From 94b9b90c818eb18f0ca8d78fe063dc5b0677c885 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Tue, 22 Jun 2021 12:58:03 +0200 Subject: [PATCH] [rhui] add plugin to RHUI Add a new/revoked plugin for RHUI (newly based on python3 and pulp-3). Edditionally, collect /etc/pki/pulp certificates except for RSA keys. Resolves: #2590 Signed-off-by: Pavel Moravec --- sos/report/plugins/pulpcore.py | 7 ++++- sos/report/plugins/rhui.py | 49 ++++++++++++++++++++++++++++++++++ 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 sos/report/plugins/rhui.py diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py index ccaac3185..77ceacb92 100644 --- a/sos/report/plugins/pulpcore.py +++ b/sos/report/plugins/pulpcore.py @@ -77,7 +77,12 @@ def separate_value(line, sep=':'): def setup(self): self.parse_settings_config() - self.add_copy_spec("/etc/pulp/settings.py") + self.add_copy_spec([ + "/etc/pulp/settings.py", + "/etc/pki/pulp/*" + ]) + # skip collecting certificate keys + self.add_forbidden_path("/etc/pki/pulp/*.key") self.add_cmd_output("rq info -u redis://localhost:6379/8", env={"LC_ALL": "en_US.UTF-8"}, diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py new file mode 100644 index 000000000..7acd3f49e --- /dev/null +++ b/sos/report/plugins/rhui.py @@ -0,0 +1,49 @@ +# Copyright (C) 2021 Red Hat, Inc., Pavel Moravec + +# This file is part of the sos project: https://github.com/sosreport/sos +# +# This copyrighted material is made available to anyone wishing to use, +# modify, copy, or redistribute it subject to the terms and conditions of +# version 2 of the GNU General Public License. +# +# See the LICENSE file in the source distribution for further information. + +from sos.report.plugins import Plugin, RedHatPlugin + + +class Rhui(Plugin, RedHatPlugin): + + short_desc = 'Red Hat Update Infrastructure' + + plugin_name = "rhui" + commands = ("rhui-manager",) + files = ("/etc/ansible/facts.d/rhui_auth.fact", "/usr/lib/rhui/cds.py") + + def setup(self): + self.add_copy_spec([ + "/etc/rhui/rhui-tools.conf", + "/etc/rhui/registered_subscriptions.conf", + "/etc/pki/rhui/*", + "/var/log/rhui-subscription-sync.log", + "/var/cache/rhui/*", + "/root/.rhui/*", + ]) + # skip collecting certificate keys + self.add_forbidden_path("/etc/pki/rhui/*.key") + + self.add_cmd_output([ + "rhui-manager status", + "rhui-manager cert info", + "ls -lR /var/lib/rhui/remote_share", + ]) + + def postproc(self): + # obfuscate admin_pw and secret_key values + for prop in ["admin_pw", "secret_key"]: + self.do_path_regex_sub( + "/etc/ansible/facts.d/rhui_auth.fact", + r"(%s\s*=\s*)(.*)" % prop, + r"\1********") + + +# vim: set et ts=4 sw=4 : From bd15dc764c9d4554d8e8f08163228d65ca099985 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Thu, 24 Jun 2021 17:53:27 +0200 Subject: [PATCH 1/4] [plugins] Allow add_forbidden_path to apply glob recursively Add option to apply glob.glob to forbidden path recursively. Signed-off-by: Pavel Moravec --- sos/report/plugins/__init__.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py index 06923300..6fd1a3b2 100644 --- a/sos/report/plugins/__init__.py +++ b/sos/report/plugins/__init__.py @@ -1187,12 +1187,14 @@ class Plugin(object): 'symlink': "no" }) - def add_forbidden_path(self, forbidden): + def add_forbidden_path(self, forbidden, recursive=False): """Specify a path, or list of paths, to not copy, even if it's part of an ``add_copy_spec()`` call :param forbidden: A filepath to forbid collection from :type forbidden: ``str`` or a ``list`` of strings + + :param recursive: Should forbidden glob be applied recursively """ if isinstance(forbidden, str): forbidden = [forbidden] @@ -1202,7 +1204,7 @@ class Plugin(object): for forbid in forbidden: self._log_info("adding forbidden path '%s'" % forbid) - for path in glob.glob(forbid): + for path in glob.glob(forbid, recursive=recursive): self.forbidden_paths.append(path) def get_all_options(self): -- 2.31.1 From