Bug 1641830

Summary: additional files in /etc/crypto-policies/local.d do not get appended
Product: [Fedora] Fedora
Reporter: Michael Riss <Michael.Riss>
Component: crypto-policies
Assignee: Red Hat Crypto Team <crypto-team>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 29
CC: crypto-team, lef, nmavrogi, tmraz
Hardware: x86_64   
OS: Linux   
Fixed In Version: crypto-policies-20181026-1.gitd42aaa6.fc29
Last Closed: 2018-11-03 00:01:21 UTC
Type: Bug

Description Michael Riss 2018-10-22 22:26:12 UTC
Description of problem:

`update-crypto-policies --set <policy>` should create the files and symbolic links in /etc/crypto-policies/back-ends.
If there is a file of the form $app-XXX.config in /etc/crypto-policies/local.d
it's supposed to be appended to the policy file of $app.

Currently, this does not work; local custom files get ignored.


Version-Release number of selected component (if applicable):
crypto-policies-20180925-1.git71ca85f.fc29


How reproducible:

Steps to Reproduce:
1. place a custom file in /etc/crypto-policies/local.d, e.g. 
  /etc/crypto-policies/local.d/gnutls-test.config, fill it with some
  string, e.g. 
  "OPENCONNECT=NONE:+DHE-RSA:+AES-256-CBC:+SHA256:+VERS-TLS1.2:+SIGN-RSA-SHA256"
2. run `update-crypto-policies --set DEFAULT`
3. /etc/crypto-policies/back-ends/gnutls.config should now contain the content
  of /usr/share/crypto-policies/DEFAULT/gnutls.txt and appended 
  "OPENCONNECT=NONE:+DHE-RSA:+AES-256-CBC:+SHA256:+VERS-TLS1.2:+SIGN-RSA-SHA256"
  but it's just a link to /usr/share/crypto-policies/DEFAULT/gnutls.txt


Actual results:
The custom configuration files don't get included.


Expected results:
The custom configuration files should get included.


Additional info:
I believe the culprit is in /usr/bin/update-crypto-policies in line 90:
```
	if test -z $(ls "$local_dir/$basefile-*.config" 2>/dev/null);then
```
Here, the glob symbol * gets used within quotation marks and this does not expand. Therefore the local customization file isn't found and the code branch
for appending it does not get executed.
I think the quotation marks are intended to catch the case that someone uses 
custom configuration files with white spaces in the file name.
In this case I propose
```
	if test -z "$(ls $local_dir/$basefile-*.config 2>/dev/null)";then
```
This way `test -z` gets a quoted string that can contain white spaces and the
glob within also works. But please take a critical look at it yourself, I might
have misunderstood what was intended with the quotes.
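
The quoting behaviour described in this report can be reproduced on a scratch directory. The script below is an added example, not code from crypto-policies or from the reporter beyond the two `test -z` lines quoted above; the function names, the fixture layout and the third glob-loop variant are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: three ways to test for local.d overrides, run on a scratch
# directory. All paths and file contents here are constructed for the demo.

# The check as quoted from line 90: the glob sits inside double quotes, so ls
# receives the literal name "<base>-*.config" and prints nothing; test -z with
# no operand is then true, and the override is reported as absent.
has_local_quoted() {   # $1 = local.d directory, $2 = back-end base name
    if test -z $(ls "$1/$2-*.config" 2>/dev/null); then return 1; fi
    return 0
}

# The check as proposed in the report: the glob is unquoted and expands; the
# command substitution is quoted, so test -z always sees exactly one word.
has_local_proposed() {
    if test -z "$(ls $1/$2-*.config 2>/dev/null)"; then return 1; fi
    return 0
}

# Alternative (an assumption, not the shipped fix): quote the variables, leave
# only the glob unquoted, and test the matches directly instead of parsing ls.
has_local_glob() {
    for f in "$1/$2"-*.config; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Scratch local.d: two gnutls overrides (one with a space in its name) and
# none for openssl.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/local.d"
    echo "# constructed override" > "$d/local.d/gnutls-test.config"
    echo "# constructed override" > "$d/local.d/gnutls-site override.config"
    echo "$d"
}

demo() {
    root=$(make_fixture) || return 1
    for check in has_local_quoted has_local_proposed has_local_glob; do
        for app in gnutls openssl; do
            if "$check" "$root/local.d" "$app"; then r=found; else r=none; fi
            echo "$check $app: $r"
        done
    done
    rm -rf "$root"
}
demo
```

The quoted-glob variant reports `none` for both back ends, which is why the back-end file stays a plain symlink to the packaged policy and the local override is silently dropped.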

Comment 1 Fedora Update System 2018-10-26 09:54:37 UTC
crypto-policies-20181026-1.gitd42aaa6.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd3e06a89a

Comment 2 Fedora Update System 2018-10-31 18:49:22 UTC
crypto-policies-20181026-1.gitd42aaa6.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd3e06a89a

Comment 3 Fedora Update System 2018-11-03 00:01:21 UTC
crypto-policies-20181026-1.gitd42aaa6.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.