diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py index f712ac4..738465f 100644 --- a/org_fedora_oscap/rule_handling.py +++ b/org_fedora_oscap/rule_handling.py @@ -26,7 +26,13 @@ import optparse import shlex import logging + from pyanaconda.pwpolicy import F22_PwPolicyData +from pyanaconda.core.constants import ( + FIREWALL_ENABLED, FIREWALL_DISABLED, FIREWALL_USE_SYSTEM_DEFAULTS) +from pyanaconda.modules.common.constants.objects import FIREWALL, BOOTLOADER +from pyanaconda.modules.common.constants.services import NETWORK, STORAGE, USERS + from org_fedora_oscap import common from org_fedora_oscap.common import OSCAPaddonError, RuleMessage @@ -496,7 +502,10 @@ def eval_rules(self, ksdata, storage, report_only=False): return [] ret = [] - if not ksdata.rootpw.password: + + users_proxy = USERS.get_proxy() + + if not users_proxy.IsRootPasswordSet: # root password was not set msg = _("make sure to create password with minimal length of %d " @@ -505,12 +514,12 @@ def eval_rules(self, ksdata, storage, report_only=False): common.MESSAGE_TYPE_WARNING, msg)] else: # root password set - if ksdata.rootpw.isCrypted: + if users_proxy.IsRootPasswordCrypted: msg = _("cannot check root password length (password is crypted)") log.warning("cannot check root password length (password is crypted)") return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg)] - elif len(ksdata.rootpw.password) < self._minlen: + elif len(users_proxy.RootPassword) < self._minlen: # too short msg = _("root password is too short, a longer one with at " "least %d characters is required") % self._minlen @@ -705,10 +714,13 @@ def __str__(self): def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" - if self._require_password and not storage.bootloader.password: - # Anaconda doesn't provide a way to set bootloader password, so - # users cannot do much about that --> we shouldn't stop the - # installation, should we? + bootloader_proxy = STORAGE.get_proxy(BOOTLOADER) + + if self._require_password and not bootloader_proxy.password_is_set: + # TODO: Anaconda provides a way to set bootloader password: + # bootloader_proxy.set_password(...) + # We don't support setting the bootloader password yet, + # but we shouldn't stop the installation, just because of that. return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, "boot loader password not set up")] else: @@ -802,8 +814,13 @@ def __init__(self): self._added_trusts = set() self._removed_svcs = set() + self._new_services_to_add = set() + self._new_ports_to_add = set() + self._new_trusts_to_add = set() + self._new_services_to_remove = set() + self._firewall_enabled = None - self._firewall_default_enabled = None + self._firewall_default_state = None def add_services(self, services): """ @@ -895,25 +912,26 @@ def __str__(self): def eval_rules(self, ksdata, storage, report_only=False): """:see: RuleHandler.eval_rules""" + firewall_proxy = NETWORK.get_proxy(FIREWALL) messages = [] - if self._firewall_default_enabled is None: + if self._firewall_default_state is None: # firewall default startup setting - self._firewall_default_enabled = ksdata.firewall.enabled + self._firewall_default_state = firewall_proxy.FirewallMode if self._firewall_enabled is False: msg = _("Firewall will be disabled on startup") messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: - ksdata.firewall.enabled = self._firewall_enabled + firewall_proxy.SetFirewallMode(FIREWALL_DISABLED) elif self._firewall_enabled is True: msg = _("Firewall will be enabled on startup") messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) if not report_only: - ksdata.firewall.enabled = self._firewall_enabled + firewall_proxy.SetFirewallMode(FIREWALL_ENABLED) # add messages for the already added services for svc in self._added_svcs: @@ -937,49 +955,58 @@ def eval_rules(self, ksdata, storage, report_only=False): common.MESSAGE_TYPE_INFO, msg)) # services, that should be added - services_to_add = (svc for svc in self._add_svcs - if svc not in ksdata.firewall.services) + self._new_services_to_add = { + svc for svc in self._add_svcs + if svc not in firewall_proxy.EnabledServices} # ports, that should be added - ports_to_add = (ports for ports in self._add_ports - if ports not in ksdata.firewall.ports) + self._new_ports_to_add = { + ports for ports in self._add_ports + if ports not in firewall_proxy.EnabledPorts} # trusts, that should be added - trusts_to_add = (trust for trust in self._add_trusts - if