Diagnose ssl libs installed from sury (#1053)

* Small fix / syntax improvement in apt conf regen hook

* Diagnose, report and add a tip if some ssl libs are installed from Sury (shouldn't happen with the new pinning strategy, but some users still encounter issues because of legacy installs)
This commit is contained in:
Alexandre Aubin 2020-09-16 16:18:10 +02:00
parent 92068590a2
commit b59ed4120b
3 changed files with 28 additions and 2 deletions


@ -7,12 +7,13 @@ do_pre_regen() {
mkdir --parents "${pending_dir}/etc/apt/preferences.d"
for package in "php" "php-fpm" "php-mysql" "php-xml" "php-zip" "php-mbstring" "php-ldap" "php-gd" "php-curl" "php-bz2" "php-json" "php-sqlite3" "php-intl" "openssl" "libssl1.1" "libssl-dev"
packages_to_refuse_from_sury="php php-fpm php-mysql php-xml php-zip php-mbstring php-ldap php-gd php-curl php-bz2 php-json php-sqlite3 php-intl openssl libssl1.1 libssl-dev"
for package in $packages_to_refuse_from_sury
do
echo "
Package: $package
Pin: origin \"packages.sury.org\"
Pin-Priority: -1" >> "/etc/apt/preferences.d/extra_php_version"
Pin-Priority: -1" >> "${pending_dir}/etc/apt/preferences.d/extra_php_version"
done
}
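Review bot: The loop at `for package in $packages_to_refuse_from_sury` relies on unquoted word splitting of a string, which works for these names but is the form shellcheck flags (SC2086); a bash array, `packages_to_refuse_from_sury=(php php-fpm … libssl-dev)` with `for package in "${packages_to_refuse_from_sury[@]}"`, states the intent explicitly and survives any future entry that needs quoting. The three ssl names at the end of this list (`openssl`, `libssl1.1`, `libssl-dev`) are hard-coded a second time in the diagnoser's `bad_sury_packages`; a comment on the variable such as `# keep in sync with packages_to_check in the basesystem diagnoser` would help keep the two lists consistent. The enclosing `do_pre_regen` starts outside the hunk.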


@ -83,6 +83,29 @@ class BaseSystemDiagnoser(Diagnoser):
details=["diagnosis_security_vulnerable_to_meltdown_details"]
)
bad_sury_packages = list(self.bad_sury_packages())
if bad_sury_packages:
cmd_to_fix = "apt install --allow-downgrades " \
+ " ".join(["%s=%s" % (package, version) for package, version in bad_sury_packages])
yield dict(meta={"test": "packages_from_sury"},
data={"cmd_to_fix": cmd_to_fix},
status="WARNING",
summary="diagnosis_package_installed_from_sury",
details=["diagnosis_package_installed_from_sury_details"])
def bad_sury_packages(self):
packages_to_check = ["openssl", "libssl1.1", "libssl-dev"]
for package in packages_to_check:
cmd = "dpkg --list | grep '^ii' | grep gbp | grep -q -w %s" % package
# If version currently installed is not from sury, nothing to report
if os.system(cmd) != 0:
continue
cmd = "LC_ALL=C apt policy %s 2>&1 | grep http -B1 | tr -d '*' | grep '+deb' | grep -v 'gbp' | head -n 1 | awk '{print $1}'" % package
version_to_downgrade_to = check_output(cmd).strip()
yield (package, version_to_downgrade_to)
def is_vulnerable_to_meltdown(self):
# meltdown CVE: https://security-tracker.debian.org/tracker/CVE-2017-5754
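Review bot: In `bad_sury_packages`, an empty `version_to_downgrade_to` (when `apt policy` lists no non-sury `+deb` candidate) is yielded unchanged, so `cmd_to_fix` ends up containing `openssl=` and the suggested `apt install --allow-downgrades` command is malformed; guard it with `if not version_to_downgrade_to: continue`, or yield the package without a version so the warning is still shown. The detection at `dpkg --list | grep '^ii' | grep gbp | grep -q -w %s` matches `gbp` and the package name anywhere on the dpkg line, description column included, so an unrelated `gbp`-versioned package whose description mentions the name could trigger a misreport; querying the specific package, e.g. `dpkg-query -W -f='${Version}\n' %s`, and testing that version string would be tighter. Both shell commands are built with `%` from the hard-coded `packages_to_check` list, so no user-controlled input reaches the shell here, but a one-line comment saying so would spare the next reader the question. `check_output` looks like a project helper whose return type is not visible in this hunk — confirm that `.strip()` and the later `%s` formatting agree with what it returns (str vs bytes).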


@ -143,6 +143,8 @@
"diagnosis_basesystem_ynh_single_version": "{package} version: {version} ({repo})",
"diagnosis_basesystem_ynh_main_version": "Server is running YunoHost {main_version} ({repo})",
"diagnosis_basesystem_ynh_inconsistent_versions": "You are running inconsistent versions of the YunoHost packages... most probably because of a failed or partial upgrade.",
"diagnosis_package_installed_from_sury": "Some system packages should be downgraded",
"diagnosis_package_installed_from_sury_details": "Some packages were inadvertendly installed from a third-party repository called Sury. The Yunohost team improved the strategy that handle these packages, but it's expected that some setups that installed PHP7.3 apps while still on Stretch have some remaining inconsistencies. To fix this situation, you should try running the following command: <cmd>{cmd_to_fix}</cmd>",
"diagnosis_display_tip": "To see the issues found, you can go to the Diagnosis section of the webadmin, or run 'yunohost diagnosis show --issues' from the command-line.",
"diagnosis_failed_for_category": "Diagnosis failed for category '{category}': {error}",
"diagnosis_cache_still_valid": "(Cache still valid for {category} diagnosis. Won't re-diagnose it yet!)",