b695201baeb629a6543445d98dbb04f357670621 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Thu, 24 Jun 2021 17:57:48 +0200 Subject: [PATCH 2/4] [pulpcore] improve settings.py parsing - deal with /etc/pulp/settings.py as a one-line string - parse dbname from it as well - dont collect any *.key file from whole /etc/pki/pulp dir Related: #2593 Signed-off-by: Pavel Moravec --- sos/report/plugins/pulpcore.py | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py index 77ceacb9..be526035 100644 --- a/sos/report/plugins/pulpcore.py +++ b/sos/report/plugins/pulpcore.py @@ -28,9 +28,10 @@ class PulpCore(Plugin, IndependentPlugin): databases_scope = False self.dbhost = "localhost" self.dbport = 5432 + self.dbname = "pulpcore" self.dbpasswd = "" # TODO: read also redis config (we dont expect much customisations) - # TODO: read also db user (pulp) and database name (pulpcore) + # TODO: read also db user (pulp) self.staticroot = "/var/lib/pulp/assets" self.uploaddir = "/var/lib/pulp/media/upload" @@ -44,7 +45,10 @@ class PulpCore(Plugin, IndependentPlugin): return val try: - for line in open("/etc/pulp/settings.py").read().splitlines(): + # split the lines to "one option per line" format + for line in open("/etc/pulp/settings.py").read() \ + .replace(',', ',\n').replace('{', '{\n') \ + .replace('}', '\n}').splitlines(): # skip empty lines and lines with comments if not line or line[0] == '#': continue @@ -53,11 +57,14 @@ class PulpCore(Plugin, IndependentPlugin): continue # example HOST line to parse: # 'HOST': 'localhost', - if databases_scope and match(r"\s+'HOST'\s*:\s+\S+", line): + pattern = r"\s*['|\"]%s['|\"]\s*:\s*\S+" + if databases_scope and match(pattern % 'HOST', line): self.dbhost = separate_value(line) - if databases_scope and match(r"\s+'PORT'\s*:\s+\S+", line): + if databases_scope and match(pattern % 'PORT', line): self.dbport = separate_value(line) - if databases_scope and match(r"\s+'PASSWORD'\s*:\s+\S+", line): + if databases_scope and match(pattern % 'NAME', line): + self.dbname = separate_value(line) + if databases_scope and match(pattern % 'PASSWORD', line): self.dbpasswd = separate_value(line) # if line contains closing '}' database_scope end if databases_scope and '}' in line: @@ -82,7 +89,7 @@ class PulpCore(Plugin, IndependentPlugin): "/etc/pki/pulp/*" ]) # skip collecting certificate keys - self.add_forbidden_path("/etc/pki/pulp/*.key") + self.add_forbidden_path("/etc/pki/pulp/**/*.key", recursive=True) self.add_cmd_output("rq info -u redis://localhost:6379/8", env={"LC_ALL": "en_US.UTF-8"}, @@ -104,8 +111,8 @@ class PulpCore(Plugin, IndependentPlugin): _query = "select * from %s where pulp_last_updated > NOW() - " \ "interval '%s days' order by pulp_last_updated" % \ (table, task_days) - _cmd = "psql -h %s -p %s -U pulp -d pulpcore -c %s" % \ - (self.dbhost, self.dbport, quote(_query)) + _cmd = "psql -h %s -p %s -U pulp -d %s -c %s" % \ + (self.dbhost, self.dbport, self.dbname, quote(_query)) self.add_cmd_output(_cmd, env=self.env, suggest_filename=table) def postproc(self): -- 2.31.1 From 0286034da44bce43ab368dfc6815da7d74d60719 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Thu, 24 Jun 2021 17:59:36 +0200 Subject: [PATCH 3/4] [rhui] call rhui-* commands with proper env and timeout rhui-manager commands timeout when not being logged in, which should be reacted by adding proper cmd timeout. Adding the env.variable ensures potentially unaswered "RHUI Username:" is also printed/colected. Further, prevent collecting any *.key file from the whole /etc/pki/rhui dir. Related: #2593 Signed-off-by: Pavel Moravec --- sos/report/plugins/rhui.