Add actors for OpenSSL conf and IBMCA

* The openssl-ibmca needs to be reconfigured manually after the upgrade.
  Report it to the user if the package is installed.

* The openssl configuration file (/etc/pki/tls/openssl.cnf) is not
  100% compatible between major verions of RHEL due to different
  versions of OpenSSL. Also the configuration is supposed to be
  done via system wide crypto policies instead, so it's expected
  to not modify this file anymore. If the content of the file has
  been modified, report to user what will happen during the upgrade
  and what they should do after it.

* If the openssl config file is modified (rpm -Vf <file>) and
  *.rpmnew file exists, back up the file with .leappsave suffix
  and replace it by the *.rpmsave one.

Author: pirat89

repos/system_upgrade/common/actors/openssl/checkopensslconf/actor.py

@@ -0,0 +1,33 @@
+from leapp.actors import Actor
+from leapp.libraries.actor import checkopensslconf
+from leapp.models import InstalledRedHatSignedRPM, Report, TrackedSourceFilesInfo
+from leapp.tags import ChecksPhaseTag, IPUWorkflowTag
+
+
+class CheckOpenSSLConf(Actor):
+    """
+    Check whether the openssl configuration and openssl-IBMCA.
+
+    See the report messages for more details. The summary is that since RHEL 8
+    it's expected to configure OpenSSL via crypto policies. Also, OpenSSL has
+    different versions between major versions of RHEL:
+      * RHEL 7: 1.0,
+      * RHEL 8: 1.1,
+      * RHEL 9: 3.0
+    So OpenSSL configuration from older system does not have to be 100%
+    compatible with the new system. In some cases, the old configuration could
+    make the system inaccessible remotely. So new approach is to ensure the
+    upgraded system will use always new default /etc/pki/tls/openssl.cnf
+    configuration file (the original one will be backed up if modified by user).
+
+    Similar for OpenSSL-IBMCA, when it's expected to configure it again on
+    each newer system.
+    """
+
+    name = 'check_openssl_conf'
+    consumes = (InstalledRedHatSignedRPM, TrackedSourceFilesInfo)
+    produces = (Report,)
+    tags = (IPUWorkflowTag, ChecksPhaseTag)
+
+    def process(self):
+        checkopensslconf.process()

repos/system_upgrade/common/actors/openssl/checkopensslconf/libraries/checkopensslconf.py

@@ -0,0 +1,90 @@
+from leapp import reporting
+from leapp.libraries.common.config import architecture, version
+from leapp.libraries.common.rpms import has_package
+from leapp.libraries.stdlib import api
+from leapp.models import InstalledRedHatSignedRPM, TrackedSourceFilesInfo
+
+DEFAULT_OPENSSL_CONF = '/etc/pki/tls/openssl.cnf'
+
+
+def check_ibmca():
+    if not architecture.matches_architecture(architecture.ARCH_S390X):
+        # not needed check really, but keeping it to make it clear
+        return
+    if not has_package(InstalledRedHatSignedRPM, 'openssl-ibmca'):
+        return
+    # TODO(pstodulk): check with @ksrot whether this is relevant for IPU 8 -> 9 also
+    # (orig msg was for IPU 7 -> 8 only); engine vs provider?
+    # https://www.ibm.com/docs/en/linux-on-z?topic=openssl-using-ibmca-provider
+    summary = (
+        'The presence of openssl-ibmca package suggests that the system may be configured'
+        ' to use the IBMCA OpenSSL engine.'
+        ' Due to major changes in OpenSSL and libica between RHEL {old} and RHEL {new} it is not'
+        ' possible to migrate OpenSSL configuration files automatically. Therefore,'
+        ' it is necessary to enable IBMCA engine in the OpenSSL config file manually'
+        ' after the system upgrade.'
+        .format(
+            old=version.get_source_major_version(),
+            new=version.get_target_major_version()
+        )
+    )
+
+    hint = (
+        'Configure the IBMCA engine manually after the upgrade.'
+        ' Please, be aware that it is not recommended to configure the system default'
+        ' /etc/pki/tls/openssl.cnf. Instead, it is recommended to configure a copy of'
+        ' that file and used this copy only for particular applications that are supposed'
+        ' to utilize the IBMCA engine. The location of the OpenSSL configuration file'
+        ' can be specified using the OPENSSL_CONF environment variable.'
+    )
+    # TODO(pstodulk): is there a doc?
+    # TODO(pstodulk): encryption, security groups?
+
+    reporting.create_report([
+        reporting.Title('Detected possible use of IBMCA in OpenSSL'),
+        reporting.Summary(summary),
+        reporting.Remediation(hint=hint),
+        reporting.Severity(reporting.Severity.MEDIUM),
+        reporting.Groups([
+            reporting.Groups.POST,
+            reporting.Groups.SECURITY,
+            reporting.Groups.SERVICES
+        ]),
+    ])
+
+
+def _is_openssl_modified():
+    tracked_files = next(api.consume(TrackedSourceFilesInfo), None)
+    if not tracked_files:
+        # unexpected at all, skipping testing, but keeping the log just in case
+        api.current_logger.warning('The TrackedSourceFilesInfo message is missing! Skipping check of openssl config.')
+        return False
+    for finfo in tracked_files.files:
+        if finfo.path == DEFAULT_OPENSSL_CONF:
+            return finfo.is_modified
+    return False
+
+
+def check_default_openssl():
+    if not _is_openssl_modified():
+        return
+    # TODO(pstodulk): total TODO. sync with dbelyakov
+    summary = (
+        ''
+    )
+    hint = (
+        'Review the changes after the upgrade and configure the system as needed'
+        ' via crypto policies.'
+    )
+    reporting.create_report([
+        reporting.Title('The /etc/pki/tls/openssl.cnf file will be replaced by the target RHEL default.'),
+        reporting.Summary(summary),
+        reporting.Remediation(hint=hint),
+        reporting.Severity(reporting.Severity.MEDIUM),
+        reporting.Groups([reporting.Groups.POST, reporting.Groups.SECURITY]),
+    ])
+
+
+def process():
+    check_ibmca()
+    check_default_openssl()

repos/system_upgrade/common/actors/openssl/checkopensslconf/tests/unit_test_checkopensslconf.py

