[RHELC-1117] Fix backtrace in kernel signature verification (oamg#952)

* Fix backtrace in kernel signature verification The old method we used was causing a backtrace during the fingerprint verification as it was consulting the yumdb and in return it was reporting metadata that was not relevant. This commit introduces an minimal refactor that changes the way we query for the package, so instead of relying in querying the rpmdb first, we use rpm directly to do the job. Signed-off-by: Rodolfo Olivieri <[email protected]> * Mock the _get_loaded_kmods to avoid running lsmod Sometimes lsmod was failing because it couldn't be found in the system, and since the return or execution of this function is not needed by the test result, mocking it to null value is an easy fix. Signed-off-by: Rodolfo Olivieri <[email protected]> --------- Signed-off-by: Rodolfo Olivieri <[email protected]>
Andrew-ang9 · Oct 31, 2023 · 8c77aa0 · 8c77aa0
1 parent dfbb8ee
commit 8c77aa0
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 15 deletions.
diff --git a/convert2rhel/actions/system_checks/rhel_compatible_kernel.py b/convert2rhel/actions/system_checks/rhel_compatible_kernel.py
@@ -125,9 +125,8 @@ def _bad_kernel_package_signature(kernel_release):
     """Return True if the booted kernel is not signed by the original OS vendor, i.e. it's a custom kernel."""
     vmlinuz_path = "/boot/vmlinuz-%s" % kernel_release
 
-    kernel_pkg, return_code = run_subprocess(
-        ["rpm", "-qf", "--qf", "%{VERSION}&%{RELEASE}&%{ARCH}&%{NAME}", vmlinuz_path], print_output=False
-    )
+    kernel_pkg, return_code = run_subprocess(["rpm", "-qf", "--qf", "%{NEVRA}", vmlinuz_path], print_output=False)
+    logger.debug("Booted kernel package name: %s", kernel_pkg)
 
     os_vendor = system_info.name.split()[0]
     if return_code == 1:
@@ -138,15 +137,8 @@ def _bad_kernel_package_signature(kernel_release):
             dict(vmlinuz_path=vmlinuz_path, os_vendor=os_vendor),
         )
 
-    version, release, arch, name = tuple(kernel_pkg.split("&"))
-    logger.debug("Booted kernel package name: {0}".format(name))
-
-    kernel_pkg_obj = get_installed_pkg_objects(name, version, release, arch)[0]
-    package = get_installed_pkg_information(str(kernel_pkg_obj))[0]
-    bad_signature = system_info.cfg_content["gpg_fingerprints"] != package.fingerprint
-
-    # e.g. Oracle Linux Server -> Oracle or
-    #      Oracle Linux Server -> CentOS Linux
+    kernel_pkg_obj = get_installed_pkg_information(pkg_name=kernel_pkg)
+    bad_signature = system_info.cfg_content["gpg_fingerprints"] != kernel_pkg_obj[0].fingerprint
     if bad_signature:
         raise KernelIncompatibleError(
             "INVALID_KERNEL_PACKAGE_SIGNATURE",

diff --git a/convert2rhel/unit_tests/actions/pre_ponr_changes/kernel_modules_test.py b/convert2rhel/unit_tests/actions/pre_ponr_changes/kernel_modules_test.py
@@ -556,6 +556,7 @@ def test_get_unsupported_kmods(
 
 def test_kernel_modules_rhel_kernel_module_not_found_error(ensure_kernel_modules_compatibility_instance, monkeypatch):
     # need to trigger the raise event
+    monkeypatch.setattr(EnsureKernelModulesCompatibility, "_get_loaded_kmods", mock.Mock(return_value=None))
     monkeypatch.setattr(
         EnsureKernelModulesCompatibility,
         "_get_rhel_supported_kmods",
@@ -567,7 +568,6 @@ def test_kernel_modules_rhel_kernel_module_not_found_error(ensure_kernel_modules
     )
     monkeypatch.setattr(EnsureKernelModulesCompatibility, "_get_loaded_kmods", mock.Mock(return_value="loaded_kmods"))
     ensure_kernel_modules_compatibility_instance.run()
-    print(ensure_kernel_modules_compatibility_instance.result)
     assert_actions_result(
         ensure_kernel_modules_compatibility_instance,
         level="ERROR",

diff --git a/convert2rhel/unit_tests/actions/system_checks/rhel_compatible_kernel_test.py b/convert2rhel/unit_tests/actions/system_checks/rhel_compatible_kernel_test.py
@@ -266,7 +266,7 @@ def test_bad_kernel_package_signature_success(
     monkeypatch.setattr(rhel_compatible_kernel, "get_installed_pkg_information", get_installed_pkg_information_mocked)
     assert rhel_compatible_kernel._bad_kernel_package_signature(kernel_release) == exp_return
     run_subprocess_mocked.assert_called_with(
-        ["rpm", "-qf", "--qf", "%{VERSION}&%{RELEASE}&%{ARCH}&%{NAME}", "/boot/vmlinuz-%s" % kernel_release],
+        ["rpm", "-qf", "--qf", "%{NEVRA}", "/boot/vmlinuz-%s" % kernel_release],
         print_output=False,
     )
 
@@ -328,7 +328,7 @@ def test_bad_kernel_package_signature_invalid_signature(
     assert excinfo.value.template == template
     assert excinfo.value.variables == variables
     run_subprocess_mocked.assert_called_with(
-        ["rpm", "-qf", "--qf", "%{VERSION}&%{RELEASE}&%{ARCH}&%{NAME}", "/boot/vmlinuz-%s" % kernel_release],
+        ["rpm", "-qf", "--qf", "%{NEVRA}", "/boot/vmlinuz-%s" % kernel_release],
         print_output=False,
     )