From 5e7a6e648c85cf923093ebac6448be82ba032448 Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek <vpodzime@redhat.com>
Date: Wed, 25 May 2016 10:58:54 +0200
Subject: [PATCH 06/13] Allow fixing root password in graphical installations
If the root password from kickstart is too short we can give users a chance to
enter a new (better) one in case of graphical installation. Text mode doesn't
allow for this because the root password configuration happens before the SCAP
content is evaluated.
Resolves: rhbz#1265116
---
org_fedora_oscap/common.py | 3 ++-
org_fedora_oscap/gui/spokes/oscap.py | 39 +++++++++++++++++++++++++++++++-----
org_fedora_oscap/rule_handling.py | 29 ++++++++++++++++-----------
3 files changed, 53 insertions(+), 18 deletions(-)
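diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
index d09ccbd..8b2e84f 100644
--- a/org_fedora_oscap/common.py
+++ b/org_fedora_oscap/common.py
@@ -82,9 +82,10 @@ MESSAGE_TYPE_WARNING = 1
 MESSAGE_TYPE_INFO = 2
 
 # namedtuple for messages returned from the rules evaluation
+# origin -- class (inherited from RuleHandler) that generated the message
 # type -- one of the MESSAGE_TYPE_* constants defined above
 # text -- the actual message that should be displayed, logged, ...
-RuleMessage = namedtuple("RuleMessage", ["type", "text"])
+RuleMessage = namedtuple("RuleMessage", ["origin", "type", "text"])
 
 def get_fix_rules_pre(profile, fpath, ds_id="", xccdf_id="", tailoring=""):
 """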
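Review bot: Prepending `origin` in `RuleMessage = namedtuple("RuleMessage", ["origin", "type", "text"])` shifts the positional meaning of every existing two-argument construction, so any caller this patch does not update will fail with a TypeError when it builds a message. The diffstat lists only three files and the commit message mentions a text mode that is not touched here, so it is worth confirming that no text-mode or test code still calls `RuleMessage(type, text)`. Building the tuple with keyword arguments at the call sites, e.g. `RuleMessage(origin=self.__class__, type=common.MESSAGE_TYPE_INFO, text=msg)`, would make a missed caller easier to spot. The `get_fix_rules_pre` definition at the end of this hunk continues outside it.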
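diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
index 3b8dbd7..42fc406 100644
--- a/org_fedora_oscap/gui/spokes/oscap.py
+++ b/org_fedora_oscap/gui/spokes/oscap.py
@@ -200,6 +200,11 @@ class OSCAPSpoke(NormalSpoke):
 # leaving the spoke
 self._rule_data = None
 
+ # used for storing previously set root password if we need to remove it
+ # due to the chosen policy (so that we can put it back in case of
+ # revert)
+ self.__old_root_pw = None
+
 # used to check if the profile was changed or not
 self._active_profile = None
 
@@ -584,20 +589,43 @@ class OSCAPSpoke(NormalSpoke):
 # no messages from the rules, add a message informing about that
 if not self._active_profile:
 # because of no profile
- message = common.RuleMessage(common.MESSAGE_TYPE_INFO,
- _("No profile selected"))
+ message = common.RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO,
+ _("No profile selected"))
 else:
 # because of no pre-inst rules
- message = common.RuleMessage(common.MESSAGE_TYPE_INFO,
- _("No rules for the pre-installation phase"))
+ message = common.RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO,
+ _("No rules for the pre-installation phase"))
 self._add_message(message)
 
 # nothing more to be done
 return
 
+ self._resolve_rootpw_issues(messages, report_only)
 for msg in messages:
 self._add_message(msg)
 
+ def _resolve_rootpw_issues(self, messages, report_only):
+ """Mitigate root password issues (which are not fatal in GUI)"""
+ fatal_rootpw_msgs = [msg for msg in messages
+ if msg.origin == rule_handling.PasswdRules and msg.type == common.MESSAGE_TYPE_FATAL]
+ if fatal_rootpw_msgs:
+ for msg in fatal_rootpw_msgs:
+ # cannot just change the message type because it is a namedtuple
+ messages.remove(msg)
+ messages.append(common.RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg.text))
+ if not report_only:
+ self.__old_root_pw = self.data.rootpw.password
+ self.data.rootpw.password = None
+ self.__old_root_pw_seen = self.data.rootpw.password.seen
+ self.data.rootpw.password.seen = False
+
+ def _revert_rootpw_changes(self):
+ if self.__old_root_pw is not None:
+ self.data.rootpw.password = self.__old_root_pw
+ self.data.rootpw.password.seen = self.__old_root_pw_seen
+ self.__old_root_pw = None
+ self.__old_root_pw_seen = None
+
 @gtk_action_wait
 def _unselect_profile(self, profile_id):
 """Unselects the given profile."""
@@ -615,6 +643,7 @@ class OSCAPSpoke(NormalSpoke):
 if self._rule_data:
 # revert changes and clear rule_data (no longer valid)
 self._rule_data.revert_changes(self.data, self._storage)
+ self._revert_rootpw_changes()
 self._rule_data = None
 
 self._active_profile = None
@@ -769,7 +798,7 @@ class OSCAPSpoke(NormalSpoke):
 
 # no messages in the dry-run mode
 self._message_store.clear()
- message = common.RuleMessage(common.MESSAGE_TYPE_INFO,
+ message = common.RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO,
 _("Not applying security policy"))
 self._add_message(message)
 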
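Review bot: In `_resolve_rootpw_issues`, `self.__old_root_pw_seen = self.data.rootpw.password.seen` runs immediately after `self.data.rootpw.password = None`, so it dereferences `None` and raises AttributeError the first time a too-short kickstart root password is handled with `report_only` false. The `seen` flag presumably lives on the `rootpw` command object rather than on the password value, so the pair should read `self.__old_root_pw_seen = self.data.rootpw.seen` and `self.data.rootpw.seen = False`, with `self.data.rootpw.seen = self.__old_root_pw_seen` in `_revert_rootpw_changes`. `__old_root_pw_seen` is also not initialised next to `self.__old_root_pw = None` in the first hunk. Because the exception fires after the password has already been cleared, the saved state is left half-recorded, and the downgrade of the fatal password-length message to a warning is not backed by a reliable reset and revert.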
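diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py
index a7bed22..2d58efe 100644
--- a/org_fedora_oscap/rule_handling.py
+++ b/org_fedora_oscap/rule_handling.py
@@ -223,6 +223,11 @@ class RuleData(RuleHandler):
 if opts.passwd:
 self._bootloader_rules.require_password()
 
+ @property
+ def passwd_rules(self):
+ # needed for fixups in GUI
+ return self._passwd_rules
+
 class PartRules(RuleHandler):
 """Simple class holding data from the rules affecting partitioning."""
 
@@ -324,7 +329,7 @@ class PartRule(RuleHandler):
 if self._mount_point not in storage.mountpoints:
 msg = _("%s must be on a separate partition or logical "
 "volume" % self._mount_point)
- messages.append(RuleMessage(common.MESSAGE_TYPE_FATAL, msg))
+ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg))
 
 # mount point doesn't exist, nothing more can be found here
 return messages
@@ -337,7 +342,7 @@ class PartRule(RuleHandler):
 for opt in self._added_mount_options:
 msg = msg_tmpl % { "mount_option": opt,
 "mount_point": self._mount_point }
- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg))
+ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
 
 # mount point to be created during installation
 target_mount_point = storage.mountpoints[self._mount_point]
@@ -352,7 +357,7 @@ class PartRule(RuleHandler):
 "mount_point": self._mount_point }
 
 # add message for the mount option in any case
- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg))
+ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
 
 # add new options to the target mount point if not reporting only
 if not report_only:
@@ -428,18 +433,18 @@ class PasswdRules(RuleHandler):
 
 msg = _("make sure to create password with minimal length of %d "
 "characters") % self._minlen
- ret = [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
+ ret = [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg)]
 else:
 # root password set
 if ksdata.rootpw.isCrypted:
 msg = _("cannot check root password length (password is crypted)")
 log.warning("cannot check root password length (password is crypted)")
- return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)]
+ return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING, msg)]
 elif len(ksdata.rootpw.password) < self._minlen:
 # too short
 msg = _("root password is too short, a longer one with at "
 "least %d characters is required") % self._minlen
- ret = [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)]
+ ret = [RuleMessage(self.__class__, common.MESSAGE_TYPE_FATAL, msg)]
 else:
 ret = []
 
@@ -532,7 +537,7 @@ class PackageRules(RuleHandler):
 for pkg in self._added_pkgs:
 msg = _("package '%s' has been added to the list of to be installed "
 "packages" % pkg)
- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg))
+ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
 
 # packages, that should be added
 packages_to_add = (pkg for pkg in self._add_pkgs
@@ -546,7 +551,7 @@ class PackageRules(RuleHandler):
 
 msg = _("package '%s' has been added to the list of to be installed "
 "packages" % pkg)
- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg))
+ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
 
 ### now do the same for the packages that should be excluded
 
@@ -554,7 +559,7 @@ class PackageRules(RuleHandler):
 for pkg in self._removed_pkgs:
 msg = _("package '%s' has been added to the list of excluded "
 "packages" % pkg)
- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg))
+ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
 
 # packages, that should be added
 packages_to_remove = (pkg for pkg in self._remove_pkgs
@@ -568,7 +573,7 @@ class PackageRules(RuleHandler):
 
 msg = _("package '%s' has been added to the list of excluded "
 "packages" % pkg)
- messages.append(RuleMessage(common.MESSAGE_TYPE_INFO, msg))
+ messages.append(RuleMessage(self.__class__, common.MESSAGE_TYPE_INFO, msg))
 
 return messages
 
@@ -618,8 +623,8 @@ class BootloaderRules(RuleHandler):
 # Anaconda doesn't provide a way to set bootloader password, so
 # users cannot do much about that --> we shouldn't stop the
 # installation, should we?
- return [RuleMessage(common.MESSAGE_TYPE_WARNING,
- "boot loader password not set up")]
+ return [RuleMessage(self.__class__, common.MESSAGE_TYPE_WARNING,
+ "boot loader password not set up")]
 else:
 return []
 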
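Review bot: The new `passwd_rules` property on `RuleData` is documented only by the inline comment `# needed for fixups in GUI`, and none of the GUI hunks in this patch read it; `_resolve_rootpw_issues` matches on `msg.origin` instead. If it is kept for a later patch in the series, a docstring such as `"""Password rules handler of this RuleData (read by the GUI for root password fix-ups)."""` would say so; otherwise it can be dropped. Since every handler now records `self.__class__` as the origin, the GUI's `msg.origin == rule_handling.PasswdRules` test is an exact-class match, and a subclassed password handler would keep its fatal message unless the check used `issubclass`.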
--
2.5.5