Merge pull request #661 from furlongm/develop (patchman 4)

patchman 4

Author: furlongm

.gitignore

@@ -14,3 +14,5 @@ dist
 run
 pyvenv.cfg
 .vscode
+.venv
+*.xml

TODO

@@ -1,15 +1,21 @@
-* allow sending updates from Red Hat / SuSE machines
-* web interface support for updating repos, finding updates
 * add checkrestart-style options to see which services need restarting
-* CVE/OVAL apps
+* OVAL/OSCAP apps
 * CA support (tinyca?)
-* native python client, using apt/yum/debian libraries
+* native python/go client, using apt/yum/debian libraries
 * record the history of installed packages on a host
 * also store package descriptions/tags/urls
 * check for unused repos
 * suggest names for repos with the same checksum
 * helper script to change paths (e.g. /usr/lib/python3/dist-packages/patchman)
 * Dockerfile/Dockerimage
 * compressed reports
-* add cronjobs to built packages
-* install celery/rabbit/memcache with packages
+* add cronjobs to build packages
+* dnf5 support
+* proxy support
+* GLSA support
+* only use date for errata issue date?
+* parallelize package extraction
+* use django-tables2
+* autonaming for deb repos
+* associate repos with gentoo hosts
+* populate authenticated repos with package lists from hosts?

arch/utils.py

@@ -0,0 +1,52 @@
+# Copyright 2025 Marcus Furlong <furlongm@gmail.com>
+#
+# This file is part of Patchman.
+#
+# Patchman is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 only.
+#
+# Patchman is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchman. If not, see <http://www.gnu.org/licenses/>
+
+from arch.models import PackageArchitecture, MachineArchitecture
+from patchman.signals import info_message
+
+
+def clean_package_architectures():
+    """ Remove package architectures that are no longer in use
+    """
+    parches = PackageArchitecture.objects.filter(package__isnull=True)
+    plen = parches.count()
+    if plen == 0:
+        info_message.send(sender=None, text='No orphaned PackageArchitectures found.')
+    else:
+        info_message.send(sender=None, text=f'Removing {plen} orphaned PackageArchitectures')
+        parches.delete()
+
+
+def clean_machine_architectures():
+    """ Remove machine architectures that are no longer in use
+    """
+    marches = MachineArchitecture.objects.filter(
+        host__isnull=True,
+        repository__isnull=True,
+    )
+    mlen = marches.count()
+    if mlen == 0:
+        info_message.send(sender=None, text='No orphaned MachineArchitectures found.')
+    else:
+        info_message.send(sender=None, text=f'Removing {mlen} orphaned MachineArchitectures')
+        marches.delete()
+
+
+def clean_architectures():
+    """ Remove architectures that are no longer in use
+    """
+    clean_package_architectures()
+    clean_machine_architectures()

client/patchman-client

@@ -297,10 +297,20 @@ get_installed_archlinux_packages() {
     fi
 }
 
+get_installed_gentoo_packages() {
+    if check_command_exists qkeyword ; then
+        gentoo_package_arch=$(qkeyword -A)
+    fi
+    if check_command_exists qlist ; then
+        qlist -Ic -F "'%{PN}' '%{SLOT}' '%{PV}' REL'%{PR}' '${gentoo_package_arch}' 'gentoo' '%{CAT}' '%{REPO}'" | sed -e "s/REL'r/'/g"  >> "${tmpfile_pkg}"
+    fi
+}
+
 get_packages() {
     get_installed_rpm_packages
     get_installed_deb_packages
     get_installed_archlinux_packages
+    get_installed_gentoo_packages
 }
 
