import ipa-healthcheck-0.16-7.el10

3 months ago · c4f7b5e891
parent 4450022cfd
commit c4f7b5e891
7 changed files with 477 additions and 1 deletions
--- a/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
+++ b/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
@ -0,0 +1,46 @@
+From e556edc0b1cb607caa50f760d5059877f35fbcdc Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 11 Jan 2024 14:40:02 -0500
+Subject: [PATCH] Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0
+
+In 11.5.0 the PKI project stopped storing the certificate
+blobs in CS.cfg. If we continue to check it we will report a
+false positive so skip it in that case.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/dogtag/ca.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
+index 4afa5d7..ddf5ece 100644
+--- a/src/ipahealthcheck/dogtag/ca.py
+++ b/src/ipahealthcheck/dogtag/ca.py
+@@ -16,6 +16,8 @@ from ipaserver.install import krainstance
+ from ipapython.directivesetter import get_directive
+ from cryptography.hazmat.primitives.serialization import Encoding
+ 
+import pki.util
+
+ logger = logging.getLogger()
+ 
+ 
+@@ -30,6 +32,13 @@ class DogtagCertsConfigCheck(DogtagPlugin):
+             logger.debug("No CA configured, skipping dogtag config check")
+             return
+ 
+        pki_version = pki.util.Version(pki.specification_version())
+        if pki_version >= pki.util.Version("11.5.0"):
+            logger.debug(
+                "PKI 11.5.0 no longer stores certificats in CS.cfg"
+            )
+            return
+
+         kra = krainstance.KRAInstance(api.env.realm)
+ 
+         blobs = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
+-- 
+2.45.0
+
--- a/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
+++ b/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
@ -0,0 +1,59 @@
+From 3d85d43f62a0c52e44a2228c872307152b2b0de1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 12 Jan 2024 10:17:18 -0500
+Subject: [PATCH] test: Handle PKI >= 11.5.0 not storing certs in CS.cfg
+
+Update the test to expect 0 results if the PKI version is
+>= 11.5.0.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ tests/test_dogtag_ca.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py
+index 0820aba..1f61dea 100644
+--- a/tests/test_dogtag_ca.py
+++ b/tests/test_dogtag_ca.py
+@@ -2,12 +2,16 @@
+ # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
+ #
+ 
+import pki.util
+ from util import capture_results, CAInstance, KRAInstance
+ from base import BaseTest
+ from ipahealthcheck.core import config, constants
+ from ipahealthcheck.dogtag.plugin import registry
+ from ipahealthcheck.dogtag.ca import DogtagCertsConfigCheck
+ from unittest.mock import Mock, patch
+import pytest
+
+pki_version = pki.util.Version(pki.specification_version())
+ 
+ 
+ class mock_Cert:
+@@ -43,6 +47,9 @@ class TestCACerts(BaseTest):
+         Mock(return_value=KRAInstance()),
+     }
+ 
+    @pytest.mark.skipif(
+        pki_version >= pki.util.Version("11.5.0"),
+        reason='Does not apply to PKI 11.5.0+')
+     @patch('ipahealthcheck.dogtag.ca.get_directive')
+     @patch('ipaserver.install.certs.CertDB')
+     def test_ca_certs_ok(self, mock_certdb, mock_directive):
+@@ -71,6 +78,9 @@ class TestCACerts(BaseTest):
+             assert result.source == 'ipahealthcheck.dogtag.ca'
+             assert result.check == 'DogtagCertsConfigCheck'
+ 
+    @pytest.mark.skipif(
+        pki_version >= pki.util.Version("11.5.0"),
+        reason='Does not apply to PKI 11.5.0+')
+     @patch('ipahealthcheck.dogtag.ca.get_directive')
+     @patch('ipaserver.install.certs.CertDB')
+     def test_cert_missing_from_file(self, mock_certdb, mock_directive):
+-- 
+2.45.0
+
--- a/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch
+++ b/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch
@ -0,0 +1,92 @@
+From c780755c57286949d4c6d62dec6f0ce7d718dd13 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 18 Mar 2024 16:54:47 -0400
+Subject: [PATCH] Handle CS.cfg file missing in DogtagCertsConfigCheck
+
+This should never happen but if that file disappears things have
+gone really, really badly. Throw a CRITICAL error.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/327
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/dogtag/ca.py | 10 ++++++++++
+ tests/test_dogtag_ca.py         |  9 +++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
+index ddf5ece..5c2f6af 100644
+--- a/src/ipahealthcheck/dogtag/ca.py
+++ b/src/ipahealthcheck/dogtag/ca.py
+@@ -3,6 +3,7 @@
+ #
+ 
+ import logging
+import os
+ 
+ from ipahealthcheck.dogtag.plugin import DogtagPlugin, registry
+ from ipahealthcheck.core.plugin import Result
+@@ -32,6 +33,15 @@ class DogtagCertsConfigCheck(DogtagPlugin):
+             logger.debug("No CA configured, skipping dogtag config check")
+             return
+ 
+        if not os.path.exists(paths.CA_CS_CFG_PATH):
+            yield Result(
+                self, constants.CRITICAL,
