From c4f7b5e891a4b57fd7b3c40466f7732e9a171224 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Fri, 22 Nov 2024 09:41:03 +0300 Subject: [PATCH] import ipa-healthcheck-0.16-7.el10 --- ...sConfigCheck-for-PKI-versions-11.5.0.patch | 46 +++++ ...I-11.5.0-not-storing-certs-in-CS.cfg.patch | 59 ++++++ ...le-missing-in-DogtagCertsConfigCheck.patch | 92 +++++++++ ...ile-permissions-as-per-CIS-benchmark.patch | 47 +++++ ...008-Fix-some-file-mode-format-issues.patch | 190 ++++++++++++++++++ ...0009-Allow-WARNING-in-the-files-test.patch | 28 +++ SPECS/freeipa-healthcheck.spec | 16 +- 7 files changed, 477 insertions(+), 1 deletion(-) create mode 100644 SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch create mode 100644 SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch create mode 100644 SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch create mode 100644 SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch create mode 100644 SOURCES/0008-Fix-some-file-mode-format-issues.patch create mode 100644 SOURCES/0009-Allow-WARNING-in-the-files-test.patch diff --git a/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch b/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch new file mode 100644 index 0000000..1552184 --- /dev/null +++ b/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch @@ -0,0 +1,46 @@ +From e556edc0b1cb607caa50f760d5059877f35fbcdc Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 11 Jan 2024 14:40:02 -0500 +Subject: [PATCH] Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0 + +In 11.5.0 the PKI project stopped storing the certificate +blobs in CS.cfg. If we continue to check it we will report a +false positive so skip it in that case. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/dogtag/ca.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py +index 4afa5d7..ddf5ece 100644 +--- a/src/ipahealthcheck/dogtag/ca.py ++++ b/src/ipahealthcheck/dogtag/ca.py +@@ -16,6 +16,8 @@ from ipaserver.install import krainstance + from ipapython.directivesetter import get_directive + from cryptography.hazmat.primitives.serialization import Encoding + ++import pki.util ++ + logger = logging.getLogger() + + +@@ -30,6 +32,13 @@ class DogtagCertsConfigCheck(DogtagPlugin): + logger.debug("No CA configured, skipping dogtag config check") + return + ++ pki_version = pki.util.Version(pki.specification_version()) ++ if pki_version >= pki.util.Version("11.5.0"): ++ logger.debug( ++ "PKI 11.5.0 no longer stores certificats in CS.cfg" ++ ) ++ return ++ + kra = krainstance.KRAInstance(api.env.realm) + + blobs = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert', +-- +2.45.0 + diff --git a/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch b/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch new file mode 100644 index 0000000..5e85b25 --- /dev/null +++ b/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch @@ -0,0 +1,59 @@ +From 3d85d43f62a0c52e44a2228c872307152b2b0de1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 12 Jan 2024 10:17:18 -0500 +Subject: [PATCH] test: Handle PKI >= 11.5.0 not storing certs in CS.cfg + +Update the test to expect 0 results if the PKI version is +>= 11.5.0. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317 + +Signed-off-by: Rob Crittenden +--- + tests/test_dogtag_ca.py | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py +index 0820aba..1f61dea 100644 +--- a/tests/test_dogtag_ca.py ++++ b/tests/test_dogtag_ca.py +@@ -2,12 +2,16 @@ + # Copyright (C) 2019 FreeIPA Contributors see COPYING for license + # + ++import pki.util + from util import capture_results, CAInstance, KRAInstance + from base import BaseTest + from ipahealthcheck.core import config, constants + from ipahealthcheck.dogtag.plugin import registry + from ipahealthcheck.dogtag.ca import DogtagCertsConfigCheck + from unittest.mock import Mock, patch ++import pytest ++ ++pki_version = pki.util.Version(pki.specification_version()) + + + class mock_Cert: +@@ -43,6 +47,9 @@ class TestCACerts(BaseTest): + Mock(return_value=KRAInstance()), + } + ++ @pytest.mark.skipif( ++ pki_version >= pki.util.Version("11.5.0"), ++ reason='Does not apply to PKI 11.5.0+') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') + def test_ca_certs_ok(self, mock_certdb, mock_directive): +@@ -71,6 +78,9 @@ class TestCACerts(BaseTest): + assert result.source == 'ipahealthcheck.dogtag.ca' + assert result.check == 