trust not in ksdata.firewall.trusts) + self._new_trusts_to_add = { + trust for trust in self._add_trusts + if trust not in firewall_proxy.Trusts} - for svc in services_to_add: + for svc in self._new_services_to_add: # add the service unless already added if not report_only: self._added_svcs.add(svc) - ksdata.firewall.services.append(svc) msg = _("service '%s' has been added to the list of services to be " "added to the firewall" % svc) messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + if not report_only: + all_services = list(self._add_svcs.union(set(firewall_proxy.EnabledServices))) + firewall_proxy.SetEnabledServices(all_services) - for port in ports_to_add: + for port in self._new_ports_to_add: # add the port unless already added if not report_only: self._added_ports.add(port) - ksdata.firewall.ports.append(port) msg = _("port '%s' has been added to the list of ports to be " "added to the firewall" % port) messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + if not report_only: + all_ports = list(self._add_ports.union(set(firewall_proxy.EnabledPorts))) + firewall_proxy.SetEnabledPorts(all_ports) - for trust in trusts_to_add: + for trust in self._new_trusts_to_add: # add the trust unless already added if not report_only: self._added_trusts.add(trust) - ksdata.firewall.trusts.append(trust) msg = _("trust '%s' has been added to the list of trusts to be " "added to the firewall" % trust) messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + if not report_only: + all_trusts = list(self._add_trusts.union(set(firewall_proxy.Trusts))) + firewall_proxy.SetTrusts(all_trusts) # now do the same for the services that should be excluded @@ -990,52 +1017,56 @@ def eval_rules(self, ksdata, storage, report_only=False): messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) - # services, that should be added - services_to_remove = (svc for svc in self._remove_svcs - if svc not in ksdata.firewall.remove_services) + # services, that should be excluded + self._new_services_to_remove = { + svc for svc in self._remove_svcs + if svc not in firewall_proxy.DisabledServices} - for svc in services_to_remove: + for svc in self._new_services_to_remove: # exclude the service unless already excluded if not report_only: self._removed_svcs.add(svc) - ksdata.firewall.remove_services.append(svc) msg = _("service '%s' has been added to the list of services to be " "removed from the firewall" % svc) messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg)) + if not report_only: + all_services = list(self._remove_svcs.union(set(firewall_proxy.DisabledServices))) + firewall_proxy.SetDisabledServices(all_services) return messages def revert_changes(self, ksdata, storage): """:see: RuleHander.revert_changes""" + firewall_proxy = NETWORK.get_proxy(FIREWALL) if self._firewall_enabled is not None: - ksdata.firewall.enabled = self._firewall_default_enabled + firewall_proxy.SetFirewallMode(self._firewall_default_state) # remove all services this handler added - for svc in self._added_svcs: - if svc in ksdata.firewall.services: - ksdata.firewall.services.remove(svc) + all_services = firewall_proxy.EnabledServices + orig_services = set(all_services).difference(self._new_services_to_add) + firewall_proxy.SetEnabledServices(list(orig_services)) # remove all ports this handler added - for port in self._added_ports: - if port in ksdata.firewall.ports: - ksdata.firewall.ports.remove(port) + all_ports = firewall_proxy.EnabledPorts + orig_ports = set(all_ports).difference(self._new_ports_to_add) + firewall_proxy.SetEnabledPorts(list(orig_ports)) # remove all trusts this handler added - for trust in self._added_trusts: - if trust in ksdata.firewall.trusts: - ksdata.firewall.trusts.remove(trust) + all_trusts = firewall_proxy.Trusts + orig_trusts = set(all_trusts).difference(self._new_trusts_to_add) + firewall_proxy.SetTrusts(list(orig_trusts)) # remove all services this handler excluded - for svc in self._removed_svcs: - if svc in ksdata.firewall.remove_services: - ksdata.firewall.remove_services.remove(svc) + all_services = firewall_proxy.DisabledServices + orig_services = set(all_services).difference(self._new_services_to_remove) + firewall_proxy.SetDisabledServices(list(orig_services)) self._added_svcs = set() self._added_ports = set() self._added_trusts = set() self._removed_svcs = set() self._firewall_enabled = None - self._firewall_default_enabled = None + self._firewall_default_state = None