 get_modules() {
@@ -346,7 +356,9 @@ get_host_data() {
             os="${PRETTY_NAME}"
         elif [ "${ID}" == "arch" ] ; then
             os="${NAME}"
-        elif [[ "${ID}" =~ "suse" ]] ; then
+        elif [ "${ID}" == "gentoo" ] ; then
+            os="${PRETTY_NAME} ${VERSION_ID}"
+        elif [[ "${ID_LIKE}" =~ "suse" ]] ; then
             os="${PRETTY_NAME}"
         elif [ "${ID}" == "astra" ] ; then
             os="${NAME} $(cat /etc/astra_version)"
@@ -386,6 +398,9 @@ get_host_data() {
             fi
         done
     fi
+    if [ ! -z "${CPE_NAME}" ] ; then
+        os="${os} [${CPE_NAME}]"
+    fi
     if ${verbose} ; then
         echo "Kernel:   ${host_kernel}"
         echo "Arch:     ${host_arch}"
@@ -452,7 +467,7 @@ get_repos() {
         fi
         # replace this with a dedicated awk or simple python script?
         yum_repolist=$(yum repolist enabled --verbose 2>/dev/null | sed -e "s/:\? *([0-9]\+ more)$//g" -e "s/ ([0-9]\+$//g" -e "s/:\? more)$//g" -e "s/'//g" -e "s/%/%%/g")
-        for i in $(echo "${yum_repolist}" | awk '{ if ($1=="Repo-id") {printf "'"'"'"; for (i=3; i<NF; i++) printf $i " "; printf $NF"'"'"' "} if ($1=="Repo-name") {printf "'"'"'"; for (i=3; i<NF; i++) printf $i " "; printf $NF"'" ${host_arch}'"' "} if ($1=="Repo-mirrors" || $1=="Repo-metalink:") {printf "'"'"'"; for (i=3; i<NF; i++) printf $i " "; printf $NF"'"'"' "} if ($1=="Repo-baseurl" || $1=="Repo-baseurl:") { url=1; comma=match($NF,","); if (comma) out=substr($NF,1,comma-1); else out=$NF; printf "'"'"'"out"'"'"' "; } else { if (url==1) { if ($1==":") { comma=match($NF,","); if (comma) out=substr($NF,1,comma-1); else out=$NF; printf "'"'"'"out"'"'"' "; } else {url=0; print "";} } } }' | sed -e "s/\/'/'/g" | sed -e "s/ ' /' /") ; do
+        for i in $(echo "${yum_repolist}" | awk '{ if ($1=="Repo-id") {printf "'"'"'"; for (i=3; i<NF; i++) printf $i " "; printf $NF"'"'"' "} if ($1=="Repo-name") {printf "'"'"'"; for (i=3; i<NF; i++) printf $i " "; printf $NF"'" ${host_arch}'"' "} if ($1=="Repo-mirrors" || $1=="Repo-metalink") {printf "'"'"'"; for (i=3; i<NF; i++) printf $i " "; printf $NF"'"'"' "} if ($1=="Repo-baseurl" || $1=="Repo-baseurl:") { url=1; comma=match($NF,","); if (comma) out=substr($NF,1,comma-1); else out=$NF; printf "'"'"'"out"'"'"' "; } else { if (url==1) { if ($1==":") { comma=match($NF,","); if (comma) out=substr($NF,1,comma-1); else out=$NF; printf "'"'"'"out"'"'"' "; } else {url=0; print "";} } } }' | sed -e "s/\/'/'/g" | sed -e "s/ ' /' /") ; do
             full_id=$(echo ${i} | cut -d \' -f 2)
             id=$(echo ${i} | cut -d \' -f 2 | cut -d \/ -f 1)
             name=$(echo ${i} | cut -d \' -f 4)
@@ -463,7 +478,7 @@ get_repos() {
             if [ "${priority}" == "" ] ; then
                 priority=99
             fi
-            redhat_repo=$(echo ${i} | grep -e "https://.*/XMLRPC.*\|https://cdn.redhat.com/.*")
+            redhat_repo=$(echo ${i} | grep -e "https://.*/XMLRPC.*\|https://cdn[-[a-z]*]*.redhat.com/.*")
             if [ ${?} == 0 ] || ${local_updates} ; then
                 if ${verbose} ; then
                     echo "Finding updates locally for ${id}"
@@ -473,7 +488,7 @@ get_repos() {
             if [ ! -z ${CPE_NAME} ] ; then
                 id="${CPE_NAME}-${id}"
             fi
-            j=$(echo ${i} | sed -e "s#'${full_id}' '${name}'#'${name}' '${id}' '${priority}'#")
+            j=$(echo ${i} | sed -e "s#'${full_id}' '${name}'#'${name}' '${id}' '${priority}'#" | sed -e "s/'\[/'/g" -e "s/\]'/'/g")
             echo "'rpm' ${j}" >> "${tmpfile_rep}"
             unset priority
         done
@@ -484,7 +499,8 @@ get_repos() {
         if ${verbose} ; then
             echo 'Finding apt repos...'
         fi
-        IFS=${FULL_IFS} read -r osname shortversion <<<$(echo "${os}" | awk '{print $1,$2}' | cut -d . -f 1,2)
+        osname=$(echo ${os} | cut -d " " -f 1)
+        shortversion=${VERSION_ID}
         repo_string="'deb\' \'${osname} ${shortversion} ${host_arch} repo at"
         repos=$(apt-cache policy | grep -v Translation | grep -E "^ *[0-9]{1,5}" | grep -E " mirror\+file|http(s)?:" | sed -e "s/^ *//g" -e "s/ *$//g" | cut -d " " -f 1,2,3,4)
         non_mirror_repos=$(echo "${repos}" | grep -Ev "mirror\+file")
@@ -510,11 +526,11 @@ get_repos() {
             echo 'Finding zypper repos...'
         fi
         if [ $(zypper -q --no-refresh lr --details | head -n 1 | grep Keep) ] ; then
-            zypper_lr_cols="2,3,8,10"
+            zypper_lr_cols='{print "${os}" $3 "|" $2 "|" $8 "|" $10}'
         else
-            zypper_lr_cols="2,3,7,9"
+            zypper_lr_cols='{print "${os}" $3 "|" $2 "|" $7 "|" $9}'
         fi
-        for i in $(zypper -q --no-refresh lr -E -u --details | grep -v ^$ | tail -n +3 | cut -d "|" -f ${zypper_lr_cols} | sed -e "s/ *|/ ${host_arch} |/" -e "s/\?[a-zA-Z0-9_-]* *$//" -e "s/^ /'/g" -e "s/ *| */' '/g" -e "s/ *$/'/g") ; do
+        for i in $(zypper -q --no-refresh lr -E -u --details | grep -v ^$ | tail -n +3 | awk -F"|" "${zypper_lr_cols}" | sed -e "s/\${os}/${PRETTY_NAME}/" -e "s/ *|/ ${host_arch} |/" -e "s/\?[a-zA-Z0-9_-]* *$//" -e "s/^/'/g" -e "s/ *| */' '/g" -e "s/ *$/'/g") ; do
             echo \'rpm\' ${i} >> "${tmpfile_rep}"
             id=$(echo ${i} | cut -d \' -f 4)
             suse_repo=$(echo ${i} | grep -e "https://updates.suse.com/.*")
@@ -557,6 +573,56 @@ get_repos() {
         done
     fi
 
