def consume_unsigned_message_mocked(*models):
    """Mocked consume: yield one InstalledUnsignedRPM holding four sample RPMs.

    The requested ``models`` are ignored. Every sample carries a pgpsig
    value of 'SOME_OTHER_SIG_X'.
    """
    sample_names = ('sample02', 'sample04', 'sample06', 'sample08')
    installed_rpm = [
        RPM(name=pkg_name,
            version='0.1',
            release='1.sm01',
            epoch='1',
            packager=RH_PACKAGER,
            arch='noarch',
            pgpsig='SOME_OTHER_SIG_X')
        for pkg_name in sample_names
    ]
    yield InstalledUnsignedRPM(items=installed_rpm)
def process(self):
    """Report packages listed in the consumed InstalledUnsignedRPM message.

    Produces a 'Not Applicable' CheckResult and returns early when the
    LEAPP_SKIP_CHECK_SIGNED_PACKAGES environment variable is set. Otherwise
    produces a 'Fail' CheckResult naming every package in the message, or
    nothing at all when the message has no items.
    """
    # NOTE: any non-empty value of the variable skips the check, including
    # values such as '0' or 'false', because only truthiness is tested.
    if os.getenv('LEAPP_SKIP_CHECK_SIGNED_PACKAGES'):
        skipped = CheckResult(
            severity='Warning',
            result='Not Applicable',
            summary='Skipped signed packages check',
            details='Signed packages check skipped via LEAPP_SKIP_CHECK_SIGNED_PACKAGES env var')
        self.produce(skipped)
        return

    # Only the first message is read; an empty default stands in when none exists.
    unsigned_pkgs = next(self.consume(InstalledUnsignedRPM), InstalledUnsignedRPM())
    if not unsigned_pkgs.items:
        return

    pkg_names = '\n '.join([pkg.name for pkg in unsigned_pkgs.items])
    # FIXME: To avoid problems during tests, this is being reported as WARNING by now
    failure = CheckResult(
        severity='Warning',
        result='Fail',
        summary='Packages not signed by Red Hat found in the system',
        details='Following packages were not signed by Red Hat:\n {}'.format(pkg_names),
        solutions=('Consider removing those packages from'
                   ' the system. Such packages could have negative impact'
                   ' on the whole upgrade process.'))
    self.produce(failure)
def test_actor_execution_with_unsigned_data(current_actor_context):
    """Feed four unsigned sample RPMs and expect the actor to emit a CheckResult."""
    sample_names = ('sample02', 'sample04', 'sample06', 'sample08')
    installed_rpm = [
        RPM(name=pkg_name,
            version='0.1',
            release='1.sm01',
            epoch='1',
            packager=RH_PACKAGER,
            arch='noarch',
            pgpsig='SOME_OTHER_SIG_X')
        for pkg_name in sample_names
    ]
    unsigned_msg = InstalledUnsignedRPM(items=installed_rpm)

    current_actor_context.feed(unsigned_msg)
    current_actor_context.run()

    # Only the presence of a result is checked, not its severity or contents.
    assert current_actor_context.consume(CheckResult)
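def process(self):
    """Produce a LeftoverPackages message listing installed el7 packages.

    A package is listed when its release string contains 'el7' and its name
    is neither in the consumed InstalledUnsignedRPM message nor in
    LEAPP_PACKAGES. Nothing is produced when get_installed_rpms() returns
    an empty result.
    """
    LEAPP_PACKAGES = [
        'leapp',
        'leapp-repository',
        'snactor',
        'leapp-repository-deps-el8',
        'leapp-deps-el8',
        'python2-leapp',
        'leapp-repository-sos-plugin',
    ]

    installed_rpms = get_installed_rpms()
    if not installed_rpms:
        return

    to_remove = LeftoverPackages()
    unsigned = [
        pkg.name
        for pkg in next(self.consume(InstalledUnsignedRPM), InstalledUnsignedRPM()).items
    ]
    # Built once, outside the loop, since it does not change per package.
    # Exclusion is by package name only: a package reported as unsigned is
    # never listed for removal here, whatever its version or signature field.
    excluded_names = set(unsigned + LEAPP_PACKAGES)

    for rpm in installed_rpms:
        rpm = rpm.strip()
        if not rpm:
            continue
        # Each line must hold exactly seven '|'-separated fields; any other
        # count raises ValueError on unpacking.
        name, version, release, epoch, packager, arch, pgpsig = rpm.split('|')
        if 'el7' in release and name not in excluded_names:
            to_remove.items.append(
                RPM(name=name,
                    version=version,
                    epoch=epoch,
                    packager=packager,
                    arch=arch,
                    release=release,
                    pgpsig=pgpsig))

    self.produce(to_remove)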
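def process(self):
    """Split consumed InstalledRPM items into signed and unsigned messages.

    A package goes into InstalledRedHatSignedRPM when its pgpsig field
    contains one of the RH_SIGS values, when it is a 'gpg-pubkey' package
    whose packager starts with 'Red Hat, Inc.', or when
    LEAPP_DEVEL_RPMS_ALL_SIGNED=1 is set. Every other package goes into
    InstalledUnsignedRPM. Both messages are always produced.
    """
    # Presumably Red Hat signing key IDs -- confirm against the key list.
    RH_SIGS = [
        '199e2f91fd431d51',
        '5326810137017186',
        '938a80caf21541eb',
        'fd372689897da07a',
        '45689c882fa658e0',
    ]

    signed_pkgs = InstalledRedHatSignedRPM()
    unsigned_pkgs = InstalledUnsignedRPM()

    # Loop-invariant, so computed once rather than per package.
    # if we start upgrade with LEAPP_DEVEL_RPMS_ALL_SIGNED=1, we consider
    # all packages to be signed; this turns the classification off entirely
    # and is a development override.
    all_signed = any(
        env.name == 'LEAPP_DEVEL_RPMS_ALL_SIGNED' and env.value == '1'
        for env in self.configuration.leapp_env_vars
    )

    for rpm_pkgs in self.consume(InstalledRPM):
        for pkg in rpm_pkgs.items:
            # Substring match on the recorded pgpsig field; no signature is
            # cryptographically verified here.
            has_rh_sig = any(key in pkg.pgpsig for key in RH_SIGS)
            # "gpg-pubkey" is not signed as it would require another package
            # to verify its signature, so it is accepted on name and packager.
            is_rh_pubkey = (pkg.name == 'gpg-pubkey'
                            and pkg.packager.startswith('Red Hat, Inc.'))
            # Explicit grouping: the override applies to every package, not
            # only to gpg-pubkey entries.
            if all_signed or has_rh_sig or is_rh_pubkey:
                signed_pkgs.items.append(pkg)
            else:
                unsigned_pkgs.items.append(pkg)

    self.produce(signed_pkgs)
    self.produce(unsigned_pkgs)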
def process(self):
    """Split consumed InstalledRPM items into signed and unsigned messages.

    A package is placed in InstalledRedHatSignedRPM when any one of the
    nested checks accepts it; otherwise it is placed in
    InstalledUnsignedRPM. Both messages are always produced.
    """
    # Presumably Red Hat signing key IDs -- confirm against the key list.
    RH_SIGS = [
        '199e2f91fd431d51',
        '5326810137017186',
        '938a80caf21541eb',
        'fd372689897da07a',
        '45689c882fa658e0',
    ]

    signed_pkgs = InstalledRedHatSignedRPM()
    unsigned_pkgs = InstalledUnsignedRPM()

    # With LEAPP_DEVEL_RPMS_ALL_SIGNED=1 in the configured environment
    # variables, every package is treated as signed.
    all_signed = [
        var for var in self.configuration.leapp_env_vars
        if var.name == 'LEAPP_DEVEL_RPMS_ALL_SIGNED' and var.value == '1'
    ]

    def has_rhsig(pkg):
        """Return True when pkg.pgpsig contains one of the RH_SIGS values.

        This is a substring match on the recorded field, not a
        cryptographic verification of the signature.
        """
        for key in RH_SIGS:
            if key in pkg.pgpsig:
                return True
        return False

    def is_gpg_pubkey(pkg):
        """Accept Red Hat gpg-pubkey entries, or anything when all_signed is set.

        gpg-pubkey is not signed as it would require another package to
        verify its signature, so it is accepted on name and packager alone.
        """
        return (  # pylint: disable-msg=consider-using-ternary
            pkg.name == 'gpg-pubkey'
            and pkg.packager.startswith('Red Hat, Inc.')
            or all_signed)

    def has_katello_prefix(pkg):
        """Allow the katello package; matched on the name prefix only."""
        return pkg.name.startswith('katello-ca-consumer')

    def is_azure_pkg(pkg):
        """Allow the Azure config package; matched on the package name only."""
        azure_map = rhui.RHUI_CLOUD_MAP[self.configuration.architecture]['azure']
        return pkg.name in [azure_map['el7_pkg'], azure_map['el8_pkg']]

    for message in self.consume(InstalledRPM):
        for pkg in message.items:
            # A list, not a generator: all four checks run for every package.
            verdicts = [
                has_rhsig(pkg),
                is_gpg_pubkey(pkg),
                has_katello_prefix(pkg),
                is_azure_pkg(pkg),
            ]
            bucket = signed_pkgs if any(verdicts) else unsigned_pkgs
            bucket.items.append(pkg)

    self.produce(signed_pkgs)
    self.produce(unsigned_pkgs)
def get_unsigned_packages():
    """Return the sorted, de-duplicated names of unsigned installed packages.

    Names come from the first InstalledUnsignedRPM message only. A warning
    is logged when more than one message is present, and the extra messages
    are ignored.
    """
    messages = api.consume(InstalledUnsignedRPM)
    first = next(messages, InstalledUnsignedRPM())

    # Drain the iterator to find out whether anything followed the first message.
    extra = list(messages)
    if extra:
        api.current_logger().warning('Unexpectedly received more than one InstalledUnsignedRPM message.')

    return sorted({pkg.name for pkg in first.items})
def process(self):
    """Split consumed InstalledRPM items into signed and unsigned messages.

    A package counts as signed when its pgpsig field contains one of the
    RH_SIGS values. Both messages are always produced.
    """
    # Presumably Red Hat signing key IDs -- confirm against the key list.
    RH_SIGS = [
        '199e2f91fd431d51',
        '5326810137017186',
        '938a80caf21541eb',
        'fd372689897da07a',
        '45689c882fa658e0',
    ]

    signed_pkgs = InstalledRedHatSignedRPM()
    unsigned_pkgs = InstalledUnsignedRPM()

    for message in self.consume(InstalledRPM):
        for pkg in message.items:
            # Substring match on the recorded pgpsig field; no signature is
            # cryptographically verified here.
            rh_signed = any(key in pkg.pgpsig for key in RH_SIGS)
            bucket = signed_pkgs if rh_signed else unsigned_pkgs
            bucket.items.append(pkg)

    self.produce(signed_pkgs)
    self.produce(unsigned_pkgs)
def process(self):
    """Split consumed InstalledRPM items into signed and unsigned messages.

    A package counts as signed when its pgpsig field contains one of the
    RH_SIGS values, or when it is a 'gpg-pubkey' package whose packager
    starts with 'Red Hat, Inc.'. Both messages are always produced.
    """
    # Presumably Red Hat signing key IDs -- confirm against the key list.
    RH_SIGS = [
        '199e2f91fd431d51',
        '5326810137017186',
        '938a80caf21541eb',
        'fd372689897da07a',
        '45689c882fa658e0',
    ]

    signed_pkgs = InstalledRedHatSignedRPM()
    unsigned_pkgs = InstalledUnsignedRPM()

    for message in self.consume(InstalledRPM):
        for pkg in message.items:
            # Substring match on the recorded pgpsig field; no signature is
            # cryptographically verified here.
            rh_signed = any(key in pkg.pgpsig for key in RH_SIGS)
            # "gpg-pubkey" is not signed as it would require another package
            # to verify its signature, so it is accepted on name and packager.
            # The packager is read only when no RH_SIGS value matched.
            if rh_signed or (pkg.name == 'gpg-pubkey'
                             and pkg.packager.startswith('Red Hat, Inc.')):
                signed_pkgs.items.append(pkg)
            else:
                unsigned_pkgs.items.append(pkg)

    self.produce(signed_pkgs)
    self.produce(unsigned_pkgs)
def consume_unsigned_message_mocked(*models):
    """Mocked consume: yield one InstalledUnsignedRPM with no items.

    The requested ``models`` are ignored.
    """
    no_packages = []
    yield InstalledUnsignedRPM(items=no_packages)
def test_actor_execution(current_actor_context):
    """Feed an empty InstalledUnsignedRPM and expect no CheckResult from the actor."""
    empty_msg = InstalledUnsignedRPM(items=[])

    current_actor_context.feed(empty_msg)
    current_actor_context.run()

    results = current_actor_context.consume(CheckResult)
    assert not results