+                key=f'{paths.CA_CS_CFG_PATH}_missing',
+                configfile=paths.CA_CS_CFG_PATH,
+                msg=f'Configuration file {paths.CA_CS_CFG_PATH} is missing'
+            )
+            return
+
+         pki_version = pki.util.Version(pki.specification_version())
+         if pki_version >= pki.util.Version("11.5.0"):
+             logger.debug(
+diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py
+index 1f61dea..a78e5de 100644
+--- a/tests/test_dogtag_ca.py
+++ b/tests/test_dogtag_ca.py
+@@ -50,9 +50,10 @@ class TestCACerts(BaseTest):
+     @pytest.mark.skipif(
+         pki_version >= pki.util.Version("11.5.0"),
+         reason='Does not apply to PKI 11.5.0+')
+    @patch('os.path.exists')
+     @patch('ipahealthcheck.dogtag.ca.get_directive')
+     @patch('ipaserver.install.certs.CertDB')
+-    def test_ca_certs_ok(self, mock_certdb, mock_directive):
+    def test_ca_certs_ok(self, mock_certdb, mock_directive, mock_exists):
+         """Test what should be the standard case"""
+         trust = {
+             'ocspSigningCert cert-pki-ca': 'u,u,u',
+@@ -62,6 +63,7 @@ class TestCACerts(BaseTest):
+             'caSigningCert cert-pki-ca': 'CT,C,C',
+             'transportCert cert-pki-kra': 'u,u,u',
+         }
+        mock_exists.return_value = True
+         mock_certdb.return_value = mock_CertDB(trust)
+         mock_directive.side_effect = [name for name, nsstrust in trust.items()]
+ 
+@@ -81,9 +83,11 @@ class TestCACerts(BaseTest):
+     @pytest.mark.skipif(
+         pki_version >= pki.util.Version("11.5.0"),
+         reason='Does not apply to PKI 11.5.0+')
+    @patch('os.path.exists')
+     @patch('ipahealthcheck.dogtag.ca.get_directive')
+     @patch('ipaserver.install.certs.CertDB')
+-    def test_cert_missing_from_file(self, mock_certdb, mock_directive):
+    def test_cert_missing_from_file(self, mock_certdb, mock_directive,
+                                    mock_exists):
+         """Test a missing certificate.
+ 
+            Note that if it is missing from the database then this check
+@@ -103,6 +107,7 @@ class TestCACerts(BaseTest):
+         location = nicknames.index('auditSigningCert cert-pki-ca')
+         nicknames[location] = 'NOT auditSigningCert cert-pki-ca'
+ 
+        mock_exists.return_value = True
+         mock_certdb.return_value = mock_CertDB(trust)
+         mock_directive.side_effect = nicknames
+ 
+-- 
+2.45.0
+
--- a/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+++ b/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
@ -0,0 +1,47 @@
+From e0c09f9f1388bbce43775f40a39266e692e231da Mon Sep 17 00:00:00 2001
+From: Thorsten Scherf <tscherf@redhat.com>
+Date: Wed, 13 Mar 2024 12:57:34 +0100
+Subject: [PATCH] Fixes log file permissions as per CIS benchmark
+
+As per CIS benchmark the log file permissions should be 640 for some log
+files but if we change /var/log/ipa-custodia.audit.log permissions to
+640 then "ipa-healthcheck" reports a permission issue.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/325
+Signed-off-by: Thorsten Scherf <tscherf@redhat.com>
+---
+ src/ipahealthcheck/ipa/files.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
+index b7ca116..d914014 100644
+--- a/src/ipahealthcheck/ipa/files.py
+++ b/src/ipahealthcheck/ipa/files.py
+@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                 self.files.append((filename, 'root', 'root', '0600'))
+ 
+         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
+-                          'root', 'root', '0644'))
+                          'root', 'root', '0644', '0640'))
+ 
+         self.files.append((paths.KADMIND_LOG, 'root', 'root',
+                           ('0600', '0640')))
+@@ -133,11 +133,13 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+         self.files.append((paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst,
+                            constants.DS_USER, constants.DS_GROUP, '0600'))
+ 
+-        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))
+        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
+                           '0644', '0640'))
+ 
+         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
+             self.files.append(
+-                (globpath, constants.PKI_USER, constants.PKI_GROUP, "0644")
+                (globpath, constants.PKI_USER, constants.PKI_GROUP,
+                 "0644", "0640")
+             )
+ 
+         for globpath in glob.glob(
+-- 
+2.45.0
+
--- a/SOURCES/0008-Fix-some-file-mode-format-issues.patch
+++ b/SOURCES/0008-Fix-some-file-mode-format-issues.patch
@ -0,0 +1,190 @@
+From 2206b9915606c555163dec775a99a355dc02bee0 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 28 May 2024 11:15:48 -0400
+Subject: [PATCH] Fix some file mode format issues
+
+When specifying multiple possible modes for a file the values must
+be a tuple. There were two occurances where they were listed
+separately.
