Merge 3b6eec7 into 3d1cadd

package/yast2-storage-ng.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Nov 15 11:40:40 UTC 2022 - José Iván López González <jlopez@suse.com>
+
+- Validate security policies in both guided proposal and
+  partitioner (part of jsc#SLE-24764).
+- 4.5.13
+
 -------------------------------------------------------------------
 Thu Nov 10 11:31:21 UTC 2022 - Ancor Gonzalez Sosa <ancor@suse.com>
 

package/yast2-storage-ng.spec

@@ -16,7 +16,7 @@
 #
 
 Name:           yast2-storage-ng
-Version:        4.5.12
+Version:        4.5.13
 Release:        0
 Summary:        YaST2 - Storage Configuration
 License:        GPL-2.0-only OR GPL-3.0-only

src/lib/y2partitioner/widgets/overview.rb

@@ -24,7 +24,7 @@
 require "y2partitioner/icons"
 require "y2partitioner/ui_state"
 require "y2partitioner/widgets/pages"
-require "y2partitioner/setup_errors_presenter"
+require "y2storage/setup_errors_presenter"
 require "y2storage/setup_checker"
 require "y2storage/package_handler"
 require "y2storage/bcache"
@@ -188,7 +188,7 @@ def valid_setup?
         setup_checker = Y2Storage::SetupChecker.new(device_graph)
         return true if setup_checker.valid?
 
-        errors = SetupErrorsPresenter.new(setup_checker).to_html
+        errors = Y2Storage::SetupErrorsPresenter.new(setup_checker).to_html
 
         if setup_checker.errors.empty? # so only warnings there
           # FIXME: improve Yast2::Popup to allow some text before the buttons

src/lib/y2storage/dialogs/proposal.rb

@@ -1,4 +1,4 @@
-# Copyright (c) [2016] SUSE LLC
+# Copyright (c) [2016-2022] SUSE LLC
 #
 # All Rights Reserved.
 #
@@ -23,6 +23,8 @@
 require "y2storage"
 require "y2storage/actions_presenter"
 require "y2storage/dump_manager"
+require "y2storage/setup_checker"
+require "y2storage/setup_errors_presenter"
 
 Yast.import "HTML"
 
@@ -137,6 +139,7 @@ def summary
       def actions_html
         actions_source_html +
           boss_html +
+          setup_errors_html +
           # Reuse the exact string "Changes to partitioning" from the partitioner
           _("<p>Changes to partitioning:</p>") +
           @actions_presenter.to_html
@@ -183,6 +186,16 @@ def actions_source_for_default_settings
         para(_("Initial layout proposed with the default Guided Setup settings."))
       end
 
+      # Setup errors
+      #
+      # @return [String] HTML-formatted text
+      def setup_errors_html
+        setup_checker = Y2Storage::SetupChecker.new(devicegraph)
+        return "" if setup_checker.valid?
+
+        Y2Storage::SetupErrorsPresenter.new(setup_checker).to_html
+      end
+
       # Text for the summary in cases in which it was not possible to propose
       # a devicegraph
       #

src/lib/y2storage/setup_checker.rb

@@ -1,4 +1,4 @@
-# Copyright (c) [2018] SUSE LLC
+# Copyright (c) [2018-2022] SUSE LLC
 #
 # All Rights Reserved.
 #
@@ -23,11 +23,13 @@
 require "y2storage/setup_error"
 require "y2storage/boot_requirements_checker"
 require "y2storage/proposal_settings"
+require "y2storage/with_security_policies"
 
 # This 'import' is necessary to load the control file (/etc/YaST/control.xml)
 # when running in an installed system. During installation, this module
 # is imported by WorkflowManager.
 Yast.import "ProductControl"
+Yast.import "Mode"
 
 module Y2Storage
   # Class to check whether a setup (devicegraph) fulfills the storage requirements
@@ -41,6 +43,8 @@ module Y2Storage
   #   checker.valid? #=> true
   class SetupChecker
     include Yast::I18n
+    include Yast::Logger
+    include WithSecurityPolicies
 
     # @return [Devicegraph]
     attr_reader :devicegraph
@@ -74,7 +78,7 @@ def errors
     #
     # @return [Array<SetupError>]
     def warnings
-      boot_warnings + product_warnings + mount_warnings
+      boot_warnings + product_warnings + mount_warnings + security_policy_warnings
     end
 
     # All boot errors detected in the setup
@@ -105,6 +109,44 @@ def mount_warnings
       devicegraph.mount_points.map { |mp| mount_warning(mp) }.compact
     end
 
+    # Security policy warnings detected in the setup
+    #
+    # @return [Array<SetupError>]
+    def security_policy_warnings
+      @security_policy_warnings ||= security_policy_failing_rules.map do |rule|
+        SetupError.new(message: "#{rule.identifiers.first} #{rule.description}")
+      end
+    end
+
+    # Currently enabled security policy
+    #
+    # @note yast2-security might not be available, see {#with_security_policies}.
+    #
+    # @return [Y2Security::SecurityPolicies::Policy, nil]
+    def security_policy
+      with_security_policies { Y2Security::SecurityPolicies::Manager.instance.enabled_policy }
+    end
+
+    # Failing rules from the enabled security policy
+    #
+    # @note yast2-security might not be available, see {#with_security_policies}.
+    #
+    # @return [Array<Y2Security::SecurityPolicies::Rule>]
+    def security_policy_failing_rules
+      return [] unless Yast::Mode.installation
+
+      failing_rules = with_security_policies do
+        policies_manager = Y2Security::SecurityPolicies::Manager.instance
+        target_config = Y2Security::SecurityPolicies::TargetConfig.new.tap do |config|
+          config.storage = devicegraph
+        end
+
+        policies_manager.failing_rules(target_config, scope: :storage)
+      end
+
+      failing_rules || []
+    end
+
     private
 
