[redhat] Change authentication method for RHEL

[jcastill]

The authentication method for RHEL uploads to the
customer portal is changing in 2024 to Device Auth
tokens, from user/password basic authorization.
To accomplish this, one new class is created:
DeviceAuth (deviceauth.py), that takes care of
managing OID token authentication.

Closes: RH: SUPDEV-63

---

Please place an 'X' inside each '[]' to confirm you adhere to our Contributor Guidelines

• Is the commit message split over multiple lines and hard-wrapped at 72 characters?
• Is the subject and message clear and concise?
• Does the subject start with [plugin_name] if submitting a plugin patch or a [section_name] if part of the core sosreport code?
• Does the commit contain a Signed-off-by: First Lastname email@example.com?
• Are any related Issues or existing PRs properly referenced via a Closes (Issue) or Resolved (PR) line?

[packit-as-a-service]

Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

• sudo yum install -y dnf-plugins-core on RHEL 8
• sudo dnf install -y dnf-plugins-core on Fedora
• dnf copr enable packit/sosreport-sos-3380
• And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

[packit-as-a-service]

Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

• sudo yum install -y dnf-plugins-core on RHEL 8
• sudo dnf install -y dnf-plugins-core on Fedora
• dnf copr enable packit/sosreport-sos-3380
• And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

[jcastill]

Some notes:

• I thought about moving keyring.py and deviceauth.py to a new directory, perhaps Auth or something similar. But seeing other classes like 'tools' in that directory convinced me otherwise.
• I tried to make these two classes as distro-agnostic as possible, in case other distributions can benefit from that code as well.
• The error when there's no keyctl binary available is as follows:

Traceback (most recent call last):
File "/root/sos_auth_oid_keyctl/bin/sos", line 22, in
sos.execute()
File "/root/sos_auth_oid_keyctl/sos/init.py", line 193, in execute
self._component.execute()
File "/root/sos_auth_oid_keyctl/sos/report/init.py", line 1819, in execute
self.prework()
File "/root/sos_auth_oid_keyctl/sos/report/init.py", line 1197, in prework
self.policy.pre_work()
File "/root/sos_auth_oid_keyctl/sos/policies/distros/init.py", line 316, in pre_work
self.prompt_for_upload_user()
File "/root/sos_auth_oid_keyctl/sos/policies/distros/redhat.py", line 276, in prompt_for_upload_user
RHELAuth = AuthClass()
File "/root/sos_auth_oid_keyctl/sos/deviceauth.py", line 60, in init
raise Exception("keyctl tool is not installed"
Exception: keyctl tool is not installed and is required to store auth tokens.

This behaviour is copied from other similar approaches in other classes, but I can see that the last line may not be clear enough. I can change that for a simple message if needed.

• Class Key is inspired heavily on the work done to address authorization on the redhat-support-tool code, which in turn was taken from here

[pmoravec]

I should learn about keyctl (and idealy I should learned before I started to play with it :) ) but I am also asking: how robust the Key class should be? As I "just" run:

• one successful sos upload
• keyctl revoke @s
• an attempt of sos upload failed with:

`
Please visit the following URL to authenticate this device https://sso.redhat.com/auth/realms/..
Traceback (most recent call last):
File "/root/sos-main/sos/deviceauth.py", line 265, in persist_refresh_token
'sos-tools_refresh_token')
File "/root/sos-main/sos/keyring.py", line 363, in search
key.id = key._keyctl.get_id_from_name(name)
File "/root/sos-main/sos/keyring.py", line 175, in get_id_from_name
raise KeyNotFoundError(keyname=name)
sos.keyring.KeyNotFoundError: Key ('sos-tools_refresh_token') does not exists in the kernel keyring.