+
+Add in a pre-check on the formatting to raise an error for badly
+formatted files. This may be annoying for users if one sneaks in
+again but the CI should catch it.
+
+Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/core/files.py | 12 +++++-
+ src/ipahealthcheck/ipa/files.py  |  6 +--
+ tests/test_core_files.py         | 72 +++++++++++++++++++++++++++++++-
+ tests/util.py                    |  1 +
+ 4 files changed, 85 insertions(+), 6 deletions(-)
+
+diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py
+index 85d42bc..32bc5b2 100644
+--- a/src/ipahealthcheck/core/files.py
+++ b/src/ipahealthcheck/core/files.py
+@@ -31,7 +31,17 @@ class FileCheck:
+ 
+     @duration
+     def check(self):
+-        for (path, owner, group, mode) in self.files:
+        # first validate that the list of files to check is in the correct
+        # format
+        process_files = []
+        for file in self.files:
+            if len(file) == 4:
+                process_files.append(file)
+            else:
+                yield Result(self, constants.ERROR, key=file,
+                             msg='Code format is incorrect for file')
+
+        for (path, owner, group, mode) in process_files:
+             if not isinstance(owner, tuple):
+                 owner = tuple((owner,))
+             if not isinstance(group, tuple):
+diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
+index d914014..c80fd5b 100644
+--- a/src/ipahealthcheck/ipa/files.py
+++ b/src/ipahealthcheck/ipa/files.py
+@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                 self.files.append((filename, 'root', 'root', '0600'))
+ 
+         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
+-                          'root', 'root', '0644', '0640'))
+                          'root', 'root', ('0644', '0640')))
+ 
+         self.files.append((paths.KADMIND_LOG, 'root', 'root',
+                           ('0600', '0640')))
+@@ -134,12 +134,12 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                            constants.DS_USER, constants.DS_GROUP, '0600'))
+ 
+         self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
+-                           '0644', '0640'))
+                           ('0644', '0640')))
+ 
+         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
+             self.files.append(
+                 (globpath, constants.PKI_USER, constants.PKI_GROUP,
+-                 "0644", "0640")
+                 ("0644", "0640"))
+             )
+ 
+         for globpath in glob.glob(
+diff --git a/tests/test_core_files.py b/tests/test_core_files.py
+index 924d7fa..e7010a9 100644
+--- a/tests/test_core_files.py
+++ b/tests/test_core_files.py
+@@ -2,14 +2,22 @@
+ # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
+ #
+ 
+from ldap import OPT_X_SASL_SSF_MIN
+ import pwd
+ import posix
+from util import m_api
+from util import capture_results
+
+from ipahealthcheck.core import config
+ from ipahealthcheck.core.files import FileCheck
+ from ipahealthcheck.core import constants
+ from ipahealthcheck.core.plugin import Results
+from ipahealthcheck.ipa.files import IPAFileCheck
+from ipahealthcheck.system.plugin import registry
+ from unittest.mock import patch
+from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient, LDAPEntry
+ 
+-from util import capture_results
+ 
+ nobody = pwd.getpwnam('nobody')
+ 
+@@ -20,6 +28,37 @@ files = (('foo', 'root', 'root', '0660'),
+          ('fiz', ('root', 'bin'), ('root', 'bin'), '0664'),
+          ('zap', ('root', 'bin'), ('root', 'bin'), ('0664', '0640'),))
+ 
+bad_modes = (('biz', ('root', 'bin'), ('root', 'bin'), '0664', '0640'),)
+
+
+class mock_ldap:
+    SCOPE_BASE = 1
+    SCOPE_ONELEVEL = 2
+    SCOPE_SUBTREE = 4
+
+    def __init__(self, ldapentry):
+        """Initialize the results that we will return from get_entries"""
+        self.results = ldapentry
+
+    def get_entry(self, dn, attrs_list=None, time_limit=None,
+                  size_limit=None, get_effective_rights=False):
+        return []  # the call doesn't check the value
+
+
+class mock_ldap_conn:
+    def set_option(self, option, invalue):
+        pass
+
+    def get_option(self, option):
+        if option == OPT_X_SASL_SSF_MIN:
+            return 256
+
+        return None
+
+    def search_s(self, base, scope, filterstr=None,
+                 attrlist=None, attrsonly=0):
+        return tuple()
+
+ 
+ def make_stat(mode=33200, uid=0, gid=0):
+     """Return a mocked-up stat.
