def consume_unsigned_message_mocked(*models):
    """Mocked consume: yield one InstalledUnsignedRPM holding four sample packages.

    The requested ``models`` are ignored. Every package carries the
    placeholder signature 'SOME_OTHER_SIG_X'.
    """
    sample_names = ('sample02', 'sample04', 'sample06', 'sample08')
    installed_rpm = [
        RPM(name=pkg_name,
            version='0.1',
            release='1.sm01',
            epoch='1',
            packager=RH_PACKAGER,
            arch='noarch',
            pgpsig='SOME_OTHER_SIG_X')
        for pkg_name in sample_names
    ]
    yield InstalledUnsignedRPM(items=installed_rpm)
예제 #2
    def process(self):
        """Report installed packages that were not signed by Red Hat.

        Produces a 'Not Applicable' CheckResult when the check is skipped via
        the LEAPP_SKIP_CHECK_SIGNED_PACKAGES environment variable, a 'Fail'
        CheckResult when the consumed InstalledUnsignedRPM message lists at
        least one package, and nothing otherwise.
        """
        # Only the truthiness of the string is tested, so any non-empty value
        # (including '0' or 'false') disables the check.
        if os.getenv('LEAPP_SKIP_CHECK_SIGNED_PACKAGES'):
            skipped = CheckResult(
                severity='Warning',
                result='Not Applicable',
                summary='Skipped signed packages check',
                details='Signed packages check skipped via LEAPP_SKIP_CHECK_SIGNED_PACKAGES env var')
            self.produce(skipped)
            return

        # Only the first message is read; an empty model stands in when none arrived.
        messages = self.consume(InstalledUnsignedRPM)
        unsigned_pkgs = next(messages, InstalledUnsignedRPM())
        if not len(unsigned_pkgs.items):
            return

        listing = '\n    '.join([pkg.name for pkg in unsigned_pkgs.items])
        # FIXME (carried over): severity stays 'Warning' for now to avoid
        # problems during tests, even though the result is 'Fail'.
        report = CheckResult(
            severity='Warning',
            result='Fail',
            summary='Packages not signed by Red Hat found in the system',
            details='Following packages were not signed by Red Hat:\n    {}'.format(listing),
            solutions=('Consider removing those packages from'
                       ' the system. Such packages could have negative impact'
                       ' on the whole upgrade process.'))
        self.produce(report)
def test_actor_execution_with_unsigned_data(current_actor_context):
    """Feed four unsigned sample packages and check a CheckResult comes back."""
    sample_names = ('sample02', 'sample04', 'sample06', 'sample08')
    installed_rpm = [
        RPM(name=pkg_name,
            version='0.1',
            release='1.sm01',
            epoch='1',
            packager=RH_PACKAGER,
            arch='noarch',
            pgpsig='SOME_OTHER_SIG_X')
        for pkg_name in sample_names
    ]

    unsigned_msg = InstalledUnsignedRPM(items=installed_rpm)
    current_actor_context.feed(unsigned_msg)
    current_actor_context.run()

    # Only asserts that something was produced; severity, result and the
    # listed package names are not inspected.
    produced = current_actor_context.consume(CheckResult)
    assert produced
예제 #4
    def process(self):
        """Produce a LeftoverPackages message listing installed el7 RPMs.

        A package is listed when its release contains 'el7' and its name is
        neither a leapp package nor reported in InstalledUnsignedRPM.
        Nothing is produced when get_installed_rpms() returns nothing.
        """
        LEAPP_PACKAGES = [
            'leapp', 'leapp-repository', 'snactor',
            'leapp-repository-deps-el8', 'leapp-deps-el8', 'python2-leapp',
            'leapp-repository-sos-plugin'
        ]
        installed_rpms = get_installed_rpms()
        if not installed_rpms:
            return

        to_remove = LeftoverPackages()
        unsigned_msg = next(self.consume(InstalledUnsignedRPM),
                            InstalledUnsignedRPM())
        unsigned = [pkg.name for pkg in unsigned_msg.items]

        # Names that must never be scheduled for removal. Anything reported
        # as unsigned is skipped here, so such packages stay on the system.
        protected = set(unsigned + LEAPP_PACKAGES)

        for line in installed_rpms:
            record = line.strip()
            if not record:
                continue
            # Exactly seven '|'-separated fields are expected; any other
            # count raises ValueError from the unpacking below.
            name, version, release, epoch, packager, arch, pgpsig = record.split('|')

            # 'el7' is matched as a substring of the release field.
            if 'el7' not in release or name in protected:
                continue
            to_remove.items.append(
                RPM(name=name,
                    version=version,
                    epoch=epoch,
                    packager=packager,
                    arch=arch,
                    release=release,
                    pgpsig=pgpsig))

        self.produce(to_remove)
예제 #5
    def process(self):
        """Split consumed InstalledRPM packages into Red Hat signed and unsigned.

