From 7b475f1da0f843b20437896737be04cc1c7bbc0a Mon Sep 17 00:00:00 2001

From: Jake Hunsaker <jhunsake@redhat.com>

Date: Fri, 25 May 2018 13:38:27 -0400

Subject: [PATCH] [sosreport] Add mechanism to encrypt final archive

Adds an option to encrypt the resulting archive that sos generates.

There are two methods for doing so:

	--encrypt-key	Uses a key-pair for asymmetric encryption

	--encrypt-pass  Uses a password for symmetric encryption

For key-pair encryption, the key-to-be-used must be imported into the

root user's keyring, as gpg does not allow for the use of keyfiles.

If the encryption process fails, sos will not abort as the unencrypted

archive will have already been created. The assumption being that the

archive is still of use and/or the user has another means of encrypting

it.

Resolves: #1320

Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>

Signed-off-by: Bryn M. Reeves <bmr@redhat.com>

---

 man/en/sosreport.1     | 28 ++++++++++++++++++++++

 sos/__init__.py        | 10 ++++----

 sos/archive.py         | 63 ++++++++++++++++++++++++++++++++++++++++++++++----

 sos/sosreport.py       | 20 ++++++++++++++--

 tests/archive_tests.py |  3 ++-

 5 files changed, 113 insertions(+), 11 deletions(-)

diff --git a/man/en/sosreport.1 b/man/en/sosreport.1

index b0adcd8bb..b6051edc1 100644

--- a/man/en/sosreport.1

+++ b/man/en/sosreport.1

@@ -22,6 +22,8 @@ sosreport \- Collect and package diagnostic and support data

           [--log-size]\fR

           [--all-logs]\fR

           [-z|--compression-type method]\fR

+          [--encrypt-key KEY]\fR

+          [--encrypt-pass PASS]\fR

           [--experimental]\fR

           [-h|--help]\fR

@@ -120,6 +122,32 @@ increase the size of reports.

 .B \-z, \--compression-type METHOD

 Override the default compression type specified by the active policy.

 .TP

+.B \--encrypt-key KEY

+Encrypts the resulting archive that sosreport produces using GPG. KEY must be

+an existing key in the user's keyring as GPG does not allow for keyfiles.

+KEY can be any value accepted by gpg's 'recipient' option.

+

+Note that the user running sosreport must match the user owning the keyring

+from which keys will be obtained. In particular this means that if sudo is

+used to run sosreport, the keyring must also be set up using sudo

+(or direct shell access to the account).

+

+Users should be aware that encrypting the final archive will result in sos

+using double the amount of temporary disk space - the encrypted archive must be

+written as a separate, rather than replacement, file within the temp directory

+that sos writes the archive to. However, since the encrypted archive will be

+the same size as the original archive, there is no additional space consumption

+once the temporary directory is removed at the end of execution.

+

+This means that only the encrypted archive is present on disk after sos

+finishes running.

+

+If encryption fails for any reason, the original unencrypted archive is

+preserved instead.

+.TP

+.B \--encrypt-pass PASS

+The same as \--encrypt-key, but use the provided PASS for symmetric encryption

+rather than key-pair encryption.

 .TP

 .B \--batch

 Generate archive without prompting for interactive input.

diff --git a/sos/__init__.py b/sos/__init__.py

index ef4524c60..cd9779bdc 100644

--- a/sos/__init__.py

+++ b/sos/__init__.py

@@ -45,10 +45,10 @@ def _default(msg):

 _arg_names = [

     'add_preset', 'alloptions', 'all_logs', 'batch', 'build', 'case_id',

     'chroot', 'compression_type', 'config_file', 'desc', 'debug', 'del_preset',

-    'enableplugins', 'experimental', 'label', 'list_plugins', 'list_presets',

-    'list_profiles', 'log_size', 'noplugins', 'noreport', 'note',

-    'onlyplugins', 'plugopts', 'preset', 'profiles', 'quiet', 'sysroot',

-    'threads', 'tmp_dir', 'verbosity', 'verify'

+    'enableplugins', 'encrypt_key', 'encrypt_pass', 'experimental', 'label',

+    'list_plugins', 'list_presets', 'list_profiles', 'log_size', 'noplugins',

+    'noreport', 'note', 'onlyplugins', 'plugopts', 'preset', 'profiles',

+    'quiet', 'sysroot', 'threads', 'tmp_dir', 'verbosity', 'verify'

 ]

 #: Arguments with non-zero default values

@@ -84,6 +84,8 @@ class SoSOptions(object):

     del_preset = ""

     desc = ""

     enableplugins = []

+    encrypt_key = None

+    encrypt_pass = None

     experimental = False

     label = ""

     list_plugins = False

diff --git a/sos/archive.py b/sos/archive.py

index e153c09ad..263e3dd3f 100644

--- a/sos/archive.py

+++ b/sos/archive.py

@@ -142,11 +142,12 @@ class FileCacheArchive(Archive):

     _archive_root = ""

     _archive_name = ""

-    def __init__(self, name, tmpdir, policy, threads):

+    def __init__(self, name, tmpdir, policy, threads, enc_opts):

         self._name = name

         self._tmp_dir = tmpdir

         self._policy = policy

         self._threads = threads

+        self.enc_opts = enc_opts

         self._archive_root = os.path.join(tmpdir, name)

         with self._path_lock:

             os.makedirs(self._archive_root, 0o700)

@@ -384,12 +385,65 @@ def finalize(self, method):

                       os.stat(self._archive_name).st_size))

         self.method = method

         try:

-            return self._compress()

+            res = self._compress()

         except Exception as e:

             exp_msg = "An error occurred compressing the archive: "

             self.log_error("%s %s" % (exp_msg, e))

             return self.name()

+        if self.enc_opts['encrypt']:

+            try:

+                return self._encrypt(res)

+            except Exception as e:

+                exp_msg = "An error occurred encrypting the archive:"

+                self.log_error("%s %s" % (exp_msg, e))

+                return res

+        else:

+            return res

+

+    def _encrypt(self, archive):

+        """Encrypts the compressed archive using GPG.

