From 94b9b90c818eb18f0ca8d78fe063dc5b0677c885 Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Tue, 22 Jun 2021 12:58:03 +0200

Subject: [PATCH] [rhui] add plugin to RHUI

Add a new/revoked plugin for RHUI (newly based on python3 and pulp-3).

Edditionally, collect /etc/pki/pulp certificates except for RSA keys.

Resolves: #2590

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/report/plugins/pulpcore.py |  7 ++++-

 sos/report/plugins/rhui.py     | 49 ++++++++++++++++++++++++++++++++++

 2 files changed, 55 insertions(+), 1 deletion(-)

 create mode 100644 sos/report/plugins/rhui.py

diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py

index ccaac3185..77ceacb92 100644

--- a/sos/report/plugins/pulpcore.py

+++ b/sos/report/plugins/pulpcore.py

@@ -77,7 +77,12 @@ def separate_value(line, sep=':'):

     def setup(self):

         self.parse_settings_config()

-        self.add_copy_spec("/etc/pulp/settings.py")

+        self.add_copy_spec([

+            "/etc/pulp/settings.py",

+            "/etc/pki/pulp/*"

+        ])

+        # skip collecting certificate keys

+        self.add_forbidden_path("/etc/pki/pulp/*.key")

         self.add_cmd_output("rq info -u redis://localhost:6379/8",

                             env={"LC_ALL": "en_US.UTF-8"},

diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py

new file mode 100644

index 000000000..7acd3f49e

--- /dev/null

+++ b/sos/report/plugins/rhui.py

@@ -0,0 +1,49 @@

+# Copyright (C) 2021 Red Hat, Inc., Pavel Moravec <pmoravec@redhat.com>

+

+# This file is part of the sos project: https://github.com/sosreport/sos

+#

+# This copyrighted material is made available to anyone wishing to use,

+# modify, copy, or redistribute it subject to the terms and conditions of

+# version 2 of the GNU General Public License.

+#

+# See the LICENSE file in the source distribution for further information.

+

+from sos.report.plugins import Plugin, RedHatPlugin

+

+

+class Rhui(Plugin, RedHatPlugin):

+

+    short_desc = 'Red Hat Update Infrastructure'

+

+    plugin_name = "rhui"

+    commands = ("rhui-manager",)

+    files = ("/etc/ansible/facts.d/rhui_auth.fact", "/usr/lib/rhui/cds.py")

+

+    def setup(self):

+        self.add_copy_spec([

+            "/etc/rhui/rhui-tools.conf",

+            "/etc/rhui/registered_subscriptions.conf",

+            "/etc/pki/rhui/*",

+            "/var/log/rhui-subscription-sync.log",

+            "/var/cache/rhui/*",

+            "/root/.rhui/*",

+        ])

+        # skip collecting certificate keys

+        self.add_forbidden_path("/etc/pki/rhui/*.key")

+

+        self.add_cmd_output([

+            "rhui-manager status",

+            "rhui-manager cert info",

+            "ls -lR /var/lib/rhui/remote_share",

+        ])

+

+    def postproc(self):

+        # obfuscate admin_pw and secret_key values

+        for prop in ["admin_pw", "secret_key"]:

+            self.do_path_regex_sub(

+                "/etc/ansible/facts.d/rhui_auth.fact",

+                r"(%s\s*=\s*)(.*)" % prop,

+                r"\1********")

+

+

+# vim: set et ts=4 sw=4 :

From bd15dc764c9d4554d8e8f08163228d65ca099985 Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Thu, 24 Jun 2021 17:53:27 +0200

Subject: [PATCH 1/4] [plugins] Allow add_forbidden_path to apply glob

 recursively

Add option to apply glob.glob to forbidden path recursively.

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/report/plugins/__init__.py | 6 ++++--

 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sos/report/plugins/__init__.py b/sos/report/plugins/__init__.py

index 06923300..6fd1a3b2 100644

--- a/sos/report/plugins/__init__.py

+++ b/sos/report/plugins/__init__.py

@@ -1187,12 +1187,14 @@ class Plugin(object):

             'symlink': "no"

         })

-    def add_forbidden_path(self, forbidden):

+    def add_forbidden_path(self, forbidden, recursive=False):

         """Specify a path, or list of paths, to not copy, even if it's part of

         an ``add_copy_spec()`` call

         :param forbidden: A filepath to forbid collection from

         :type forbidden: ``str`` or a ``list`` of strings

+

+        :param recursive: Should forbidden glob be applied recursively

         """

         if isinstance(forbidden, str):

             forbidden = [forbidden]

@@ -1202,7 +1204,7 @@ class Plugin(object):

         for forbid in forbidden:

             self._log_info("adding forbidden path '%s'" % forbid)

-            for path in glob.glob(forbid):

+            for path in glob.glob(forbid, recursive=recursive):

                 self.forbidden_paths.append(path)

     def get_all_options(self):

-- 

2.31.1

From b695201baeb629a6543445d98dbb04f357670621 Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Thu, 24 Jun 2021 17:57:48 +0200