+    # Gentoo
+    if [[ "${os}" =~ "Gentoo" ]] ; then
+        if [ ${verbose} == 1 ] ; then
+            echo 'Finding portage repos...'
+        fi
+        declare -A repo_info
+        repos_output=$(portageq repos_config /)
+        repo_name=""
+        priority=""
+        sync_uri=""
+
+        while IFS= read -r line; do
+            # if the line starts with a section header (e.g., [gentoo], [guru]), it's the repo name
+            if [[ "${line}" =~ ^\[(.*)\] ]]; then
+                # if we already have a repo_name, save the previous entry
+                if [[ -n "${repo_name}" && -n "${sync_uri}" ]]; then
+                    repo_info["${repo_name}"]="${priority},${sync_uri}"
+                fi
+                # else start new repo parsing, resetting vars
+                repo_name="${BASH_REMATCH[1]}"
+                priority=""
+                sync_uri=""
+            fi
+
+            # if the line contains "priority", extract the value, 0 if it doesnt exist
+            if [[ "${line}" =~ "priority" ]]; then
+                priority=$(echo "${line}" | cut -d'=' -f2 | xargs)
+            fi
+
+            # if the line contains "sync-uri", extract the value
+            if [[ "${line}" =~ "sync-uri" ]]; then
+                sync_uri=$(echo "${line}" | cut -d'=' -f2 | xargs)
+            fi
+        done <<< "${repos_output}"
+
+        # save the last repository entry if it's available
+        if [[ -n "${repo_name}" && -n "${sync_uri}" ]]; then
+            repo_info["${repo_name}"]="${priority},${sync_uri}"
+        fi
+
+        for repo in "${!repo_info[@]}"; do
+            priority=$(echo ${repo_info[$repo]} | cut -d',' -f1)
+            sync_uri=$(echo ${repo_info[$repo]} | cut -d',' -f2)
+            if [ "${priority}" == "" ] ; then
+                priority=0
+            fi
+            echo "'gentoo' 'Gentoo Linux ${repo} Repo ${host_arch}' '${repo}' '${priority}' '${sync_uri}'" >> "${tmpfile_rep}"
+        done
+    fi
+
     IFS=${FULL_IFS}
 
