Merge ~ahasenack/ubuntu/+source/ubuntu-advantage-tools:disco-v18-update into ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel
Status: | Merged |
---|---|
Approved by: | Robie Basak |
Approved revision: | 7245b89d3e844a8bf836199330308920dfdc84fe |
Merged at revision: | 7245b89d3e844a8bf836199330308920dfdc84fe |
Proposed branch: | ~ahasenack/ubuntu/+source/ubuntu-advantage-tools:disco-v18-update |
Merge into: | ubuntu/+source/ubuntu-advantage-tools:ubuntu/devel |
Diff against target: |
994 lines (+705/-12) 16 files modified
README.md (+2/-0)
debian/changelog (+13/-0)
keyrings/ubuntu-securitybenchmarks-keyring.gpg (+0/-0)
modules/service-cc.sh (+75/-0)
modules/service-cis.sh (+75/-0)
modules/service-livepatch.sh (+14/-2)
modules/service.sh (+9/-1)
tests/fakes.py (+20/-0)
tests/test_cc.py (+186/-0)
tests/test_cisaudit.py (+187/-0)
tests/test_livepatch_motd.py (+14/-0)
tests/test_script.py (+20/-0)
tests/testing.py (+26/-1)
ubuntu-advantage (+23/-7)
ubuntu-advantage.1 (+35/-1)
update-motd.d/80-livepatch (+6/-0) |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Christian Ehrhardt (community) | Approve | ||
Canonical Server | Pending | ||
Review via email: mp+361749@code.launchpad.net |
Commit message
Description of the change
Bileto ticket and ppa: https:/
The package build runs unit tests, way more comprehensive than the dep8 tests.
This contains all the changes since v17 (available in disco) to what is in the master branch on github, effectively bringing the code in sync. I used git rebase to transport the github commits onto the ubuntu package git repo.
If reviewing each commit, what will complicate things a bit is the revert of "Merge pull request #147 from panlinux/
Christian Ehrhardt (paelzer) wrote : | # |
Andreas Hasenack (ahasenack) wrote : | # |
I'll fix that here.
Andreas Hasenack (ahasenack) wrote : | # |
Updated and pushed. There are other mentions of "PPA" elsewhere in the code (status messages, that kind of thing), but changing those is a bigger chunk of work as it also affects tests and UI. I would prefer to change that in a later version. The PPA change you noted in the help output was indeed an oversight and what I did is just a continuation of https:/
I also updated the README.md file regarding the CIS audit tool. No URL for it yet, though, so I'll just leave it mentioned.
Christian Ehrhardt (paelzer) wrote : | # |
Thanks, the packaging and the changes in general LGTM
Andreas Hasenack (ahasenack) wrote : | # |
Tagged and uploaded.
Preview Diff
1 | diff --git a/README.md b/README.md | |||
2 | index f18d214..b217889 100644 | |||
3 | --- a/README.md | |||
4 | +++ b/README.md | |||
5 | @@ -9,6 +9,8 @@ Currently it supports the following: | |||
6 | 9 | - [Ubuntu Extended Security Maintenance](https://ubuntu.com/esm) archive. | 9 | - [Ubuntu Extended Security Maintenance](https://ubuntu.com/esm) archive. |
7 | 10 | - [Canonical Livepatch](https://www.ubuntu.com/server/livepatch) service for managed live kernel patching. | 10 | - [Canonical Livepatch](https://www.ubuntu.com/server/livepatch) service for managed live kernel patching. |
8 | 11 | - Canonical FIPS 140-2 Certified Modules. Install Configure and Enable FIPS modules. | 11 | - Canonical FIPS 140-2 Certified Modules. Install Configure and Enable FIPS modules. |
9 | 12 | - Canonical Common Criteria EAL2 certification artifacts provisioning | ||
10 | 13 | - Canonical CIS Ubuntu Benchmark Audit tool | ||
11 | 12 | 14 | ||
12 | 13 | Run | 15 | Run |
13 | 14 | 16 | ||
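Review bot: The two added list items (Common Criteria EAL2 and CIS Ubuntu Benchmark Audit tool) have no link and no trailing period, unlike the three entries above them. Add the periods now for consistency, and link each item once a public URL exists.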
14 | diff --git a/debian/changelog b/debian/changelog | |||
15 | index 39ea084..6b4db06 100644 | |||
16 | --- a/debian/changelog | |||
17 | +++ b/debian/changelog | |||
18 | @@ -1,3 +1,16 @@ | |||
19 | 1 | ubuntu-advantage-tools (18) disco; urgency=medium | ||
20 | 2 | |||
21 | 3 | [ Andreas Hasenack ] | ||
22 | 4 | * Have ua status cope with the additional livepatch status of running a | ||
23 | 5 | kernel that is not supported for livepatches. | ||
24 | 6 | |||
25 | 7 | [ Vineetha Kamath ] | ||
26 | 8 | * Add support to common criteria EAL2 artifacts installation #144 | ||
27 | 9 | * Add new flag enable-cisaudit to support cis audit | ||
28 | 10 | * Add support for disable-cc-provisioning | ||
29 | 11 | |||
30 | 12 | -- Andreas Hasenack <andreas@canonical.com> Mon, 14 Jan 2019 16:39:31 -0200 | ||
31 | 13 | |||
32 | 1 | ubuntu-advantage-tools (17) bionic; urgency=medium | 14 | ubuntu-advantage-tools (17) bionic; urgency=medium |
33 | 2 | 15 | ||
34 | 3 | * New upstream release (LP: #1759280): | 16 | * New upstream release (LP: #1759280): |
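Review bot: The version 18 entry is incomplete relative to the rest of this diff: it lists enable-cisaudit and disable-cc-provisioning but not the matching disable path for the CIS audit tool (cisaudit_disable in modules/service-cis.sh), and it omits the change to livepatch_print_status that strips empty lines from the status output. Please add both, and qualify the bare "#144" so that a reader of the package changelog can tell which tracker it refers to.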
35 | diff --git a/keyrings/ubuntu-cc-keyring.gpg b/keyrings/ubuntu-cc-keyring.gpg | |||
36 | 4 | new file mode 100644 | 17 | new file mode 100644 |
37 | index 0000000..d00f63f | |||
38 | 5 | Binary files /dev/null and b/keyrings/ubuntu-cc-keyring.gpg differ | 18 | Binary files /dev/null and b/keyrings/ubuntu-cc-keyring.gpg differ |
39 | diff --git a/keyrings/ubuntu-securitybenchmarks-keyring.gpg b/keyrings/ubuntu-securitybenchmarks-keyring.gpg | |||
40 | 6 | new file mode 100644 | 19 | new file mode 100644 |
41 | index 0000000..e69de29 | |||
42 | --- /dev/null | |||
43 | +++ b/keyrings/ubuntu-securitybenchmarks-keyring.gpg | |||
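Review bot: keyrings/ubuntu-securitybenchmarks-keyring.gpg is added as an empty file: the index line reads 0000000..e69de29, which is git's empty blob, and the file summary lists it as (+0/-0), whereas ubuntu-cc-keyring.gpg is added as a binary file. modules/service-cis.sh passes this file to apt_add_repo as the key for the security-benchmarks repository, so apt would get no key from it to verify that repository's signatures. Commit the real public keyring before this ships, and consider a test that fails when a shipped keyring file is zero bytes.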
44 | diff --git a/modules/service-cc.sh b/modules/service-cc.sh | |||
45 | 7 | new file mode 100644 | 20 | new file mode 100644 |
46 | index 0000000..2995c33 | |||
47 | --- /dev/null | |||
48 | +++ b/modules/service-cc.sh | |||
49 | @@ -0,0 +1,75 @@ | |||
50 | 1 | # shellcheck disable=SC2034,SC2039 | ||
51 | 2 | |||
52 | 3 | CC_PROVISIONING_SERVICE_TITLE="Canonical Common Criteria EAL2 Provisioning" | ||
53 | 4 | CC_PROVISIONING_SUPPORTED_SERIES="xenial" | ||
54 | 5 | CC_PROVISIONING_SUPPORTED_ARCHS="x86_64 ppc64le s390x" | ||
55 | 6 | |||
56 | 7 | CC_PROVISIONING_REPO_URL="https://private-ppa.launchpad.net/ubuntu-advantage/commoncriteria" | ||
57 | 8 | CC_PROVISIONING_REPO_KEY_FILE="ubuntu-cc-keyring.gpg" | ||
58 | 9 | CC_PROVISIONING_REPO_LIST=${CC_PROVISIONING_REPO_LIST:-"/etc/apt/sources.list.d/ubuntu-cc-${SERIES}.list"} | ||
59 | 10 | CC_PROVISIONING_UBUNTU_COMMONCRITERIA="ubuntu-commoncriteria" | ||
60 | 11 | |||
61 | 12 | cc_provisioning_enable() { | ||
62 | 13 | local token="$1" | ||
63 | 14 | local result=0 | ||
64 | 15 | |||
65 | 16 | _cc_is_installed || result=$? | ||
66 | 17 | if [ $result -eq 0 ]; then | ||
67 | 18 | error_msg "Common Criteria artifacts are already installed and available in /usr/lib/common-criteria." | ||
68 | 19 | error_exit service_already_enabled | ||
69 | 20 | fi | ||
70 | 21 | |||
71 | 22 | check_token "$CC_PROVISIONING_REPO_URL" "$token" | ||
72 | 23 | apt_add_repo "$CC_PROVISIONING_REPO_LIST" "$CC_PROVISIONING_REPO_URL" "$token" \ | ||
73 | 24 | "${KEYRINGS_DIR}/${CC_PROVISIONING_REPO_KEY_FILE}" | ||
74 | 25 | apt_install_package_if_missing_file "$APT_METHOD_HTTPS" apt-transport-https | ||
75 | 26 | apt_install_package_if_missing_file "$CA_CERTIFICATES" ca-certificates | ||
76 | 27 | echo -n 'Running apt-get update... ' | ||
77 | 28 | check_result apt_get update | ||
78 | 29 | echo 'Ubuntu Common Criteria PPA repository enabled.' | ||
79 | 30 | |||
80 | 31 | echo -n 'Installing Common Criteria artifacts (this may take a while)... ' | ||
81 | 32 | # shellcheck disable=SC2086 | ||
82 | 33 | check_result apt_get install $CC_PROVISIONING_UBUNTU_COMMONCRITERIA | ||
83 | 34 | |||
84 | 35 | echo "Successfully prepared this machine to host the Common Criteria artifacts." | ||
85 | 36 | echo "Please follow instructions in /usr/share/doc/ubuntu-commoncriteria/README to configure EAL2 on the target machine(s)." | ||
86 | 37 | } | ||
87 | 38 | |||
88 | 39 | cc_provisioning_disable() { | ||
89 | 40 | if [ -f "$CC_PROVISIONING_REPO_LIST" ]; then | ||
90 | 41 | apt_remove_repo "$CC_PROVISIONING_REPO_LIST" "$CC_PROVISIONING_REPO_URL" \ | ||
91 | 42 | "$APT_KEYS_DIR/$CC_PROVISIONING_REPO_KEY_FILE" | ||
92 | 43 | echo -n 'Running apt-get update... ' | ||
93 | 44 | check_result apt_get update | ||
94 | 45 | echo 'Canonical Common Criteria EAL2 Provisioning Disabled.' | ||
95 | 46 | else | ||
96 | 47 | echo 'Canonical Common Criteria EAL2 Provisioning is not Enabled.' | ||
97 | 48 | fi | ||
98 | 49 | |||
99 | 50 | if apt_is_package_installed $CC_PROVISIONING_UBUNTU_COMMONCRITERIA; then | ||
100 | 51 | check_result apt_get remove $CC_PROVISIONING_UBUNTU_COMMONCRITERIA | ||
101 | 52 | echo 'Canonical Common Criteria EAL2 Artifacts Removed.' | ||
102 | 53 | fi | ||
103 | 54 | } | ||
104 | 55 | |||
105 | 56 | cc_provisioning_is_enabled() { | ||
106 | 57 | _cc_is_installed | ||
107 | 58 | } | ||
108 | 59 | |||
109 | 60 | cc_provisioning_print_status() { | ||
110 | 61 | echo "cc-provisioning: artifacts are in /usr/lib/common-criteria" | ||
111 | 62 | } | ||
112 | 63 | |||
113 | 64 | _cc_is_installed() { | ||
114 | 65 | apt_is_package_installed ubuntu-commoncriteria && return 0 | ||
115 | 66 | } | ||
116 | 67 | |||
117 | 68 | cc_provisioning_validate_token() { | ||
118 | 69 | local token="$1" | ||
119 | 70 | |||
120 | 71 | if ! validate_user_pass_token "$token"; then | ||
121 | 72 | error_msg 'Invalid token, it must be in the form "user:password"' | ||
122 | 73 | return 1 | ||
123 | 74 | fi | ||
124 | 75 | } | ||
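Review bot: _cc_is_installed hardcodes the package name (apt_is_package_installed ubuntu-commoncriteria) instead of using $CC_PROVISIONING_UBUNTU_COMMONCRITERIA, so the installed check and the install/remove calls can drift apart if the variable changes. Use the variable there and drop the trailing && return 0, which does not change the function's exit status. In cc_provisioning_disable the same variable is passed unquoted to apt_is_package_installed and apt_get remove without the shellcheck SC2086 exemption that cc_provisioning_enable carries; quoting it in all three places removes the need for the exemption.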
125 | diff --git a/modules/service-cis.sh b/modules/service-cis.sh | |||
126 | 0 | new file mode 100644 | 76 | new file mode 100644 |
127 | index 0000000..12fb3e4 | |||
128 | --- /dev/null | |||
129 | +++ b/modules/service-cis.sh | |||
130 | @@ -0,0 +1,75 @@ | |||
131 | 1 | # shellcheck disable=SC2034,SC2039 | ||
132 | 2 | |||
133 | 3 | CISAUDIT_SERVICE_TITLE="Canonical CIS Benchmark 16.04 Audit Tool" | ||
134 | 4 | CISAUDIT_SUPPORTED_SERIES="xenial" | ||
135 | 5 | CISAUDIT_SUPPORTED_ARCHS="x86_64 ppc64le s390x" | ||
136 | 6 | |||
137 | 7 | CISAUDIT_REPO_URL="https://private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks" | ||
138 | 8 | CISAUDIT_REPO_KEY_FILE="ubuntu-securitybenchmarks-keyring.gpg" | ||
139 | 9 | CISAUDIT_REPO_LIST=${CISAUDIT_REPO_LIST:-"/etc/apt/sources.list.d/ubuntu-cis-${SERIES}.list"} | ||
140 | 10 | CISAUDIT_UBUNTU_CISBENCHMARK="ubuntu-cisbenchmark-16.04" | ||
141 | 11 | |||
142 | 12 | cisaudit_enable() { | ||
143 | 13 | local token="$1" | ||
144 | 14 | local result=0 | ||
145 | 15 | |||
146 | 16 | _cisaudit_is_installed || result=$? | ||
147 | 17 | if [ $result -eq 0 ]; then | ||
148 | 18 | error_msg "CIS benchmark audit package is already installed and files are available in /usr/share/ubuntu-securityguides/$CISAUDIT_UBUNTU_CISBENCHMARK." | ||
149 | 19 | error_exit service_already_enabled | ||
150 | 20 | fi | ||
151 | 21 | |||
152 | 22 | check_token "$CISAUDIT_REPO_URL" "$token" | ||
153 | 23 | apt_add_repo "$CISAUDIT_REPO_LIST" "$CISAUDIT_REPO_URL" "$token" \ | ||
154 | 24 | "${KEYRINGS_DIR}/${CISAUDIT_REPO_KEY_FILE}" | ||
155 | 25 | apt_install_package_if_missing_file "$APT_METHOD_HTTPS" apt-transport-https | ||
156 | 26 | apt_install_package_if_missing_file "$CA_CERTIFICATES" ca-certificates | ||
157 | 27 | echo -n 'Running apt-get update... ' | ||
158 | 28 | check_result apt_get update | ||
159 | 29 | echo 'Ubuntu Security Benchmarks PPA repository enabled.' | ||
160 | 30 | |||
161 | 31 | echo -n 'Installing CIS audit benchmark tool (this may take a while)... ' | ||
162 | 32 | # shellcheck disable=SC2086 | ||
163 | 33 | check_result apt_get install $CISAUDIT_UBUNTU_CISBENCHMARK | ||
164 | 34 | |||
165 | 35 | echo "Successfully installed the CIS audit tool." | ||
166 | 36 | echo "Please follow instructions in /usr/share/doc/$CISAUDIT_UBUNTU_CISBENCHMARK/README to run the CIS audit tool on the target machine(s)." | ||
167 | 37 | } | ||
168 | 38 | |||
169 | 39 | cisaudit_disable() { | ||
170 | 40 | if [ -f "$CISAUDIT_REPO_LIST" ]; then | ||
171 | 41 | apt_remove_repo "$CISAUDIT_REPO_LIST" "$CISAUDIT_REPO_URL" \ | ||
172 | 42 | "$APT_KEYS_DIR/$CISAUDIT_REPO_KEY_FILE" | ||
173 | 43 | echo -n 'Running apt-get update... ' | ||
174 | 44 | check_result apt_get update | ||
175 | 45 | echo "Canonical CIS Benchmark 16.04 Audit Tool Repository Disabled." | ||
176 | 46 | else | ||
177 | 47 | echo 'Canonical CIS Benchmark 16.04 Audit Tool Repository is not Enabled.' | ||
178 | 48 | fi | ||
179 | 49 | |||
180 | 50 | if apt_is_package_installed $CISAUDIT_UBUNTU_CISBENCHMARK; then | ||
181 | 51 | check_result apt_get remove $CISAUDIT_UBUNTU_CISBENCHMARK | ||
182 | 52 | echo 'Canonical CIS Benchmark 16.04 Audit Tool Removed.' | ||
183 | 53 | fi | ||
184 | 54 | } | ||
185 | 55 | |||
186 | 56 | cisaudit_is_enabled() { | ||
187 | 57 | _cisaudit_is_installed | ||
188 | 58 | } | ||
189 | 59 | |||
190 | 60 | cisaudit_print_status() { | ||
191 | 61 | echo "cisaudit: files are in /usr/share/ubuntu-securityguides/$CISAUDIT_UBUNTU_CISBENCHMARK" | ||
192 | 62 | } | ||
193 | 63 | |||
194 | 64 | _cisaudit_is_installed() { | ||
195 | 65 | apt_is_package_installed $CISAUDIT_UBUNTU_CISBENCHMARK && return 0 | ||
196 | 66 | } | ||
197 | 67 | |||
198 | 68 | cisaudit_validate_token() { | ||
199 | 69 | local token="$1" | ||
200 | 70 | |||
201 | 71 | if ! validate_user_pass_token "$token"; then | ||
202 | 72 | error_msg 'Invalid token, it must be in the form "user:password"' | ||
203 | 73 | return 1 | ||
204 | 74 | fi | ||
205 | 75 | } | ||
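Review bot: This file is a near line-for-line copy of modules/service-cc.sh with only the variable prefix, URLs and messages changed, so every fix has to be made twice. Consider one shared enable/disable helper that takes the repo URL, list file, key file and package name as arguments. Within this file, cisaudit_disable passes $CISAUDIT_UBUNTU_CISBENCHMARK unquoted to apt_is_package_installed and apt_get remove, and the && return 0 in _cisaudit_is_installed is redundant. The service title and package name hardcode 16.04 while CISAUDIT_SUPPORTED_SERIES is a separate setting; a comment tying them together would help when another series is added.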
206 | diff --git a/modules/service-livepatch.sh b/modules/service-livepatch.sh | |||
207 | index 0e35020..d7e920d 100644 | |||
208 | --- a/modules/service-livepatch.sh | |||
209 | +++ b/modules/service-livepatch.sh | |||
210 | @@ -45,7 +45,7 @@ livepatch_disable() { | |||
211 | 45 | 45 | ||
212 | 46 | echo 'Disabling Livepatch...' | 46 | echo 'Disabling Livepatch...' |
213 | 47 | canonical-livepatch disable | 47 | canonical-livepatch disable |
215 | 48 | if [ "$remove_snap" ]; then | 48 | if [ -n "$remove_snap" ]; then |
216 | 49 | echo 'Removing the canonical-livepatch snap...' | 49 | echo 'Removing the canonical-livepatch snap...' |
217 | 50 | snap remove canonical-livepatch | 50 | snap remove canonical-livepatch |
218 | 51 | else | 51 | else |
219 | @@ -59,8 +59,20 @@ livepatch_is_enabled() { | |||
220 | 59 | canonical-livepatch status >/dev/null 2>&1 || return 1 | 59 | canonical-livepatch status >/dev/null 2>&1 || return 1 |
221 | 60 | } | 60 | } |
222 | 61 | 61 | ||
223 | 62 | livepatch_disabled_reason() { | ||
224 | 63 | local output | ||
225 | 64 | local result=0 | ||
226 | 65 | local unsupported_kernel_msg="is not eligible for livepatch updates" | ||
227 | 66 | |||
228 | 67 | output=$(canonical-livepatch status 2>&1) || result=$? | ||
229 | 68 | if echo "${output}" | grep -q "${unsupported_kernel_msg}"; then | ||
230 | 69 | echo " (unsupported kernel)" | ||
231 | 70 | fi | ||
232 | 71 | } | ||
233 | 72 | |||
234 | 62 | livepatch_print_status() { | 73 | livepatch_print_status() { |
236 | 63 | canonical-livepatch status | 74 | # remove empty lines |
237 | 75 | canonical-livepatch status | grep -vE '^[[:blank:]]*$' | ||
238 | 64 | } | 76 | } |
239 | 65 | 77 | ||
240 | 66 | livepatch_validate_token() { | 78 | livepatch_validate_token() { |
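Review bot: In livepatch_print_status, piping canonical-livepatch status into grep -vE makes the function's exit status that of grep rather than of canonical-livepatch, so a failing status call is masked whenever grep prints at least one line, and the function returns 1 if nothing but blank lines comes back. If callers rely on the status, capture the output first and filter it afterwards. In livepatch_disabled_reason, result is assigned but never read; if the || result=$? is only there to keep a non-zero exit from aborting the script, || true says so more directly. The match is a fixed string, so grep -qF is the safer form, and a comment noting that the check depends on the exact wording of the canonical-livepatch message would help whoever has to update it.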
241 | diff --git a/modules/service.sh b/modules/service.sh | |||
242 | index 26dc63e..f8e8d80 100644 | |||
243 | --- a/modules/service.sh | |||
244 | +++ b/modules/service.sh | |||
245 | @@ -49,15 +49,23 @@ service_print_status() { | |||
246 | 49 | status="disabled" | 49 | status="disabled" |
247 | 50 | if ! is_supported "$series" "$archs"; then | 50 | if ! is_supported "$series" "$archs"; then |
248 | 51 | status+=" (not available)" | 51 | status+=" (not available)" |
249 | 52 | else | ||
250 | 53 | status+=$(service_disabled_reason "${service}") | ||
251 | 52 | fi | 54 | fi |
252 | 53 | fi | 55 | fi |
253 | 54 | 56 | ||
255 | 55 | echo "$service: $status" | 57 | echo "${service//_/-}: $status" |
256 | 56 | if [ "$status" = enabled ]; then | 58 | if [ "$status" = enabled ]; then |
257 | 57 | _service_print_detailed_status "$service" | 59 | _service_print_detailed_status "$service" |
258 | 58 | fi | 60 | fi |
259 | 59 | } | 61 | } |
260 | 60 | 62 | ||
261 | 63 | service_disabled_reason() { | ||
262 | 64 | local service="$1" | ||
263 | 65 | |||
264 | 66 | call_if_defined "${service}_disabled_reason" | ||
265 | 67 | } | ||
266 | 68 | |||
267 | 61 | service_check_user() { | 69 | service_check_user() { |
268 | 62 | if [ "$(id -u)" -ne 0 ]; then | 70 | if [ "$(id -u)" -ne 0 ]; then |
269 | 63 | error_msg "This command must be run as root (try using sudo)" | 71 | error_msg "This command must be run as root (try using sudo)" |
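Review bot: In service_print_status, status+=$(service_disabled_reason "${service}") appends the hook's output verbatim, so every <service>_disabled_reason implementation has to emit its own leading space and parentheses (as livepatch_disabled_reason does with " (unsupported kernel)") to match the " (not available)" format built a few lines above. Have the hook return the bare reason and add the formatting here, or document that contract in a comment above service_disabled_reason. The echo now prints ${service//_/-} instead of $service; a short comment saying that internal names use underscores and displayed names use hyphens would explain the substitution.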
270 | diff --git a/tests/fakes.py b/tests/fakes.py | |||
271 | index 0075504..ca6566d 100644 | |||
272 | --- a/tests/fakes.py | |||
273 | +++ b/tests/fakes.py | |||
274 | @@ -30,6 +30,16 @@ EOF | |||
275 | 30 | fi | 30 | fi |
276 | 31 | """ | 31 | """ |
277 | 32 | 32 | ||
278 | 33 | # regardless of the command, canonical-livepatch will always exit with | ||
279 | 34 | # status 1 and a message like this | ||
280 | 35 | LIVEPATCH_UNSUPPORTED_KERNEL = """ | ||
281 | 36 | cat <<EOF | ||
282 | 37 | 2018/05/24 18:51:29 cannot use livepatch: your kernel "4.15.0-1010-kvm" \ | ||
283 | 38 | is not eligible for livepatch updates | ||
284 | 39 | EOF | ||
285 | 40 | exit 1 | ||
286 | 41 | """ | ||
287 | 42 | |||
288 | 33 | LIVEPATCH_ENABLED = """ | 43 | LIVEPATCH_ENABLED = """ |
289 | 34 | if [ "$1" = "status" ]; then | 44 | if [ "$1" = "status" ]; then |
290 | 35 | cat <<EOF | 45 | cat <<EOF |
291 | @@ -50,6 +60,10 @@ status: | |||
292 | 50 | * CVE-2015-7837 LP: #1509563 | 60 | * CVE-2015-7837 LP: #1509563 |
293 | 51 | * CVE-2016-0758 LP: #1581202 | 61 | * CVE-2016-0758 LP: #1581202 |
294 | 52 | EOF | 62 | EOF |
295 | 63 | # empty lines, for regression testing of | ||
296 | 64 | # https://github.com/CanonicalLtd/ubuntu-advantage-script/issues/145 | ||
297 | 65 | echo | ||
298 | 66 | echo | ||
299 | 53 | elif [ "$1" = "enable" ]; then | 67 | elif [ "$1" = "enable" ]; then |
300 | 54 | echo -n "2017/08/04 18:03:47 Error executing enable?auth-token=" | 68 | echo -n "2017/08/04 18:03:47 Error executing enable?auth-token=" |
301 | 55 | echo "deafbeefdeadbeefdeadbeefdeadbeef." | 69 | echo "deafbeefdeadbeefdeadbeefdeadbeef." |
302 | @@ -159,6 +173,12 @@ fips: disabled (not available) | |||
303 | 159 | livepatch: disabled (not available) | 173 | livepatch: disabled (not available) |
304 | 160 | """ | 174 | """ |
305 | 161 | 175 | ||
306 | 176 | STATUS_CACHE_LIVEPATCH_DISABLED_UNSUPPORTED = """\ | ||
307 | 177 | esm: disabled (not available) | ||
308 | 178 | fips: disabled (not available) | ||
309 | 179 | livepatch: disabled (unsupported kernel) | ||
310 | 180 | """ | ||
311 | 181 | |||
312 | 162 | STATUS_CACHE_MIXED_CONTENT = """\ | 182 | STATUS_CACHE_MIXED_CONTENT = """\ |
313 | 163 | esm: enabled | 183 | esm: enabled |
314 | 164 | patchState: should-not-be-here | 184 | patchState: should-not-be-here |
315 | diff --git a/tests/test_cc.py b/tests/test_cc.py | |||
316 | 165 | new file mode 100644 | 185 | new file mode 100644 |
317 | index 0000000..04ab50b | |||
318 | --- /dev/null | |||
319 | +++ b/tests/test_cc.py | |||
320 | @@ -0,0 +1,186 @@ | |||
321 | 1 | """Tests for CC-related commands.""" | ||
322 | 2 | |||
323 | 3 | from testing import UbuntuAdvantageTest | ||
324 | 4 | |||
325 | 5 | |||
326 | 6 | class CCTest(UbuntuAdvantageTest): | ||
327 | 7 | |||
328 | 8 | SERIES = 'xenial' | ||
329 | 9 | ARCH = 'x86_64' | ||
330 | 10 | |||
331 | 11 | def setUp(self): | ||
332 | 12 | super().setUp() | ||
333 | 13 | self.setup_cc() | ||
334 | 14 | |||
335 | 15 | def test_enable_cc_provisioning(self): | ||
336 | 16 | """The enable-cc-provisioning enables commoncriteria repository.""" | ||
337 | 17 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
338 | 18 | self.assertEqual(0, process.returncode) | ||
339 | 19 | self.assertIn( | ||
340 | 20 | 'Ubuntu Common Criteria PPA repository enabled.', | ||
341 | 21 | process.stdout) | ||
342 | 22 | expected = ( | ||
343 | 23 | 'deb https://private-ppa.launchpad.net/ubuntu-advantage/' | ||
344 | 24 | 'commoncriteria/ubuntu xenial main\n' | ||
345 | 25 | '# deb-src https://private-ppa.launchpad.net/' | ||
346 | 26 | 'ubuntu-advantage/commoncriteria/ubuntu xenial main\n') | ||
347 | 27 | self.assertEqual(expected, self.cc_repo_list.read_text()) | ||
348 | 28 | self.assertEqual( | ||
349 | 29 | self.apt_auth_file.read_text(), | ||
350 | 30 | 'machine private-ppa.launchpad.net/ubuntu-advantage/' | ||
351 | 31 | 'commoncriteria/ubuntu/' | ||
352 | 32 | ' login user password pass\n') | ||
353 | 33 | self.assertEqual(self.apt_auth_file.stat().st_mode, 0o100600) | ||
354 | 34 | keyring_file = self.trusted_gpg_dir / 'ubuntu-cc-keyring.gpg' | ||
355 | 35 | self.assertEqual('GPG key', keyring_file.read_text()) | ||
356 | 36 | self.assertIn( | ||
357 | 37 | 'Successfully prepared this machine to host' | ||
358 | 38 | ' the Common Criteria artifacts', | ||
359 | 39 | process.stdout) | ||
360 | 40 | # the apt-transport-https dependency is already installed | ||
361 | 41 | self.assertNotIn( | ||
362 | 42 | 'Installing missing dependency apt-transport-https', | ||
363 | 43 | process.stdout) | ||
364 | 44 | |||
365 | 45 | def test_enable_cc_provisioning_auth_if_other_entries(self): | ||
366 | 46 | """Existing auth.conf entries are preserved.""" | ||
367 | 47 | auth = 'machine example.com login user password pass\n' | ||
368 | 48 | self.apt_auth_file.write_text(auth) | ||
369 | 49 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
370 | 50 | self.assertEqual(0, process.returncode) | ||
371 | 51 | self.assertIn(auth, self.apt_auth_file.read_text()) | ||
372 | 52 | |||
373 | 53 | def test_enable_cc_provisioning_install_apt_transport_https(self): | ||
374 | 54 | """enable-cc-provisioning installs apt-transport-https if needed.""" | ||
375 | 55 | self.apt_method_https.unlink() | ||
376 | 56 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
377 | 57 | self.assertEqual(0, process.returncode) | ||
378 | 58 | self.assertIn( | ||
379 | 59 | 'Installing missing dependency apt-transport-https', | ||
380 | 60 | process.stdout) | ||
381 | 61 | |||
382 | 62 | def test_enable_cc_provisioning_install_apt_transport_https_fails(self): | ||
383 | 63 | """Stderr is printed if apt-transport-https install fails.""" | ||
384 | 64 | self.apt_method_https.unlink() | ||
385 | 65 | self.make_fake_binary('apt-get', command='echo failed >&2; false') | ||
386 | 66 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
387 | 67 | self.assertEqual(1, process.returncode) | ||
388 | 68 | self.assertIn('failed', process.stderr) | ||
389 | 69 | |||
390 | 70 | def test_enable_cc_provisioning_install_ca_certificates(self): | ||
391 | 71 | """enable-fips installs ca-certificates if needed.""" | ||
392 | 72 | self.ca_certificates.unlink() | ||
393 | 73 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
394 | 74 | self.assertEqual(0, process.returncode) | ||
395 | 75 | self.assertIn( | ||
396 | 76 | 'Installing missing dependency ca-certificates', | ||
397 | 77 | process.stdout) | ||
398 | 78 | |||
399 | 79 | def test_enable_cc_provisioning_install_ca_certificates_fails(self): | ||
400 | 80 | """Stderr is printed if ca-certificates install fails.""" | ||
401 | 81 | self.ca_certificates.unlink() | ||
402 | 82 | self.make_fake_binary('apt-get', command='echo failed >&2; false') | ||
403 | 83 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
404 | 84 | self.assertEqual(1, process.returncode) | ||
405 | 85 | self.assertIn('failed', process.stderr) | ||
406 | 86 | |||
407 | 87 | def test_enable_cc_provisioning_missing_token(self): | ||
408 | 88 | """The token must be specified when using enable-fips.""" | ||
409 | 89 | process = self.script('enable-cc-provisioning') | ||
410 | 90 | self.assertEqual(3, process.returncode) | ||
411 | 91 | self.assertIn( | ||
412 | 92 | 'Invalid token, it must be in the form "user:password"', | ||
413 | 93 | process.stderr) | ||
414 | 94 | |||
415 | 95 | def test_enable_cc_provisioning_invalid_token_format(self): | ||
416 | 96 | """The CC token must be specified as "user:password".""" | ||
417 | 97 | process = self.script('enable-cc-provisioning', 'foo-bar') | ||
418 | 98 | self.assertEqual(3, process.returncode) | ||
419 | 99 | self.assertIn( | ||
420 | 100 | 'Invalid token, it must be in the form "user:password"', | ||
421 | 101 | process.stderr) | ||
422 | 102 | |||
423 | 103 | def test_enable_cc_provisioning_invalid_token(self): | ||
424 | 104 | """If token is invalid, an error is returned.""" | ||
425 | 105 | message = ( | ||
426 | 106 | 'E: Failed to fetch https://esm.ubuntu.com/' | ||
427 | 107 | ' 401 Unauthorized [IP: 1.2.3.4]') | ||
428 | 108 | self.make_fake_binary( | ||
429 | 109 | 'apt-helper', command='echo "{}"; exit 1'.format(message)) | ||
430 | 110 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
431 | 111 | self.assertEqual(3, process.returncode) | ||
432 | 112 | self.assertIn('Checking token... ERROR', process.stdout) | ||
433 | 113 | self.assertIn('Invalid token', process.stderr) | ||
434 | 114 | |||
435 | 115 | def test_enable_cc_provisioning_error_checking_token(self): | ||
436 | 116 | """If token check fails, an error is returned.""" | ||
437 | 117 | message = ( | ||
438 | 118 | 'E: Failed to fetch https://esm.ubuntu.com/' | ||
439 | 119 | ' 404 Not Found [IP: 1.2.3.4]') | ||
440 | 120 | self.make_fake_binary( | ||
441 | 121 | 'apt-helper', command='echo "{}"; exit 1'.format(message)) | ||
442 | 122 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
443 | 123 | self.assertEqual(3, process.returncode) | ||
444 | 124 | self.assertIn('Checking token... ERROR', process.stdout) | ||
445 | 125 | self.assertIn( | ||
446 | 126 | 'Failed checking token (404 Not Found [IP: 1.2.3.4])', | ||
447 | 127 | process.stderr) | ||
448 | 128 | |||
449 | 129 | def test_enable_cc_provisioning_skip_token_check_no_helper(self): | ||
450 | 130 | """If apt-helper is not found, the token check is skipped.""" | ||
451 | 131 | self.apt_helper.unlink() | ||
452 | 132 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
453 | 133 | self.assertEqual(0, process.returncode) | ||
454 | 134 | self.assertIn('Checking token... SKIPPED', process.stdout) | ||
455 | 135 | |||
456 | 136 | def test_enable_cc_provisioning_only_supported_on_xenial(self): | ||
457 | 137 | """The enable-cc-provisioning option fails if not on Xenial.""" | ||
458 | 138 | self.SERIES = 'zesty' | ||
459 | 139 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
460 | 140 | self.assertEqual(4, process.returncode) | ||
461 | 141 | self.assertIn( | ||
462 | 142 | 'Canonical Common Criteria EAL2 Provisioning is ' | ||
463 | 143 | 'not supported on zesty', | ||
464 | 144 | process.stderr) | ||
465 | 145 | |||
466 | 146 | def test_unsupported_on_i686(self): | ||
467 | 147 | """CC is unsupported on i686 arch.""" | ||
468 | 148 | self.ARCH = 'i686' | ||
469 | 149 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
470 | 150 | self.assertEqual(7, process.returncode) | ||
471 | 151 | self.assertIn( | ||
472 | 152 | 'Sorry, but Canonical Common Criteria EAL2 Provisioning ' | ||
473 | 153 | 'is not supported on i686', | ||
474 | 154 | process.stderr) | ||
475 | 155 | |||
476 | 156 | def test_unsupported_on_arm64(self): | ||
477 | 157 | """CC is unsupported on arm64 arch.""" | ||
478 | 158 | self.ARCH = 'arm64' | ||
479 | 159 | process = self.script('enable-cc-provisioning', 'user:pass') | ||
480 | 160 | self.assertEqual(7, process.returncode) | ||
481 | 161 | self.assertIn( | ||
482 | 162 | 'Sorry, but Canonical Common Criteria EAL2 Provisioning ' | ||
483 | 163 | 'is not supported on arm64', | ||
484 | 164 | process.stderr) | ||
485 | 165 | |||
486 | 166 | def test_disable_cc_provisioning(self): | ||
487 | 167 | """The disable-cc-provisioning option disables commoncriteria repo.""" | ||
488 | 168 | self.setup_cc(enabled=True) | ||
489 | 169 | other_auth = 'machine example.com login user password pass\n' | ||
490 | 170 | self.apt_auth_file.write_text(other_auth) | ||
491 | 171 | process = self.script('disable-cc-provisioning') | ||
492 | 172 | self.assertEqual(0, process.returncode) | ||
493 | 173 | self.assertFalse(self.cc_repo_list.exists()) | ||
494 | 174 | # the keyring file is removed | ||
495 | 175 | keyring_file = self.trusted_gpg_dir / 'ubuntu-cc-keyring.gpg' | ||
496 | 176 | self.assertFalse(keyring_file.exists()) | ||
497 | 177 | # credentials are removed | ||
498 | 178 | self.assertEqual(self.apt_auth_file.read_text(), other_auth) | ||
499 | 179 | |||
500 | 180 | def test_disable_cc_provisioning_fails_already_disabled(self): | ||
501 | 181 | """If commoncriteria repo is not enabled, disable fails.""" | ||
502 | 182 | process = self.script('disable-cc-provisioning') | ||
503 | 183 | self.assertEqual(8, process.returncode) | ||
504 | 184 | self.assertIn( | ||
505 | 185 | 'Canonical Common Criteria EAL2 Provisioning is not enabled\n', | ||
506 | 186 | process.stderr) | ||
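Review bot: Several docstrings were copied from the FIPS tests and still name the wrong command: test_enable_cc_provisioning_install_ca_certificates says "enable-fips installs ca-certificates if needed." and test_enable_cc_provisioning_missing_token says "The token must be specified when using enable-fips."; both should say enable-cc-provisioning. The fake apt-helper messages in the two token tests also reference https://esm.ubuntu.com/ rather than the Common Criteria repository URL. Two coverage gaps are worth closing: no test exercises the already-installed branch of cc_provisioning_enable (error_exit service_already_enabled), and test_disable_cc_provisioning does not assert that the ubuntu-commoncriteria package is removed.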
507 | diff --git a/tests/test_cisaudit.py b/tests/test_cisaudit.py | |||
508 | 0 | new file mode 100644 | 187 | new file mode 100644 |
509 | index 0000000..47b2784 | |||
510 | --- /dev/null | |||
511 | +++ b/tests/test_cisaudit.py | |||
512 | @@ -0,0 +1,187 @@ | |||
513 | 1 | """Tests for CISAudit-related commands.""" | ||
514 | 2 | |||
515 | 3 | from testing import UbuntuAdvantageTest | ||
516 | 4 | |||
517 | 5 | |||
518 | 6 | class CISAUDITTest(UbuntuAdvantageTest): | ||
519 | 7 | |||
520 | 8 | SERIES = 'xenial' | ||
521 | 9 | ARCH = 'x86_64' | ||
522 | 10 | |||
523 | 11 | def setUp(self): | ||
524 | 12 | super().setUp() | ||
525 | 13 | self.setup_cisaudit() | ||
526 | 14 | |||
527 | 15 | def test_enable_cisaudit(self): | ||
528 | 16 | """The enable-cisaudit enables security benchmarks repository.""" | ||
529 | 17 | process = self.script('enable-cisaudit', 'user:pass') | ||
530 | 18 | self.assertEqual(0, process.returncode) | ||
531 | 19 | self.assertIn( | ||
532 | 20 | 'Ubuntu Security Benchmarks PPA repository enabled.', | ||
533 | 21 | process.stdout) | ||
534 | 22 | expected = ( | ||
535 | 23 | 'deb https://private-ppa.launchpad.net/ubuntu-advantage/' | ||
536 | 24 | 'security-benchmarks/ubuntu xenial main\n' | ||
537 | 25 | '# deb-src https://private-ppa.launchpad.net/' | ||
538 | 26 | 'ubuntu-advantage/security-benchmarks/ubuntu xenial main\n') | ||
539 | 27 | self.assertEqual(expected, self.cisaudit_repo_list.read_text()) | ||
540 | 28 | self.assertEqual( | ||
541 | 29 | self.apt_auth_file.read_text(), | ||
542 | 30 | 'machine private-ppa.launchpad.net/ubuntu-advantage/' | ||
543 | 31 | 'security-benchmarks/ubuntu/' | ||
544 | 32 | ' login user password pass\n') | ||
545 | 33 | self.assertEqual(self.apt_auth_file.stat().st_mode, 0o100600) | ||
546 | 34 | cis_keyring = 'ubuntu-securitybenchmarks-keyring.gpg' | ||
547 | 35 | keyring_file = self.trusted_gpg_dir / cis_keyring | ||
548 | 36 | self.assertEqual('GPG key', keyring_file.read_text()) | ||
549 | 37 | self.assertIn( | ||
550 | 38 | 'Successfully installed the CIS audit tool.', | ||
551 | 39 | process.stdout) | ||
552 | 40 | # the apt-transport-https dependency is already installed | ||
553 | 41 | self.assertNotIn( | ||
554 | 42 | 'Installing missing dependency apt-transport-https', | ||
555 | 43 | process.stdout) | ||
556 | 44 | |||
557 | 45 | def test_enable_cisaudit_auth_if_other_entries(self): | ||
558 | 46 | """Existing auth.conf entries are preserved.""" | ||
559 | 47 | auth = 'machine example.com login user password pass\n' | ||
560 | 48 | self.apt_auth_file.write_text(auth) | ||
561 | 49 | process = self.script('enable-cisaudit', 'user:pass') | ||
562 | 50 | self.assertEqual(0, process.returncode) | ||
563 | 51 | self.assertIn(auth, self.apt_auth_file.read_text()) | ||
564 | 52 | |||
565 | 53 | def test_enable_cisaudit_install_apt_transport_https(self): | ||
566 | 54 | """enable-cisaudit installs apt-transport-https if needed.""" | ||
567 | 55 | self.apt_method_https.unlink() | ||
568 | 56 | process = self.script('enable-cisaudit', 'user:pass') | ||
569 | 57 | self.assertEqual(0, process.returncode) | ||
570 | 58 | self.assertIn( | ||
571 | 59 | 'Installing missing dependency apt-transport-https', | ||
572 | 60 | process.stdout) | ||
573 | 61 | |||
574 | 62 | def test_enable_cisaudit_install_apt_transport_https_fails(self): | ||
575 | 63 | """Stderr is printed if apt-transport-https install fails.""" | ||
576 | 64 | self.apt_method_https.unlink() | ||
577 | 65 | self.make_fake_binary('apt-get', command='echo failed >&2; false') | ||
578 | 66 | process = self.script('enable-cisaudit', 'user:pass') | ||
579 | 67 | self.assertEqual(1, process.returncode) | ||
580 | 68 | self.assertIn('failed', process.stderr) | ||
581 | 69 | |||
582 | 70 | def test_enable_cisaudit_install_ca_certificates(self): | ||
583 | 71 | """enable-cisaudit installs ca-certificates if needed.""" | ||
584 | 72 | self.ca_certificates.unlink() | ||
585 | 73 | process = self.script('enable-cisaudit', 'user:pass') | ||
586 | 74 | self.assertEqual(0, process.returncode) | ||
587 | 75 | self.assertIn( | ||
588 | 76 | 'Installing missing dependency ca-certificates', | ||
589 | 77 | process.stdout) | ||
590 | 78 | |||
591 | 79 | def test_enable_cisaudit_install_ca_certificates_fails(self): | ||
592 | 80 | """Stderr is printed if ca-certificates install fails.""" | ||
593 | 81 | self.ca_certificates.unlink() | ||
594 | 82 | self.make_fake_binary('apt-get', command='echo failed >&2; false') | ||
595 | 83 | process = self.script('enable-cisaudit', 'user:pass') | ||
596 | 84 | self.assertEqual(1, process.returncode) | ||
597 | 85 | self.assertIn('failed', process.stderr) | ||
598 | 86 | |||
599 | 87 | def test_enable_cisaudit_missing_token(self): | ||
600 | 88 | """The token must be specified when using enable-cisaudit.""" | ||
601 | 89 | process = self.script('enable-cisaudit') | ||
602 | 90 | self.assertEqual(3, process.returncode) | ||
603 | 91 | self.assertIn( | ||
604 | 92 | 'Invalid token, it must be in the form "user:password"', | ||
605 | 93 | process.stderr) | ||
606 | 94 | |||
607 | 95 | def test_enable_cisaudit_invalid_token_format(self): | ||
608 | 96 | """The cisaudit token must be specified as "user:password".""" | ||
609 | 97 | process = self.script('enable-cisaudit', 'foo-bar') | ||
610 | 98 | self.assertEqual(3, process.returncode) | ||
611 | 99 | self.assertIn( | ||
612 | 100 | 'Invalid token, it must be in the form "user:password"', | ||
613 | 101 | process.stderr) | ||
614 | 102 | |||
615 | 103 | def test_enable_cisaudit_invalid_token(self): | ||
616 | 104 | """If token is invalid, an error is returned.""" | ||
617 | 105 | message = ( | ||
618 | 106 | 'E: Failed to fetch https://esm.ubuntu.com/' | ||
619 | 107 | ' 401 Unauthorized [IP: 1.2.3.4]') | ||
620 | 108 | self.make_fake_binary( | ||
621 | 109 | 'apt-helper', command='echo "{}"; exit 1'.format(message)) | ||
622 | 110 | process = self.script('enable-cisaudit', 'user:pass') | ||
623 | 111 | self.assertEqual(3, process.returncode) | ||
624 | 112 | self.assertIn('Checking token... ERROR', process.stdout) | ||
625 | 113 | self.assertIn('Invalid token', process.stderr) | ||
626 | 114 | |||
627 | 115 | def test_enable_cisaudit_error_checking_token(self): | ||
628 | 116 | """If token check fails, an error is returned.""" | ||
629 | 117 | message = ( | ||
630 | 118 | 'E: Failed to fetch https://esm.ubuntu.com/' | ||
631 | 119 | ' 404 Not Found [IP: 1.2.3.4]') | ||
632 | 120 | self.make_fake_binary( | ||
633 | 121 | 'apt-helper', command='echo "{}"; exit 1'.format(message)) | ||
634 | 122 | process = self.script('enable-cisaudit', 'user:pass') | ||
635 | 123 | self.assertEqual(3, process.returncode) | ||
636 | 124 | self.assertIn('Checking token... ERROR', process.stdout) | ||
637 | 125 | self.assertIn( | ||
638 | 126 | 'Failed checking token (404 Not Found [IP: 1.2.3.4])', | ||
639 | 127 | process.stderr) | ||
640 | 128 | |||
641 | 129 | def test_enable_cisaudit_skip_token_check_no_helper(self): | ||
642 | 130 | """If apt-helper is not found, the token check is skipped.""" | ||
643 | 131 | self.apt_helper.unlink() | ||
644 | 132 | process = self.script('enable-cisaudit', 'user:pass') | ||
645 | 133 | self.assertEqual(0, process.returncode) | ||
646 | 134 | self.assertIn('Checking token... SKIPPED', process.stdout) | ||
647 | 135 | |||
648 | 136 | def test_enable_cisaudit_only_supported_on_xenial(self): | ||
649 | 137 | """The enable-cisaudit option fails if not on Xenial.""" | ||
650 | 138 | self.SERIES = 'zesty' | ||
651 | 139 | process = self.script('enable-cisaudit', 'user:pass') | ||
652 | 140 | self.assertEqual(4, process.returncode) | ||
653 | 141 | self.assertIn( | ||
654 | 142 | 'Sorry, but Canonical CIS Benchmark 16.04 ' | ||
655 | 143 | 'Audit Tool is not supported on zesty\n', | ||
656 | 144 | process.stderr) | ||
657 | 145 | |||
658 | 146 | def test_unsupported_on_i686(self): | ||
659 | 147 | """CISAudit is unsupported on i686 arch.""" | ||
660 | 148 | self.ARCH = 'i686' | ||
661 | 149 | process = self.script('enable-cisaudit', 'user:pass') | ||
662 | 150 | self.assertEqual(7, process.returncode) | ||
663 | 151 | self.assertIn( | ||
664 | 152 | 'Sorry, but Canonical CIS Benchmark 16.04 Audit Tool ' | ||
665 | 153 | 'is not supported on i686', | ||
666 | 154 | process.stderr) | ||
667 | 155 | |||
668 | 156 | def test_unsupported_on_arm64(self): | ||
669 | 157 | """CISAudit is unsupported on arm64 arch.""" | ||
670 | 158 | self.ARCH = 'arm64' | ||
671 | 159 | process = self.script('enable-cisaudit', 'user:pass') | ||
672 | 160 | self.assertEqual(7, process.returncode) | ||
673 | 161 | self.assertIn( | ||
674 | 162 | 'Sorry, but Canonical CIS Benchmark 16.04 Audit Tool ' | ||
675 | 163 | 'is not supported on arm64', | ||
676 | 164 | process.stderr) | ||
677 | 165 | |||
678 | 166 | def test_disable_cisaudit(self): | ||
679 | 167 | """The disable-cisaudit option disables security-benchmarks repo.""" | ||
680 | 168 | self.setup_cisaudit(enabled=True) | ||
681 | 169 | other_auth = 'machine example.com login user password pass\n' | ||
682 | 170 | self.apt_auth_file.write_text(other_auth) | ||
683 | 171 | process = self.script('disable-cisaudit') | ||
684 | 172 | self.assertEqual(0, process.returncode) | ||
685 | 173 | self.assertFalse(self.cisaudit_repo_list.exists()) | ||
686 | 174 | # the keyring file is removed | ||
687 | 175 | cis_keyring = 'ubuntu-securitybenchmarks-keyring.gpg' | ||
688 | 176 | keyring_file = self.trusted_gpg_dir / cis_keyring | ||
689 | 177 | self.assertFalse(keyring_file.exists()) | ||
690 | 178 | # credentials are removed | ||
691 | 179 | self.assertEqual(self.apt_auth_file.read_text(), other_auth) | ||
692 | 180 | |||
693 | 181 | def test_disable_cisaudit_fails_already_disabled(self): | ||
694 | 182 | """If security-benchmarks repo is not enabled, disable fails.""" | ||
695 | 183 | process = self.script('disable-cisaudit') | ||
696 | 184 | self.assertEqual(8, process.returncode) | ||
697 | 185 | self.assertIn( | ||
698 | 186 | 'Canonical CIS Benchmark 16.04 Audit Tool is not enabled\n', | ||
699 | 187 | process.stderr) | ||
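Review bot: test_disable_cisaudit does not actually show that credentials are removed. The only content written to apt_auth_file before 'disable-cisaudit' runs is other_auth, and setup_cisaudit in tests/testing.py only fakes dpkg-query, so the final assertEqual(self.apt_auth_file.read_text(), other_auth) would also pass if the script never touched the file. Seed the file with the 'machine private-ppa.launchpad.net/ubuntu-advantage/security-benchmarks/ubuntu/ login user password pass' entry in addition to other_auth, then assert that only other_auth remains. The assertFalse checks on the repo list and keyring have the same weakness unless those files are created first. Separately, the fake apt-helper output in test_enable_cisaudit_invalid_token and test_enable_cisaudit_error_checking_token fetches from https://esm.ubuntu.com/, not the private-ppa.launchpad.net host this service uses, which reads like a leftover from the ESM tests.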
700 | diff --git a/tests/test_livepatch_motd.py b/tests/test_livepatch_motd.py | |||
701 | index c8beeda..a934f4c 100644 | |||
702 | --- a/tests/test_livepatch_motd.py | |||
703 | +++ b/tests/test_livepatch_motd.py | |||
704 | @@ -9,6 +9,7 @@ from fakes import ( | |||
705 | 9 | STATUS_CACHE_LIVEPATCH_ENABLED_NO_CONTENT, | 9 | STATUS_CACHE_LIVEPATCH_ENABLED_NO_CONTENT, |
706 | 10 | STATUS_CACHE_LIVEPATCH_DISABLED_AVAILABLE, | 10 | STATUS_CACHE_LIVEPATCH_DISABLED_AVAILABLE, |
707 | 11 | STATUS_CACHE_LIVEPATCH_DISABLED_UNAVAILABLE, | 11 | STATUS_CACHE_LIVEPATCH_DISABLED_UNAVAILABLE, |
708 | 12 | STATUS_CACHE_LIVEPATCH_DISABLED_UNSUPPORTED, | ||
709 | 12 | STATUS_CACHE_MIXED_CONTENT) | 13 | STATUS_CACHE_MIXED_CONTENT) |
710 | 13 | from random import randrange | 14 | from random import randrange |
711 | 14 | 15 | ||
712 | @@ -98,6 +99,19 @@ class LivepatchMOTDTest(UbuntuAdvantageTest): | |||
713 | 98 | self.assertEqual(0, process.returncode) | 99 | self.assertEqual(0, process.returncode) |
714 | 99 | self.assertEqual('', process.stdout) | 100 | self.assertEqual('', process.stdout) |
715 | 100 | 101 | ||
716 | 102 | def test_disabled_unsupported(self): | ||
717 | 103 | """Livepatch is disabled and unsupported.""" | ||
718 | 104 | self.KERNEL_VERSION = '4.15.0-1010-kvm' | ||
719 | 105 | self.ua_status_cache.write_text( | ||
720 | 106 | STATUS_CACHE_LIVEPATCH_DISABLED_UNSUPPORTED) | ||
721 | 107 | process = self.script() | ||
722 | 108 | self.assertEqual(0, process.returncode) | ||
723 | 109 | self.assertIn('Canonical Livepatch is installed but disabled', | ||
724 | 110 | process.stdout) | ||
725 | 111 | self.assertIn('Kernel {} is not supported (https://bit.ly/' | ||
726 | 112 | 'livepatch-faq)'.format(self.KERNEL_VERSION), | ||
727 | 113 | process.stdout) | ||
728 | 114 | |||
729 | 101 | def test_other_state_fields_ignored(self): | 115 | def test_other_state_fields_ignored(self): |
730 | 102 | """The MOTD script ignores *State fields not from livepatch.""" | 116 | """The MOTD script ignores *State fields not from livepatch.""" |
731 | 103 | self.ua_status_cache.write_text(STATUS_CACHE_MIXED_CONTENT) | 117 | self.ua_status_cache.write_text(STATUS_CACHE_MIXED_CONTENT) |
732 | diff --git a/tests/test_script.py b/tests/test_script.py | |||
733 | index 4e7da93..ec4be19 100644 | |||
734 | --- a/tests/test_script.py | |||
735 | +++ b/tests/test_script.py | |||
736 | @@ -1,6 +1,7 @@ | |||
737 | 1 | """Tests for the ubuntu-advantage script.""" | 1 | """Tests for the ubuntu-advantage script.""" |
738 | 2 | 2 | ||
739 | 3 | from testing import UbuntuAdvantageTest | 3 | from testing import UbuntuAdvantageTest |
740 | 4 | from fakes import LIVEPATCH_UNSUPPORTED_KERNEL | ||
741 | 4 | 5 | ||
742 | 5 | 6 | ||
743 | 6 | class UbuntuAdvantageScriptTest(UbuntuAdvantageTest): | 7 | class UbuntuAdvantageScriptTest(UbuntuAdvantageTest): |
744 | @@ -54,6 +55,14 @@ class UbuntuAdvantageScriptTest(UbuntuAdvantageTest): | |||
745 | 54 | self.assertIn("livepatch: disabled (not available)", process.stdout) | 55 | self.assertIn("livepatch: disabled (not available)", process.stdout) |
746 | 55 | self.assertIn("esm: enabled", process.stdout) | 56 | self.assertIn("esm: enabled", process.stdout) |
747 | 56 | 57 | ||
748 | 58 | def test_livepatch_status_no_empty_line(self): | ||
749 | 59 | """The status output has no empty lines when livepatch is enabled.""" | ||
750 | 60 | self.setup_livepatch(installed=True, enabled=True) | ||
751 | 61 | process = self.script('status', 'livepatch') | ||
752 | 62 | lines = process.stdout.split('\n')[:-1] | ||
753 | 63 | for line in lines: | ||
754 | 64 | self.assertNotEqual('', line.strip()) | ||
755 | 65 | |||
756 | 57 | def test_status_xenial(self): | 66 | def test_status_xenial(self): |
757 | 58 | """The status command shows only livepatch available on xenial.""" | 67 | """The status command shows only livepatch available on xenial.""" |
758 | 59 | self.SERIES = 'xenial' | 68 | self.SERIES = 'xenial' |
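Review bot: test_livepatch_status_no_empty_line can pass vacuously. If 'status livepatch' fails or prints nothing, process.stdout.split('\n')[:-1] is an empty list and the for loop never runs an assertion. Add self.assertEqual(0, process.returncode) and an assertion that lines is non-empty before the loop.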
759 | @@ -91,6 +100,17 @@ class UbuntuAdvantageScriptTest(UbuntuAdvantageTest): | |||
760 | 91 | process = self.script('status', 'unknown') | 100 | process = self.script('status', 'unknown') |
761 | 92 | self.assertEqual(process.returncode, 1) | 101 | self.assertEqual(process.returncode, 1) |
762 | 93 | 102 | ||
763 | 103 | def test_status_livepatch_unsupported_kernel(self): | ||
764 | 104 | """Livepatch is unavailable on an unsupported kernel.""" | ||
765 | 105 | self.SERIES = 'xenial' | ||
766 | 106 | self.ARCH = 'x86_64' | ||
767 | 107 | self.setup_livepatch( | ||
768 | 108 | installed=True, enabled=False, | ||
769 | 109 | livepatch_command=LIVEPATCH_UNSUPPORTED_KERNEL) | ||
770 | 110 | process = self.script('status') | ||
771 | 111 | self.assertIn('livepatch: disabled (unsupported kernel)', | ||
772 | 112 | process.stdout) | ||
773 | 113 | |||
774 | 94 | def test_version(self): | 114 | def test_version(self): |
775 | 95 | """The version command shows the package version.""" | 115 | """The version command shows the package version.""" |
776 | 96 | self.make_fake_binary('dpkg-query', command='echo 123') | 116 | self.make_fake_binary('dpkg-query', command='echo 123') |
777 | diff --git a/tests/testing.py b/tests/testing.py | |||
778 | index c684f48..17fc080 100644 | |||
779 | --- a/tests/testing.py | |||
780 | +++ b/tests/testing.py | |||
781 | @@ -57,6 +57,8 @@ class UbuntuAdvantageTest(TestWithFixtures): | |||
782 | 57 | self.fips_repo_list = Path(self.tempdir.join('fips-repo.list')) | 57 | self.fips_repo_list = Path(self.tempdir.join('fips-repo.list')) |
783 | 58 | self.fips_updates_repo_list = Path( | 58 | self.fips_updates_repo_list = Path( |
784 | 59 | self.tempdir.join('fips-updates-repo.list')) | 59 | self.tempdir.join('fips-updates-repo.list')) |
785 | 60 | self.cc_repo_list = Path(self.tempdir.join('cc-repo.list')) | ||
786 | 61 | self.cisaudit_repo_list = Path(self.tempdir.join('cisaudit-repo.list')) | ||
787 | 60 | self.fips_repo_preferences = Path( | 62 | self.fips_repo_preferences = Path( |
788 | 61 | self.tempdir.join('preferences-fips')) | 63 | self.tempdir.join('preferences-fips')) |
789 | 62 | self.fips_updates_repo_preferences = Path( | 64 | self.fips_updates_repo_preferences = Path( |
790 | @@ -82,6 +84,9 @@ class UbuntuAdvantageTest(TestWithFixtures): | |||
791 | 82 | (self.keyrings_dir / 'ubuntu-fips-keyring.gpg').write_text('GPG key') | 84 | (self.keyrings_dir / 'ubuntu-fips-keyring.gpg').write_text('GPG key') |
792 | 83 | (self.keyrings_dir / 'ubuntu-fips-updates-keyring.gpg').write_text( | 85 | (self.keyrings_dir / 'ubuntu-fips-updates-keyring.gpg').write_text( |
793 | 84 | 'GPG key') | 86 | 'GPG key') |
794 | 87 | (self.keyrings_dir / 'ubuntu-cc-keyring.gpg').write_text('GPG key') | ||
795 | 88 | (self.keyrings_dir / | ||
796 | 89 | 'ubuntu-securitybenchmarks-keyring.gpg').write_text('GPG key') | ||
797 | 85 | self.cpuinfo.write_text('flags\t\t: fpu apic') | 90 | self.cpuinfo.write_text('flags\t\t: fpu apic') |
798 | 86 | self.make_fake_binary('apt-get') | 91 | self.make_fake_binary('apt-get') |
799 | 87 | self.make_fake_binary('apt-helper') | 92 | self.make_fake_binary('apt-helper') |
800 | @@ -117,12 +122,14 @@ class UbuntuAdvantageTest(TestWithFixtures): | |||
801 | 117 | 'ESM_REPO_LIST': str(self.esm_repo_list), | 122 | 'ESM_REPO_LIST': str(self.esm_repo_list), |
802 | 118 | 'FIPS_REPO_LIST': str(self.fips_repo_list), | 123 | 'FIPS_REPO_LIST': str(self.fips_repo_list), |
803 | 119 | 'FIPS_UPDATES_REPO_LIST': str(self.fips_updates_repo_list), | 124 | 'FIPS_UPDATES_REPO_LIST': str(self.fips_updates_repo_list), |
804 | 125 | 'CC_PROVISIONING_REPO_LIST': str(self.cc_repo_list), | ||
805 | 126 | 'CISAUDIT_REPO_LIST': str(self.cisaudit_repo_list), | ||
806 | 120 | 'FIPS_BOOT_CFG': str(self.boot_cfg), | 127 | 'FIPS_BOOT_CFG': str(self.boot_cfg), |
807 | 121 | 'FIPS_BOOT_CFG_DIR': str(self.etc_dir), | 128 | 'FIPS_BOOT_CFG_DIR': str(self.etc_dir), |
808 | 122 | 'FIPS_ENABLED_FILE': str(self.fips_enabled_file), | 129 | 'FIPS_ENABLED_FILE': str(self.fips_enabled_file), |
809 | 123 | 'FIPS_REPO_PREFERENCES': str(self.fips_repo_preferences), | 130 | 'FIPS_REPO_PREFERENCES': str(self.fips_repo_preferences), |
810 | 124 | 'FIPS_UPDATES_REPO_PREFERENCES': str( | 131 | 'FIPS_UPDATES_REPO_PREFERENCES': str( |
812 | 125 | self.fips_updates_repo_preferences), | 132 | self.fips_updates_repo_preferences), |
813 | 126 | 'KEYRINGS_DIR': str(self.keyrings_dir), | 133 | 'KEYRINGS_DIR': str(self.keyrings_dir), |
814 | 127 | 'APT_HELPER': str(self.apt_helper), | 134 | 'APT_HELPER': str(self.apt_helper), |
815 | 128 | 'APT_AUTH_FILE': str(self.apt_auth_file), | 135 | 'APT_AUTH_FILE': str(self.apt_auth_file), |
816 | @@ -174,3 +181,21 @@ class UbuntuAdvantageTest(TestWithFixtures): | |||
817 | 174 | return | 181 | return |
818 | 175 | self.make_fake_binary('dpkg-query') | 182 | self.make_fake_binary('dpkg-query') |
819 | 176 | self.fips_enabled_file.write_text('1' if enabled else '0') | 183 | self.fips_enabled_file.write_text('1' if enabled else '0') |
820 | 184 | |||
821 | 185 | def setup_cc(self, enabled=False): | ||
822 | 186 | """Setup the CC repository.""" | ||
823 | 187 | if enabled is True: | ||
824 | 188 | self.make_fake_binary( | ||
825 | 189 | 'dpkg-query', command='[ $2 = ubuntu-commoncriteria ]') | ||
826 | 190 | else: | ||
827 | 191 | self.make_fake_binary( | ||
828 | 192 | 'dpkg-query', command='[ $2 != ubuntu-commoncriteria ]') | ||
829 | 193 | |||
830 | 194 | def setup_cisaudit(self, enabled=False): | ||
831 | 195 | """Setup the CISAudit repository.""" | ||
832 | 196 | if enabled is True: | ||
833 | 197 | self.make_fake_binary( | ||
834 | 198 | 'dpkg-query', command='[ $2 = ubuntu-cisbenchmark-16.04 ]') | ||
835 | 199 | else: | ||
836 | 200 | self.make_fake_binary( | ||
837 | 201 | 'dpkg-query', command='[ $2 != ubuntu-cisbenchmark-16.04 ]') | ||
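Review bot: the fake dpkg-query commands in setup_cc and setup_cisaudit use an unquoted $2, as in '[ $2 = ubuntu-commoncriteria ]'. If the script ever calls dpkg-query with fewer than two arguments, the test expression becomes malformed and fails with a shell error instead of a clean true or false, so the fake should use "$2". The two helpers are also identical apart from the package name and could be a single helper that takes the name as a parameter. As a style point, 'if enabled is True:' is stricter than needed for a boolean flag; 'if enabled:' is the usual form.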
838 | diff --git a/ubuntu-advantage b/ubuntu-advantage | |||
839 | index 1ad03a5..19293f2 100755 | |||
840 | --- a/ubuntu-advantage | |||
841 | +++ b/ubuntu-advantage | |||
842 | @@ -4,7 +4,7 @@ | |||
843 | 4 | SCRIPTNAME=$(basename "$0") | 4 | SCRIPTNAME=$(basename "$0") |
844 | 5 | 5 | ||
845 | 6 | # Services managed by the script (in alphabetical order) | 6 | # Services managed by the script (in alphabetical order) |
847 | 7 | SERVICES="esm fips livepatch" | 7 | SERVICES="cc-provisioning esm fips livepatch cisaudit" |
848 | 8 | 8 | ||
849 | 9 | # system details | 9 | # system details |
850 | 10 | SERIES=${SERIES:-$(lsb_release -cs)} | 10 | SERIES=${SERIES:-$(lsb_release -cs)} |
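Review bot: the comment above SERVICES says the list is in alphabetical order, but the new value "cc-provisioning esm fips livepatch cisaudit" puts cisaudit last. Either move cisaudit to its sorted position or drop the claim from the comment. If the order is intentional because it controls the order of the status output, say so in the comment.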
851 | @@ -41,13 +41,13 @@ print_status() { | |||
852 | 41 | local service="$1" | 41 | local service="$1" |
853 | 42 | 42 | ||
854 | 43 | local services="$SERVICES" | 43 | local services="$SERVICES" |
857 | 44 | if [ "$service" ]; then | 44 | if [ -n "$service" ]; then |
858 | 45 | name_in_list "$service" "$SERVICES" || error_exit invalid_command | 45 | name_in_list "${service//_/-}" "$SERVICES" || error_exit invalid_command |
859 | 46 | services="$service" | 46 | services="$service" |
860 | 47 | fi | 47 | fi |
861 | 48 | 48 | ||
862 | 49 | for service in $services; do | 49 | for service in $services; do |
864 | 50 | service_print_status "$service" | 50 | service_print_status "${service//-/_}" |
865 | 51 | done | 51 | done |
866 | 52 | } | 52 | } |
867 | 53 | 53 | ||
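Review bot: print_status now validates "${service//_/-}" against SERVICES, so 'status cc_provisioning' is accepted as well as 'status cc-provisioning', while main() validates the unmodified hyphenated name. If accepting the underscore form is not intended, validate "$service" as given and only convert to underscores for the service_print_status call. Note also that services="$service" keeps the original spelling, and that the ${var//a/b} expansion is bash-only; the shebang is outside this hunk, so it is worth confirming the script is not run under plain sh.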
868 | @@ -63,6 +63,8 @@ Currently available are: | |||
869 | 63 | - Canonical FIPS 140-2 Certified Modules | 63 | - Canonical FIPS 140-2 Certified Modules |
870 | 64 | - Canonical FIPS 140-2 Non-Certified Module Updates | 64 | - Canonical FIPS 140-2 Non-Certified Module Updates |
871 | 65 | - Canonical Livepatch Service (https://www.ubuntu.com/server/livepatch) | 65 | - Canonical Livepatch Service (https://www.ubuntu.com/server/livepatch) |
872 | 66 | - Canonical Common Criteria EAL2 certification artifacts provisioning | ||
873 | 67 | - Canonical CIS Ubuntu Benchmark Audit tool | ||
874 | 66 | 68 | ||
875 | 67 | Commands: | 69 | Commands: |
876 | 68 | version show the tool version | 70 | version show the tool version |
877 | @@ -70,16 +72,26 @@ Commands: | |||
878 | 70 | offerings (or of a specific one if provided) | 72 | offerings (or of a specific one if provided) |
879 | 71 | enable-esm <TOKEN> enable the ESM repository | 73 | enable-esm <TOKEN> enable the ESM repository |
880 | 72 | disable-esm disable the ESM repository | 74 | disable-esm disable the ESM repository |
882 | 73 | enable-fips <TOKEN> enable the FIPS PPA repository and install, | 75 | enable-fips <TOKEN> enable the FIPS repository and install, |
883 | 74 | configure and enable FIPS certified modules | 76 | configure and enable FIPS certified modules |
884 | 75 | disable-fips currently not supported | 77 | disable-fips currently not supported |
886 | 76 | enable-fips-updates <TOKEN> [-y] enable non-certified FIPS-UPDATES PPA | 78 | enable-fips-updates <TOKEN> [-y] enable non-certified FIPS-UPDATES |
887 | 77 | repository and install updates. With an | 79 | repository and install updates. With an |
888 | 78 | optional "-y" the user prompt will be | 80 | optional "-y" the user prompt will be |
889 | 79 | bypassed. | 81 | bypassed. |
890 | 80 | enable-livepatch <TOKEN> enable the Livepatch service | 82 | enable-livepatch <TOKEN> enable the Livepatch service |
891 | 81 | disable-livepatch [-r] disable the Livepatch service. With "-r", the | 83 | disable-livepatch [-r] disable the Livepatch service. With "-r", the |
892 | 82 | canonical-livepatch snap will also be removed | 84 | canonical-livepatch snap will also be removed |
893 | 85 | enable-cc-provisioning <TOKEN> enable the commoncriteria repository and | ||
894 | 86 | install the ubuntu-commoncriteria DEB package | ||
895 | 87 | disable-cc-provisioning disable the commoncriteria repository and | ||
896 | 88 | remove the ubuntu-commoncriteria DEB package | ||
897 | 89 | enable-cisaudit <TOKEN> enable the security benchmarks repository | ||
898 | 90 | and install the ubuntu-cisbenchmark-16.04 DEB | ||
899 | 91 | package. | ||
900 | 92 | disable-cisaudit disable the security benchmarks repository | ||
901 | 93 | and uninstall the ubuntu-cisbenchmark-16.04 DEB | ||
902 | 94 | package. | ||
903 | 83 | EOF | 95 | EOF |
904 | 84 | error_exit invalid_command | 96 | error_exit invalid_command |
905 | 85 | } | 97 | } |
906 | @@ -91,11 +103,15 @@ main() { | |||
907 | 91 | local service | 103 | local service |
908 | 92 | service=$(service_from_command "$command") | 104 | service=$(service_from_command "$command") |
909 | 93 | # if the command contains a service name, check that it's valid | 105 | # if the command contains a service name, check that it's valid |
911 | 94 | if [ "$service" ] && ! name_in_list "$service" "$SERVICES" \ | 106 | if [ -n "$service" ] && ! name_in_list "$service" "$SERVICES" \ |
912 | 95 | && [ "$service" != "fips-updates" ]; then | 107 | && [ "$service" != "fips-updates" ]; then |
913 | 96 | error_msg "Invalid command: \"$command\"" | 108 | error_msg "Invalid command: \"$command\"" |
914 | 97 | usage | 109 | usage |
915 | 98 | fi | 110 | fi |
916 | 111 | # replace -(hyphen) in service commands with _(underscore) (eg: cc-provisioning) to | ||
917 | 112 | # use in generic service function invocations. Adding it here so the name_in_list | ||
918 | 113 | # function call above uses the original command. | ||
919 | 114 | service=${service//-/_} | ||
920 | 99 | 115 | ||
921 | 100 | case "$command" in | 116 | case "$command" in |
922 | 101 | status) | 117 | status) |
923 | diff --git a/ubuntu-advantage.1 b/ubuntu-advantage.1 | |||
924 | index e86b85d..e53a774 100644 | |||
925 | --- a/ubuntu-advantage.1 | |||
926 | +++ b/ubuntu-advantage.1 | |||
927 | @@ -86,8 +86,42 @@ https://ubuntu.com/livepatch | |||
928 | 86 | .B | 86 | .B |
929 | 87 | disable-livepatch \fR[\fB\-r\fR] | 87 | disable-livepatch \fR[\fB\-r\fR] |
930 | 88 | Disable the Livepatch service. If the \fB\-r\fR option is given, the | 88 | Disable the Livepatch service. If the \fB\-r\fR option is given, the |
932 | 89 | canonical-livepatch snap will be removed after the sevice is disabled. | 89 | canonical-livepatch snap will be removed after the service is disabled. |
933 | 90 | 90 | ||
934 | 91 | .SH CC (Canonical Common Critieria EAL2 Provisioning) | ||
935 | 92 | Enable Common Criteria PPA and install Common Criteria EAL2 artifacts | ||
936 | 93 | .TP | ||
937 | 94 | .B | ||
938 | 95 | enable-cc-provisioning \fItoken\fR | ||
939 | 96 | Enables the Commoncriteria PPA repository, installs the ubuntu-commoncriteria | ||
940 | 97 | package which has the common criteria artifacts. The artifacts include a | ||
941 | 98 | configure script, a tarball with additional packages and post install scripts. | ||
942 | 99 | The artifacts will be installed in /usr/lib/common-criteria directory. The | ||
943 | 100 | evaluated configuration guide and README instructions on how to set up a | ||
944 | 101 | system to be Common Criteria compliant are available in | ||
945 | 102 | /usr/share/doc/ubuntu-commoncriteria directory. | ||
946 | 103 | .TP | ||
947 | 104 | .B | ||
948 | 105 | disable-cc-provisioning | ||
949 | 106 | Disables the commoncriteria PPA repository and removes the ubuntu-commoncriteria | ||
950 | 107 | DEB package. | ||
951 | 108 | .SH CIS (Canonical CIS Audit tooling) | ||
952 | 109 | Enable CIS Auditing PPA and install CIS audit tool package | ||
953 | 110 | .TP | ||
954 | 111 | .B | ||
955 | 112 | enable-cisaudit \fItoken\fR | ||
956 | 113 | Enables the Security Benchmarks PPA, installs the ubuntu-cisbenchmark-16.04 | ||
957 | 114 | package which has the CIS Audit tooling files. They include the xccdf and xml | ||
958 | 115 | files and scripts to check compliance against the CIS 16.04 benchmark. The | ||
959 | 116 | files will be installed in | ||
960 | 117 | /usr/share/ubuntu-securityguides/ubuntu-cisbenchmark-16.04. | ||
961 | 118 | The documentation for the tool is available in | ||
962 | 119 | /usr/share/doc/ubuntu-cisbenchmark-16.04. | ||
963 | 120 | .TP | ||
964 | 121 | .B | ||
965 | 122 | disable-cisaudit | ||
966 | 123 | Disables the security benchmarks PPA repository and removes the | ||
967 | 124 | ubuntu-cisbenchmark-16.04 DEB package installed on the machine. | ||
968 | 91 | .SH EXIT STATUS | 125 | .SH EXIT STATUS |
969 | 92 | .TP | 126 | .TP |
970 | 93 | .B | 127 | .B |
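Review bot: typo in the new section heading, '.SH CC (Canonical Common Critieria EAL2 Provisioning)' should read 'Criteria'. The added text is also inconsistent in how it names the repository: 'Commoncriteria PPA repository' in enable-cc-provisioning, 'commoncriteria PPA repository' in disable-cc-provisioning, and 'Security Benchmarks PPA' versus 'security benchmarks PPA repository' in the CIS section. Pick one spelling, and align it with the help output in ubuntu-advantage, which says 'commoncriteria repository' and 'security benchmarks repository' without 'PPA'.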
971 | diff --git a/update-motd.d/80-livepatch b/update-motd.d/80-livepatch | |||
972 | index de59bf1..ee09a73 100755 | |||
973 | --- a/update-motd.d/80-livepatch | |||
974 | +++ b/update-motd.d/80-livepatch | |||
975 | @@ -2,6 +2,7 @@ | |||
976 | 2 | 2 | ||
977 | 3 | UA=${UA:-"/usr/bin/ubuntu-advantage"} | 3 | UA=${UA:-"/usr/bin/ubuntu-advantage"} |
978 | 4 | UA_STATUS_CACHE=${UA_STATUS_CACHE:-"/var/cache/ubuntu-advantage-tools/ubuntu-advantage-status.cache"} | 4 | UA_STATUS_CACHE=${UA_STATUS_CACHE:-"/var/cache/ubuntu-advantage-tools/ubuntu-advantage-status.cache"} |
979 | 5 | KERNEL_VERSION=${KERNEL_VERSION:-"$(uname -r)"} | ||
980 | 5 | 6 | ||
981 | 6 | [ -x "$UA" ] || exit 0 | 7 | [ -x "$UA" ] || exit 0 |
982 | 7 | 8 | ||
983 | @@ -73,6 +74,11 @@ case "$livepatch_status" in | |||
984 | 73 | "disabled (not available)") | 74 | "disabled (not available)") |
985 | 74 | # do nothing | 75 | # do nothing |
986 | 75 | ;; | 76 | ;; |
987 | 77 | "disabled (unsupported kernel)") | ||
988 | 78 | echo | ||
989 | 79 | echo " * Canonical Livepatch is installed but disabled" | ||
990 | 80 | echo " - Kernel ${KERNEL_VERSION} is not supported (https://bit.ly/livepatch-faq)" | ||
991 | 81 | ;; | ||
992 | 76 | "enabled") | 82 | "enabled") |
993 | 77 | echo | 83 | echo |
994 | 78 | echo " * Canonical Livepatch is enabled." | 84 | echo " * Canonical Livepatch is enabled." |
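Review bot: the new "disabled (unsupported kernel)" branch prints a bit.ly short link in the MOTD. A shortened URL hides its destination from the administrator reading it at login and makes the message depend on a third-party redirector that can be changed or expire independently of the package. Prefer a full ubuntu.com URL, in line with the https://www.ubuntu.com/server/livepatch link already used in the usage text. The matching assertion in tests/test_livepatch_motd.py would need the same change.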
Considering that the content was already reviewed on the actual project I can't find an issue from the packaging perspective.
So Ack?
I took a look at the rest (high level only) and found a few things worth mentioning:
I was wondering why the Readme.md didn't get an entry for "Canonical CIS Ubuntu Benchmark Audit tool", but all other elements got one - intentional?
Furthermore "FIPS PPA repository" got changed to "FIPS repository", but all the commoncriteria/CIS entries still call it "PPA repository", which feels a bit inconsistent.
How do you want to continue, do you want to fix up the mentioned issues and/or a deeper review of what was changed upstream?
Or would you want to upload v18 as-is (it is a correctly packaged v18) and work on those things for v19 at the source?