Subject: [PATCH 2/4] [pulpcore] improve settings.py parsing

- deal with /etc/pulp/settings.py as a one-line string

- parse dbname from it as well

- dont collect any *.key file from whole /etc/pki/pulp dir

Related: #2593

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/report/plugins/pulpcore.py | 23 +++++++++++++++--------

 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/sos/report/plugins/pulpcore.py b/sos/report/plugins/pulpcore.py

index 77ceacb9..be526035 100644

--- a/sos/report/plugins/pulpcore.py

+++ b/sos/report/plugins/pulpcore.py

@@ -28,9 +28,10 @@ class PulpCore(Plugin, IndependentPlugin):

         databases_scope = False

         self.dbhost = "localhost"

         self.dbport = 5432

+        self.dbname = "pulpcore"

         self.dbpasswd = ""

         # TODO: read also redis config (we dont expect much customisations)

-        # TODO: read also db user (pulp) and database name (pulpcore)

+        # TODO: read also db user (pulp)

         self.staticroot = "/var/lib/pulp/assets"

         self.uploaddir = "/var/lib/pulp/media/upload"

@@ -44,7 +45,10 @@ class PulpCore(Plugin, IndependentPlugin):

             return val

         try:

-            for line in open("/etc/pulp/settings.py").read().splitlines():

+            # split the lines to "one option per line" format

+            for line in open("/etc/pulp/settings.py").read() \

+                    .replace(',', ',\n').replace('{', '{\n') \

+                    .replace('}', '\n}').splitlines():

                 # skip empty lines and lines with comments

                 if not line or line[0] == '#':

                     continue

@@ -53,11 +57,14 @@ class PulpCore(Plugin, IndependentPlugin):

                     continue

                 # example HOST line to parse:

                 #         'HOST': 'localhost',

-                if databases_scope and match(r"\s+'HOST'\s*:\s+\S+", line):

+                pattern = r"\s*['|\"]%s['|\"]\s*:\s*\S+"

+                if databases_scope and match(pattern % 'HOST', line):

                     self.dbhost = separate_value(line)

-                if databases_scope and match(r"\s+'PORT'\s*:\s+\S+", line):

+                if databases_scope and match(pattern % 'PORT', line):

                     self.dbport = separate_value(line)

-                if databases_scope and match(r"\s+'PASSWORD'\s*:\s+\S+", line):

+                if databases_scope and match(pattern % 'NAME', line):

+                    self.dbname = separate_value(line)

+                if databases_scope and match(pattern % 'PASSWORD', line):

                     self.dbpasswd = separate_value(line)

                 # if line contains closing '}' database_scope end

                 if databases_scope and '}' in line:

@@ -82,7 +89,7 @@ class PulpCore(Plugin, IndependentPlugin):

             "/etc/pki/pulp/*"

         ])

         # skip collecting certificate keys

-        self.add_forbidden_path("/etc/pki/pulp/*.key")

+        self.add_forbidden_path("/etc/pki/pulp/**/*.key", recursive=True)

         self.add_cmd_output("rq info -u redis://localhost:6379/8",

                             env={"LC_ALL": "en_US.UTF-8"},

@@ -104,8 +111,8 @@ class PulpCore(Plugin, IndependentPlugin):

             _query = "select * from %s where pulp_last_updated > NOW() - " \

                      "interval '%s days' order by pulp_last_updated" % \

                      (table, task_days)

-            _cmd = "psql -h %s -p %s -U pulp -d pulpcore -c %s" % \

-                   (self.dbhost, self.dbport, quote(_query))

+            _cmd = "psql -h %s -p %s -U pulp -d %s -c %s" % \

+                   (self.dbhost, self.dbport, self.dbname, quote(_query))

             self.add_cmd_output(_cmd, env=self.env, suggest_filename=table)

     def postproc(self):

-- 

2.31.1

From 0286034da44bce43ab368dfc6815da7d74d60719 Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Thu, 24 Jun 2021 17:59:36 +0200

Subject: [PATCH 3/4] [rhui] call rhui-* commands with proper env and timeout

rhui-manager commands timeout when not being logged in, which

should be reacted by adding proper cmd timeout.

Adding the env.variable ensures potentially unaswered "RHUI Username:"

is also printed/colected.

Further, prevent collecting any *.key file from the whole /etc/pki/rhui

dir.

Related: #2593

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/report/plugins/rhui.py | 7 +++++--

 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py

index 7acd3f49..5a152427 100644

--- a/sos/report/plugins/rhui.py

+++ b/sos/report/plugins/rhui.py

@@ -29,13 +29,16 @@ class Rhui(Plugin, RedHatPlugin):

             "/root/.rhui/*",

         ])

         # skip collecting certificate keys

-        self.add_forbidden_path("/etc/pki/rhui/*.key")

+        self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True)

+        # call rhui-manager commands with 1m timeout and

+        # with an env. variable ensuring that "RHUI Username:"

+        # even unanswered prompt gets collected

         self.add_cmd_output([

             "rhui-manager status",

             "rhui-manager cert info",

             "ls -lR /var/lib/rhui/remote_share",

-        ])