'DogtagCertsConfigCheck' + ++ @pytest.mark.skipif( ++ pki_version >= pki.util.Version("11.5.0"), ++ reason='Does not apply to PKI 11.5.0+') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') + def test_cert_missing_from_file(self, mock_certdb, mock_directive): +-- +2.45.0 + diff --git a/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch b/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch new file mode 100644 index 0000000..3aabc32 --- /dev/null +++ b/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch @@ -0,0 +1,92 @@ +From c780755c57286949d4c6d62dec6f0ce7d718dd13 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 18 Mar 2024 16:54:47 -0400 +Subject: [PATCH] Handle CS.cfg file missing in DogtagCertsConfigCheck + +This should never happen but if that file disappears things have +gone really, really badly. Throw a CRITICAL error. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/327 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/dogtag/ca.py | 10 ++++++++++ + tests/test_dogtag_ca.py | 9 +++++++-- + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py +index ddf5ece..5c2f6af 100644 +--- a/src/ipahealthcheck/dogtag/ca.py ++++ b/src/ipahealthcheck/dogtag/ca.py +@@ -3,6 +3,7 @@ + # + + import logging ++import os + + from ipahealthcheck.dogtag.plugin import DogtagPlugin, registry + from ipahealthcheck.core.plugin import Result +@@ -32,6 +33,15 @@ class DogtagCertsConfigCheck(DogtagPlugin): + logger.debug("No CA configured, skipping dogtag config check") + return + ++ if not os.path.exists(paths.CA_CS_CFG_PATH): ++ yield Result( ++ self, constants.CRITICAL, ++ key=f'{paths.CA_CS_CFG_PATH}_missing', ++ configfile=paths.CA_CS_CFG_PATH, ++ msg=f'Configuration file {paths.CA_CS_CFG_PATH} is missing' ++ ) ++ return ++ + pki_version = pki.util.Version(pki.specification_version()) + if pki_version >= pki.util.Version("11.5.0"): + logger.debug( +diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py +index 1f61dea..a78e5de 100644 +--- a/tests/test_dogtag_ca.py ++++ b/tests/test_dogtag_ca.py +@@ -50,9 +50,10 @@ class TestCACerts(BaseTest): + @pytest.mark.skipif( + pki_version >= pki.util.Version("11.5.0"), + reason='Does not apply to PKI 11.5.0+') ++ @patch('os.path.exists') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') +- def test_ca_certs_ok(self, mock_certdb, mock_directive): ++ def test_ca_certs_ok(self, mock_certdb, mock_directive, mock_exists): + """Test what should be the standard case""" + trust = { + 'ocspSigningCert cert-pki-ca': 'u,u,u', +@@ -62,6 +63,7 @@ class TestCACerts(BaseTest): + 'caSigningCert cert-pki-ca': 'CT,C,C', + 'transportCert cert-pki-kra': 'u,u,u', + } ++ mock_exists.return_value = True + mock_certdb.return_value = mock_CertDB(trust) + mock_directive.side_effect = [name for name, nsstrust in trust.items()] + +@@ -81,9 +83,11 @@ class TestCACerts(BaseTest): + @pytest.mark.skipif( + pki_version >= pki.util.Version("11.5.0"), + reason='Does not apply to PKI 11.5.0+') ++ @patch('os.path.exists') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') +- def test_cert_missing_from_file(self, mock_certdb, mock_directive): ++ def test_cert_missing_from_file(self, mock_certdb, mock_directive, ++ mock_exists): + """Test a missing certificate. + + Note that if it is missing from the database then this check +@@ -103,6 +107,7 @@ class TestCACerts(BaseTest): + location = nicknames.index('auditSigningCert cert-pki-ca') + nicknames[location] = 'NOT auditSigningCert cert-pki-ca' + ++ mock_exists.return_value = True + mock_certdb.return_value = mock_CertDB(trust) + mock_directive.side_effect = nicknames + +-- +2.45.0 + diff --git a/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch b/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch new file mode 100644 index 0000000..d09d7d6 --- /dev/null +++ b/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch @@ -0,0 +1,47 @@ +From e0c09f9f1388bbce43775f40a39266e692e231da Mon Sep 17 00:00:00 2001 +From: Thorsten Scherf +Date: Wed, 13 Mar 2024 12:57:34 +0100 +Subject: [PATCH] Fixes log file permissions as per CIS benchmark + +As per CIS benchmark the log file permissions should be 640 for some log +files but if we change /var/log/ipa-custodia.audit.log permissions to +640 then "ipa-healthcheck" reports a permission issue. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/325 +Signed-off-by: Thorsten Scherf +--- + src/ipahealthcheck/ipa/files.