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py index 7acd3f49..5a152427 100644 --- a/sos/report/plugins/rhui.py +++ b/sos/report/plugins/rhui.py @@ -29,13 +29,16 @@ class Rhui(Plugin, RedHatPlugin): "/root/.rhui/*", ]) # skip collecting certificate keys - self.add_forbidden_path("/etc/pki/rhui/*.key") + self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True) + # call rhui-manager commands with 1m timeout and + # with an env. variable ensuring that "RHUI Username:" + # even unanswered prompt gets collected self.add_cmd_output([ "rhui-manager status", "rhui-manager cert info", "ls -lR /var/lib/rhui/remote_share", - ]) + ], timeout=60, env={'PYTHONUNBUFFERED': '1'}) def postproc(self): # obfuscate admin_pw and secret_key values -- 2.31.1 From a656bd239ab86dfd8973f733ae2c0fbd0c57d416 Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Thu, 24 Jun 2021 18:01:14 +0200 Subject: [PATCH 4/4] [rhui] fix broken obfuscation - /etc/ansible/facts.d/rhui_*.fact must be collected by rhui plugin to let some file to be obfuscated there - obfuscate also cookies values that can grant login access Resolves: #2593 Signed-off-by: Pavel Moravec --- sos/report/plugins/ansible.py | 3 +++ sos/report/plugins/rhui.py | 7 +++++++ 2 files changed, 10 insertions(+) diff --git a/sos/report/plugins/ansible.py b/sos/report/plugins/ansible.py index 3e5d3d37..5991b786 100644 --- a/sos/report/plugins/ansible.py +++ b/sos/report/plugins/ansible.py @@ -29,4 +29,7 @@ class Ansible(Plugin, RedHatPlugin, UbuntuPlugin): "ansible --version" ]) + # let rhui plugin collects the RHUI specific files + self.add_forbidden_path("/etc/ansible/facts.d/rhui_*.fact") + # vim: set et ts=4 sw=4 : diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py index 5a152427..1d479f85 100644 --- a/sos/report/plugins/rhui.py +++ b/sos/report/plugins/rhui.py @@ -27,6 +27,7 @@ class Rhui(Plugin, RedHatPlugin): "/var/log/rhui-subscription-sync.log", "/var/cache/rhui/*", "/root/.rhui/*", + "/etc/ansible/facts.d/rhui_*.fact", ]) # skip collecting certificate keys self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True) @@ -47,6 +48,12 @@ class Rhui(Plugin, RedHatPlugin): "/etc/ansible/facts.d/rhui_auth.fact", r"(%s\s*=\s*)(.*)" % prop, r"\1********") + # obfuscate twoo cookies for login session + for cookie in ["csrftoken", "sessionid"]: + self.do_path_regex_sub( + r"/root/\.rhui/.*/cookies.txt", + r"(%s\s+)(\S+)" % cookie, + r"\1********") # vim: set et ts=4 sw=4 : -- 2.31.1 From 4e5bebffca9936bcdf4d38aad9989970a15dd72b Mon Sep 17 00:00:00 2001 From: Pavel Moravec Date: Tue, 3 Aug 2021 21:54:33 +0200 Subject: [PATCH] [rhui] Update the plugin on several places - obfuscate "rhui_manager_password: xxx" in /root/.rhui/answers.yaml* - no need to collect or obfuscate anything from /etc/ansible/facts.d - newly detect the plugin via /etc/rhui/rhui-tools.conf file or rhui-manager command (only) Resolves: #2637 Signed-off-by: Pavel Moravec --- sos/report/plugins/rhui.py | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py index 1d479f85..52065fb4 100644 --- a/sos/report/plugins/rhui.py +++ b/sos/report/plugins/rhui.py @@ -16,8 +16,8 @@ class Rhui(Plugin, RedHatPlugin): short_desc = 'Red Hat Update Infrastructure' plugin_name = "rhui" - commands = ("rhui-manager",) - files = ("/etc/ansible/facts.d/rhui_auth.fact", "/usr/lib/rhui/cds.py") + commands = ("rhui-manager", ) + files = ("/etc/rhui/rhui-tools.conf", ) def setup(self): self.add_copy_spec([ @@ -27,7 +27,6 @@ class Rhui(Plugin, RedHatPlugin): "/var/log/rhui-subscription-sync.log", "/var/cache/rhui/*", "/root/.rhui/*", - "/etc/ansible/facts.d/rhui_*.fact", ]) # skip collecting certificate keys self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True) @@ -42,11 +41,10 @@ class Rhui(Plugin, RedHatPlugin): ], timeout=60, env={'PYTHONUNBUFFERED': '1'}) def postproc(self): - # obfuscate admin_pw and secret_key values - for prop in ["admin_pw", "secret_key"]: - self.do_path_regex_sub( - "/etc/ansible/facts.d/rhui_auth.fact", - r"(%s\s*=\s*)(.*)" % prop, + # hide rhui_manager_password value in (also rotated) answers file + self.do_path_regex_sub( + r"/root/\.rhui/answers.yaml.*", + r"(\s*rhui_manager_password\s*:)\s*(\S+)", r"\1********") # obfuscate twoo cookies for login session for cookie in ["csrftoken", "sessionid"]: -- 2.31.1