stages: add org.osbuild.update-crypto-policies stage

This stage calls `update-crypto-policies` to set the policy applicable for the various cryptographic back-ends, such as SSL/TLS libraries. Signed-off-by: Miguel Martín <mmartinv@redhat.com>
2023-11-08 14:43:43 +01:00 · 2023-11-08 14:43:43 +01:00 · f3d740aaf8
commit f3d740aaf8
parent 5a58c35680
6 changed files with 2306 additions and 0 deletions
--- a/stages/org.osbuild.update-crypto-policies
+++ b/stages/org.osbuild.update-crypto-policies
@ -0,0 +1,50 @@
+#!/usr/bin/python3
+"""
+Sets the policy applicable for the various cryptographic back-ends,
+such as SSL/TLS libraries.
+
+This stage calls `update-crypto-policies` to set the system's
+cryptographic policy.
+
+Notes:
+  - Requires 'chroot' in the buildroot.
+  - Runs the 'update-crypto-policies' script from the image in the chroot.
+"""
+
+
+import subprocess
+import sys
+
+from osbuild import api
+
+SCHEMA_2 = r"""
+"options": {
+  "additionalProperties": false,
+  "description": "Sets the current policy and overwrites the config file",
+  "required": [ "policy" ],
+  "properties": {
+    "policy": {
+      "type": "string",
+      "minLength": 1,
+      "description": "The policy to be applied."
+    }
+  }
+}
+"""
+
+
+def main(tree, options):
+    policy = options["policy"]
+
+    cmd = ["/usr/sbin/chroot", tree,
+           "/usr/bin/update-crypto-policies", "--set", policy]
+
+    subprocess.run(cmd, check=True)
+
+    return 0
+
+
+if __name__ == "__main__":
+    args = api.arguments()
+    r = main(args["tree"], args["options"])
+    sys.exit(r)
--- a/test/data/stages/update-crypto-policies/a.json
+++ b/test/data/stages/update-crypto-policies/a.json
--- a/test/data/stages/update-crypto-policies/a.mpp.yaml
+++ b/test/data/stages/update-crypto-policies/a.mpp.yaml
@ -0,0 +1,29 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - crypto-policies-scripts
+        options:
+          gpgkeys:
+            mpp-eval: gpgkeys
+          exclude:
+            docs: true
--- a/test/data/stages/update-crypto-policies/b.json
+++ b/test/data/stages/update-crypto-policies/b.json
--- a/test/data/stages/update-crypto-policies/b.mpp.yaml
+++ b/test/data/stages/update-crypto-policies/b.mpp.yaml
@ -0,0 +1,32 @@
+version: '2'
+pipelines:
+  - mpp-import-pipelines:
+      path: ../manifests/fedora-vars.ipp.yaml
+  - mpp-import-pipeline:
+      path: ../manifests/fedora-build-v2.ipp.yaml
+      id: build
+    runner:
+      mpp-format-string: org.osbuild.fedora{release}
+  - name: tree
+    build: name:build
+    stages:
+      - type: org.osbuild.rpm
+        inputs:
+          packages:
+            type: org.osbuild.files
+            origin: org.osbuild.source
+            mpp-depsolve:
+              architecture: $arch
+              module-platform-id: $module_platform_id
+              repos:
+                mpp-eval: repos
+              packages:
+                - crypto-policies-scripts
+        options:
+          gpgkeys:
+            mpp-eval: gpgkeys
+          exclude:
+            docs: true
+      - type: org.osbuild.update-crypto-policies
+        options:
+          policy: FIPS
--- a/test/data/stages/update-crypto-policies/diff.json
+++ b/test/data/stages/update-crypto-policies/diff.json
@ -0,0 +1,107 @@
+{
+  "added_files": ["/dev/null"],
+  "deleted_files": [],
+  "differences": {
+    "/etc/crypto-policies/back-ends/bind.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/bind.txt",
+        "/usr/share/crypto-policies/FIPS/bind.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/gnutls.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/gnutls.txt",
+        "/usr/share/crypto-policies/FIPS/gnutls.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/java.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/java.txt",
+        "/usr/share/crypto-policies/FIPS/java.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/javasystem.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/javasystem.txt",
+        "/usr/share/crypto-policies/FIPS/javasystem.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/krb5.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/krb5.txt",
+        "/usr/share/crypto-policies/FIPS/krb5.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/libreswan.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/libreswan.txt",
+        "/usr/share/crypto-policies/FIPS/libreswan.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/libssh.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/libssh.txt",
+        "/usr/share/crypto-policies/FIPS/libssh.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/nss.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/nss.txt",
+        "/usr/share/crypto-policies/FIPS/nss.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/openssh.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/openssh.txt",
+        "/usr/share/crypto-policies/FIPS/openssh.txt"]
+    },
+    "/etc/crypto-policies/back-ends/opensshserver.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/opensshserver.txt",
+        "/usr/share/crypto-policies/FIPS/opensshserver.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/openssl.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/openssl.txt",
+        "/usr/share/crypto-policies/FIPS/openssl.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/opensslcnf.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/opensslcnf.txt",
+        "/usr/share/crypto-policies/FIPS/opensslcnf.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/rpm-sequoia.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/rpm-sequoia.txt",
+        "/usr/share/crypto-policies/FIPS/rpm-sequoia.txt"
+      ]
+    },
+    "/etc/crypto-policies/back-ends/sequoia.config": {
+      "symlink": [
+        "/usr/share/crypto-policies/DEFAULT/sequoia.txt",
+        "/usr/share/crypto-policies/FIPS/sequoia.txt"
+      ]
+    },
+    "/etc/crypto-policies/config": {
+      "content": [
+        "sha256:ecae097fb02a733ac98c03d7527fd923d5c9607c6a02feb5f0d388375f3e70dc",
+        "sha256:858dd9c983a8e87bbb242952b737f33499c99ff5fd8b377b218da3836357c874"
+      ]
+    },
+    "/etc/crypto-policies/state/CURRENT.pol": {
+      "content": [
+        "sha256:34459f8b102d05d1df56885c4a103e68ae6353f88ef41386402edf97c56eb505",
+        "sha256:3433137c54925eb3618bc7a34e33dfbc2d8fedad947256b91aa7ba7ac49eea51"
+      ]
+    },
+   "/etc/crypto-policies/state/current": {
+      "content": [
+        "sha256:ecae097fb02a733ac98c03d7527fd923d5c9607c6a02feb5f0d388375f3e70dc",
+        "sha256:858dd9c983a8e87bbb242952b737f33499c99ff5fd8b377b218da3836357c874"
+      ]
+    }
+  }
+}