        Produces one InstalledRedHatSignedRPM and one InstalledUnsignedRPM
        message. A package counts as signed when one of the RH_SIGS key IDs
        occurs in its pgpsig, when it is a 'gpg-pubkey' package whose packager
        starts with 'Red Hat, Inc.', or when LEAPP_DEVEL_RPMS_ALL_SIGNED=1.
        """
        RH_SIGS = (
            '199e2f91fd431d51', '5326810137017186', '938a80caf21541eb',
            'fd372689897da07a', '45689c882fa658e0',
        )

        signed_pkgs = InstalledRedHatSignedRPM()
        unsigned_pkgs = InstalledUnsignedRPM()

        for message in self.consume(InstalledRPM):
            for pkg in message.items:
                # With LEAPP_DEVEL_RPMS_ALL_SIGNED=1 every package is treated
                # as signed, so the unsigned message comes out empty.
                all_signed = [
                    var for var in self.configuration.leapp_env_vars
                    if var.name == 'LEAPP_DEVEL_RPMS_ALL_SIGNED'
                    and var.value == '1'
                ]

                # Key IDs are matched with `in` against the recorded pgpsig
                # value; no signature is verified in this method.
                if any(sig in pkg.pgpsig for sig in RH_SIGS):
                    trusted = True
                # "gpg-pubkey" is not signed, as that would require another
                # package to verify it; it is accepted on its packager text.
                elif pkg.name == 'gpg-pubkey' and pkg.packager.startswith('Red Hat, Inc.'):
                    trusted = True
                else:
                    trusted = bool(all_signed)

                bucket = signed_pkgs if trusted else unsigned_pkgs
                bucket.items.append(pkg)

        self.produce(signed_pkgs)
        self.produce(unsigned_pkgs)
예제 #6
    def process(self):
        """Split consumed InstalledRPM packages into Red Hat signed and unsigned.

        Produces one InstalledRedHatSignedRPM and one InstalledUnsignedRPM
        message. Besides the key-ID match, three exceptions put a package in
        the signed message: the gpg-pubkey / LEAPP_DEVEL_RPMS_ALL_SIGNED rule,
        the katello name prefix, and the Azure RHUI package names.
        """
        RH_SIGS = (
            '199e2f91fd431d51', '5326810137017186', '938a80caf21541eb',
            'fd372689897da07a', '45689c882fa658e0',
        )

        signed_pkgs = InstalledRedHatSignedRPM()
        unsigned_pkgs = InstalledUnsignedRPM()

        # With LEAPP_DEVEL_RPMS_ALL_SIGNED=1 every package is treated as
        # signed, so the unsigned message comes out empty.
        all_signed = [
            var for var in self.configuration.leapp_env_vars
            if var.name == 'LEAPP_DEVEL_RPMS_ALL_SIGNED' and var.value == '1'
        ]

        def has_rhsig(pkg):
            """Tell whether any RH_SIGS key ID occurs in the package's pgpsig.

            This is an `in` test on the recorded value, not a signature
            verification.
            """
            return any(sig in pkg.pgpsig for sig in RH_SIGS)

        def is_gpg_pubkey(pkg):
            """Accept Red Hat gpg-pubkey packages, or anything under the override.

