From fd2bceb97a69d1abceac1e7cf3d32dfb8be88298 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 19 2015 15:56:49 +0000
Subject: import oscap-anaconda-addon-0.7-8.el7
---
diff --git a/.gitignore b/.gitignore
index c0b985b..1dacb93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/oscap-anaconda-addon-0.4.tar.gz
+SOURCES/oscap-anaconda-addon-0.7.tar.gz
diff --git a/.oscap-anaconda-addon.metadata b/.oscap-anaconda-addon.metadata
index 82f35eb..ad006b8 100644
--- a/.oscap-anaconda-addon.metadata
+++ b/.oscap-anaconda-addon.metadata
@@ -1 +1 @@
-6a740f6441b04e2e1c8120bb31cc13814314775c SOURCES/oscap-anaconda-addon-0.4.tar.gz
+1b073a990e13548ceec6749ee8be8bdf2f336b00 SOURCES/oscap-anaconda-addon-0.7.tar.gz
diff --git a/SOURCES/better_error_handling_1241064.patch b/SOURCES/better_error_handling_1241064.patch
new file mode 100644
index 0000000..3bc0404
--- /dev/null
+++ b/SOURCES/better_error_handling_1241064.patch
@@ -0,0 +1,248 @@
+From 3f9938a45b2fd7705e6fd40ab41231a79aaf5861 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 21 Jul 2015 16:48:27 +0200
+Subject: [PATCH 7/7] Better handle and report erroneous states
+
+So that users have a chance to find out what happened and fix the issue.
+
+Resolves: rhbz#1241064
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 93 ++++++++++++++++++++++++------------
+ 1 file changed, 62 insertions(+), 31 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 10a7ca7..e5ea225 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -19,6 +19,7 @@
+ #
+
+ import threading
++from functools import wraps
+
+ import gettext
+ _ = lambda x: gettext.ldgettext("oscap-anaconda-addon", x)
+@@ -46,6 +47,9 @@ from pykickstart.errors import KickstartValueError
+ # pylint: disable-msg=E0611
+ from gi.repository import Gdk
+
++import logging
++log = logging.getLogger("anaconda")
++
+ # export only the spoke, no helper functions, classes or constants
+ __all__ = ["OSCAPSpoke"]
+
+@@ -105,6 +109,21 @@ def render_message_type(column, renderer, model, itr, user_data=None):
+ else:
+ renderer.set_property("stock-id", "gtk-dialog-question")
+
++def set_ready(func):
++ @wraps(func)
++ def decorated(self, *args, **kwargs):
++ ret = func(self, *args, **kwargs)
++
++ self._unitialized_status = None
++ self._ready = True
++ # pylint: disable-msg=E1101
++ hubQ.send_ready(self.__class__.__name__, True)
++ hubQ.send_message(self.__class__.__name__, self.status)
++
++ return ret
++
++ return decorated
++
+ class OSCAPSpoke(NormalSpoke):
+ """
+ Main class of the OSCAP addon spoke that will appear in the Security
+@@ -182,6 +201,8 @@ class OSCAPSpoke(NormalSpoke):
+ self._fetching = False
+ self._fetch_flag_lock = threading.Lock()
+
++ self._error = None
++
+ def initialize(self):
+ """
+ The initialize method that is called after the instance is created.
+@@ -304,6 +325,7 @@ class OSCAPSpoke(NormalSpoke):
+ target=self._init_after_data_fetch,
+ args=(thread_name,)))
+
++ @set_ready
+ def _init_after_data_fetch(self, wait_for):
+ """
+ Waits for data fetching to be finished, extracts it (if needed),
+@@ -379,6 +401,7 @@ class OSCAPSpoke(NormalSpoke):
+ # fetching done
+ with self._fetch_flag_lock:
+ self._fetching = False
++
+ return
+
+ if self._using_ds:
+@@ -403,24 +426,19 @@ class OSCAPSpoke(NormalSpoke):
+ # update the message store with the messages
+ self._update_message_store()
+
+- # no more being unitialized
+- self._unitialized_status = None
+- self._ready = True
+-
+ # all initialized, we can now let user set parameters
+ fire_gtk_action(self._main_notebook.set_current_page, SET_PARAMS_PAGE)
+
+ # and use control buttons
+ fire_gtk_action(really_show, self._control_buttons)
+
+- # pylint: disable-msg=E1101
+- hubQ.send_ready(self.__class__.__name__, True)
+- hubQ.send_message(self.__class__.__name__, self.status)
+-
+ # fetching done
+ with self._fetch_flag_lock:
+ self._fetching = False
+
++ # no error
++ self._error = None
++
+ @property
+ def _using_ds(self):
+ return self._content_handling_cls == content_handling.DataStreamHandler
+@@ -620,39 +638,43 @@ class OSCAPSpoke(NormalSpoke):
+ # update messages according to the newly chosen profile
+ self._update_message_store()
+
++ @set_ready
++ def _set_error(self, msg):
++ self._error = msg
++ self.set_error(msg)
++
+ @gtk_action_wait
+ def _invalid_content(self):
+ """Callback for informing user about provided content invalidity."""
+
+- self._progress_label.set_markup("%s" % _("Invalid content "
+- "provided. Enter a different URL, "
+- "please."))
+- self._wrong_content()
++ msg = _("Invalid content provided. Enter a different URL, please.")
++ self._progress_label.set_markup("%s" % msg)
++ self._wrong_content(msg)
+
+ @gtk_action_wait
+ def _invalid_url(self):
+ """Callback for informing user about provided URL invalidity."""
+
+- self._progress_label.set_markup("%s" % _("Invalid or unsupported content "
+- "URL, please enter a different one."))
+- self._wrong_content()
++ msg = _("Invalid or unsupported content URL, please enter a different one.")
++ self._progress_label.set_markup("%s" % msg)
++ self._wrong_content(msg)
+
+ @gtk_action_wait
+ def _data_fetch_failed(self):
+ """Adapts the UI if fetching data from entered URL failed"""
+
+- self._progress_label.set_markup("%s" % _("Failed to fetch "
+- "content. Enter a different URL, "
+- "please."))
+- self._wrong_content()
++ msg = _("Failed to fetch content. Enter a different URL, please.")
++ self._progress_label.set_markup("%s" % msg)
++ self._wrong_content(msg)
+
+ @gtk_action_wait
+ def _network_problem(self):
+ """Adapts the UI if network error was encountered during data fetch"""
+
+- self._progress_label.set_markup("%s" % _("Network error encountered when fetching data."
+- " Please check that network is setup and working."))
+- self._wrong_content()
++ msg = _("Network error encountered when fetching data."
++ " Please check that network is setup and working.")
++ self._progress_label.set_markup("%s" % msg)
++ self._wrong_content(msg)
+
+ @gtk_action_wait
+ def _integrity_check_failed(self):
+@@ -660,7 +682,7 @@ class OSCAPSpoke(NormalSpoke):
+
+ msg = _("The integrity check of the content failed. Cannot use the content.")
+ self._progress_label.set_markup("%s" % msg)
+- self._wrong_content()
++ self._wrong_content(msg)
+
+ @gtk_action_wait
+ def _extraction_failed(self, err_msg):
+@@ -669,17 +691,18 @@ class OSCAPSpoke(NormalSpoke):
+ msg = _("Failed to extract content (%s). Enter a different URL, "
+ "please.") % err_msg
+ self._progress_label.set_markup("%s" % msg)
+- self._wrong_content()
++ self._wrong_content(msg)
+
+ @gtk_action_wait
+- def _wrong_content(self):
+- self._addon_data.content_url = ""
+- self._addon_data.content_type = ""
++ def _wrong_content(self, msg):
++ self._addon_data.clear_all()
+ really_hide(self._progress_spinner)
+ self._fetch_button.set_sensitive(True)
+ self._content_url_entry.set_sensitive(True)
+ self._content_url_entry.grab_focus()
+ self._content_url_entry.select_region(0, -1)
++ self._content_handling_cls == None
++ self._set_error(msg)
+
+ @gtk_action_wait
+ def _switch_dry_run(self, dry_run):
+@@ -792,6 +815,10 @@ class OSCAPSpoke(NormalSpoke):
+
+ """
+
++ if not self._addon_data.content_defined or not self._active_profile:
++ # no errors for no content or no profile
++ self._error = None
++
+ # store currently selected values to the addon data attributes
+ if self._using_ds:
+ self._addon_data.datastream_id = self._current_ds_id
+@@ -838,8 +865,8 @@ class OSCAPSpoke(NormalSpoke):
+ """
+
+ # no error message in the store
+- return all(row[0] != common.MESSAGE_TYPE_FATAL
+- for row in self._message_store)
++ return not self._error and all(row[0] != common.MESSAGE_TYPE_FATAL
++ for row in self._message_store)
+
+ @property
+ @gtk_action_wait
+@@ -854,6 +881,9 @@ class OSCAPSpoke(NormalSpoke):
+
+ """
+
++ if self._error:
++ return _("Error fetching and loading content")
++
+ if self._unitialized_status:
+ # not initialized
+ return self._unitialized_status
+@@ -951,9 +981,10 @@ class OSCAPSpoke(NormalSpoke):
+ really_show(self._progress_spinner)
+
+ if not data_fetch.can_fetch_from(url):
++ msg = _("Invalid or unsupported URL")
+ # cannot start fetching
+- self._progress_label.set_markup("%s" % _("Invalid or unsupported URL"))
+- self._wrong_content()
++ self._progress_label.set_markup("%s" % msg)
++ self._wrong_content(msg)
+ return
+
+ self._progress_label.set_text(_("Fetching content..."))
+--
+2.4.3
+
diff --git a/SOURCES/change_ssg_paths.patch b/SOURCES/change_ssg_paths.patch
new file mode 100644
index 0000000..daf22a2
--- /dev/null
+++ b/SOURCES/change_ssg_paths.patch
@@ -0,0 +1,27 @@
+From 1bbde30a8220e545011e9df3b96bd3b9220c9cfe Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 28 Apr 2015 16:29:51 +0200
+Subject: [PATCH] Change paths to use RHEL 7's SSG instead of the Fedora's one
+
+---
+ org_fedora_oscap/common.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index f1aba4c..7873b50 100644
+--- org_fedora_oscap/common.py
++++ org_fedora_oscap/common.py
+@@ -48,8 +48,8 @@ __all__ = ["run_oscap_remediate", "get_fix_rules_pre", "wait_and_fetch_net_data"
+ INSTALLATION_CONTENT_DIR = "/tmp/openscap_data/"
+ TARGET_CONTENT_DIR = "/root/openscap_data/"
+
+-SSG_DIR = "/usr/share/xml/scap/ssg/fedora/"
+-SSG_XCCDF = "ssg-fedora-xccdf.xml"
++SSG_DIR = "/usr/share/xml/scap/ssg/content/"
++SSG_XCCDF = "ssg-rhel7-xccdf.xml"
+
+ RESULTS_PATH = utils.join_paths(TARGET_CONTENT_DIR, "eval_remediate_results.xml")
+
+--
+2.3.6
+
diff --git a/SOURCES/clear_errors_1247677.patch b/SOURCES/clear_errors_1247677.patch
new file mode 100644
index 0000000..9105717
--- /dev/null
+++ b/SOURCES/clear_errors_1247677.patch
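Review bot: In better_error_handling_1241064.patch, the line `self._content_handling_cls == None` added to `_wrong_content` is a comparison whose result is discarded, so the handler class is never reset after a content failure. It should be the assignment `self._content_handling_cls = None`; as written, `_using_ds` (which compares `_content_handling_cls` with `content_handling.DataStreamHandler`) can keep reflecting the previously loaded content after the spoke has reported an error. Separately, `set_ready` sends `hubQ.send_ready` only after `func` returns, so an exception raised inside `_init_after_data_fetch` would leave the spoke permanently not ready; if that method can raise, moving the ready/status updates into a `finally:` block is worth considering.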
@@ -0,0 +1,38 @@
+From 010a079417d75cebc059798fcf3d1044453759e0 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Mon, 3 Aug 2015 15:00:28 +0200
+Subject: [PATCH 3/7] Clear any error if switching to the dry-run mode
+
+Nothing is done by the addon in the dry-run mode so there cannot be any error.
+
+Related: rhbz#1247677
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 06107a3..7037f91 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -749,6 +749,7 @@ class OSCAPSpoke(NormalSpoke):
+ _("Not applying security policy"))
+ self._add_message(message)
+
++ self._set_error(None)
+ else:
+ # mark the active profile as selected
+ self._select_profile(self._active_profile)
+@@ -807,9 +808,6 @@ class OSCAPSpoke(NormalSpoke):
+
+ self._main_notebook.set_current_page(SET_PARAMS_PAGE)
+
+- dry_run = self._dry_run_switch.get_active()
+- self._switch_dry_run(dry_run)
+-
+ self._active_profile = self._addon_data.profile_id
+
+ if self._using_ds:
+--
+2.1.0
+
diff --git a/SOURCES/cpio_entries_paths_1241064.patch b/SOURCES/cpio_entries_paths_1241064.patch
new file mode 100644
index 0000000..b20494a
--- /dev/null
+++ b/SOURCES/cpio_entries_paths_1241064.patch
@@ -0,0 +1,31 @@
+From 29c2e15b0ee109be1db0e94e2afc6717076540b4 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 21 Jul 2015 16:43:04 +0200
+Subject: [PATCH 5/7] Beware of RPM->cpio entries' paths having absolute paths
+
+Otherwise the check for required files fails because the paths may be given as
+relative.
+
+Related: rhbz#1241064
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/common.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/common.py b/org_fedora_oscap/common.py
+index 7873b50..d09ccbd 100644
+--- a/org_fedora_oscap/common.py
++++ b/org_fedora_oscap/common.py
+@@ -397,7 +397,8 @@ def _extract_rpm(rpm_path, root="/", ensure_has_files=None):
+ entry_names = [entry.name.lstrip(".") for entry in entries]
+
+ for fpath in ensure_has_files or ():
+- if not fpath in entry_names:
++ # RPM->cpio entries have absolute paths
++ if fpath not in entry_names and os.path.join("/", fpath) not in entry_names:
+ msg = "File '%s' not found in the archive '%s'" % (fpath, rpm_path)
+ raise ExtractionError(msg)
+
+--
+2.4.3
+
diff --git a/SOURCES/default_profile_desc_1238080.patch b/SOURCES/default_profile_desc_1238080.patch
new file mode 100644
index 0000000..c460bce
--- /dev/null
+++ b/SOURCES/default_profile_desc_1238080.patch
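Review bot: The required-file check in `_extract_rpm` still compares raw strings, so it matches only when the caller's path and the archive entry differ by exactly one leading `/`. The context line `entry.name.lstrip(".")` also removes every leading dot rather than just a `./` prefix, so names such as `.hidden` or `../x` are rewritten before the comparison. Normalising both sides once, e.g. `wanted = os.path.normpath(os.path.join("/", fpath))` tested against a set of `os.path.normpath(os.path.join("/", name))` values, would make the check independent of how a path is spelled. The extraction call itself is outside the hunk, so it cannot be confirmed here that entry names are confined to `root` before content fetched from a user-supplied URL is unpacked. The new line also relies on `os` being imported in common.py, which the hunk does not show.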
@@ -0,0 +1,39 @@
+From bdd43cf791634bd1be3375263fd6dc956a6fda13 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Mon, 6 Jul 2015 13:01:36 +0200
+Subject: [PATCH 5/9] Improve the description of the default profile (#1238080)
+
+The default profile usually contains no rules so we should reflect that in its
+description.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/content_handling.py | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
+index 5f90f64..8621428 100644
+--- a/org_fedora_oscap/content_handling.py
++++ b/org_fedora_oscap/content_handling.py
+@@ -269,7 +269,8 @@ class DataStreamHandler(object):
+ raise DataStreamHandlingError(OSCAP.oscap_err_desc())
+
+ # will hold items for the profiles for the speficied DS and checklist
+- profiles = [ProfileInfo("default", "Default", "The default profile")]
++ profiles = [ProfileInfo("default", "Default",
++ "The implicit XCCDF profile. Usually, the default contains no rules.")]
+
+ # get the benchmark (checklist)
+ policy_model = OSCAP.xccdf_session_get_policy_model(self._session)
+@@ -317,7 +318,7 @@ class BenchmarkHandler(object):
+
+ # stores a list of profiles in the benchmark
+ self._profiles = [ProfileInfo("default", "Default",
+- "The default profile")]
++ "The implicit XCCDF profile. Usually, the default contains no rules.")]
+
+ session = OSCAP.xccdf_session_new(xccdf_file_path)
+ if not session:
+--
+2.4.3
+
diff --git a/SOURCES/download_issues_react_1240710.patch b/SOURCES/download_issues_react_1240710.patch
new file mode 100644
index 0000000..18e2148
--- /dev/null
+++ b/SOURCES/download_issues_react_1240710.patch
@@ -0,0 +1,79 @@
+From eb5c75eb590ff2eeac6b8c4e93d4589920cc3a9a Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 7 Jul 2015 15:28:09 +0200
+Subject: [PATCH 2/7] Properly react on download/loading issues in
+ text+kickstart mode
+
+Instead of raising an exception in case of content download or loading issues we
+should let users know and give them a chance to continue anyway (if possible).
+
+Related: rhbz#1240710
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/ks/oscap.py | 31 +++++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index fd57b14..ed0e54d 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -23,10 +23,14 @@
+ import shutil
+ import re
+ import os
++import time
+
+ from pyanaconda.addons import AddonData
+ from pyanaconda.iutil import getSysroot
++from pyanaconda.progress import progressQ
++from pyanaconda import errors
+ from pyanaconda import iutil
++from pyanaconda import flags
+ from pykickstart.errors import KickstartParseError, KickstartValueError
+ from org_fedora_oscap import utils, common, rule_handling, data_fetch
+ from org_fedora_oscap.common import SUPPORTED_ARCHIVES
+@@ -35,6 +39,9 @@ from org_fedora_oscap.content_handling import ContentCheckError
+ import logging
+ log = logging.getLogger("anaconda")
+
++import gettext
++_ = lambda x: gettext.ldgettext("oscap-anaconda-addon", x)
++
+ # export OSCAPdata class to prevent Anaconda's collect method from taking
+ # AddonData class instead of the OSCAPdata class
+ # @see: pyanaconda.kickstart.AnacondaKSHandler.__init__
+@@ -406,9 +413,29 @@ class OSCAPdata(AddonData):
+ # content not available/fetched yet
+ try:
+ self._fetch_content_and_initialize()
+- except common.OSCAPaddonError:
++ except common.OSCAPaddonError as e:
+ log.error("Failed to fetch and initialize SCAP content!")
+- return
++ msg = _("There was an error fetching and loading the security content:\n" +
++ "%s\n" +
++ "The installation should be aborted. Do you wish to continue anyway?") % e
++
++ if flags.flags.automatedInstall and not flags.flags.ksprompt:
++ # cannot have ask in a non-interactive kickstart installation
++ raise errors.CmdlineError(msg)
++
++ answ = errors.errorHandler.ui.showYesNoQuestion(msg)
++ if answ == errors.ERROR_CONTINUE:
++ # prevent any futher actions here by switching to the dry
++ # run mode and let things go on
++ self.dry_run = True
++ return
++ else:
++ # Let's sleep forever to prevent any further actions and wait for
++ # the main thread to quit the process.
++ progressQ.send_quit(1)
++ while True:
++ time.sleep(100000)
++
+
+ # check fingerprint if given
+ if self.fingerprint:
+--
+2.4.3
+
diff --git a/SOURCES/ds_xccdf_id_refresh_1240946.patch b/SOURCES/ds_xccdf_id_refresh_1240946.patch
new file mode 100644
index 0000000..acac3a4
--- /dev/null
+++ b/SOURCES/ds_xccdf_id_refresh_1240946.patch
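Review bot: When the user chooses to continue after a fetch failure, the handler sets `self.dry_run = True` and returns, so the system is installed without the requested security policy while the only trace is the unchanged `log.error("Failed to fetch and initialize SCAP content!")`, which omits the exception now bound to `e`. Logging the cause and the decision, e.g. `log.error("Failed to fetch and initialize SCAP content: %s", e)` and a `log.warning(...)` just before `self.dry_run = True`, would let whoever audits the install see that hardening was skipped and why. The message handed to `_()` is joined with `+`, so the lookup key exists only at run time and string-extraction tooling may miss it; adjacent literals without `+` avoid that. The enclosing method starts and ends outside the hunk.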
@@ -0,0 +1,86 @@
+From 5d96c21e7735a35eff5301c98cc552aa7d5a2e82 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 4 Aug 2015 14:14:40 +0200
+Subject: [PATCH 7/7] Make sure DS and XCCDF ID lists are correctly refreshed
+ (#1240946)
+
+Otherwise in cases like when a different content is loaded, the spoke gets into
+a weird state almost always resulting in a traceback (like in the bug report).
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index ae92ce9..1ca0be7 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -58,7 +58,7 @@ SET_PARAMS_PAGE = 0
+ GET_CONTENT_PAGE = 1
+
+ # helper functions
+-def set_combo_selection(combo, item):
++def set_combo_selection(combo, item, unset_first=False):
+ """
+ Set selected item of the combobox.
+
+@@ -67,6 +67,9 @@ def set_combo_selection(combo, item):
+
+ """
+
++ if unset_first:
++ combo.set_active_iter(None)
++
+ model = combo.get_model()
+ if not model:
+ return False
+@@ -408,6 +411,7 @@ class OSCAPSpoke(NormalSpoke):
+ # populate the stores from items from the content
+ self._ds_checklists = self._content_handler.get_data_streams_checklists()
+ add_ds_ids = GtkActionList()
++ add_ds_ids.add_action(self._ds_store.clear)
+ for dstream in self._ds_checklists.iterkeys():
+ add_ds_ids.add_action(self._add_ds_id, dstream)
+ add_ds_ids.fire()
+@@ -815,18 +819,20 @@ class OSCAPSpoke(NormalSpoke):
+ fire_gtk_action(really_show, self._ids_box)
+ if self._addon_data.datastream_id:
+ set_combo_selection(self._ds_combo,
+- self._addon_data.datastream_id)
++ self._addon_data.datastream_id,
++ unset_first=True)
+ else:
+ try:
+ default_ds = self._ds_checklists.iterkeys().next()
+- set_combo_selection(self._ds_combo, default_ds)
++ set_combo_selection(self._ds_combo, default_ds, unset_first=True)
+ except StopIteration:
+ # no data stream available
+ pass
+
+ if self._addon_data.datastream_id and self._addon_data.xccdf_id:
+ set_combo_selection(self._xccdf_combo,
+- self._addon_data.xccdf_id)
++ self._addon_data.xccdf_id,
++ unset_first=True)
+ else:
+ fire_gtk_action(really_hide, self._ids_box)
+ # no combobox changes --> need to update profiles store manually
+@@ -945,9 +951,11 @@ class OSCAPSpoke(NormalSpoke):
+ def on_ds_combo_changed(self, *args):
+ """Handler for the datastream ID change."""
+
+- self._update_xccdfs_store()
+-
+ ds_id = self._current_ds_id
++ if not ds_id:
++ return
++
++ self._update_xccdfs_store()
+ first_checklist = self._ds_checklists[ds_id][0]
+
+ set_combo_selection(self._xccdf_combo, first_checklist)
+--
+2.1.0
+
diff --git a/SOURCES/ds_xccdf_id_selection_1249951.patch b/SOURCES/ds_xccdf_id_selection_1249951.patch
new file mode 100644
index 0000000..007f210
--- /dev/null
+++ b/SOURCES/ds_xccdf_id_selection_1249951.patch
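Review bot: `set_combo_selection` gains the `unset_first` keyword, but neither of the first two hunks touches its docstring, so the new parameter is left undocumented; the docstring's parameter list lies between the hunks and is not visible here. It should get an entry for `unset_first` in the docstring's existing style, and `combo.set_active_iter(None)` deserves a why-comment such as `# clear the selection first so re-selecting the same ID still emits "changed"`. That rationale is inferred from the commit message and the `if not ds_id: return` guard added to `on_ds_combo_changed`, so it should be confirmed by the author.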
@@ -0,0 +1,54 @@
+From 4a06d7d4d8c480b0dd54c1e6be661851ffe9228e Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 4 Aug 2015 10:58:06 +0200
+Subject: [PATCH 6/7] Make sure the DS and XCCDF ID combo boxes are visible for
+ DS content (#1249951)
+
+Otherwise there's no way to change/select DS and XCCDF IDs. Also make sure they
+are hidden when they are not supposed to be visible.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 33b97c0..ae92ce9 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -411,6 +411,7 @@ class OSCAPSpoke(NormalSpoke):
+ for dstream in self._ds_checklists.iterkeys():
+ add_ds_ids.add_action(self._add_ds_id, dstream)
+ add_ds_ids.fire()
++ fire_gtk_action(really_show, self._ids_box)
+ else:
+ # hide the labels and comboboxes for datastream-id and xccdf-id
+ # selection
+@@ -514,7 +515,7 @@ class OSCAPSpoke(NormalSpoke):
+
+ if self._using_ds:
+ profiles = self._content_handler.get_profiles(self._current_ds_id,
+- self._current_xccdf_id)
++ self._current_xccdf_id)
+ else:
+ # pylint: disable-msg=E1103
+ profiles = self._content_handler.profiles
+@@ -811,6 +812,7 @@ class OSCAPSpoke(NormalSpoke):
+ self._active_profile = self._addon_data.profile_id
+
+ if self._using_ds:
++ fire_gtk_action(really_show, self._ids_box)
+ if self._addon_data.datastream_id:
+ set_combo_selection(self._ds_combo,
+ self._addon_data.datastream_id)
+@@ -826,6 +828,7 @@ class OSCAPSpoke(NormalSpoke):
+ set_combo_selection(self._xccdf_combo,
+ self._addon_data.xccdf_id)
+ else:
++ fire_gtk_action(really_hide, self._ids_box)
+ # no combobox changes --> need to update profiles store manually
+ self._update_profiles_store()
+
+--
+2.1.0
+
diff --git a/SOURCES/ds_xccdf_ids_hide_1254876.patch b/SOURCES/ds_xccdf_ids_hide_1254876.patch
new file mode 100644
index 0000000..7994980
--- /dev/null
+++ b/SOURCES/ds_xccdf_ids_hide_1254876.patch
@@ -0,0 +1,80 @@
+From 47bda76d8a951b095c464931f5e9f81ee04fa2a9 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Mon, 24 Aug 2015 13:18:32 +0200
+Subject: [PATCH 3/3] Only allow DS and XCCDF ID selection if it makes sense
+ (#1254876)
+
+If there's only one DS and a single XCCDF in it, there's no point in showing the
+combo boxes that allow user to select the DS and XCCDF.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 30 +++++++++++++++++++++++-------
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index af60841..3b8dbd7 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -418,11 +418,8 @@ class OSCAPSpoke(NormalSpoke):
+ for dstream in self._ds_checklists.iterkeys():
+ add_ds_ids.add_action(self._add_ds_id, dstream)
+ add_ds_ids.fire()
+- fire_gtk_action(really_show, self._ids_box)
+- else:
+- # hide the labels and comboboxes for datastream-id and xccdf-id
+- # selection
+- fire_gtk_action(really_hide, self._ids_box)
++
++ self._update_ids_visibility()
+
+ # refresh UI elements
+ self.refresh()
+@@ -487,6 +484,25 @@ class OSCAPSpoke(NormalSpoke):
+ self._ds_store.append([ds_id])
+
+ @gtk_action_wait
++ def _update_ids_visibility(self):
++ """
++ Updates visibility of the combo boxes that are used to select the DS and
++ XCCDF IDs.
++
++ """
++
++ if self._using_ds:
++ # only show the combo boxes if there are multiple data streams or
++ # multiple xccdfs (IOW if there's something to choose from)
++ ds_ids = self._ds_checklists.keys()
++ if len(ds_ids) > 1 or len(self._ds_checklists[ds_ids[0]]) > 1:
++ really_show(self._ids_box)
++ return
++
++ # not showing, hide instead
++ really_hide(self._ids_box)
++
+ @gtk_action_wait
+ def _update_xccdfs_store(self):
+ """
+ Clears and repopulates the store with XCCDF IDs from the currently
+@@ -818,8 +834,9 @@ class OSCAPSpoke(NormalSpoke):
+
+ self._active_profile = self._addon_data.profile_id
+
++ self._update_ids_visibility()
++
+ if self._using_ds:
+- fire_gtk_action(really_show, self._ids_box)
+ if self._addon_data.datastream_id:
+ set_combo_selection(self._ds_combo,
+ self._addon_data.datastream_id,
+@@ -837,7 +854,6 @@ class OSCAPSpoke(NormalSpoke):
+ self._addon_data.xccdf_id,
+ unset_first=True)
+ else:
+- fire_gtk_action(really_hide, self._ids_box)
+ # no combobox changes --> need to update profiles store manually
+ self._update_profiles_store()
+
+--
+2.1.0
+
diff --git a/SOURCES/early_ds_validation_1247654.patch b/SOURCES/early_ds_validation_1247654.patch
new file mode 100644
index 0000000..f712ab6
--- /dev/null
+++ b/SOURCES/early_ds_validation_1247654.patch
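Review bot: `_update_ids_visibility` indexes `ds_ids[0]` without checking that `self._ds_checklists` has any entry, so content that yields no data streams would raise `IndexError` inside the `@gtk_action_wait` callback instead of hiding the box. Guarding the condition, `if ds_ids and (len(ds_ids) > 1 or len(self._ds_checklists[ds_ids[0]]) > 1):`, lets the empty case fall through to `really_hide(self._ids_box)`. The method is now also called from the refresh path before the `if self._using_ds:` block, and the hunks do not show that `_ds_checklists` is already populated at that point, which is worth confirming.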
@@ -0,0 +1,55 @@
+From 283cf8b21eba35a82a36989b16d52ec396bc8080 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 4 Aug 2015 10:55:30 +0200
+Subject: [PATCH 5/7] Try to load the OSCAP session early for DS content
+ (#1247654)
+
+This gives us an easy way to handle invalid content early enough to prevent any
+complicated recovery.
+
+Also, discard the session and create a new one when getting profiles for
+particular DS ID - XCCDF ID combination because otherwise we would get wrong
+results.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/content_handling.py | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py
+index 8621428..c88b8f1 100644
+--- a/org_fedora_oscap/content_handling.py
++++ b/org_fedora_oscap/content_handling.py
+@@ -149,11 +149,15 @@ class DataStreamHandler(object):
+ msg = "Invalid file path: '%s'" % dsc_file_path
+ raise DataStreamHandlingError(msg)
+
++ self._dsc_file_path = dsc_file_path
++
+ # create an XCCDF session for the file
+ self._session = OSCAP.xccdf_session_new(dsc_file_path)
+ if not self._session:
+ msg = "'%s' is not a valid SCAP content file" % dsc_file_path
+ raise DataStreamHandlingError(msg)
++ if OSCAP.xccdf_session_load(self._session) != 0:
++ raise DataStreamHandlingError(OSCAP.oscap_err_desc())
+
+ if tailoring_file_path:
+ OSCAP.xccdf_session_set_user_tailoring_file(self._session,
+@@ -263,6 +267,13 @@ class DataStreamHandler(object):
+ # not found in the cache, needs to be gathered
+
+ # set the data stream and component (checklist) for the session
++ OSCAP.xccdf_session_free(self._session)
++
++ self._session = OSCAP.xccdf_session_new(self._dsc_file_path)
++ if not self._session:
++ msg = "'%s' is not a valid SCAP content file" % self._dsc_file_path
++ raise DataStreamHandlingError(msg)
++
+ OSCAP.xccdf_session_set_datastream_id(self._session, data_stream_id)
+ OSCAP.xccdf_session_set_component_id(self._session, checklist_id)
+ if OSCAP.xccdf_session_load(self._session) != 0:
+--
+2.1.0
+
diff --git a/SOURCES/gtk_thread_issues_1240967.patch b/SOURCES/gtk_thread_issues_1240967.patch
new file mode 100644
index 0000000..dceadf4
--- /dev/null
+++ b/SOURCES/gtk_thread_issues_1240967.patch
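Review bot: The session recreated in the profile-lookup hunk is configured with only the data stream and component IDs, whereas the constructor applies `tailoring_file_path` through `xccdf_session_set_user_tailoring_file`; in the lines shown the tailoring path is never stored on the instance, so the new session appears to lose it. Keeping it (`self._tailoring_file_path = tailoring_file_path`) and re-applying it after `xccdf_session_new` would preserve the earlier behaviour. In the constructor the added `xccdf_session_load` also runs before the tailoring file is set, so it should be checked against the OpenSCAP API that tailoring still takes effect on that first session. If `xccdf_session_new` fails in the second hunk, `self._session` stays falsy after the old session was freed and a later lookup would pass it to `xccdf_session_free`; both functions continue outside the hunks.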
@@ -0,0 +1,67 @@
+From 498ba60ff643991a4561ab86a63fc32e09486c30 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Mon, 3 Aug 2015 10:26:41 +0200
+Subject: [PATCH 1/7] Cover all potential places with a non-main thread
+ changing Gtk stuff (#1240967)
+
+There were a few more places where a non-main thread manipulated the Gtk objects
+which sometimes caused Gtk and the whole anaconda to hang due to deadlocks. Make
+sure all such actions are done in the main thread.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index e5ea225..38dabc1 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -40,7 +40,7 @@ from pyanaconda.threads import threadMgr, AnacondaThread
+ from pyanaconda.ui.gui.spokes import NormalSpoke
+ from pyanaconda.ui.communication import hubQ
+ from pyanaconda.ui.gui.utils import gtk_action_wait, really_hide, really_show
+-from pyanaconda.ui.gui.utils import set_treeview_selection, fire_gtk_action
++from pyanaconda.ui.gui.utils import set_treeview_selection, fire_gtk_action, GtkActionList
+
+ from pykickstart.errors import KickstartValueError
+
+@@ -407,8 +407,10 @@ class OSCAPSpoke(NormalSpoke):
+ if self._using_ds:
+ # populate the stores from items from the content
+ self._ds_checklists = self._content_handler.get_data_streams_checklists()
++ add_ds_ids = GtkActionList()
+ for dstream in self._ds_checklists.iterkeys():
+- self._add_ds_id(dstream)
++ add_ds_ids.add_action(self._add_ds_id, dstream)
++ add_ds_ids.fire()
+ else:
+ # hide the labels and comboboxes for datastream-id and xccdf-id
+ # selection
+@@ -470,6 +472,7 @@ class OSCAPSpoke(NormalSpoke):
+
+ self._ds_store.append([ds_id])
+
++ @gtk_action_wait
+ def _update_xccdfs_store(self):
+ """
+ Clears and repopulates the store with XCCDF IDs from the currently
+@@ -485,6 +488,7 @@ class OSCAPSpoke(NormalSpoke):
+ for xccdf_id in self._ds_checklists[self._current_ds_id]:
+ self._xccdf_store.append([xccdf_id])
+
++ @gtk_action_wait
+ def _update_profiles_store(self):
+ """
+ Clears and repopulates the store with profiles from the currently
+@@ -528,6 +532,7 @@ class OSCAPSpoke(NormalSpoke):
+ self._message_store.append([message.type, message.text])
+
+ @dry_run_skip
++ @gtk_action_wait
+ def _update_message_store(self, report_only=False):
+ """
+ Updates the message store with messages from rule evaluation.
+--
+2.1.0
+
diff --git a/SOURCES/gui_actions_main_thread_1240967.patch b/SOURCES/gui_actions_main_thread_1240967.patch
new file mode 100644
index 0000000..c5735a2
--- /dev/null
+++ b/SOURCES/gui_actions_main_thread_1240967.patch
@@ -0,0 +1,34 @@
+From abf631148823eec411ed09b5fd23fa93bc72f6af Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 21 Jul 2015 16:46:05 +0200
+Subject: [PATCH 6/7] Make sure (some more) GUI actions run in the main thread
+ (#1240967)
+
+Otherwise weird things happen because multiple threads manipulate with the
+thread-unsafe Gtk structures.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 7ed6758..2813650 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -408,10 +408,10 @@ class OSCAPSpoke(NormalSpoke):
+ self._ready = True
+
+ # all initialized, we can now let user set parameters
+- self._main_notebook.set_current_page(SET_PARAMS_PAGE)
++ fire_gtk_action(self._main_notebook.set_current_page, SET_PARAMS_PAGE)
+
+ # and use control buttons
+- really_show(self._control_buttons)
++ fire_gtk_action(really_show, self._control_buttons)
+
+ # pylint: disable-msg=E1101
+ hubQ.send_ready(self.__class__.__name__, True)
+--
+2.4.3
+
diff --git a/SOURCES/help_file_name_1254884.patch b/SOURCES/help_file_name_1254884.patch
new file mode 100644
index 0000000..91d0c18
--- /dev/null
+++ b/SOURCES/help_file_name_1254884.patch
@@ -0,0 +1,29 @@
+From f137590aeca6ed2c8222c0a3bce956af98c89dac Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Wed, 19 Aug 2015 10:51:04 +0200
+Subject: [PATCH 1/3] Specify the name of the help content file (#1254884)
+
+Otherwise no help would be shown if the Help! button is clicked.
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/gui/spokes/oscap.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py
+index 1ca0be7..af60841 100644
+--- a/org_fedora_oscap/gui/spokes/oscap.py
++++ b/org_fedora_oscap/gui/spokes/oscap.py
+@@ -154,6 +154,9 @@ class OSCAPSpoke(NormalSpoke):
+ # name of the .glade file in the same directory as this source
+ uiFile = "oscap.glade"
+
++ # name of the file providing help content for this spoke
++ helpFile = "SecurityPolicySpoke.xml"
++
+ # category this spoke belongs to
+ category = SecurityCategory
+
+--
+2.1.0
+
diff --git a/SOURCES/integrity_check_fail_react_1240710.patch b/SOURCES/integrity_check_fail_react_1240710.patch
new file mode 100644
index 0000000..7d1e519
--- /dev/null
+++ b/SOURCES/integrity_check_fail_react_1240710.patch
@@ -0,0 +1,84 @@ +From 9cf9d865f9c51b7d7d82b3a768244bbed763731e Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Wed, 8 Jul 2015 10:45:29 +0200 +Subject: [PATCH 3/7] Just report integrity check failure instead of traceback + (#1240710) + +That way users can continue with the installation in some way or exit the +installation in a user-friendly way. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.py | 15 +++++++++++++-- + org_fedora_oscap/ks/oscap.py | 22 ++++++++++++++++++++-- + 2 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 46b742b..daa23e9 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -332,8 +332,11 @@ class OSCAPSpoke(NormalSpoke): + self._addon_data.raw_preinst_content_path, + hash_obj) + if digest != self._addon_data.fingerprint: +- msg = _("Integrity check failed") +- raise content_handling.ContentCheckError(msg) ++ self._integrity_check_failed() ++ # fetching done ++ with self._fetch_flag_lock: ++ self._fetching = False ++ return + + # RPM is an archive at this phase + if self._addon_data.content_type in ("archive", "rpm"): +@@ -652,6 +655,14 @@ class OSCAPSpoke(NormalSpoke): + self._wrong_content() + + @gtk_action_wait ++ def _integrity_check_failed(self): ++ """Adapts the UI if integrity check fails""" ++ ++ msg = _("The integrity check of the content failed. 
Cannot use the content.") ++ self._progress_label.set_markup("%s" % msg) ++ self._wrong_content() ++ ++ @gtk_action_wait + def _extraction_failed(self, err_msg): + """Adapts the UI if extracting data from entered URL failed""" + +diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index ed0e54d..1a185d5 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -443,8 +443,26 @@ class OSCAPdata(AddonData): + digest = utils.get_file_fingerprint(self.raw_preinst_content_path, + hash_obj) + if digest != self.fingerprint: +- msg = "Integrity check of the content failed!" +- raise ContentCheckError(msg) ++ log.error("Failed to fetch and initialize SCAP content!") ++ msg = _("The integrity check of the security content failed.\n" + ++ "The installation should be aborted. Do you wish to continue anyway?") ++ ++ if flags.flags.automatedInstall and not flags.flags.ksprompt: ++ # cannot have ask in a non-interactive kickstart installation ++ raise errors.CmdlineError(msg) ++ ++ answ = errors.errorHandler.ui.showYesNoQuestion(msg) ++ if answ == errors.ERROR_CONTINUE: ++ # prevent any futher actions here by switching to the dry ++ # run mode and let things go on ++ self.dry_run = True ++ return ++ else: ++ # Let's sleep forever to prevent any further actions and wait for ++ # the main thread to quit the process. ++ progressQ.send_quit(1) ++ while True: ++ time.sleep(100000) + + # evaluate rules, do automatic fixes and stop if something that cannot + # be fixed automatically is wrong +-- +2.4.3 + diff --git a/SOURCES/invalid_profile_id_1247677.patch b/SOURCES/invalid_profile_id_1247677.patch new file mode 100644 index 0000000..13e7d06 --- /dev/null +++ b/SOURCES/invalid_profile_id_1247677.patch 
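Review bot: In the `ks/oscap.py` part, the fingerprint mismatch is logged as `log.error("Failed to fetch and initialize SCAP content!")`, which describes a download failure rather than a failed integrity check, so the installer log cannot tell the two events apart afterwards. I would log it as what it is, e.g. `log.error("Integrity check of the SCAP content failed (fingerprint mismatch)")`. The same branch uses `flags`, `errors`, `progressQ` and `time`, none of which this patch imports; presumably an earlier patch in the series brings them in, but that should be confirmed, because a NameError here would turn the mismatch back into a traceback. `setup()` continues outside the hunk.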
@@ -0,0 +1,129 @@ +From d0a558b6e150e7d78caa16b33ca9029f2d4cfc1f Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Mon, 3 Aug 2015 13:28:20 +0200 +Subject: [PATCH 2/7] Do not continue with and invalid profile ID (#1247677) + +If an invalid profile ID is given, we need to stop the installation and, report +an error and let user choose a different profile. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.py | 46 ++++++++++++++++++++++++++++-------- + 1 file changed, 36 insertions(+), 10 deletions(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 38dabc1..06107a3 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -420,7 +420,13 @@ class OSCAPSpoke(NormalSpoke): + self.refresh() + + # try to switch to the chosen profile (if any) +- self._switch_profile() ++ selected = self._switch_profile() ++ ++ if self._addon_data.profile_id and not selected: ++ # profile ID given, but it was impossible to select it -> invalid ++ # profile ID given ++ self._invalid_profile_id() ++ return + + # initialize the self._addon_data.rule_data + self._addon_data.rule_data = self._rule_data +@@ -439,7 +445,7 @@ class OSCAPSpoke(NormalSpoke): + self._fetching = False + + # no error +- self._error = None ++ self._set_error(None) + + @property + def _using_ds(self): +@@ -595,7 +601,7 @@ class OSCAPSpoke(NormalSpoke): + + if not profile_id: + # no profile specified, nothing to do +- return ++ return False + + itr = self._profiles_store.get_iter_first() + while itr: +@@ -609,7 +615,7 @@ class OSCAPSpoke(NormalSpoke): + + if not all((ds, xccdf, profile_id)): + # something is not set -> do nothing +- return ++ return False + else: + ds = None + xccdf = None +@@ -628,25 +634,39 @@ class OSCAPSpoke(NormalSpoke): + # remember the active profile + self._active_profile = profile_id + ++ return True ++ + @gtk_action_wait + @dry_run_skip + def _switch_profile(self): +- 
"""Switches to a current selected profile.""" ++ """Switches to a current selected profile. ++ ++ :returns: whether some profile was selected or not ++ ++ """ + ++ self._set_error(None) + profile = self._current_profile_id + if not profile: +- return ++ return False + + self._unselect_profile(self._active_profile) +- self._select_profile(profile) ++ ret = self._select_profile(profile) + + # update messages according to the newly chosen profile + self._update_message_store() + ++ return ret ++ + @set_ready + def _set_error(self, msg): +- self._error = msg +- self.set_error(msg) ++ """Set or clear error message""" ++ if msg: ++ self._error = msg ++ self.set_error(msg) ++ else: ++ self._error = None ++ self.clear_info() + + @gtk_action_wait + def _invalid_content(self): +@@ -710,6 +730,12 @@ class OSCAPSpoke(NormalSpoke): + self._set_error(msg) + + @gtk_action_wait ++ def _invalid_profile_id(self): ++ msg = _("Profile with ID '%s' not defined in the content. Select a different profile, please") % self._addon_data.profile_id ++ self._set_error(msg) ++ self._addon_data.profile_id = None ++ ++ @gtk_action_wait + def _switch_dry_run(self, dry_run): + self._choose_button.set_sensitive(not dry_run) + +@@ -822,7 +848,7 @@ class OSCAPSpoke(NormalSpoke): + + if not self._addon_data.content_defined or not self._active_profile: + # no errors for no content or no profile +- self._error = None ++ self._set_error(None) + + # store currently selected values to the addon data attributes + if self._using_ds: +-- +2.1.0 + diff --git a/SOURCES/network_issues_handling_1236657.patch b/SOURCES/network_issues_handling_1236657.patch new file mode 100644 index 0000000..026e8af --- /dev/null +++ b/SOURCES/network_issues_handling_1236657.patch 
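Review bot: The caller treats every falsy result of `_switch_profile()` as "invalid profile ID", but `_select_profile` also returns False when `not all((ds, xccdf, profile_id))`, and `_switch_profile` is wrapped in `@dry_run_skip`, whose return value in dry-run mode is not visible here. On those paths the user would be told the profile is not defined in the content, and `self._addon_data.profile_id` is reset to None although the ID may be valid. The kickstart side skips its work when `profile_id` is empty, so clearing it is not harmless; it would be safer to tell "not found in the store" apart from "could not be selected" before clearing. `_invalid_profile_id` is also the only new callback without a docstring, e.g. `"""Adapts the UI if the given profile ID is not defined in the content"""`.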
@@ -0,0 +1,53 @@ +From 3f2ae1112b66ec1ec205d355ba2253d8fa30885d Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Mon, 6 Jul 2015 13:36:55 +0200 +Subject: [PATCH 6/9] React better on network issues (#1236657) + +Instead of raising an exception we should let users know that there was a +network error. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.py | 16 +++++++++++++++- + 1 file changed, 15 insertions(+), 1 deletion(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 6656108..5e5a43e 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -277,10 +277,16 @@ class OSCAPSpoke(NormalSpoke): + if any(self._addon_data.content_url.startswith(net_prefix) + for net_prefix in data_fetch.NET_URL_PREFIXES): + # need to fetch data over network +- thread_name = common.wait_and_fetch_net_data( ++ try: ++ thread_name = common.wait_and_fetch_net_data( + self._addon_data.content_url, + self._addon_data.raw_preinst_content_path, + self._addon_data.certificates) ++ except common.OSCAPaddonNetworkError: ++ self._network_problem() ++ with self._fetch_flag_lock: ++ self._fetching = False ++ return + + # pylint: disable-msg=E1101 + hubQ.send_message(self.__class__.__name__, +@@ -623,6 +629,14 @@ class OSCAPSpoke(NormalSpoke): + self._wrong_content() + + @gtk_action_wait ++ def _network_problem(self): ++ """Adapts the UI if network error was encountered during data fetch""" ++ ++ self._progress_label.set_markup("%s" % _("Network error encountered when fetching data." ++ " Please check that network is setup and working.")) ++ self._wrong_content() ++ ++ @gtk_action_wait + def _extraction_failed(self, err_msg): + """Adapts the UI if extracting data from entered URL failed""" + +-- +2.4.3 + diff --git a/SOURCES/newline_after_addon_section_1238267.patch b/SOURCES/newline_after_addon_section_1238267.patch new file mode 100644 index 0000000..da640b8 --- /dev/null 
+++ b/SOURCES/newline_after_addon_section_1238267.patch
@@ -0,0 +1,30 @@
+From b1e985b2cb489cc72637dde0590256cf0a7c5633 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Mon, 6 Jul 2015 11:16:34 +0200
+Subject: [PATCH 2/9] Add newline and one blank line after the %addon section
+ (#1238267)
+
+Otherwise invalid kickstarts are produced when multiple addons are in the game
+(as reported in the bug).
+
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/ks/oscap.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index 12e1772..9e95486 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -129,7 +129,7 @@ class OSCAPdata(AddonData):
+ if self.certificates:
+ ret += "\n%s" % key_value_pair("certificates", self.certificates)
+
+- ret += "\n%end"
++ ret += "\n%end\n\n"
+ return ret
+
+ def _parse_content_type(self, value):
+--
+2.4.3
+
diff --git a/SOURCES/no_backup_files.patch b/SOURCES/no_backup_files.patch
deleted file mode 100644
index 5e40f59..0000000
--- a/SOURCES/no_backup_files.patch
+++ /dev/null
@@ -1,488 +0,0 @@ ---- org_fedora_oscap/gui/spokes/oscap.glade~ 2014-01-14 10:47:35.000000000 +0100 -+++ /dev/null 2014-08-01 16:32:35.349499705 +0200 -@@ -1,485 +0,0 @@ -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- filler -- False -- True -- True -- filler -- -- -- -- False -- vertical -- 6 -- -- -- True -- False -- -- -- False -- 6 -- 6 -- 6 -- -- -- -- -- False -- False -- 0 -- -- -- -- -- False -- 0 -- 0.75 -- 0.75 -- -- -- False -- vertical -- 6 -- -- -- True -- True -- False -- False -- -- -- True -- False -- 6 -- 6 -- True -- True -- vertical -- 4 -- -- -- True -- False -- True -- 6 -- True -- -- -- True -- False -- 6 -- -- -- True -- False -- Data stream: -- -- -- False -- True -- 0 -- -- -- -- -- True -- False -- dsStore -- -- -- -- end -- -- -- 0 -- -- -- -- -- False -- True -- 1 -- -- -- -- -- False -- True -- 0 -- -- -- -- -- True -- False -- start -- 6 -- -- -- True -- False -- Checklist: -- -- -- False -- True -- 0 -- -- -- -- -- True -- False -- xccdfStore -- -- -- -- end -- -- -- 0 -- -- -- -- -- False -- True -- 1 -- -- -- -- -- False -- True -- 1 -- -- -- -- -- False -- True -- 0 -- -- -- -- -- True -- False -- 0 -- Choose profile below: -- -- -- False -- True -- 1 -- -- -- -- -- True -- True -- GDK_BUTTON_PRESS_MASK | GDK_STRUCTURE_MASK -- True -- True -- profilesStore -- False -- False -- 0 -- -- -- -- -- -- -- -- -- Profile -- True -- -- -- -- 1 -- -- -- -- -- -- -- Selected -- 1 -- -- -- -- -- -- -- -- False -- True -- 2 -- -- -- -- -- _Select profile -- True -- True -- True -- center -- True -- -- -- -- -- False -- True -- 3 -- -- -- -- -- True -- False -- 20 -- 0 -- Changes that were done or need to be done: -- -- -- False -- True -- 4 -- -- -- -- -- True -- True -- True -- True -- changesStore -- False -- False -- 0 -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- 1 -- -- -- -- -- -- -- False -- True -- 5 -- -- -- -- -- -- -- True -- False -- page 1 -- -- -- False -- -- -- -- 
-- -- -- -- True -- False -- page 2 -- -- -- 1 -- False -- -- -- -- -- True -- False -- vertical -- 3 -- -- -- True -- False -- 0 -- No content found. Please enter data stream content or archive URL below: -- True -- -- -- False -- True -- 0 -- -- -- -- -- True -- False -- 6 -- -- -- True -- True -- True -- -- -- -- -- False -- True -- 0 -- -- -- -- -- _Fetch -- True -- True -- True -- True -- -- -- -- False -- True -- 1 -- -- -- -- -- False -- True -- 1 -- -- -- -- -- True -- False -- 6 -- -- -- True -- False -- -- -- False -- True -- 0 -- -- -- -- -- True -- False -- Fetching content... -- -- -- False -- True -- 1 -- -- -- -- -- False -- True -- 2 -- -- -- -- -- 2 -- -- -- -- -- True -- False -- page 3 -- -- -- 2 -- False -- -- -- -- -- False -- True -- 0 -- -- -- -- -- -- -- True -- True -- 1 -- -- -- -- -- -- -- -- -- diff --git a/SOURCES/no_profile_handling_1235750.patch b/SOURCES/no_profile_handling_1235750.patch new file mode 100644 index 0000000..67a15a8 --- /dev/null +++ b/SOURCES/no_profile_handling_1235750.patch 
@@ -0,0 +1,60 @@ +From 1a2f4f4db12bd45dd9b172be270db61f6766b589 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Mon, 6 Jul 2015 12:26:14 +0200 +Subject: [PATCH 3/9] Better handle the case with no profile selected + (#1235750) + +We need to let user know that no profile is selected and avoid doing things that +are only needed when some profile *is* selected (like installing extra packages, +etc.). + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.py | 3 +++ + org_fedora_oscap/ks/oscap.py | 9 +++++---- + 2 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 564f0ed..6656108 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -821,6 +821,9 @@ class OSCAPSpoke(NormalSpoke): + if not self._addon_data.content_defined: + return _("No content found") + ++ if not self._active_profile: ++ return _("No profile selected") ++ + # update message store, something may changed from the last update + self._update_message_store(report_only=True) + +diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index 9e95486..f3ca15d 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -365,6 +365,11 @@ class OSCAPdata(AddonData): + + """ + ++ if self.dry_run or not self.profile_id: ++ # nothing more to be done in the dry-run mode or if no profile is ++ # selected ++ return ++ + # check fingerprint if given + if self.fingerprint: + hash_obj = utils.get_hashing_algorithm(self.fingerprint) +@@ -374,10 +379,6 @@ class OSCAPdata(AddonData): + msg = "Integrity check of the content failed!" 
+ raise ContentCheckError(msg) + +- if self.dry_run: +- # nothing more to be done in the dry-run mode +- return +- + # evaluate rules, do automatic fixes and stop if something that cannot + # be fixed automatically is wrong + messages = self.rule_data.eval_rules(ksdata, storage) +-- +2.4.3 + diff --git a/SOURCES/no_profile_no_data_dir_1254973.patch b/SOURCES/no_profile_no_data_dir_1254973.patch new file mode 100644 index 0000000..0db2d5d --- /dev/null +++ b/SOURCES/no_profile_no_data_dir_1254973.patch @@ -0,0 +1,34 @@ +From d8b146ef85662677ac661e1606cb62e7b74d7d81 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Fri, 4 Sep 2015 13:01:33 +0200 +Subject: [PATCH] Completely skip the execute() part if no profile is selected + (#1254973) + +If user didn't select any profile in the GUI we shouldn't create the +/root/openscap_data directory and shouldn't do any extra steps as those are not +necessary and could cause confusion. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/ks/oscap.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index c17a1ad..df92018 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -491,8 +491,9 @@ class OSCAPdata(AddonData): + + """ + +- if self.dry_run: +- # nothing to be done in the dry-run mode ++ if self.dry_run or not self.profile_id: ++ # nothing more to be done in the dry-run mode or if no profile is ++ # selected + return + + target_content_dir = utils.join_paths(getSysroot(), +-- +2.1.0 + diff --git a/SOURCES/no_profile_no_ks_section_1241395.patch b/SOURCES/no_profile_no_ks_section_1241395.patch new file mode 100644 index 0000000..b10e583 --- /dev/null +++ b/SOURCES/no_profile_no_ks_section_1241395.patch 
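Review bot: In `no_profile_handling_1235750.patch`, moving the early return above the "check fingerprint if given" block in `setup()` means the fingerprint is no longer verified in dry-run mode or when no profile is selected; before this change a mismatch raised `ContentCheckError` even in dry-run mode. Nothing from the content is applied on those paths, so the effect is limited, but a fingerprint given in the kickstart is then silently ignored there. If that is intended it deserves a comment at the return, e.g. `# content is not used on these paths, so its fingerprint is not checked either`; otherwise the fingerprint block should stay ahead of the return. `setup()` starts and ends outside the hunk.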
@@ -0,0 +1,32 @@
+From b9461ffa94293b0c75a62f08fdb751dca1c3c6b0 Mon Sep 17 00:00:00 2001
+From: Vratislav Podzimek
+Date: Tue, 21 Jul 2015 16:35:34 +0200
+Subject: [PATCH 4/7] Only output the kickstart section with content and
+ profile set
+
+There may be a default content used (e.g. the SCAP Security Guide) with no
+profile selected. Nothing related to the addon should appear in the resulting
+kickstart in such case.
+
+Resolves: rhbz#1241395
+Signed-off-by: Vratislav Podzimek
+---
+ org_fedora_oscap/ks/oscap.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py
+index 1a185d5..8352236 100644
+--- a/org_fedora_oscap/ks/oscap.py
++++ b/org_fedora_oscap/ks/oscap.py
+@@ -110,7 +110,7 @@ class OSCAPdata(AddonData):
+
+ """
+
+- if self.dry_run:
++ if self.dry_run or not self.profile_id:
+ # the addon was run in the dry run mode, omit it from the kickstart
+ return ""
+
+--
+2.4.3
+
diff --git a/SOURCES/oscap_info_continue_1255075.patch b/SOURCES/oscap_info_continue_1255075.patch
new file mode 100644
index 0000000..072bfb7
--- /dev/null
+++ b/SOURCES/oscap_info_continue_1255075.patch
@@ -0,0 +1,50 @@ +From d78f6866ffcbaa47a06b2bdc204d5be2cae478b9 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Mon, 24 Aug 2015 11:30:46 +0200 +Subject: [PATCH 2/3] Skip files unrecognized by the 'oscap info' command + (#1255075) + +If a file is unrecognized by the 'oscap info' command (not a SCAP document), it +returns a non-zero exit code. Such files are not important for us, so let's just +ignore them. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/content_handling.py | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/org_fedora_oscap/content_handling.py b/org_fedora_oscap/content_handling.py +index c88b8f1..0921ad9 100644 +--- a/org_fedora_oscap/content_handling.py ++++ b/org_fedora_oscap/content_handling.py +@@ -92,10 +92,14 @@ def explore_content_files(fpaths): + """ + + def get_doc_type(file_path): +- for line in execReadlines("oscap", ["info", file_path]): +- if line.startswith("Document type:"): +- _prefix, _sep, type_info = line.partition(":") +- return type_info.strip() ++ try: ++ for line in execReadlines("oscap", ["info", file_path]): ++ if line.startswith("Document type:"): ++ _prefix, _sep, type_info = line.partition(":") ++ return type_info.strip() ++ except OSError: ++ # 'oscap info' exitted with a non-zero exit code -> unknown doc type ++ return None + + xccdf_file = "" + cpe_file = "" +@@ -105,6 +109,8 @@ def explore_content_files(fpaths): + + for fpath in fpaths: + doc_type = get_doc_type(fpath) ++ if not doc_type: ++ continue + + # prefer DS over standalone XCCDF + if doc_type == "Source Data Stream" and (not xccdf_file or not found_ds): +-- +2.1.0 + diff --git a/SOURCES/short_root_pw_1263254.patch b/SOURCES/short_root_pw_1263254.patch new file mode 100644 index 0000000..c620e14 --- /dev/null +++ b/SOURCES/short_root_pw_1263254.patch 
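Review bot: The `except OSError` in `get_doc_type` wraps the whole `execReadlines` loop and returns None without recording anything, so a file that `oscap info` rejects and a failure to run `oscap` at all (which would presumably also surface as OSError) look the same. In the second case every file is skipped quietly and the caller ends up with no XCCDF or data stream and no hint why. A log line naming the skipped file would keep this diagnosable, e.g. `log.warning("oscap info failed for %s, skipping the file", file_path)`; no logger is visible in this hunk, so one would have to be set up as `ks/oscap.py` does. The comment typo `exitted` should read `exited`.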
@@ -0,0 +1,79 @@ +From ae19eb551eb6733ea7a4cf7a4e526371971f1663 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Wed, 16 Sep 2015 14:36:23 +0200 +Subject: [PATCH] Do not remove the root password behind user's back (#1263254) + +If the chosen profile requires a longer password than what was set in kickstart, +consider it a misconfiguration like any other such issue instead of silently +removing the password and going on. Removing password brings two problems: + +1) in text mode it causes a system with no (empty) root password to be installed + +2) in graphical mode it causes the installation with a complete kickstart to +hang waiting for a new root password + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/rule_handling.py | 29 ++++++----------------------- + 1 file changed, 6 insertions(+), 23 deletions(-) + +diff --git a/org_fedora_oscap/rule_handling.py b/org_fedora_oscap/rule_handling.py +index a969b16..6a67e8a 100644 +--- a/org_fedora_oscap/rule_handling.py ++++ b/org_fedora_oscap/rule_handling.py +@@ -392,7 +392,6 @@ class PasswdRules(RuleHandler): + """Constructor initializing attributes.""" + + self._minlen = 0 +- self._removed_password = None + + def __str__(self): + """Standard method useful for debugging and testing.""" +@@ -415,7 +414,7 @@ class PasswdRules(RuleHandler): + # no password restrictions, nothing to be done here + return [] + +- if not ksdata.rootpw.password and self._removed_password is None: ++ if not ksdata.rootpw.password: + # root password was not set + + # password length enforcement is not suported in the Anaconda yet +@@ -427,30 +426,14 @@ class PasswdRules(RuleHandler): + if ksdata.rootpw.isCrypted: + msg = _("cannot check root password length (password is crypted)") + return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] +- elif len(ksdata.rootpw.password) < self._minlen or \ +- self._removed_password is not None: +- # too short or already removed +- msg = _("root password was too short, a longer one with at " 
+- "least %d characters will be required" % self._minlen) +- if not report_only and self._removed_password is None: +- # remove the password and reset the seen flag no to confuse Anaconda +- self._removed_password = ksdata.rootpw.password +- ksdata.rootpw.password = "" +- ksdata.rootpw.seen = False +- return [RuleMessage(common.MESSAGE_TYPE_WARNING, msg)] ++ elif len(ksdata.rootpw.password) < self._minlen: ++ # too short ++ msg = _("root password is too short, a longer one with at " ++ "least %d characters is required" % self._minlen) ++ return [RuleMessage(common.MESSAGE_TYPE_FATAL, msg)] + else: + return [] + +- def revert_changes(self, ksdata, storage): +- """:see: RuleHandler.revert_changes""" +- +- # set the old password back +- if self._removed_password is not None: +- ksdata.rootpw.password = self._removed_password +- ksdata.rootpw.seen = True +- +- self._removed_password = None +- + class PackageRules(RuleHandler): + """Simple class holding data from the rules affecting installed packages.""" + +-- +2.1.0 + diff --git a/SOURCES/ssg_ks_output_1240285.patch b/SOURCES/ssg_ks_output_1240285.patch new file mode 100644 index 0000000..8f922c0 --- /dev/null +++ b/SOURCES/ssg_ks_output_1240285.patch 
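Review bot: The new message applies `% self._minlen` inside the `_()` call, so gettext is asked to translate the already formatted string and will not find it in the catalogue; the removed line had the same flaw. It should read `_("root password is too short, a longer one with at least %d characters is required") % self._minlen`. Separately, the `isCrypted` branch just above still returns only a `MESSAGE_TYPE_WARNING`, so with a crypted root password the profile's minimum length is not enforced at all, and that limitation is worth stating in the method's docstring. The enclosing method starts outside the hunk.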
@@ -0,0 +1,39 @@ +From 046b160cfce6521c2a126cad267a2b43a54b50db Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Mon, 6 Jul 2015 15:01:15 +0200 +Subject: [PATCH 8/9] Do not output redundant/invalid fields for the SSG + content (#1240285) + +The SSG content is specific and it doesn't require xccdf-path nor content-url +fields in the kickstart. Thus we should avoid putting them into the output that +may be later used as an input for more installations. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/ks/oscap.py | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index d0c39b8..475aa2c 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -108,13 +108,14 @@ class OSCAPdata(AddonData): + + ret = "%%addon %s" % self.name + ret += "\n%s" % key_value_pair("content-type", self.content_type) +- ret += "\n%s" % key_value_pair("content-url", self.content_url) + ++ if self.content_url: ++ ret += "\n%s" % key_value_pair("content-url", self.content_url) + if self.datastream_id: + ret += "\n%s" % key_value_pair("datastream-id", self.datastream_id) + if self.xccdf_id: + ret += "\n%s" % key_value_pair("xccdf-id", self.xccdf_id) +- if self.xccdf_path: ++ if self.xccdf_path and self.content_type != "scap-security-guide": + ret += "\n%s" % key_value_pair("xccdf-path", self.xccdf_path) + if self.cpe_path: + ret += "\n%s" % key_value_pair("cpe-path", self.cpe_path) +-- +2.4.3 + diff --git a/SOURCES/ssg_usage_ks_or_gui_switch_1249937.patch b/SOURCES/ssg_usage_ks_or_gui_switch_1249937.patch new file mode 100644 index 0000000..6307b9b --- /dev/null +++ b/SOURCES/ssg_usage_ks_or_gui_switch_1249937.patch 
@@ -0,0 +1,45 @@ +From 28aa3ea6325b43e6a12815457f431a49167898e3 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Tue, 4 Aug 2015 10:52:11 +0200 +Subject: [PATCH 4/7] Test preinst_content_path before raw_preinst_content_path + (#1249937) + +If the SSG content is used, the content is already prepared for processing and +thus there's already valid content on the preinst_content_path so we need to +check for that before using the check of raw_preinst_content_path to decide +whether content download is needed or not. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.py | 1 + + org_fedora_oscap/ks/oscap.py | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 7037f91..33b97c0 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -1039,6 +1039,7 @@ class OSCAPSpoke(NormalSpoke): + self.refresh() + + def on_use_ssg_clicked(self, *args): ++ self._addon_data.clear_all() + self._addon_data.content_type = "scap-security-guide" + self._addon_data.xccdf_path = common.SSG_DIR + common.SSG_XCCDF + self._fetch_data_and_initialize() +diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index 8352236..c17a1ad 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -409,7 +409,7 @@ class OSCAPdata(AddonData): + # selected + return + +- if not os.path.exists(self.raw_preinst_content_path): ++ if not os.path.exists(self.preinst_content_path) and not os.path.exists(self.raw_preinst_content_path): + # content not available/fetched yet + try: + self._fetch_content_and_initialize() +-- +2.1.0 + diff --git a/SOURCES/tui_fetch_and_process_1240625.patch b/SOURCES/tui_fetch_and_process_1240625.patch new file mode 100644 index 0000000..a2def7b --- /dev/null +++ b/SOURCES/tui_fetch_and_process_1240625.patch 
@@ -0,0 +1,85 @@ +From c899ac40c5793dc76e5c726d610ee17f9bc71d43 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Tue, 7 Jul 2015 15:15:33 +0200 +Subject: [PATCH 1/7] Fetch and process the content even if GUI doesn't take + care of it (#1240625) + +We cannot rely on the GUI code fetching and loading the content because in text +kickstart installations it never gets a chance to do so. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/ks/oscap.py | 35 ++++++++++++++++++++++++++++++++++- + 1 file changed, 34 insertions(+), 1 deletion(-) + +diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index 475aa2c..fd57b14 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -22,15 +22,19 @@ + + import shutil + import re ++import os + + from pyanaconda.addons import AddonData + from pyanaconda.iutil import getSysroot + from pyanaconda import iutil + from pykickstart.errors import KickstartParseError, KickstartValueError +-from org_fedora_oscap import utils, common, rule_handling ++from org_fedora_oscap import utils, common, rule_handling, data_fetch + from org_fedora_oscap.common import SUPPORTED_ARCHIVES + from org_fedora_oscap.content_handling import ContentCheckError + ++import logging ++log = logging.getLogger("anaconda") ++ + # export OSCAPdata class to prevent Anaconda's collect method from taking + # AddonData class instead of the OSCAPdata class + # @see: pyanaconda.kickstart.AnacondaKSHandler.__init__ +@@ -356,6 +360,27 @@ class OSCAPdata(AddonData): + return utils.join_paths(common.TARGET_CONTENT_DIR, + self.tailoring_path) + ++ def _fetch_content_and_initialize(self): ++ """Fetch content and initialize from it""" ++ ++ data_fetch.fetch_data(self.content_url, self.raw_preinst_content_path, self.certificates) ++ # RPM is an archive at this phase ++ if self.content_type in ("archive", "rpm"): ++ # extract the content ++ common.extract_data(self.raw_preinst_content_path, ++ 
common.INSTALLATION_CONTENT_DIR, ++ [self.xccdf_path]) ++ ++ rules = common.get_fix_rules_pre(self.profile_id, ++ self.preinst_content_path, ++ self.datastream_id, self.xccdf_id, ++ self.preinst_tailoring_path) ++ ++ # parse and store rules with a clean RuleData instance ++ self.rule_data = rule_handling.RuleData() ++ for rule in rules.splitlines(): ++ self.rule_data.new_rule(rule) ++ + def setup(self, storage, ksdata, instclass): + """ + The setup method that should make changes to the runtime environment +@@ -377,6 +402,14 @@ class OSCAPdata(AddonData): + # selected + return + ++ if not os.path.exists(self.raw_preinst_content_path): ++ # content not available/fetched yet ++ try: ++ self._fetch_content_and_initialize() ++ except common.OSCAPaddonError: ++ log.error("Failed to fetch and initialize SCAP content!") ++ return ++ + # check fingerprint if given + if self.fingerprint: + hash_obj = utils.get_hashing_algorithm(self.fingerprint) +-- +2.4.3 + diff --git a/SOURCES/unsup_url_handling_1232631.patch b/SOURCES/unsup_url_handling_1232631.patch new file mode 100644 index 0000000..d56865c --- /dev/null +++ b/SOURCES/unsup_url_handling_1232631.patch 
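Review bot: `setup()` calls `_fetch_content_and_initialize()` ahead of the "check fingerprint if given" block, and that helper downloads the file, unpacks it with `common.extract_data` and runs `common.get_fix_rules_pre` on it, so in a text kickstart installation the content is extracted and parsed before its fingerprint is compared. The GUI path in this series compares the digest first and only then extracts. I would verify the fingerprint inside the helper, right after `data_fetch.fetch_data`, as sketched below. The `except common.OSCAPaddonError` branch also only logs and returns, so an unattended installation carries on without the requested profile. `setup()` continues outside the hunk.

```python
    def _fetch_content_and_initialize(self):
        """Fetch content, verify its fingerprint and initialize from it"""

        data_fetch.fetch_data(self.content_url, self.raw_preinst_content_path, self.certificates)

        # verify the download before anything unpacks or parses it
        if self.fingerprint:
            hash_obj = utils.get_hashing_algorithm(self.fingerprint)
            digest = utils.get_file_fingerprint(self.raw_preinst_content_path,
                                                hash_obj)
            if digest != self.fingerprint:
                raise ContentCheckError("Integrity check of the content failed!")

        # … unchanged: archive extraction, get_fix_rules_pre call, RuleData setup …
```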
@@ -0,0 +1,79 @@ +From 6f444b269f48dd3fa4e92d5ff8c17892558f7d63 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Mon, 6 Jul 2015 14:31:36 +0200 +Subject: [PATCH 7/9] Better handle unsupported URL types (#1232631) + +If a URL that is not supported by the addon is given, it needs to report that as +an issue instead of crashing. + +Unsupported URLs are either incomplete or not starting with a recognized and +supported protocol type. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.py | 15 +++++++++++++++ + org_fedora_oscap/ks/oscap.py | 8 +++++++- + 2 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.py b/org_fedora_oscap/gui/spokes/oscap.py +index 5e5a43e..46b742b 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.py ++++ b/org_fedora_oscap/gui/spokes/oscap.py +@@ -41,6 +41,8 @@ from pyanaconda.ui.communication import hubQ + from pyanaconda.ui.gui.utils import gtk_action_wait, really_hide, really_show + from pyanaconda.ui.gui.utils import set_treeview_selection, fire_gtk_action + ++from pykickstart.errors import KickstartValueError ++ + # pylint: disable-msg=E0611 + from gi.repository import Gdk + +@@ -287,6 +289,11 @@ class OSCAPSpoke(NormalSpoke): + with self._fetch_flag_lock: + self._fetching = False + return ++ except KickstartValueError: ++ self._invalid_url() ++ with self._fetch_flag_lock: ++ self._fetching = False ++ return + + # pylint: disable-msg=E1101 + hubQ.send_message(self.__class__.__name__, +@@ -620,6 +627,14 @@ class OSCAPSpoke(NormalSpoke): + self._wrong_content() + + @gtk_action_wait ++ def _invalid_url(self): ++ """Callback for informing user about provided URL invalidity.""" ++ ++ self._progress_label.set_markup("%s" % _("Invalid or unsupported content " ++ "URL, please enter a different one.")) ++ self._wrong_content() ++ ++ @gtk_action_wait + def _data_fetch_failed(self): + """Adapts the UI if fetching data from entered URL failed""" + +diff --git 
a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index 1b44913..d0c39b8 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -275,7 +275,13 @@ class OSCAPdata(AddonData): + if self.content_type == "scap-security-guide": + raise ValueError("Using scap-security-guide, no single content file") + +- parts = self.content_url.rsplit("/", 1) ++ rest = "/anonymous_content" ++ for prefix in SUPPORTED_URL_PREFIXES: ++ if self.content_url.startswith(prefix): ++ rest = self.content_url[len(prefix):] ++ break ++ ++ parts = rest.rsplit("/", 1) + if len(parts) != 2: + msg = "Unsupported url '%s' in the %s addon" % (self.content_url, + self.name) +-- +2.4.3 + diff --git a/SOURCES/use_openscap_scanner_1240249.patch b/SOURCES/use_openscap_scanner_1240249.patch new file mode 100644 index 0000000..17f4f70 --- /dev/null +++ b/SOURCES/use_openscap_scanner_1240249.patch @@ -0,0 +1,30 @@ +From 157dbd4c4eff0543a60205e7be2939a9c1124780 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Mon, 6 Jul 2015 13:00:39 +0200 +Subject: [PATCH 4/9] Use the openscap-scanner package instead of + openscap-utils (#1240249) + +openscap-utils pulls openscap-scanner as a dependency and openscap-scanner is +enough to perform the scan on the installed system. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/ks/oscap.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/org_fedora_oscap/ks/oscap.py b/org_fedora_oscap/ks/oscap.py +index f3ca15d..1b44913 100644 +--- a/org_fedora_oscap/ks/oscap.py ++++ b/org_fedora_oscap/ks/oscap.py +@@ -44,7 +44,7 @@ SUPPORTED_URL_PREFIXES = ("http://", "https://", "ftp://" + # LABEL:?, hdaX:?, + ) + +-REQUIRED_PACKAGES = ("openscap", "openscap-utils", ) ++REQUIRED_PACKAGES = ("openscap", "openscap-scanner", ) + + FINGERPRINT_REGEX = re.compile(r'^[a-z0-9]+$') + +-- +2.4.3 + 
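Review bot: In `unsup_url_handling_1232631.patch`, presetting `rest = "/anonymous_content"` means a `content_url` that starts with none of `SUPPORTED_URL_PREFIXES` leaves the loop with that default, `rest.rsplit("/", 1)` yields two parts, and the "Unsupported url" branch is never taken for an unknown scheme. If the scheme is already rejected where the kickstart line is parsed, a comment saying so would help here. If it is not, initialising with `rest = ""` sends unsupported prefixes into the existing `len(parts) != 2` error path, unless the default is there on purpose for an empty URL. The enclosing property starts and ends outside the hunk.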
diff --git a/SOURCES/word_wrap_profile_desc_1236644.patch b/SOURCES/word_wrap_profile_desc_1236644.patch new file mode 100644 index 0000000..e82941b --- /dev/null +++ b/SOURCES/word_wrap_profile_desc_1236644.patch @@ -0,0 +1,34 @@ +From 67482a17a42efa67efaa6249711e31a4779f4b34 Mon Sep 17 00:00:00 2001 +From: Vratislav Podzimek +Date: Tue, 30 Jun 2015 13:54:11 +0200 +Subject: [PATCH 1/9] Word-wrap profile descriptions (#1236644) + +Otherwise the description is not fully displayed and what's more, Gtk+SPICE can +go crazy and shrink the screen. + +Signed-off-by: Vratislav Podzimek +--- + org_fedora_oscap/gui/spokes/oscap.glade | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/org_fedora_oscap/gui/spokes/oscap.glade b/org_fedora_oscap/gui/spokes/oscap.glade +index efcf140..49c7dae 100644 +--- a/org_fedora_oscap/gui/spokes/oscap.glade ++++ b/org_fedora_oscap/gui/spokes/oscap.glade +@@ -285,7 +285,12 @@ + Profile + True + +- ++ ++ 110 ++ word ++ 110 ++ 110 ++ + + 1 + +-- +2.4.3 + diff --git a/SPECS/oscap-anaconda-addon.spec b/SPECS/oscap-anaconda-addon.spec index c062c2c..692ebb5 100644 --- a/SPECS/oscap-anaconda-addon.spec +++ b/SPECS/oscap-anaconda-addon.spec @@ -1,6 +1,6 @@ Name: oscap-anaconda-addon -Version: 0.4 -Release: 3%{?dist} +Version: 0.7 +Release: 8%{?dist} Summary: Anaconda addon integrating OpenSCAP to the installation process License: GPLv2+ 
@@ -11,20 +11,49 @@ URL: https://git.fedorahosted.org/cgit/oscap-anaconda-addon.git # # The source is thus available only from within this SRPM # or via direct git checkout: -# git clone git://git.fedorahosted.org/oscap-anaconda-addon.git +# git clone https://github.com/OpenSCAP/oscap-anaconda-addon.git Source0: %{name}-%{version}.tar.gz -Patch0: no_backup_files.patch +Patch0: change_ssg_paths.patch +Patch1: word_wrap_profile_desc_1236644.patch +Patch2: newline_after_addon_section_1238267.patch +Patch3: no_profile_handling_1235750.patch +Patch4: use_openscap_scanner_1240249.patch +Patch5: default_profile_desc_1238080.patch +Patch6: network_issues_handling_1236657.patch +Patch7: unsup_url_handling_1232631.patch +Patch8: ssg_ks_output_1240285.patch +Patch9: tui_fetch_and_process_1240625.patch +Patch10: download_issues_react_1240710.patch +Patch11: integrity_check_fail_react_1240710.patch +Patch12: no_profile_no_ks_section_1241395.patch +Patch13: cpio_entries_paths_1241064.patch +Patch14: gui_actions_main_thread_1240967.patch +Patch15: better_error_handling_1241064.patch +Patch16: gtk_thread_issues_1240967.patch +Patch17: invalid_profile_id_1247677.patch +Patch18: clear_errors_1247677.patch +Patch19: ssg_usage_ks_or_gui_switch_1249937.patch +Patch20: early_ds_validation_1247654.patch +Patch21: ds_xccdf_id_selection_1249951.patch +Patch22: oscap-anaconda-addon/ds_xccdf_id_refresh_1240946.patch +Patch23: help_file_name_1254884.patch +Patch24: oscap_info_continue_1255075.patch +Patch25: ds_xccdf_ids_hide_1254876.patch +Patch26: no_profile_no_data_dir_1254973.patch +Patch27: short_root_pw_1263254.patch BuildArch: noarch +BuildRequires: gettext BuildRequires: python2-devel #BuildRequires: python-mock -BuildRequires: python-nose -BuildRequires: python-cpio -BuildRequires: anaconda >= 19 -Requires: anaconda >= 19 +#BuildRequires: python-nose +#BuildRequires: python-cpio +#BuildRequires: anaconda >= 21.35 +Requires: anaconda >= 21.35 Requires: openscap openscap-utils 
openscap-python Requires: python-cpio +Requires: scap-security-guide %description This is an addon that integrates OpenSCAP utilities with the Anaconda installer @@ -32,9 +61,35 @@ and allows installation of systems following restrictions given by a SCAP content. %prep -%setup -q +%setup -q -n %{name}-%{version} %patch0 - +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch19 -p1 +%patch20 -p1 +%patch21 -p1 +%patch22 -p1 +%patch23 -p1 +%patch24 -p1 +%patch25 -p1 +%patch26 -p1 +%patch27 -p1 %build 
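Review bot: `Patch22: oscap-anaconda-addon/ds_xccdf_id_refresh_1240946.patch` is the only one of the 28 patch entries that carries a directory prefix. If the file sits next to the others in SOURCES, the entry should read `Patch22: ds_xccdf_id_refresh_1240946.patch`, so the patch list stays uniform and is easy to audit against the files the commit adds. The same hunk comments out the `python-nose`, `python-cpio` and `anaconda` BuildRequires without saying why. A one-line comment stating whether the test suite is still run at build time would help the next reviewer.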
@@ -44,13 +99,92 @@ content. %install make install DESTDIR=%{buildroot} +%find_lang %{name} -%files +%files -f %{name}.lang %{_datadir}/anaconda/addons/org_fedora_oscap %doc COPYING ChangeLog README %changelog +* Wed Sep 16 2015 Vratislav Podzimek - 0.7-8 +- Do not remove the root password behind user's back + Resolves: rhbz#1263254 + +* Mon Sep 7 2015 Vratislav Podzimek - 0.7-7 +- Completely skip the execute() part if no profile is selected + Resolves: rhbz#1254973 + +* Mon Aug 24 2015 Vratislav Podzimek - 0.7-6 +- Specify the name of the help content file + Resolves: rhbz#1254884 +- Skip files unrecognized by the 'oscap info' command + Resolves: rhbz#1255075 +- Only allow DS and XCCDF ID selection if it makes sense + Resolves: rhbz#1254876 + +* Tue Aug 4 2015 Vratislav Podzimek - 0.7-5 +- Make sure DS and XCCDF ID lists are correctly refreshed + Resolves: rhbz#1240946 +- Make sure the DS and XCCDF ID combo boxes are visible for DS content + Resolves: rhbz#1249951 +- Try to load the OSCAP session early for DS content + Resolves: rhbz#1247654 +- Test preinst_content_path before raw_preinst_content_path + Resolves: rhbz#1249937 +- Clear any error if switching to the dry-run mode + Related: rhbz#1247677 +- Do not continue with and invalid profile ID + Resolves: rhbz#1247677 +- Cover all potential places with a non-main thread changing Gtk stuff + Resolves: rhbz#1240967 + +* Thu Jul 23 2015 Vratislav Podzimek - 0.7-4 +- Better handle and report erroneous states + Resolves: rhbz#1241064 +- Make sure (some more) GUI actions run in the main thread + Resolves: rhbz#1240967 +- Beware of RPM->cpio entries' paths having absolute paths + Related: rhbz#1241064 +- Only output the kickstart section with content and profile set + Resolves: rhbz#1241395 +- Just report integrity check failure instead of traceback + Resolves: rhbz#1240710 +- Properly react on download/loading issues in text+kickstart mode + Related: rhbz#1240710 +- Fetch and process the content even if GUI doesn't 
take care of it + Resolves: rhbz#1240625 + +* Tue Jul 7 2015 Vratislav Podzimek - 0.7-3 +- Do not output redundant/invalid fields for the SSG content (vpodzime) + Resolves: rhbz#1240285 +- Better handle unsupported URL types (vpodzime) + Resolves: rhbz#1232631 +- React better on network issues (vpodzime) + Resolves: rhbz#1236657 +- Improve the description of the default profile (vpodzime) + Resolves: rhbz#1238080 +- Use the openscap-scanner package instead of openscap-utils (vpodzime) + Resolves: rhbz#1240249 +- Better handle the case with no profile selected (vpodzime) + Resolves: rhbz#1235750 +- Add newline and one blank line after the %%addon section (vpodzime) + Resolves: rhbz#1238267 +- Word-wrap profile descriptions (vpodzime) + Resolves: rhbz#1236644 + +* Wed Jun 17 2015 Vratislav Podzimek - 0.7-2 +- Add gettext to BuildRequires (vpodzime) + Related: rhbz#1204640 + +* Tue Jun 16 2015 Vratislav Podzimek - 0.7-1 +- Rebase to the upstream version 0.7 + Related: rhbz#1204640 + +* Tue Apr 28 2015 Vratislav Podzimek - 0.6-1 +- Rebase to the upstream version 0.6 + Resolves: rhbz#1204640 + * Mon Aug 04 2014 Vratislav Podzimek - 0.4-3 - Don't distribute backup files Resolves: rhbz#1065906