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py +index b7ca116..d914014 100644 +--- a/src/ipahealthcheck/ipa/files.py ++++ b/src/ipahealthcheck/ipa/files.py +@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck): + self.files.append((filename, 'root', 'root', '0600')) + + self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG, +- 'root', 'root', '0644')) ++ 'root', 'root', '0644', '0640')) + + self.files.append((paths.KADMIND_LOG, 'root', 'root', + ('0600', '0640'))) +@@ -133,11 +133,13 @@ class IPAFileCheck(IPAPlugin, FileCheck): + self.files.append((paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst, + constants.DS_USER, constants.DS_GROUP, '0600')) + +- self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644')) ++ self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', ++ '0644', '0640')) + + for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR): + self.files.append( +- (globpath, constants.PKI_USER, constants.PKI_GROUP, "0644") ++ (globpath, constants.PKI_USER, constants.PKI_GROUP, ++ "0644", "0640") + ) + + for globpath in glob.glob( +-- +2.45.0 + diff --git a/SOURCES/0008-Fix-some-file-mode-format-issues.patch b/SOURCES/0008-Fix-some-file-mode-format-issues.patch new file mode 100644 index 0000000..ae3a19f --- /dev/null +++ b/SOURCES/0008-Fix-some-file-mode-format-issues.patch @@ -0,0 +1,190 @@ +From 2206b9915606c555163dec775a99a355dc02bee0 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 28 May 2024 11:15:48 -0400 +Subject: [PATCH] Fix some file mode format issues + +When specifying multiple possible modes for a file the values must +be a tuple. There were two occurances where they were listed +separately. + +Add in a pre-check on the formatting to raise an error for badly +formatted files. This may be annoying for users if one sneaks in +again but the CI should catch it. + +Related: https://github.com/freeipa/freeipa-healthcheck/issues/325 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/core/files.py | 12 +++++- + src/ipahealthcheck/ipa/files.py | 6 +-- + tests/test_core_files.py | 72 +++++++++++++++++++++++++++++++- + tests/util.py | 1 + + 4 files changed, 85 insertions(+), 6 deletions(-) + +diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py +index 85d42bc..32bc5b2 100644 +--- a/src/ipahealthcheck/core/files.py ++++ b/src/ipahealthcheck/core/files.py +@@ -31,7 +31,17 @@ class FileCheck: + + @duration + def check(self): +- for (path, owner, group, mode) in self.files: ++ # first validate that the list of files to check is in the correct ++ # format ++ process_files = [] ++ for file in self.files: ++ if len(file) == 4: ++ process_files.append(file) ++ else: ++ yield Result(self, constants.ERROR, key=file, ++ msg='Code format is incorrect for file') ++ ++ for (path, owner, group, mode) in process_files: + if not isinstance(owner, tuple): + owner = tuple((owner,)) + if not isinstance(group, tuple): +diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py +index d914014..c80fd5b 100644 +--- a/src/ipahealthcheck/ipa/files.py ++++ b/src/ipahealthcheck/ipa/files.py +@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck): + self.files.append((filename, 'root', 'root', '0600')) + + self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG, +- 'root', 'root', '0644', '0640')) ++ 'root', 'root', ('0644', '0640'))) + + self.files.append((paths.KADMIND_LOG, 'root', 'root', + ('0600', '0640'))) +@@ -134,12 +134,12 @@ class IPAFileCheck(IPAPlugin, FileCheck): + constants.DS_USER, constants.DS_GROUP, '0600')) + + self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', +- '0644', '0640')) ++ ('0644', '0640'))) + + for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR): + self.files.append( + (globpath, constants.PKI_USER, constants.PKI_GROUP, +- "0644", "0640") ++ ("0644", "0640")) + ) + + for globpath in glob.glob( +diff --git a/tests/test_core_files.py b/tests/test_core_files.py +index 924d7fa..e7010a9 100644 +--- a/tests/test_core_files.py ++++ b/tests/test_core_files.py +@@ -2,14 +2,22 @@ + # Copyright (C) 2019 FreeIPA Contributors see COPYING for license + # + ++from ldap import OPT_X_SASL_SSF_MIN + import pwd + import posix ++from util import m_api ++from util import capture_results ++ ++from ipahealthcheck.core import config + from ipahealthcheck.core.files import FileCheck + from ipahealthcheck.core import constants + from ipahealthcheck.core.plugin import Results ++from ipahealthcheck.ipa.files