 During handling of the above exception, another exception occurred:
  
Traceback (most recent call last):
  File "bin/sos", line 22, in <module>
    sos.execute()
  File "/root/sos-main/sos/__init__.py", line 193, in execute
    self._component.execute()
  File "/root/sos-main/sos/report/__init__.py", line 1820, in execute
    self.prework()
  File "/root/sos-main/sos/report/__init__.py", line 1197, in prework
    self.policy.pre_work()
  File "/root/sos-main/sos/policies/distros/__init__.py", line 316, in pre_work
    self.prompt_for_upload_user()
  File "/root/sos-main/sos/policies/distros/redhat.py", line 270, in prompt_for_upload_user
    RHELAuth = AuthClass()
  File "/root/sos-main/sos/deviceauth.py", line 74, in __init__
    self._use_device_code_grant()
  File "/root/sos-main/sos/deviceauth.py", line 91, in _use_device_code_grant
    self.poll_for_auth_completion()
  File "/root/sos-main/sos/deviceauth.py", line 152, in poll_for_auth_completion
    raise e
  File "/root/sos-main/sos/deviceauth.py", line 144, in poll_for_auth_completion
    self._set_token_data(check_auth_completion.json())
  File "/root/sos-main/sos/deviceauth.py", line 172, in _set_token_data
    self.persist_refresh_token()
  File "/root/sos-main/sos/deviceauth.py", line 269, in persist_refresh_token
    'sos-tools_refresh_token', self._refresh_token)
  File "/root/sos-main/sos/keyring.py", line 381, in add
    keyid = self._keyctl.add_key(name, data)
  File "/root/sos-main/sos/keyring.py", line 230, in add_key
    self.keytype, name, self.keyring], data)
  File "/root/sos-main/sos/keyring.py", line 161, in _system
    errmsg="({}){} {}".format(ret, err, out))
TypeError: KeyctlOperationError does not take keyword arguments

`

and I get this permanently.

I bet I did an unsupported action :), just are we OK if above uncaught exceptions will pop up? (should not we just log them and abort the upload..?)

(just a side note: nice work with the Auth class as keyctl wrapper class)

[jcastill]

and I get this permanently.

I'll check this. I'm interested to know if the problem goes away when you get a login into a new session, but it looks like you cannot upload sos anymore after this error?

I bet I did an unsupported action :), just are we OK if above uncaught exceptions will pop up? (should not we just log them and abort the upload..?)

I think the code should be robust enough to deal with the user explicitly removing session keys. So I'll rework the code to deal better with this and upload again. Thank you for testing!

[pmoravec]

The tests on Ubuntu are repeatedly failing with e.g.:

 (263/298) tests/report_tests/plugin_tests/sudo/sudo.py:SudoPluginTest.test_sudo_conf_collected:  ERROR:
WARNING: Unable to read configuration file /etc/sos/sos.conf : No such file or directory
Could not initialize 'report': 'NoneType' object is not iterable

ERROR: Command failed, see output above: 'sos report -v --batch --tmp-dir /var/tmp/avocado_4p7_c3vlsos_tests.py.SudoPluginTest -o sudo' (1.49 s)

but the log archive does not contain any details (esp. traceback is missing).

Can somebody with Ubuntu at hand check it?

[TurboTurtle]

Comments below. Beyond those, this seems to entirely break execution on Ubuntu as currently written, which obviously is a non-starter by itself.

[TurboTurtle]

This whole bit is rather over-engineered for what is ultimately needed - saving a short-lived expiring token. If there were other use cases at hand, perhaps this would be more viable, but there aren't. Beyond that, it adds an otherwise unnecessary dependency and operates on shell-out, which is something this project has actively and consciously tried to reduce in recent years in favor of native-python wherever possible (see our compression and decompression flows, for instance). A far more direct and more maintainable approach would be to simply save the token, salt it with whatever unique-to-the-host information we desire, and save it to disk in a well-known and secured location. These aren't massively sensitive keys we're dealing with.

[jcastill]

The original approach was to use local storage, but the Red Hat security team asked us to use session-keys via keyctl in both redhat-suppor-tool and sos, and that's the reason why we used keyctl.

[jcastill]

and I get this permanently.

I bet I did an unsupported action :), just are we OK if above uncaught exceptions will pop up? (should not we just log them and abort the upload..?)

(just a side note: nice work with the Auth class as keyctl wrapper class)

Actually it looks like there's not much we can do after revoking. I.e.:

[root@localhost sos_auth]# keyctl show @s
Keyring
  70757128 --alswrv      0     0  keyring: _ses
 405679211 --alswrv      0 65534   \_ keyring: _uid.0
 350348290 --alswrv      0     0   \_ user: sos-tools-user
  64290018 --alswrv      0     0   \_ user: sos-tools_refresh_token
[root@localhost sos_auth]# keyctl revoke @s
[root@localhost sos_auth]# keyctl show @s
Keyring
Unable to dump key: Key has been revoked
[root@localhost sos_auth]# keyctl add user mykey stuff @s
add_key: Key has been revoked

The only way to add keys or do anything else with the keyring seems to be to log out and in again, so the session is re-established. But I think I can improve the error log when the revoke occurs.