+

+        If encryption fails for any reason, it should be logged by sos but not

+        cause execution to stop. The assumption is that the unencrypted archive

+        would still be of use to the user, and/or that the end user has another

+        means of securing the archive.

+

+        Returns the name of the encrypted archive, or raises an exception to

+        signal that encryption failed and the unencrypted archive name should

+        be used.

+        """

+        arc_name = archive.replace("sosreport-", "secured-sosreport-")

+        arc_name += ".gpg"

+        enc_cmd = "gpg --batch -o %s " % arc_name

+        env = None

+        if self.enc_opts["key"]:

+            # need to assume a trusted key here to be able to encrypt the

+            # archive non-interactively

+            enc_cmd += "--trust-model always -e -r %s " % self.enc_opts["key"]

+            enc_cmd += archive

+        if self.enc_opts["password"]:

+            # prevent change of gpg options using a long password, but also

+            # prevent the addition of quote characters to the passphrase

+            passwd = "%s" % self.enc_opts["password"].replace('\'"', '')

+            env = {"sos_gpg": passwd}

+            enc_cmd += "-c --passphrase-fd 0 "

+            enc_cmd = "/bin/bash -c \"echo $sos_gpg | %s\"" % enc_cmd

+            enc_cmd += archive

+        r = sos_get_command_output(enc_cmd, timeout=0, env=env)

+        if r["status"] == 0:

+            return arc_name

+        elif r["status"] == 2:

+            if self.enc_opts["key"]:

+                msg = "Specified key not in keyring"

+            else:

+                msg = "Could not read passphrase"

+        else:

+            # TODO: report the actual error from gpg. Currently, we cannot as

+            # sos_get_command_output() does not capture stderr

+            msg = "gpg exited with code %s" % r["status"]

+        raise Exception(msg)

+

 # Compatibility version of the tarfile.TarFile class. This exists to allow

 # compatibility with PY2 runtimes that lack the 'filter' parameter to the

@@ -468,8 +522,9 @@ class TarFileArchive(FileCacheArchive):

     method = None

     _with_selinux_context = False

-    def __init__(self, name, tmpdir, policy, threads):

-        super(TarFileArchive, self).__init__(name, tmpdir, policy, threads)

+    def __init__(self, name, tmpdir, policy, threads, enc_opts):

+        super(TarFileArchive, self).__init__(name, tmpdir, policy, threads,

+                                             enc_opts)

         self._suffix = "tar"

         self._archive_name = os.path.join(tmpdir, self.name())

diff --git a/sos/sosreport.py b/sos/sosreport.py

index 60802617c..00c3e8110 100644

--- a/sos/sosreport.py

+++ b/sos/sosreport.py

@@ -316,6 +316,13 @@ def _parse_args(args):

     preset_grp.add_argument("--del-preset", type=str, action="store",

                             help="Delete the named command line preset")

+    encrypt_grp = parser.add_mutually_exclusive_group()

+    encrypt_grp.add_argument("--encrypt-key",

+                             help="Encrypt the final archive using a GPG "

+                                  "key-pair")

+    encrypt_grp.add_argument("--encrypt-pass",

+                             help="Encrypt the final archive using a password")

+

     return parser.parse_args(args)

@@ -431,16 +438,25 @@ def get_temp_file(self):

         return self.tempfile_util.new()

     def _set_archive(self):

+        enc_opts = {

+            'encrypt': True if (self.opts.encrypt_pass or

+                                self.opts.encrypt_key) else False,

+            'key': self.opts.encrypt_key,

+            'password': self.opts.encrypt_pass

+        }

+

         archive_name = os.path.join(self.tmpdir,

                                     self.policy.get_archive_name())

         if self.opts.compression_type == 'auto':

             auto_archive = self.policy.get_preferred_archive()

             self.archive = auto_archive(archive_name, self.tmpdir,

-                                        self.policy, self.opts.threads)

+                                        self.policy, self.opts.threads,

+                                        enc_opts)

         else:

             self.archive = TarFileArchive(archive_name, self.tmpdir,

-                                          self.policy, self.opts.threads)

+                                          self.policy, self.opts.threads,

+                                          enc_opts)

         self.archive.set_debug(True if self.opts.debug else False)

diff --git a/tests/archive_tests.py b/tests/archive_tests.py

index b4dd8d0ff..e5b329b5f 100644

--- a/tests/archive_tests.py

+++ b/tests/archive_tests.py

@@ -19,7 +19,8 @@ class TarFileArchiveTest(unittest.TestCase):

     def setUp(self):

         self.tmpdir = tempfile.mkdtemp()

-        self.tf = TarFileArchive('test', self.tmpdir, Policy(), 1)

+        enc = {'encrypt': False}

+        self.tf = TarFileArchive('test', self.tmpdir, Policy(), 1, enc)

     def tearDown(self):

         shutil.rmtree(self.tmpdir)