leapp-repository/SOURCES/0017-Warn-if-the-SSHD-is-not-configured-to-use-SFTP-serve.patch

From 85e1bd3c9366c6e15f53097ff0cd846739beb611 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Thu, 17 Mar 2022 16:01:12 +0100
Subject: [PATCH 17/39] Warn if the SSHD is not configured to use SFTP server

---
 .../actors/opensshsubsystemsftp/actor.py      | 22 +++++++++
 .../libraries/opensshsubsystemsftp.py         | 47 +++++++++++++++++++
 .../tests/test_opensshsubsystemsftp.py        | 33 +++++++++++++
 3 files changed, 102 insertions(+)
 create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
 create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
 create mode 100644 repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py

diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
new file mode 100644
index 00000000..14d8b882
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/actor.py
@@ -0,0 +1,22 @@
+from leapp.actors import Actor
+from leapp.libraries.actor import opensshsubsystemsftp
+from leapp.models import InstalledRedHatSignedRPM, OpenSshConfig
+from leapp.reporting import Report
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+
+class OpenSshSubsystemSftp(Actor):
+    """
+    The RHEL9 changes the SCP to use SFTP protocol internally. The both RHEL8 and RHEL9
+    enable SFTP server by default, but if the user disabled the SFTP for some reason,
+    it might make sense to warn that some previously working SCP operations could stop
+    working.
+    """
+
+    name = 'open_ssh_subsystem_sftp'
+    consumes = (OpenSshConfig, InstalledRedHatSignedRPM,)
+    produces = (Report,)
+    tags = (IPUWorkflowTag, ChecksPhaseTag)
+
+    def process(self):
+        opensshsubsystemsftp.process(self.consume(OpenSshConfig))
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
new file mode 100644
index 00000000..b60c08ca
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/libraries/opensshsubsystemsftp.py
@@ -0,0 +1,47 @@
+from leapp import reporting
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.stdlib import api
+
+
+def process(openssh_messages):
+    config = next(openssh_messages, None)
+    if list(openssh_messages):
+        api.current_logger().warning('Unexpectedly received more than one OpenSshConfig message.')
+    if not config:
+        raise StopActorExecutionError(
+            'Could not check openssh configuration', details={'details': 'No OpenSshConfig facts found.'}
+        )
+
+    # not modified configuration will get updated by RPM automatically
+    if not config.modified:
+        return
+
+    if not config.subsystem_sftp:
+        resources = [
+            reporting.RelatedResource('package', 'openssh-server'),
+            reporting.RelatedResource('file', '/etc/ssh/sshd_config'),
+            reporting.ExternalLink(
+                title="SCP support in RHEL",
+                url="https://access.redhat.com/articles/5284081",
+            ),
+            # TODO provide a link to documentation or blog post
+        ]
+        reporting.create_report([
+            reporting.Title('OpenSSH configured without SFTP subsystem'),
+            reporting.Summary(
+                'The RHEL9 is changing the default SCP behaviour to use SFTP internally '
+                'so not having SFTP server enabled can prevent interoperability and break existing '
+                'scripts on other systems updated to RHEL9 to copy files to or from this machine.'
+            ),
+            reporting.Remediation(
+                hint='Add the following line to the /etc/ssh/sshd_config to enable SFTP server: '
+                     'Subsystem sftp /usr/libexec/openssh/sftp-server'
+            ),
+            reporting.Severity(reporting.Severity.MEDIUM),
+            reporting.Tags([
+                    reporting.Tags.AUTHENTICATION,
+                    reporting.Tags.SECURITY,
+                    reporting.Tags.NETWORK,
+                    reporting.Tags.SERVICES
+            ]),
+        ] + resources)
diff --git a/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
new file mode 100644
index 00000000..4e3c2ace
--- /dev/null
+++ b/repos/system_upgrade/el8toel9/actors/opensshsubsystemsftp/tests/test_opensshsubsystemsftp.py
@@ -0,0 +1,33 @@
+import pytest
+
+from leapp.exceptions import StopActorExecutionError
+from leapp.libraries.actor import opensshsubsystemsftp
+from leapp.models import OpenSshConfig, Report
+
+
+def test_no_config(current_actor_context):
+    with pytest.raises(StopActorExecutionError):
+        opensshsubsystemsftp.process(iter([]))
+
+
+@pytest.mark.parametrize('modified,subsystem,expected_report', [
+    (False, None, False),  # should not happen
+    (False, '/usr/libexec/openssh/sftp-server', False),  # Defaults
+    (True, None, True),
+    (True, 'internal-sftp', False),
+    (True, '/usr/libexec/openssh/sftp-server', False)
+])
+def test_subsystem(current_actor_context, modified, subsystem, expected_report):
+    conf = OpenSshConfig(
+        modified=modified,
+        permit_root_login=[],
+        deprecated_directives=[]
+    )
+    if subsystem is not None:
+        conf.subsystem_sftp = subsystem
+    current_actor_context.feed(conf)
+    current_actor_context.run()
+    if expected_report:
+        assert current_actor_context.consume(Report)
+    else:
+        assert not current_actor_context.consume(Report)
-- 
2.35.3