From 0f7f735ce04d98562c21dcc80d816c407dd2e569 Mon Sep 17 00:00:00 2001
From: Petr Stodulka
Date: Fri, 10 Jan 2025 23:04:53 +0100
Subject: [PATCH] Generalize check of the third party RPMs
This is initial draft to generalize current check of installed third party RPMs that are not part of the installed system distribution. Original actor has been written only for RHEL systems and expected that the only vendor as such is Red Hat. However, in case of other distributions it's not true. So such a report could be confusing for users and could set wrong expectations. List of changes: * Rename and move redhatsignedrpmcheck actor to * Update docstrings * Update the report, respecting name of the installed system * ...
---
 .../distributionsignedrpmcheck/actor.py | 36 ++++++++++++++
 .../actors/redhatsignedrpmcheck/actor.py | 22 ---------
 .../libraries/redhatsignedrpmcheck.py | 45 ------------------
 .../tests/test_redhatsignedrpmcheck.py | 47 -------------------
 4 files changed, 36 insertions(+), 114 deletions(-)
 create mode 100644 repos/system_upgrade/common/actors/distributionsignedrpmcheck/actor.py
 delete mode 100644 repos/system_upgrade/common/actors/redhatsignedrpmcheck/actor.py
 delete mode 100644 repos/system_upgrade/common/actors/redhatsignedrpmcheck/libraries/redhatsignedrpmcheck.py
 delete mode 100644 repos/system_upgrade/common/actors/redhatsignedrpmcheck/tests/test_redhatsignedrpmcheck.py
diff --git a/repos/system_upgrade/common/actors/distributionsignedrpmcheck/actor.py b/repos/system_upgrade/common/actors/distributionsignedrpmcheck/actor.py
new file mode 100644
index 0000000000..81a91ee1ec
--- /dev/null
+++ b/repos/system_upgrade/common/actors/distributionsignedrpmcheck/actor.py
@@ -0,0 +1,36 @@
+from leapp.actors import Actor
+from leapp.libraries.actor.distributionsignedrpmcheck import check_unsigned_packages
+from leapp.models import InstalledUnsignedRPM
+from leapp.reporting import Report
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+
+class DistributionSignedRpmCheck(Actor):
+ """
+ Check if there are any packages that are not signed by distribution GPG keys.
+
+ We are recognizing two (three) types of packages:
+ * RPMs that are part of the system distribution (RHEL, Centos Stream,
+    Fedora, ...) - which are recognized based on the signature by known GPG
+    keys for the particular distribution.
+  * RPMs that are not signed by such GPG keys - including RPMs not signed
+    at all. Such RPMs are considered in general as third party content.
+ (
+ * some packages are known to not be signed as they are created by
+ delivered product (which can be part of the distribution). This includes
+ e.g. katello RPMs created in a Satellite server. We do not report
+ such packages known to us.
+ )
+
+ If any such non-distribution installed RPMs are detected, report it
+ to inform that user needs to take care about them before/during/after
+ the upgrade.
+ """
+
+ name = 'distribution_signed_rpm_check'
+ consumes = (InstalledUnsignedRPM,)
+ produces = (Report,)
+ tags = (IPUWorkflowTag, ChecksPhaseTag)
+
+ def process(self):
+ check_unsigned_packages()
diff --git a/repos/system_upgrade/common/actors/redhatsignedrpmcheck/actor.py b/repos/system_upgrade/common/actors/redhatsignedrpmcheck/actor.py
deleted file mode 100644
index a3555e523f..0000000000
--- a/repos/system_upgrade/common/actors/redhatsignedrpmcheck/actor.py
+++ /dev/null
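Review bot: The new actor imports `check_unsigned_packages` from `leapp.libraries.actor.distributionsignedrpmcheck`, but this patch adds no `libraries/distributionsignedrpmcheck.py` while it deletes the old `redhatsignedrpmcheck.py` library, so as committed the actor cannot be loaded; presumably the library and the renamed tests are meant for a follow-up, yet the diffstat lists only these four files and the old tests are dropped without a replacement. The docstring would also benefit from saying what "not signed by distribution GPG keys" means operationally, so a reader does not take the report as a verdict on the package itself, e.g. `keys for the particular distribution (i.e. the signature is absent, or was made by a key the upgrade tooling does not know)`, which is what the two bullets already imply. Minor wording: `Centos Stream` should be `CentOS Stream`, and `third party content` reads better as `third-party content`.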
@@ -1,22 +0,0 @@
-from leapp.actors import Actor
-from leapp.libraries.actor.redhatsignedrpmcheck import check_unsigned_packages
-from leapp.models import InstalledUnsignedRPM
-from leapp.reporting import Report
-from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
-
-
-class RedHatSignedRpmCheck(Actor):
- """
- Check if there are packages not signed by Red Hat in use. If yes, warn user about it.
-
- If any any installed RPM package does not contain a valid signature from Red Hat, a message
- containing a warning is produced.
- """
-
- name = 'red_hat_signed_rpm_check'
- consumes = (InstalledUnsignedRPM,)
- produces = (Report,)
- tags = (IPUWorkflowTag, ChecksPhaseTag)
-
- def process(self):
- check_unsigned_packages()
diff --git a/repos/system_upgrade/common/actors/redhatsignedrpmcheck/libraries/redhatsignedrpmcheck.py b/repos/system_upgrade/common/actors/redhatsignedrpmcheck/libraries/redhatsignedrpmcheck.py
deleted file mode 100644
index efdb8f409e..0000000000
--- a/repos/system_upgrade/common/actors/redhatsignedrpmcheck/libraries/redhatsignedrpmcheck.py
+++ /dev/null
@@ -1,45 +0,0 @@
-from leapp import reporting
-from leapp.libraries.stdlib import api
-from leapp.libraries.stdlib.config import is_verbose
-from leapp.models import InstalledUnsignedRPM
-
-COMMON_REPORT_TAGS = [reporting.Groups.SANITY]
-
-
-def generate_report(packages):
- """ Generate a report if there are unsigned packages installed on the system """
- if not packages:
- return
- unsigned_packages_new_line = '\n'.join(['- ' + p for p in packages])
- title = 'Packages not signed by Red Hat found on the system'
- summary = ('The following packages have not been signed by Red Hat'
- ' and may be removed during the upgrade process in case Red Hat-signed'
- ' packages to be removed during the upgrade depend on them:\n{}'
- .format(unsigned_packages_new_line))
- reporting.create_report([
- reporting.Title(title),
- reporting.Summary(summary),
- reporting.Severity(reporting.Severity.HIGH),
- reporting.Groups(COMMON_REPORT_TAGS)
- ])
-
- if is_verbose():
- api.show_message(summary)
-
-
-def get_unsigned_packages():
- """ Get list of unsigned packages installed in the system """
- rpm_messages = api.consume(InstalledUnsignedRPM)
- data = next(rpm_messages, InstalledUnsignedRPM())
- if list(rpm_messages):
- api.current_logger().warning('Unexpectedly received more than one InstalledUnsignedRPM message.')
- unsigned_packages = set()
- unsigned_packages.update([pkg.name for pkg in data.items])
- unsigned_packages = list(unsigned_packages)
- unsigned_packages.sort()
- return unsigned_packages
-
-
-def check_unsigned_packages():
- """ Check and generate reports if system contains unsigned installed packages"""
- generate_report(get_unsigned_packages())
diff --git a/repos/system_upgrade/common/actors/redhatsignedrpmcheck/tests/test_redhatsignedrpmcheck.py b/repos/system_upgrade/common/actors/redhatsignedrpmcheck/tests/test_redhatsignedrpmcheck.py
deleted file mode 100644
index 8ec4c16f50..0000000000
--- a/repos/system_upgrade/common/actors/redhatsignedrpmcheck/tests/test_redhatsignedrpmcheck.py
+++ /dev/null
@@ -1,47 +0,0 @@
-from leapp import reporting
-from leapp.libraries.actor import redhatsignedrpmcheck
-from leapp.libraries.common.testutils import create_report_mocked, produce_mocked
-from leapp.libraries.stdlib import api
-from leapp.models import InstalledUnsignedRPM, RPM
-
-RH_PACKAGER = 'Red Hat, Inc. '
-
-
-def test_actor_execution_without_unsigned_data(monkeypatch):
- def consume_unsigned_message_mocked(*models):
- installed_rpm = []
- yield InstalledUnsignedRPM(items=installed_rpm)
- monkeypatch.setattr(api, "consume", consume_unsigned_message_mocked)
- monkeypatch.setattr(api, "produce", produce_mocked())
- monkeypatch.setattr(api, "show_message", lambda x: True)
- monkeypatch.setattr(reporting, "create_report", create_report_mocked())
-
- packages = redhatsignedrpmcheck.get_unsigned_packages()
- assert not packages
- redhatsignedrpmcheck.generate_report(packages)
- assert reporting.create_report.called == 0
-
-
-def test_actor_execution_with_unsigned_data(monkeypatch):
- def consume_unsigned_message_mocked(*models):
- installed_rpm = [
- RPM(name='sample02', version='0.1', release='1.sm01', epoch='1', packager=RH_PACKAGER, arch='noarch',
- pgpsig='SOME_OTHER_SIG_X'),
- RPM(name='sample04', version='0.1', release='1.sm01', epoch='1', packager=RH_PACKAGER, arch='noarch',
- pgpsig='SOME_OTHER_SIG_X'),
- RPM(name='sample06', version='0.1', release='1.sm01', epoch='1', packager=RH_PACKAGER, arch='noarch',
- pgpsig='SOME_OTHER_SIG_X'),
- RPM(name='sample08', version='0.1', release='1.sm01', epoch='1', packager=RH_PACKAGER, arch='noarch',
- pgpsig='SOME_OTHER_SIG_X')]
- yield InstalledUnsignedRPM(items=installed_rpm)
-
- monkeypatch.setattr(api, "consume", consume_unsigned_message_mocked)
- monkeypatch.setattr(api, "produce", produce_mocked())
- monkeypatch.setattr(api, "show_message", lambda x: True)
- monkeypatch.setattr(reporting, "create_report", create_report_mocked())
-
- packages = redhatsignedrpmcheck.get_unsigned_packages()
- assert len(packages) == 4
- redhatsignedrpmcheck.generate_report(packages)
- assert reporting.create_report.called == 1
- assert 'Packages not signed by Red Hat found' in reporting.create_report.report_fields['title']