@@ -0,0 +1,18 @@
+import pytest
+
+from leapp import reporting
+from leapp.libraries.actor import checkopensslconf
+from leapp.libraries.common.config import architecture
+from leapp.libraries.common.testutils import create_report_mocked, CurrentActorMocked, logger_mocked
+from leapp.libraries.stdlib import api
+from leapp.models import InstalledRedHatSignedRPM, TrackedSourceFilesInfo
+
+
+# TODO(pstodulk)
+@pytest.mark.parametrize('arch,msgs,ibmca,openssl', (
+    (architecture.ARCH_S390X, [], False, False),
+))
+def test_ibmca(monkeypatch, arch, msgs):
+    monkeypatch.setattr(reporting, "create_report", create_report_mocked())
+    monkeypatch.setattr(api, 'current_actor', CurrentActorMocked(arch=arch, msgs=msgs))
+    pass

repos/system_upgrade/common/actors/openssl/migrateopensslconf/actor.py

@@ -0,0 +1,26 @@
+from leapp.actors import Actor
+from leapp.libraries.actor import migrateopensslconf
+from leapp.tags import ApplicationsPhaseTag, IPUWorkflowTag
+
+
+class MigrateOpenSslConf(Actor):
+    """
+    Enforce the target default configuration file to be used.
+
+    If the /etc/pki/tls/openssl.cnf has been modified and openssl.cnf.rpmnew
+    file is created, backup the original one and replace it by the new default.
+
+    tl;dr:
+    if the file is modified; then
+      mv /etc/pki/tls/openssl.cnf{,rpmsave_leapp}
+      mv /etc/pki/tls/openssl.cnf{.rpmnew,}
+    fi
+    """
+
+    name = 'migrate_openssl_conf'
+    consumes = ()
+    produces = ()
+    tags = (IPUWorkflowTag, ApplicationsPhaseTag)
+
+    def process(self):
+        migrateopensslconf.process()

repos/system_upgrade/common/actors/openssl/migrateopensslconf/libraries/migrateopensslconf.py

@@ -0,0 +1,54 @@
+import os
+
+from leapp.libraries.stdlib import api, CalledProcessError, run
+
+DEFAULT_OPENSSL_CONF = '/etc/pki/tls/openssl.cnf'
+OPENSSL_CONF_RPMNEW = '{}.rpmnew'.format(DEFAULT_OPENSSL_CONF)
+OPENSSL_CONF_BACKUP = '{}.leappsave'.format(DEFAULT_OPENSSL_CONF)
+
+
+def _is_openssl_modified():
+    """
+    Return True if modified in any way
+    """
+    # NOTE(pstodulk): this is different from the approach in scansourcefiles,
+    # where we are interested about modified content. In this case, if the
+    # file is modified in any way, let's do something about that..
+    try:
+        run(['rpm', '-Vf', DEFAULT_OPENSSL_CONF])
+    except CalledProcessError:
+        return True
+    return False
+
+
+def _safe_mv_file(src, dst):
+    """
+    Move the file from src to dst. Return True on success, otherwise False.
+    """
+    try:
+        run(['mv', src, dst])
+    except CalledProcessError:
+        return False
+    return True
+
+
+def process():
+    if not _is_openssl_modified():
+        return
+    if not os.path.exists(OPENSSL_CONF_RPMNEW):
+        api.current_logger().debug('The {} file is modified, but *.rpmsave not found. Cannot do anything.')
+        return
+    if not _safe_mv_file(DEFAULT_OPENSSL_CONF, OPENSSL_CONF_BACKUP):
+        # NOTE(pstodulk): One of reasons could be the file is missing, however
+        # that's not expected to happen at all. If the file is missing before
+        # the upgrade, it will be installed by new openssl* package
+        api.current_logger().error(
+            'Could not back up the {} file. Skipping other actions.'
+            .format(DEFAULT_OPENSSL_CONF)
+        )
+        return
+    if not _safe_mv_file(OPENSSL_CONF_RPMNEW, DEFAULT_OPENSSL_CONF):
+        # unexpected, it's double seatbelt
+        api.current_logger().error('Cannot apply the new openssl configuration file! Restore it from the backup.')
+        if not _safe_mv_file(OPENSSL_CONF_BACKUP, DEFAULT_OPENSSL_CONF):
+            api.current_logger().error('Cannot restore the openssl configuration file!')

repos/system_upgrade/common/actors/scansourcefiles/libraries/scansourcefiles.py

@@ -9,6 +9,7 @@
 # '8' (etc..) -> files supposed to be scanned when particular major version of OS is used
 TRACKED_FILES = {
     'common': [
+        '/etc/pki/tls/openssl.cnf',
     ],
     '8': [
     ],