Conversation

@pafernanr pafernanr (Contributor) commented Jul 29, 2025

Refer to 3919

  • New clean argument added --treat-certificates with the following options:

    • obfuscate: (Default) convert certificates to text and let the method obfuscate_report do its job.
    • remove: Remove certificate files from the archive.
    • keep: Don't touch certificate files and keep them as is in the archive.
  • Notes:

    • Certificate files are identified by extension (.csr, .pem) and header:
      • r'-----BEGIN CERTIFICATE-----'
      • r'-----BEGIN [A-Z]+ PRIVATE KEY-----'
    • If openssl is not available and obfuscate is selected, it will be replaced by remove after showing a WARNING message.
    • Certificate Key files are always removed.

Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines

  • Is the commit message split over multiple lines and hard-wrapped at 72 characters?
  • Is the subject and message clear and concise?
  • Does the subject start with [plugin_name] if submitting a plugin patch or a [section_name] if part of the core sosreport code?
  • Does the commit contain a Signed-off-by: First Lastname [email protected]?
  • Are any related Issues or existing PRs properly referenced via a Closes (Issue) or Resolved (PR) line?
  • Are all passwords or private data gathered by this PR obfuscated?
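An added example (not sos project code) of the classification and decision logic the description above outlines, using the two header patterns and the fallback rules it states; the names classify_pem, decide_action and plan_archive and the sample archive contents are assumptions. It also shows that a bare CSR body matches neither header pattern.

```python
import re
import shutil

# Constructed example, not sos project code: classify archive files the way the
# PR description explains (extension plus PEM header) and decide what the cleaner
# should do with each one for a given --treat-certificates value.
CERT_EXTS = (".csr", ".pem")
CERT_HDR = re.compile(r'-----BEGIN CERTIFICATE-----')
KEY_HDR = re.compile(r'-----BEGIN [A-Z]+ PRIVATE KEY-----')

def classify_pem(fname, content):
    """Return 'certificatekey', 'certificate' or None (key header wins for bundles).
    A CSR body ('-----BEGIN CERTIFICATE REQUEST-----') matches neither pattern,
    so a .csr file is classified only if one of the two headers is present."""
    if not fname.endswith(CERT_EXTS):
        return None
    if KEY_HDR.search(content):
        return "certificatekey"
    if CERT_HDR.search(content):
        return "certificate"
    return None

def decide_action(kind, treat_certificates, openssl_available):
    """Return 'remove', 'keep', 'obfuscate', or None for non-certificate files.
    Keys are always removed; 'obfuscate' falls back to 'remove' without openssl."""
    if kind is None:
        return None
    if kind == "certificatekey":
        return "remove"
    if treat_certificates == "obfuscate" and not openssl_available:
        return "remove"
    return treat_certificates

def plan_archive(files, treat_certificates, openssl_available=None):
    """Return {path: action} for a {path: content} snapshot of an archive."""
    if openssl_available is None:
        openssl_available = shutil.which("openssl") is not None
    return {path: decide_action(classify_pem(path, body), treat_certificates,
                                openssl_available) for path, body in files.items()}

# Constructed sample archive contents; the PEM bodies are placeholders.
SAMPLE_FILES = {
    "etc/pki/tls/server.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "etc/pki/tls/server-key.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
    "etc/pki/tls/request.csr": "-----BEGIN CERTIFICATE REQUEST-----\nMIIC...\n-----END CERTIFICATE REQUEST-----\n",
    "etc/hosts": "127.0.0.1 localhost\n",
}
```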


Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo yum install -y dnf-plugins-core on RHEL 8
  • sudo dnf install -y dnf-plugins-core on Fedora
  • dnf copr enable packit/sosreport-sos-4093
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from 568d426 to 3474c83 Compare July 29, 2025 15:04
Comment on lines 581 to 598
if self.opts.treat_certificates == "obfuscate":
    self.ui_log.warning(
        "WARNING: certificate files that potentially contain "
        "sensitive information will be CONVERTED to text and "
        "OBFUSCATED in the final archive.\n"
    )
elif self.opts.treat_certificates == "keep":
    self.ui_log.warning(
        "WARNING: certificate files that potentially contain "
        "sensitive information will be KEPT in the final "
        "archive as is.\n"
    )
elif self.opts.treat_certificates == "remove":
    self.ui_log.warning(
        "WARNING: certificate files that potentially contain "
        "sensitive information will be REMOVED in the final "
        "archive.\n"
    )
Contributor

Just a thought / option to consider: do we really want a WARNING message (either one of those three) printed on every cleaner run?

        continue
    is_certificate = file_is_certificate(fname)
    if is_certificate:
        if is_certificate == "certificatekey":
Contributor

In theory, key files should have been removed by report already. But surely they can remain here too, so it makes sense to remove them even though they don't usually contain any cleaner-sensitive data.

Comment on lines 737 to 742
            archive.remove_file(short_name)
            continue
        if self.opts.treat_certificates == "keep":
            continue
        if self.opts.treat_certificates == "remove":
            archive.remove_file(short_name)
Contributor

Originally, I thought we should put some debug message here "removing certificate file" or similar.

But a better approach is updating remove_file method in sos/cleaner/archives/__init__.py to have extra argument filetype=binary and replace:

self.log_info(f"Removing binary file '{fname}' from archive")

to:
self.log_info(f"Removing {filetype} file '{fname}' from archive")

(and call the method from here with proper argument)

sos_get_command_output(
    f"openssl x509 -noout -text -in {str(fname)}",
    to_file=f"{fname}.text")
shutil.move(f"{fname}.text", fname)
Contributor

Just a thought / option to consider: should we keep original file's permissions and ownership? We are overwriting it here (which makes sense as well as we update the file content).

Member

My only hangup here is actually dropping the .text suffix. I think if we're converting the cert file, then we should make that obvious, and I do like the idea of having a .text (or .txt if you prefer) appended to the filename.

Contributor

I agree here, this behaviour can be confusing ("does the pem file really contain just text content, or..?").

Maybe it's worth appending the new filename to the "Converting certificate .." log message above?

Gladly we do the change in cleaner and not in report where we would have to update filelist of collected files - here just removing the old file should be enough.

clean_grp.add_argument('--treat-certificates', default='obfuscate',
                       choices=['obfuscate', 'keep', 'remove'],
                       dest='treat_certificates',
                       help=('How to treat certificate files.'
Contributor

nitpick: Extra dot at the end. Same applies on two equivalent places later on.

        return "certificate"
    if re.search(r'-----BEGIN [A-Z]+ PRIVATE KEY-----', f.read()):
        return "certificatekey"
    return None
Contributor

Just a thought / option to consider: isn't this return redundant?

Contributor Author

Yes, it is :) it was added just to make lint happy

@pmoravec (Contributor)

I added several comments. Those starting "Just a thought / option to consider:" are really "just a thought" and nothing else - in those cases I am OK with the current change but maybe others can see the mentioned option as a better one?

@pmoravec pmoravec (Contributor) commented Jul 30, 2025

The foreman tests failing is a foreman infra issue: they have an expired GPG key:

# curl https://archivedeb.theforeman.org/foreman.asc | gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2460  100  2460    0     0  25696      0 --:--:-- --:--:-- --:--:-- 25894
pub   rsa4096 2021-07-23 [SCEA] [expired: 2025-07-24]
      5B7C3E5A735BCB4D615829DC0BDDA991FD7AAC8A
uid           Foreman Automatic Signing Key (2021) <[email protected]>
#

I am reporting this to the foreman team.

@ekohl ekohl (Contributor) commented Jul 30, 2025

> The foreman tests failing is foreman infra issue: they have expired GPG key:

I opened theforeman/foreman-infra#2280 for this.

@pafernanr pafernanr closed this Jul 30, 2025
@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from cb4ddde to 7a1463f Compare July 30, 2025 15:27
@pafernanr pafernanr reopened this Jul 30, 2025
@pafernanr pafernanr closed this Jul 30, 2025
@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from 3b5ee03 to 7a1463f Compare July 30, 2025 17:05
@pafernanr pafernanr reopened this Jul 30, 2025
@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from f3fa9f7 to faab870 Compare August 1, 2025 12:25
@pmoravec pmoravec (Contributor) left a comment

ACK (up to the doubt about CodeQL warning).

Thanks Pablo for applying repetitive feedback! :)

@pmoravec pmoravec added Kind/Enhancement Reviewed/Needs 2nd Ack Require a 2nd ack from a maintainer Kind/cleaner cleaner component of sos labels Aug 1, 2025
@pafernanr pafernanr (Contributor Author) commented Aug 1, 2025

@pmoravec all checks passed.

  • openssl command modified to "openssl storeutl -noout -text -certs /tmp/BUNDLE_FILE.crt"
  • That CodeQL warning didn't arise ¿? but "with open" code remains the same :)

@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from ee8f7f0 to 1c04560 Compare August 1, 2025 15:51
@pafernanr pafernanr requested a review from bmr-cymru August 1, 2025 20:01
@TurboTurtle TurboTurtle (Member) left a comment

Ack up to my comment on the filename. I'd like to see us keep the .text/.txt, but willing to hear why that might not be a good idea.

@pmoravec pmoravec (Contributor) left a comment

Sorry @pafernanr for yet another nitpick change requested. This slipped down among the reviews..

@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from 475e389 to 3c96a3c Compare September 15, 2025 07:01
@pafernanr pafernanr (Contributor Author)

Hi all, the last commit behaves as you requested: .pem files are renamed to .pem.text when using sos report --clean --treat-certificates obfuscate

sos/utilities.py Outdated
    :returns: The type of the certificate or ``None``
    :rtype: ``string`` or ``None``
    """
    if fname[-4:] in [".csr", ".pem"]:
Contributor

Can we check against .crt suffix as well? E.g. various Satellite-related certificates (though afaik neither of them being collected by sos, in neither of plenty locations) have that suffix.

(tiny update: even sosreport from Satellite can contain ./etc/pki/pulp/qpid/ca.crt until Qpid broker is deprecated in Sat)

@pmoravec (Contributor)

Apart from the .crt suffix, two nitpicks:

  • Please merge the two commits
  • The WARNING messages shall be wrapped to 80 chars like e.g. print_disclaimer in sos/cleaner/__init__.py

@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from 4126e80 to 803e6fe Compare September 15, 2025 08:22
Signed-off-by: Pablo Fernández Rodríguez <[email protected]>
@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from 803e6fe to e506c7f Compare September 15, 2025 08:35
@TurboTurtle TurboTurtle added Reviewed/Ready for Merge Has been reviewed, ready for merge and removed Reviewed/Needs 2nd Ack Require a 2nd ack from a maintainer labels Sep 19, 2025
@TurboTurtle (Member)

LGTM, however if you could please rebase on current main to pull in the temporary disabling of Fedora tests in our suite, that will let the rest of the CI run, which does include some sanity testing for cleaner.

@TurboTurtle (Member)

Friendly reminder ping to please rebase on current main and repush so we can get a sanity run of the test suite.

@pafernanr pafernanr force-pushed the 3919_certificates_cleaner branch from 748e8ad to e506c7f Compare October 2, 2025 07:33
@pmoravec pmoravec (Contributor) left a comment

ACK, we just should drop the internal merge commit when we merge into upstream.
