Description of problem: Each rule will have a signature that we need to verify before playbook is run
Fix was merged in upstream and released in receptor-satellite-1.3.0
Since this belongs to a 6.9 aha card[1], could we get sat-6.9.0+?
[1] - https://redhatmbu.aha.io/epics/SAT-E-600
To implement this, receptor-satellite started to depend on insights-core (see [1]). Judging from the following stacktrace, it seems that we missed the dependency in packaging:

```
# receptor --debug --node-id controller -d /tmp/controller node --listen=receptor://0.0.0.0:8888
ERROR 2021-01-11 11:54:02,282 controller __main__ main: an error occured while running receptor
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/receptor/entrypoints.py", line 43, in run_as_node
    controller = Controller(config)
  File "/usr/lib/python3.6/site-packages/receptor/controller.py", line 19, in __init__
    self.receptor = Receptor(config)
  File "/usr/lib/python3.6/site-packages/receptor/receptor.py", line 46, in __init__
    self.work_manager = (work_manager_cls or WorkManager)(self)
  File "/usr/lib/python3.6/site-packages/receptor/work.py", line 20, in __init__
    work_info.info(dict(plugins=str(self.get_capabilities())))
  File "/usr/lib/python3.6/site-packages/receptor/work.py", line 36, in get_capabilities
    for x in pkg_resources.iter_entry_points('receptor.worker')
  File "/usr/lib/python3.6/site-packages/receptor/work.py", line 36, in <dictcomp>
    for x in pkg_resources.iter_entry_points('receptor.worker')
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2324, in resolve
    module = __import__(self.module_name, fromlist=['__name__'], level=0)
  File "/usr/lib/python3.6/site-packages/receptor_satellite/worker.py", line 9, in <module>
    from .run import Run
  File "/usr/lib/python3.6/site-packages/receptor_satellite/run.py", line 3, in <module>
    from . import playbook_verifier_adapter
  File "/usr/lib/python3.6/site-packages/receptor_satellite/playbook_verifier_adapter.py", line 1, in <module>
    from insights.client.apps.ansible.playbook_verifier import ( # noqa: F401
ModuleNotFoundError: No module named 'insights'
```

Moving this back to modified until we fix this as it is currently not qa-ready.
[1] - https://github.com/project-receptor/receptor-satellite/commit/b1b4fe48b58e8aa4a97f87488dc593b34adbfabf
The original commit adding the dependency is https://github.com/project-receptor/receptor-satellite/commit/1c0c8e3b3d58fe09152f907ef9a56563ca3ce609, but we currently don't package/ship that…
https://pypi.org/project/insights-core/ needs packaging
Tried with Sat 6.10.0 snap 20.0. When I use a playbook with the correct signature, it works. When I use a playbook with an incorrect signature, there are two possibilities:

1) It's "correctly" incorrect, the verifier returns that it's incorrect, receptor shows error and doesn't run the playbook.
2) It's "incorrectly" incorrect, verifier fails to load it, but doesn't indicate it, shows some traceback on stdout, and receptor reacts by running the playbook containing that traceback instead of actual playbook contents:

```
Playbook Verification has started
Fatal error
Traceback (most recent call last):
  File "/var/lib/insights/last_stable.egg/insights/client/phase/v1.py", line 32, in _f
    func(client, config)
  File "/var/lib/insights/last_stable.egg/insights/client/phase/v1.py", line 299, in collect_and_output
    runpy.run_module(config.module)
  File "/usr/lib64/python2.7/runpy.py", line 180, in run_module
    fname, loader, pkg_name)
  File "/usr/lib64/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/var/lib/insights/last_stable.egg/insights/client/apps/ansible/playbook_verifier/__main__.py", line 28, in <module>
    sys.stderr.write(e.message)
TypeError: expected a character buffer object
Playbook Verification has started
All templates successfully validated
```

So, verifier shouldn't have crashed and receptor shouldn't have attempted to run a playbook when the signature verification failed. This seems like mostly an issue in insights-client since it doesn't properly indicate the failure. I can imagine this can be abused to run a playbook with incorrect signature, e.g. by forging it into the traceback. Even if not, right now I'm able to run a job that, although it fails, it should have never run in the first place.

This can be reproduced by running two receptors locally and sending the data from one to another. Example playbook with "incorrectly" incorrect signature attached privately.
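Added example, not part of the comment above and not receptor-satellite or insights-client code: a fail-closed way for a caller to consume a signature verifier, so that a verifier crash like the one reported cannot turn into a runnable playbook. It assumes a hypothetical verifier that reads the playbook on stdin and echoes it unchanged to stdout on success; `verified_playbook` and the stand-in verifier commands are constructed for illustration, and the crash stand-in assumes the crash still ends with a success exit status.

```python
import subprocess
import sys


class VerificationError(Exception):
    """Raised whenever the playbook must not be run."""


def verified_playbook(verifier_cmd, playbook: bytes, timeout=30) -> bytes:
    """Return the playbook only if the verifier clearly succeeded; otherwise raise."""
    try:
        proc = subprocess.run(verifier_cmd, input=playbook, timeout=timeout,
                              stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    except (OSError, subprocess.TimeoutExpired) as exc:
        raise VerificationError(f"verifier did not run: {exc}") from exc
    if proc.returncode != 0:
        raise VerificationError(f"verifier exited with status {proc.returncode}")
    # Exit status alone is not trusted: a verifier that crashes but still exits 0
    # would otherwise hand its traceback to the runner as "the playbook".
    if proc.stdout != playbook:
        raise VerificationError("verifier output is not the submitted playbook")
    return playbook  # run the bytes that were verified, never arbitrary stdout


def _fake(script):
    """Constructed stand-in for a verifier binary (hypothetical, for the demo only)."""
    return [sys.executable, "-c", script]


OK = _fake("import sys; sys.stdout.buffer.write(sys.stdin.buffer.read())")
REJECT = _fake("import sys; sys.stderr.write('signature mismatch\\n'); sys.exit(1)")
CRASH_EXIT_0 = _fake("print('Playbook Verification has started'); "
                     "print('Fatal error'); print('Traceback (most recent call last):')")

PLAYBOOK = b"- hosts: localhost\n  tasks: []\n"  # constructed sample input


def outcome(cmd):
    """Report whether a runner using verified_playbook() would run the playbook."""
    try:
        verified_playbook(cmd, PLAYBOOK)
        return "run"
    except VerificationError as exc:
        return f"refused: {exc}"


if __name__ == "__main__":
    for name, cmd in (("ok", OK), ("reject", REJECT), ("crash", CRASH_EXIT_0)):
        print(name, "->", outcome(cmd))
```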
Verified with Sat 6.10.0 snap 24.0, receptor-0.6.4-2, insights-client-3.1.5-1, Insights Core 3.0.249-1 and /etc/insights-client/rpm.egg with the md5 hash of cbdcbfdc97a5b2db397f164a15aa6900. Tried all the variants mentioned in comment 13, tried multiple-playbook files with only some playbooks failed (none should run in that case), everything works as expected.