[jcastill]

I've done some tests with Ubuntu and snaps and after reproducing the issue that was failing the tests, I think I managed to solve the problem (at least, locally).

[pmoravec]

One user experience question): Current flow is:

# python3 bin/sos report --upload -o qpid --case-id 12345
..
No changes will be made to system configuration.

Press ENTER to continue, or CTRL-C to quit.

The option --upload-user has been deprecated in favour of device authorization
Please visit the following URL to authenticate this device https://sso.redhat.com/auth/realms/redhat-external/device?user_code=ABCDEFGH

 Setting up archive ...
 Setting up plugins ...
 Running plugins. Please wait ...
..
Your sosreport has been generated and saved in:
	    /var/tmp/sosreport-pmoravec-rhel8-02732787-2023-10-18-xucgdsf.tar.xz
..
Please send this file to your support representative.

Attempting upload to Red Hat Customer Portal
Uploaded archive successfully
# 

So we ask for auth token before we even start to generate the report. If generating the report takes say 10 minutes, then the token might get expired ( key_refresh_token.set_timeout(self._refresh_expires_in - 300))..?

[jcastill]

One user experience question): Current flow is:

[...]

So we ask for auth token before we even start to generate the report. If generating the report takes say 10 minutes, then the token might get expired ( key_refresh_token.set_timeout(self._refresh_expires_in - 300))..?

This is a very good point. I think we have two, maybe three options:
a- We increase the token times to 15/20/30 minutes? Could this help in cases of collect + upload when there are many sos to be gathered?
b- We change the logic to generate the token only after the report has been created.
c- We print a message if the token has expired while the report has been generated. I'm not sure I like this option to be honest.

[pmoravec]

I was thinking on this to some extent and there are two opposite approaches: either move any upload querying steps after sosreport is generated (logically only then they are needed) - or insist on the approach "during interactive session (no --batch), ask for everything at the beginning and dont bother the user later on".

The "move user interaction wrt upload to the end" is option b), the "ask for everything at the beginning" is the option a).

No strong preference here, either a) or b) is good to me. Just b) should be coherent in either scenario, like asking for username/password for upload when basic auth is required - that would be extra nontrivial change.

So I lean a bit to increasing the timeout here (and optionally do the user interaction change altogether later on, if we decide so?).

[jcastill]

So I lean a bit to increasing the timeout here (and optionally do the user interaction change altogether later on, if we decide so?).

I think there may be an easier solution. I'm testing it now.

[jcastill]

New version pushed with:

• Fixes to capture the situation when the key has been revoked, and
• Delay token creation so we can deal with sos reports that take longer than the token timeout.

[jcastill]

Now, lets see if I can answer your points Jake:

This whole bit is rather over-engineered for what is ultimately needed - saving a short-lived expiring token. If there were other use cases at hand, perhaps this would be more viable, but there aren't.

You are completely right - this class is basically implementing a whole framework to use keyctl. Unfortunately, the requirements we got don't give us much room. Basically the main requirement is to use in-memory token storage instead of local storage, and we can do that only with keyctl. The problem with this is, there's no keyctl native-python implementation we can use, so we have to do everything from scratch.

But also, it is a bit more than just saving a short lived expiring token. Since we have to use the Linux kernel keyring, we need to be able to save keys, update them, remove them, set timeouts, set permissions, search, etc. That we have no native way to do this, and we need to call shell commands instead, is very unfortunate.

Beyond that, it adds an otherwise unnecessary dependency

If the unnecessary dependency that you mention is about having keyutils installed, that dependency is only enforced when an user wants to upload the report from a RHEL system. In any other scenario, the dependency doesn't exist.

and operates on shell-out, which is something this project has actively and consciously tried to reduce in recent years in favor of native-python wherever possible (see our compression and decompression flows, for instance).

