists in the root of the installed system"
rlPhaseEnd
rlPhaseStartCleanup
rlRun "kill $server_pid" 0 "Terminating the Python server that serves the datastream"
rlRun "rm -rf $INSTALLDIR" 0 "Remove the directory with the system installation"
rlPhaseEnd
rlJournalPrintText
rlJournalEnd
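Review bot: `python3 -m http.server &` binds to all interfaces and serves the whole test directory, including `kickstart.cfg` with its crypted credentials and the repo URLs substituted into it, to the network for the length of the install, while the kickstart only fetches `test-ds.xml` over `localhost`; bind it to loopback with `python3 -m http.server --bind 127.0.0.1 &` (and `--directory` pointing at a subdirectory holding just the datastream, if the host Python has it). The `sed -i` calls in setup rewrite `kickstart.cfg` in place, so the `@BASEOS_HTTP@`/`@APPSTREAM_HTTP@` placeholders are gone after the first run and a rerun installs from whatever was substituted last; work on a copy instead, `KS=$(mktemp)` followed by `cp kickstart.cfg "$KS"` before the `sed` lines. The PURPOSE text says the final scan's results file should contain FIXED results, but the test only asserts `test -f $INSTALLDIR/rh_baseos_test`; either check the results file or bring the description in line with the assertion.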


@ -0,0 +1,55 @@
<?xml version="1.0" encoding="utf-8"?>
<ds:data-stream-collection xmlns:ds="http://scap.nist.gov/schema/scap/source/1.2" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:cat="urn:oasis:names:tc:entity:xmlns:xml:catalog" id="scap_org.open-scap_collection_from_xccdf_xccdf.xml" schematron-version="1.2"><ds:data-stream id="scap_org.open-scap_datastream_from_xccdf_xccdf.xml" scap-version="1.2" use-case="OTHER"><ds:checklists><ds:component-ref id="scap_org.open-scap_cref_xccdf.xml" xlink:href="#scap_org.open-scap_comp_xccdf.xml"><cat:catalog><cat:uri name="oval.xml" uri="#scap_org.open-scap_cref_oval.xml"/></cat:catalog></ds:component-ref></ds:checklists><ds:checks><ds:component-ref id="scap_org.open-scap_cref_oval.xml" xlink:href="#scap_org.open-scap_comp_oval.xml"/></ds:checks></ds:data-stream><ds:component id="scap_org.open-scap_comp_oval.xml" timestamp="2016-09-07T20:50:46"><oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xmlns:unix="http://oval.mitre.org/XMLSchema/oval-definitions-5#unix" xmlns:linux="http://oval.mitre.org/XMLSchema/oval-definitions-5#linux" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#unix unix-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#linux linux-definitions-schema.xsd">
<generator>
<oval:schema_version>5.10</oval:schema_version>
<oval:timestamp>0001-01-01T00:00:00+00:00</oval:timestamp>
</generator>
<definitions>
<definition class="compliance" version="1" id="oval:x:def:1">
<metadata>
<title>x</title>
<description>x</description>
<affected family="unix">
<platform>Minimal test environment</platform>
</affected>
</metadata>
<criteria>
<criterion test_ref="oval:x:tst:1" comment="always pass"/>
</criteria>
</definition>
</definitions>
<tests>
<unix:file_test id="oval:x:tst:1" version="1" check="all" check_existence="all_exist" comment="check presence of file">
<unix:object object_ref="oval:x:obj:1"/>
</unix:file_test>
</tests>
<objects>
<unix:file_object id="oval:x:obj:1" version="1">
<unix:filepath>/rh_baseos_test</unix:filepath>
</unix:file_object>
</objects>
</oval_definitions></ds:component><ds:component id="scap_org.open-scap_comp_xccdf.xml" timestamp="2016-09-07T21:00:59"><Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_test_benchmark_container">
<status>incomplete</status>
<platform idref="cpe:/o:fedoraproject:fedora"/>
<platform idref="cpe:/o:redhat:enterprise_linux"/>
<version>1.0</version>
<model system="urn:xccdf:scoring:default"/>
<Profile id="xccdf_org.ssgproject.content_profile_standard">
<title xmlns:xhtml="http://www.w3.org/1999/xhtml" xml:lang="en-US">Dummy standard profile</title>
<select idref="xccdf_test_rule_check_test_file" selected="true"/>
</Profile>
<Rule selected="true" id="xccdf_test_rule_check_test_file">
<fix id="check_test_file" system="urn:xccdf:fix:script:sh" complexity="low" disruption="low" strategy="configure">
touch /rh_baseos_test
</fix>
<check system="http://oval.mitre.org/XMLSchema/oval-definitions-5">
<check-content-ref href="oval.xml" name="oval:x:def:1"/>
</check>
</Rule>
</Benchmark></ds:component></ds:data-stream-collection>

27
tests/tests.yml Normal file

@ -0,0 +1,27 @@
---
- hosts: localhost
roles:
- role: standard-test-source
tags:
- always
- role: standard-test-basic
tags:
- classic
required_packages:
- "python3-pytest"
- "anaconda"
tests:
- smoke:
run: "PYTHONPATH=/usr/share/anaconda/addons py.test-3 ."
dir: "./source/tests"
- role: standard-test-beakerlib
tags:
- classic
required_packages:
- "python3-pytest" # Not needed for this test, it is just a temp workaround for an Ansible bug https://github.com/ansible/ansible/issues/57365
- "anaconda"
tests:
- Sanity/dir-install:
timeout: 1h