     # Mandatory product volumes that are not present in the current setup

src/lib/y2partitioner/setup_errors_presenter.rb → src/lib/y2storage/setup_errors_presenter.rb

@@ -1,4 +1,4 @@
-# Copyright (c) [2017] SUSE LLC
+# Copyright (c) [2017-2022] SUSE LLC
 #
 # All Rights Reserved.
 #
@@ -20,13 +20,15 @@
 require "yast"
 require "yast/i18n"
 require "y2storage"
+require "y2storage/with_security_policies"
 
 Yast.import "HTML"
 
-module Y2Partitioner
+module Y2Storage
   # Class to represent storage setup errors
   class SetupErrorsPresenter
     include Yast::I18n
+    include WithSecurityPolicies
 
     # Constructor
     #
@@ -50,11 +52,17 @@ def to_html
     # @return [SetupChecker] checker for the current setup
     attr_reader :setup_checker
 
-    # HTML representation for boot warnings
+    # HTML representation for all warnings
     #
-    # @return [String, nil] nil if there is no boot warning
+    # @return [String, nil] nil if there is no warning
     def warnings_html
-      warnings = [boot_warnings_html, product_warnings_html, mount_warnings_html].compact
+      warnings = [
+        boot_warnings_html,
+        product_warnings_html,
+        mount_warnings_html,
+        security_policy_warnings_html
+      ].compact
+
       return nil if warnings.empty?
 
       warnings.join(Yast::HTML.Newline)
@@ -95,6 +103,26 @@ def mount_warnings_html
       create_html(header, warnings)
     end
 
+    # HTML representation for warnings from the enabled security policy
+    #
+    # @return [String, nil] nil if warnings cannot be represented, see {#with_security_policies}
+    def security_policy_warnings_html
+      policy = setup_checker.security_policy
+      failing_rules = setup_checker.security_policy_failing_rules
+
+      return nil if policy.nil? || failing_rules.none?
+
+      with_security_policies do
+        require "y2security/security_policies/rule_presenter"
+
+        header = format(_("The system does not comply with the %s security policy:"), policy.name)
+        sorted_rules = failing_rules.sort_by { |r| r.identifiers.first }
+        warnings = sorted_rules.map { |r| Y2Security::SecurityPolicies::RulePresenter.new(r).to_html }
+
+        header + Yast::HTML.List(warnings)
+      end
+    end
+
     # HTML representation for fatal booting errors
     #
     # @return [String, nil] nil if there is no error
@@ -118,7 +146,7 @@ def create_html(header, errors)
       return nil if errors.empty?
 
       error_messages = errors.map(&:message)
-      header + Yast::HTML.Newline + Yast::HTML.List(error_messages)
+      header + Yast::HTML.List(error_messages)
     end
   end
 end

src/lib/y2storage/with_security_policies.rb

@@ -0,0 +1,42 @@
+# Copyright (c) [2022] SUSE LLC
+#
+# All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of version 2 of the GNU General Public License as published
+# by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, contact SUSE LLC.
+#
+# To contact SUSE LLC about this file by physical or electronic mail, you may
+# find current contact information at www.suse.com.
+
+require "yast"
+
+module Y2Storage
+  # Mixin to ensure that security policies can be used
+  #
+  # The package yast2-security requires yast2-storage-ng as dependency, so yast2-storage-ng does not
+  # require yast2-security at RPM level to avoid cyclic dependencies. Note that yast2-security is
+  # always included in the installation image, but it could be missing at building time.
+  # Missing yast2-security in a running system should not be relevant because the policies are
+  # only checked during the installation.
+  module WithSecurityPolicies
+    include Yast::Logger
+
+    # Runs a block ensuring that security policies are correctly loaded
+    def with_security_policies
+      require "y2security/security_policies"
+      yield
+    rescue LoadError
+      log.warn("Security policies cannot be loaded. Make sure yast2-security is installed.")
+      nil
+    end
+  end
+end

test/y2partitioner/widgets/overview_test.rb

@@ -322,7 +322,7 @@
       allow(checker).to receive(:valid?).and_return(valid_setup)
       allow(checker).to receive(:errors).and_return(fatal_errors)
 
-      allow(Y2Partitioner::SetupErrorsPresenter).to receive(:new).and_return(presenter)
+      allow(Y2Storage::SetupErrorsPresenter).to receive(:new).and_return(presenter)
       allow(presenter).to receive(:to_html).and_return("html representation")
 
       allow(Yast2::Popup).to receive(:show).and_return(user_input)
@@ -336,7 +336,7 @@
 
     let(:checker) { instance_double(Y2Storage::SetupChecker) }
 
-    let(:presenter) { instance_double(Y2Partitioner::SetupErrorsPresenter) }
+    let(:presenter) { instance_double(Y2Storage::SetupErrorsPresenter) }
 
     let(:valid_setup) { nil }