That's part of the problem - as I mentioned, there's no native-python available. There was a keyctl project (https://pypi.org/project/keyctl/ ) that as far as I know, applies to python 2.7. If there's a native python keyctl that we can use available somewhere, that I've missed, I'm more than happy to discard this class.

A far more direct and more maintainable approach would be to simply save the token, salt it with whatever unique-to-the-host information we desire, and save it to disk in a well-known and secured location. These aren't massively sensitive keys we're dealing with.

We've been specifically requested not to store the tokens locally in the filesystem, and the alternative suggested was storing the tokens in memory via the Linux Kernel keyring.

I acknowledge that this is not the best implementation possible, but also that's the best we can do with the restrictions we've been imposed when it comes to managing tokens and uploading sos reports to the Red Hat Customer Portal. Hopefully this is more a temporary solution while we get some native keyctl in python, and when that happens I'll send a PR removing the whole class.

[TurboTurtle]

As this is a large item I will need to set aside some time to review it later.

[TurboTurtle]

My specific concerns follow below, however I am still not wanting to add more shell-out reliance for the reasons I've stated previously.

Shell-out by nature is fragile and prone to breaking, at least moreso than if a proper API was leveraged for something like this. If usingkeyctl is a hard requirement from some external (to sos that is) team, then that team should provide an alternative that isn't simply painting over the lack of proper support for the requested function.

[TurboTurtle]

Add a specific note that this is for RHEL here, not sos generally.

[jcastill]

Will change this.

[TurboTurtle]

Ditto, this deprecation is RHEL-specific.

[jcastill]

Ack, will change this.

[TurboTurtle]

Please provide a reference to redhat-support-tool code for this.

[jcastill]

The code hasn't been merged yet, it's still under review, but as soon as it's done I'll reference it here.

[TurboTurtle]

After very brief reviewing, this is nearly a complete lift from python-keyctl. In many places it is a line for line copy - the identifiers, methods, flow, naming convention, etc... are largely identical.

I realize this tool is Open Source, but it seems disingenuous to simply say whatever follows is "based on something that is based on something else" when there is clearly more at play there. While this may not run afoul of the letter of the GPL, to me it walks a very fine line on the spirit of it. However, that is then complicated by the decision to slap a copyright line on this which I am uncomfortable with to say the least.

I am unwilling to move the project forward with this until this gets cleared up by @sosreport/team-red-hat

[jcastill]

Indeed, as I referenced before, https://github.com/tuxberlin/python-keyctl and https://pypi.org/project/keyctl/ are the original sources of the keyctl implementation in Python. It was written with Python 2.7 in mind, so we couldn't use the code directly in redhat-support-tool and in sos. The project has been abandoned for some time, but the code works for the most part - it doesn't make sense to reinvent the wheel, given this context.

Could you please clarify what do you mean when you say that there is clearly more at play there? The code has been adapted to this PR, and at the same time where it was taken from has been referenced. There has never been any intention to hide where the code was coming from originally, as you can see by my comments above. If there's a better way to reference the original code and author, I'm more than happy to change that - I'm still learning, and any suggestion will be very welcome, as always. For example, would adding the original creator in the copyright line be enough?

I look forward to further input from my colleagues in @sosreport/team-red-hat

[jcastill]

Shell-out by nature is fragile and prone to breaking, at least moreso than if a proper API was leveraged for something like this.

As I mentioned previously, this is not supposed to be a permanent change - rather, it's a first step or stage, and we want to use sos builtins to change the functon _system() in keyring.py for something closer to the sos way and style. But it is going to take a bit of time implementing and testing to adapt what currently exists in sos code. On the other hand, I see this situation very similar to the upload_sftp() function in sos/policies/distros/init.py, where it's stated that:

	"""Attempts to upload the archive to an SFTP location.
    
	Due to the lack of well maintained, secure, and generally widespread
	python libraries for SFTP, sos will shell-out to the system's local ssh
	installation in order to handle these uploads.

	Do not override this method with one that uses python-paramiko, as the
	upstream sos team will reject any PR that includes that dependency.
	"""

In our case the approach taken by the use of _system() inside keyring.py is "due to the lack of well maintained, secure, and generally widespread python libraries for keyctl, sos will need to shell-out to the system's local keyctl installation in order to handle these authorizations."

If usingkeyctl is a hard requirement from some external (to sos that is) team, then that team should provide an alternative that isn't simply painting over the lack of proper support for the requested function.