+        ], timeout=60, env={'PYTHONUNBUFFERED': '1'})

     def postproc(self):

         # obfuscate admin_pw and secret_key values

-- 

2.31.1

From a656bd239ab86dfd8973f733ae2c0fbd0c57d416 Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Thu, 24 Jun 2021 18:01:14 +0200

Subject: [PATCH 4/4] [rhui] fix broken obfuscation

- /etc/ansible/facts.d/rhui_*.fact must be collected by

rhui plugin to let some file to be obfuscated there

- obfuscate also cookies values that can grant login access

Resolves: #2593

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/report/plugins/ansible.py | 3 +++

 sos/report/plugins/rhui.py    | 7 +++++++

 2 files changed, 10 insertions(+)

diff --git a/sos/report/plugins/ansible.py b/sos/report/plugins/ansible.py

index 3e5d3d37..5991b786 100644

--- a/sos/report/plugins/ansible.py

+++ b/sos/report/plugins/ansible.py

@@ -29,4 +29,7 @@ class Ansible(Plugin, RedHatPlugin, UbuntuPlugin):

             "ansible --version"

         ])

+        # let rhui plugin collects the RHUI specific files

+        self.add_forbidden_path("/etc/ansible/facts.d/rhui_*.fact")

+

 # vim: set et ts=4 sw=4 :

diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py

index 5a152427..1d479f85 100644

--- a/sos/report/plugins/rhui.py

+++ b/sos/report/plugins/rhui.py

@@ -27,6 +27,7 @@ class Rhui(Plugin, RedHatPlugin):

             "/var/log/rhui-subscription-sync.log",

             "/var/cache/rhui/*",

             "/root/.rhui/*",

+            "/etc/ansible/facts.d/rhui_*.fact",

         ])

         # skip collecting certificate keys

         self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True)

@@ -47,6 +48,12 @@ class Rhui(Plugin, RedHatPlugin):

                 "/etc/ansible/facts.d/rhui_auth.fact",

                 r"(%s\s*=\s*)(.*)" % prop,

                 r"\1********")

+        # obfuscate twoo cookies for login session

+        for cookie in ["csrftoken", "sessionid"]:

+            self.do_path_regex_sub(

+                r"/root/\.rhui/.*/cookies.txt",

+                r"(%s\s+)(\S+)" % cookie,

+                r"\1********")

 # vim: set et ts=4 sw=4 :

-- 

2.31.1

From 4e5bebffca9936bcdf4d38aad9989970a15dd72b Mon Sep 17 00:00:00 2001

From: Pavel Moravec <pmoravec@redhat.com>

Date: Tue, 3 Aug 2021 21:54:33 +0200

Subject: [PATCH] [rhui] Update the plugin on several places

- obfuscate "rhui_manager_password: xxx" in /root/.rhui/answers.yaml*

- no need to collect or obfuscate anything from /etc/ansible/facts.d

- newly detect the plugin via /etc/rhui/rhui-tools.conf file or rhui-manager

  command (only)

Resolves: #2637

Signed-off-by: Pavel Moravec <pmoravec@redhat.com>

---

 sos/report/plugins/rhui.py | 14 ++++++--------

 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/sos/report/plugins/rhui.py b/sos/report/plugins/rhui.py

index 1d479f85..52065fb4 100644

--- a/sos/report/plugins/rhui.py

+++ b/sos/report/plugins/rhui.py

@@ -16,8 +16,8 @@ class Rhui(Plugin, RedHatPlugin):

     short_desc = 'Red Hat Update Infrastructure'

     plugin_name = "rhui"

-    commands = ("rhui-manager",)

-    files = ("/etc/ansible/facts.d/rhui_auth.fact", "/usr/lib/rhui/cds.py")

+    commands = ("rhui-manager", )

+    files = ("/etc/rhui/rhui-tools.conf", )

     def setup(self):

         self.add_copy_spec([

@@ -27,7 +27,6 @@ class Rhui(Plugin, RedHatPlugin):

             "/var/log/rhui-subscription-sync.log",

             "/var/cache/rhui/*",

             "/root/.rhui/*",

-            "/etc/ansible/facts.d/rhui_*.fact",

         ])

         # skip collecting certificate keys

         self.add_forbidden_path("/etc/pki/rhui/**/*.key", recursive=True)

@@ -42,11 +41,10 @@ class Rhui(Plugin, RedHatPlugin):

         ], timeout=60, env={'PYTHONUNBUFFERED': '1'})

     def postproc(self):

-        # obfuscate admin_pw and secret_key values

-        for prop in ["admin_pw", "secret_key"]:

-            self.do_path_regex_sub(

-                "/etc/ansible/facts.d/rhui_auth.fact",

-                r"(%s\s*=\s*)(.*)" % prop,

+        # hide rhui_manager_password value in (also rotated) answers file

+        self.do_path_regex_sub(

+                r"/root/\.rhui/answers.yaml.*",

+                r"(\s*rhui_manager_password\s*:)\s*(\S+)",

                 r"\1********")

         # obfuscate twoo cookies for login session

         for cookie in ["csrftoken", "sessionid"]:

-- 

2.31.1