            gpg-pubkey is not signed, as that would require another package
            to verify its signature, so it is accepted on its packager text.
            Otherwise the (possibly empty) all_signed list is returned.
            """
            if pkg.name == 'gpg-pubkey' and pkg.packager.startswith('Red Hat, Inc.'):
                return True
            return all_signed

        def has_katello_prefix(pkg):
            """Whitelist katello packages by name prefix alone."""
            return pkg.name.startswith('katello-ca-consumer')

        def is_azure_pkg(pkg):
            """Whitelist the Azure config packages by exact name alone."""
            arch = self.configuration.architecture
            azure_names = rhui.RHUI_CLOUD_MAP[arch]['azure']
            return pkg.name in (azure_names['el7_pkg'], azure_names['el8_pkg'])

        checks = (has_rhsig, is_gpg_pubkey, has_katello_prefix, is_azure_pkg)

        for message in self.consume(InstalledRPM):
            for pkg in message.items:
                # All four checks run for every package (no short-circuit).
                # The two name-based whitelists never look at pgpsig.
                verdicts = [check(pkg) for check in checks]
                bucket = signed_pkgs if any(verdicts) else unsigned_pkgs
                bucket.items.append(pkg)

        self.produce(signed_pkgs)
        self.produce(unsigned_pkgs)
예제 #7
def get_unsigned_packages():
    """Return the sorted, de-duplicated names of packages reported as unsigned.

    Only the first InstalledUnsignedRPM message is used. Further messages
    trigger a warning and are otherwise ignored.
    """
    messages = api.consume(InstalledUnsignedRPM)
    first = next(messages, InstalledUnsignedRPM())

    # Drain the remaining messages to detect an unexpected duplicate.
    extra = list(messages)
    if extra:
        api.current_logger().warning('Unexpectedly received more than one InstalledUnsignedRPM message.')

    return sorted({pkg.name for pkg in first.items})
예제 #8
    def process(self):
        """Split consumed InstalledRPM packages into Red Hat signed and unsigned.

        Produces one InstalledRedHatSignedRPM and one InstalledUnsignedRPM
        message. A package counts as signed when one of the RH_SIGS key IDs
        occurs in its pgpsig.
        """
        RH_SIGS = (
            '199e2f91fd431d51', '5326810137017186', '938a80caf21541eb',
            'fd372689897da07a', '45689c882fa658e0',
        )

        signed_pkgs = InstalledRedHatSignedRPM()
        unsigned_pkgs = InstalledUnsignedRPM()

        for message in self.consume(InstalledRPM):
            for pkg in message.items:
                # Key IDs are matched with `in` against the recorded pgpsig
                # value; no signature is verified in this method.
                matched = any(sig in pkg.pgpsig for sig in RH_SIGS)
                bucket = signed_pkgs if matched else unsigned_pkgs
                bucket.items.append(pkg)

        self.produce(signed_pkgs)
        self.produce(unsigned_pkgs)
예제 #9
    def process(self):
        """Split consumed InstalledRPM packages into Red Hat signed and unsigned.

        Produces one InstalledRedHatSignedRPM and one InstalledUnsignedRPM
        message. A package counts as signed when one of the RH_SIGS key IDs
        occurs in its pgpsig, or when it is a 'gpg-pubkey' package whose
        packager starts with 'Red Hat, Inc.'.
        """
        RH_SIGS = (
            '199e2f91fd431d51', '5326810137017186', '938a80caf21541eb',
            'fd372689897da07a', '45689c882fa658e0',
        )

        signed_pkgs = InstalledRedHatSignedRPM()
        unsigned_pkgs = InstalledUnsignedRPM()

        for message in self.consume(InstalledRPM):
            for pkg in message.items:
                # Key IDs are matched with `in` against the recorded pgpsig
                # value; no signature is verified in this method.
                if any(sig in pkg.pgpsig for sig in RH_SIGS):
                    trusted = True
                else:
                    # "gpg-pubkey" is not signed, as that would require another
                    # package to verify it; it is accepted on its packager text.
                    trusted = (pkg.name == 'gpg-pubkey'
                               and pkg.packager.startswith('Red Hat, Inc.'))

                bucket = signed_pkgs if trusted else unsigned_pkgs
                bucket.items.append(pkg)

        self.produce(signed_pkgs)
        self.produce(unsigned_pkgs)
예제 #10
 def consume_unsigned_message_mocked(*models):
     """Mocked consume: yield one InstalledUnsignedRPM with no packages.

     The requested ``models`` are ignored.
     """
     yield InstalledUnsignedRPM(items=[])
def test_actor_execution(current_actor_context):
    """With an empty unsigned-package list the actor must produce no CheckResult."""
    empty_msg = InstalledUnsignedRPM(items=[])
    current_actor_context.feed(empty_msg)
    current_actor_context.run()

    produced = current_actor_context.consume(CheckResult)
    assert not produced