There are no alternatives to this, unfortunately. We've been investigating how to make this new requirement for uploads work in a sos way, and the only way for now is to take the old code for keyctl and adapt it (providing appropriate atribution to the original author and code) to our needs at the moment. Without this change, customers using RHEL won't be able to upload files to support.

[pmoravec]

The shell-out reliance
From say philosophical point of view, yes. We should not have it. From pragmatic point of view: if the hard requirement is "use keyctl only" and there is no Python library for it, what can be done? Should we wait for(ever) to have the library implemented? Implement it on its own? (that sounds good approach to me, I think that library deserves to exist - though how much time and resources it needs for an implementation? I have no idea..).

And we are here in really very similar situation like with SSHControlPersist class that also calls subprocess.Popen for ssh. Since there is no native library for it in Python. Also for a not-critical but important feature of sos.

And my gut feeling is, ssh can get hang for much more various reasons than some local tool manipulating with secure tokens in kernel memory.

Also, from user perspective, sos collect hung when running sosreport on external system is worse user experience than sos --upload hung during an attempt to upload the tarball somewhere - here there are alternatives in manually uploading the file to Red Hat support.

a complete lift from python-keyctl
More cleaner approach would be having that tool as a dependency or deliver it under sos as well. But then 1) we would have to keep an eye on future changes of the tool, if it affects us or not, 2) have another dependency we would like to avoid. So not a better option..? Or what option would you see as better, @TurboTurtle ? If some credits to the implementation is the concern - asking the author for proper way of credits/appreciation in sos code seems the solution here. Does it sound acceptable?

From a constructive perspective: what approach would be acceptable? So far we have heard just "not this way" pieces of feedback while we sometimes don't see a better approach. And all is for a request "store tokens via keyctl" that must have some acceptable solution - so what approach is better, then? I am all in to have something better(*), if there will be a consensus..

(*) I mean: the current PR is acceptable though maybe not ideal. If there is something better, let use it. If nobody sees a better solution, let use the current one.

Also, another angle to view this PR: it is for a use case that affects just Red Hat support. All (three) people involved in this PR from Red Hat support sees / acknowledges the implementation as good enough. No harm outside Red Hat can happen, right..?

[jcastill]

Latest update - there's no keyring.py anymore. With this PR, we don't store tokens at all, and as a result users will need to request a new one every time they want to upload to Red Hat Customer Portal.
No more shell-out either.

[pmoravec]

Here we assume http upload is the default, and we can failover from http to sftp only (but not vice versa). That is correct assumption and I dont expect something changes here - just in (the purely speculative) case we change the default to "sftp, if fails then http", we would have to modify this code (or move else-where to upload_http).

ACK as is now, just a comment about hidden assumption the code relies on (and works fine, as I tested).

[pmoravec]

Just the two instances of redundant code, otherwise all good. Code looks good, all tests of all variants "let break this in the middle of that user story" passed.

@TurboTurtle , could you please review it now? :) Thanks a lot in advance.

[TurboTurtle]

Marking for later review.

[pmoravec]

Could we get this into 3.7, please? What it is blocked by?

[pmoravec]

Could we get this into 3.7, please? What it is blocked by?

FYI the feature has been successfully verified by a few independent people within Red Hat, in various scenarios we have figured out. So for the RedHat specific stuff, we can grant it will work well.

The feedback about over-engineering and shell out has been accepted - the current proposal does not follow that approach. Just a different call flow (with working with tokens returned from RH API but not even storing them to the disk or other tool) is the matter of the PR.

The changes behind the PR are of a medium size. Something the community has provided some feedback within a few weeks almost every time in past.

Could you @arif-ali or @TurboTurtle review the PR or state if it is feasible to get it to 4.7 ? Or any other ETA of a review / feedback / whatever? I dont understand the silence here..

[TurboTurtle]

I simply do not have the same amount of time to spend on reviews as I previously had, as my professional priorities have been changed on me.

I can probably look through this later this week.

[arif-ali]

to me, it looks ok code wise. I don't have the knowledge of the RH side to say if it is functionally working or not. As @pmoravec has suggested this has been tested within RH by separate individuals, so I am basing this on that

[pmoravec]

Fixed by dd2e395.