+@@ -234,4 +273,33 @@ def test_files_group_not_found(mock_grgid, mock_grnam, mock_stat):
+     my_results = get_results(results, 'group')
+     for result in my_results.results:
+         assert result.result == constants.WARNING
+-        assert result.kw.get('got') == 'Unknown gid 0'
+
+
+def test_bad_modes():
+    f = FileCheck()
+    f.files = bad_modes
+
+    results = capture_results(f)
+
+    for result in results.results:
+        assert result.result == constants.ERROR
+        assert result.kw.get('msg') == 'Code format is incorrect for file'
+
+
+@patch('ipaserver.install.krbinstance.is_pkinit_enabled')
+def test_ipa_files_format(mock_pkinit):
+    mock_pkinit.return_value = True
+
+    fake_conn = LDAPClient('ldap://localhost', no_schema=True)
+    ldapentry = LDAPEntry(fake_conn, DN(m_api.env.container_dns,
+                          m_api.env.basedn))
+    framework = object()
+    registry.initialize(framework, config.Config)
+    f = IPAFileCheck(registry)
+
+    f.conn = mock_ldap(ldapentry)
+
+    results = capture_results(f)
+
+    for result in results.results:
+        assert result.result == constants.SUCCESS
+diff --git a/tests/util.py b/tests/util.py
+index 12c1688..fb8750a 100644
+--- a/tests/util.py
+++ b/tests/util.py
+@@ -141,6 +141,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts'))
+ m_api.env.container_sysaccounts = DN(('cn', 'sysaccounts'), ('cn', 'etc'))
+ m_api.env.container_service = DN(('cn', 'services'), ('cn', 'accounts'))
+ m_api.env.container_masters = DN(('cn', 'masters'))
+m_api.env.container_dns = DN(('cn', 'dns'))
+ m_api.Backend = Mock()
+ m_api.Command = Mock()
+ m_api.Command.ping.return_value = {
+-- 
+2.45.0
+
--- a/SOURCES/0009-Allow-WARNING-in-the-files-test.patch
+++ b/SOURCES/0009-Allow-WARNING-in-the-files-test.patch
@ -0,0 +1,28 @@
+From b6346fedcc158a3ed3a70691350bf7ebee4a8460 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 20 Jun 2024 14:27:16 -0400
+Subject: [PATCH] Allow WARNING in the files test
+
+We are only validating the format and don't need to actually
+enforce the results in CI. The validation raises ERROR.
+
+Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ tests/test_core_files.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test_core_files.py b/tests/test_core_files.py
+index e7010a9..d308410 100644
+--- a/tests/test_core_files.py
+++ b/tests/test_core_files.py
+@@ -302,4 +302,4 @@ def test_ipa_files_format(mock_pkinit):
+     results = capture_results(f)
+ 
+     for result in results.results:
+-        assert result.result == constants.SUCCESS
+        assert result.result in (constants.SUCCESS, constants.WARNING)
+-- 
+2.45.0
+
--- a/SPECS/freeipa-healthcheck.spec
+++ b/SPECS/freeipa-healthcheck.spec
@ -17,7 +17,7 @@

 Name:           %{prefix}-healthcheck
 Version:        0.16
-Release:        5%{?dist}
+Release:        7%{?dist}
 Summary:        Health check tool for %{productname}
 BuildArch:      noarch
 License:        GPL-3.0-or-later
@ -28,6 +28,12 @@ Source1:        ipahealthcheck.conf
 Patch0001:      0001-Remove-ipaclustercheck.patch
 Patch0002:      0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch
 Patch0003:      0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch
+Patch0004:      0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
+Patch0005:      0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
+Patch0006:      0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch
+Patch0007:      0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+Patch0008:      0008-Fix-some-file-mode-format-issues.patch
+Patch0009:      0009-Allow-WARNING-in-the-files-test.patch

 Requires:       %{name}-core = %{version}-%{release}
 Requires:       %{prefix}-server
@ -157,6 +163,14 @@ PYTHONPATH=src PATH=$PATH:$RPM_BUILD_ROOT/usr/bin pytest-3 tests/test_*


 %changelog
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.16-7
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Fri Jul 19 2024 Rob Crittenden <rcritten@redhat.com> - 0.16-6
+- Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0 (RHEL-39701)
+- Need to change log file permissions of IPA as per CIS benchmark (RHEL-44305)
+
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.16-5
 - Bump release for June 2024 mass rebuild