     sed -i -e '/^$/d' "${tmpfile_rep}"
@@ -629,10 +695,11 @@ post_data() {
 }
 
 if ! check_command_exists which || \
+   ! check_command_exists awk || \
    ! check_command_exists mktemp || \
    ! check_command_exists curl || \
    ! check_command_exists flock ; then
-    echo "which, mktemp, flock or curl was not found, exiting."
+    echo "which, awk, mktemp, flock or curl was not found, exiting."
     exit 1
 fi
 

debian/control

@@ -16,9 +16,11 @@ Homepage: https://github.com/furlongm/patchman
 Depends: ${misc:Depends}, python3 (>= 3.10), python3-django (>= 3.2),
  python3-django-tagging, python3-django-extensions, python3-django-bootstrap3,
  python3-djangorestframework, python3-django-filters, python3-debian,
- python3-rpm, python3-progressbar, python3-lxml, python3-defusedxml,
+ python3-rpm, python3-tqdm, python3-lxml, python3-defusedxml,
  python3-requests, python3-colorama, python3-magic, python3-humanize,
- python3-pip, python3-pymemcache, python3-yaml, memcached, libapache2-mod-wsgi-py3, apache2
+ python3-pip, python3-pymemcache, python3-yaml, memcached, libapache2-mod-wsgi-py3,
+ apache2, python3-django-taggit
+>>>>>>> 922796e (switch from obsolete django-tagging to django-taggit)
 Suggests: python3-django-celery, python3-mysqldb, python3-psycopg2
 Description: Django-based patch status monitoring tool for linux systems.
  .
@@ -41,7 +43,7 @@ Description: Django-based patch status monitoring tool for linux systems.
 Package: patchman-client
 Architecture: all
 Homepage: https://github.com/furlongm/patchman
-Depends: ${misc:Depends}, curl, debianutils, util-linux, coreutils
+Depends: ${misc:Depends}, curl, debianutils, util-linux, coreutils, mawk
 Description: Client for the patchman monitoring system.
  .
  The client will send a list of packages and repositories to the upstream

debian/python3-patchman.install

@@ -1,3 +1,4 @@
 #!/usr/bin/dh-exec
 etc/patchman/apache.conf.example => etc/apache2/conf-available/patchman.conf
 etc/patchman/local_settings.py etc/patchman
+etc/systemd/system/patchman-celery.service => lib/systemd/system/patchman-celery.service

debian/python3-patchman.postinst

@@ -20,6 +20,7 @@ if [ "$1" = "configure" ] ; then
 
     patchman-manage makemigrations
     patchman-manage migrate --run-syncdb --fake-initial
+    sqlite3 /var/lib/patchman/db/patchman.db 'PRAGMA journal_mode=WAL;'
 
     chown -R www-data:www-data /var/lib/patchman
 

errata/admin.py

@@ -0,0 +1,25 @@
+# Copyright 2025 Marcus Furlong <furlongm@gmail.com>
+#
+# This file is part of Patchman.
+#
+# Patchman is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 only.
+#
+# Patchman is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchman. If not, see <http://www.gnu.org/licenses/>
+
+from django.contrib import admin
+from errata.models import Erratum
+
+
+class ErratumAdmin(admin.ModelAdmin):
+    readonly_fields = ('affected_packages', 'fixed_packages', 'references')
+
+
+admin.site.register(Erratum, ErratumAdmin)

errata/apps.py

@@ -0,0 +1,21 @@
+# Copyright 2025 Marcus Furlong <furlongm@gmail.com>
+#
+# This file is part of Patchman.
+#
+# Patchman is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 only.
+#
+# Patchman is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchman. If not, see <http://www.gnu.org/licenses/>
+
+from django.apps import AppConfig
+
+
+class ErrataConfig(AppConfig):
+    name = 'errata'

errata/managers.py

@@ -0,0 +1,22 @@
+# Copyright 2025 Marcus Furlong <furlongm@gmail.com>
+#
+# This file is part of Patchman.
+#
+# Patchman is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, version 3 only.
+#
+# Patchman is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Patchman. If not, see <http://www.gnu.org/licenses/>
+
+from django.db import models
+
+
+class ErratumManager(models.Manager):
+    def get_queryset(self):
+        return super().get_queryset().select_related()