import IPAFileCheck ++from ipahealthcheck.system.plugin import registry + from unittest.mock import patch ++from ipapython.dn import DN ++from ipapython.ipaldap import LDAPClient, LDAPEntry + +-from util import capture_results + + nobody = pwd.getpwnam('nobody') + +@@ -20,6 +28,37 @@ files = (('foo', 'root', 'root', '0660'), + ('fiz', ('root', 'bin'), ('root', 'bin'), '0664'), + ('zap', ('root', 'bin'), ('root', 'bin'), ('0664', '0640'),)) + ++bad_modes = (('biz', ('root', 'bin'), ('root', 'bin'), '0664', '0640'),) ++ ++ ++class mock_ldap: ++ SCOPE_BASE = 1 ++ SCOPE_ONELEVEL = 2 ++ SCOPE_SUBTREE = 4 ++ ++ def __init__(self, ldapentry): ++ """Initialize the results that we will return from get_entries""" ++ self.results = ldapentry ++ ++ def get_entry(self, dn, attrs_list=None, time_limit=None, ++ size_limit=None, get_effective_rights=False): ++ return [] # the call doesn't check the value ++ ++ ++class mock_ldap_conn: ++ def set_option(self, option, invalue): ++ pass ++ ++ def get_option(self, option): ++ if option == OPT_X_SASL_SSF_MIN: ++ return 256 ++ ++ return None ++ ++ def search_s(self, base, scope, filterstr=None, ++ attrlist=None, attrsonly=0): ++ return tuple() ++ + + def make_stat(mode=33200, uid=0, gid=0): + """Return a mocked-up stat. +@@ -234,4 +273,33 @@ def test_files_group_not_found(mock_grgid, mock_grnam, mock_stat): + my_results = get_results(results, 'group') + for result in my_results.results: + assert result.result == constants.WARNING +- assert result.kw.get('got') == 'Unknown gid 0' ++ ++ ++def test_bad_modes(): ++ f = FileCheck() ++ f.files = bad_modes ++ ++ results = capture_results(f) ++ ++ for result in results.results: ++ assert result.result == constants.ERROR ++ assert result.kw.get('msg') == 'Code format is incorrect for file' ++ ++ ++@patch('ipaserver.install.krbinstance.is_pkinit_enabled') ++def test_ipa_files_format(mock_pkinit): ++ mock_pkinit.return_value = True ++ ++ fake_conn = LDAPClient('ldap://localhost', no_schema=True) ++ ldapentry = LDAPEntry(fake_conn, DN(m_api.env.container_dns, ++ m_api.env.basedn)) ++ framework = object() ++ registry.initialize(framework, config.Config) ++ f = IPAFileCheck(registry) ++ ++ f.conn = mock_ldap(ldapentry) ++ ++ results = capture_results(f) ++ ++ for result in results.results: ++ assert result.result == constants.SUCCESS +diff --git a/tests/util.py b/tests/util.py +index 12c1688..fb8750a 100644 +--- a/tests/util.py ++++ b/tests/util.py +@@ -141,6 +141,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts')) + m_api.env.container_sysaccounts = DN(('cn', 'sysaccounts'), ('cn', 'etc')) + m_api.env.container_service = DN(('cn', 'services'), ('cn', 'accounts')) + m_api.env.container_masters = DN(('cn', 'masters')) ++m_api.env.container_dns = DN(('cn', 'dns')) + m_api.Backend = Mock() + m_api.Command = Mock() + m_api.Command.ping.return_value = { +-- +2.45.0 + diff --git a/SOURCES/0009-Allow-WARNING-in-the-files-test.patch b/SOURCES/0009-Allow-WARNING-in-the-files-test.patch new file mode 100644 index 0000000..05bddbc --- /dev/null +++ b/SOURCES/0009-Allow-WARNING-in-the-files-test.patch @@ -0,0 +1,28 @@ +From b6346fedcc158a3ed3a70691350bf7ebee4a8460 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 20 Jun 2024 14:27:16 -0400 +Subject: [PATCH] Allow WARNING in the files test + +We are only validating the format and don't need to actually +enforce the results in CI. The validation raises ERROR. + +Related: https://github.com/freeipa/freeipa-healthcheck/issues/325 + +Signed-off-by: Rob Crittenden +--- + tests/test_core_files.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_core_files.py b/tests/test_core_files.py +index e7010a9..d308410 100644 +--- a/tests/test_core_files.py ++++ b/tests/test_core_files.py +@@ -302,4 +302,4 @@ def test_ipa_files_format(mock_pkinit): + results = capture_results(f) + + for result in results.results: +- assert result.result == constants.SUCCESS ++ assert result.result in (constants.SUCCESS, constants.WARNING) +-- +2.45.0 + diff --git a/SPECS/freeipa-healthcheck.spec b/SPECS/freeipa-healthcheck.spec index eb1569d..a405cc7 100644 --- a/SPECS/freeipa-healthcheck.spec +++ b/SPECS/freeipa-healthcheck.spec @@ -17,7 +17,7 @@ Name: %{prefix}-healthcheck Version: 0.16 -Release: 5%{?dist} +Release: 7%{?dist} Summary: Health check tool for %{productname} BuildArch: noarch License: GPL-3.0-or-later @@ -28,6 +28,12 @@ Source1: ipahealthcheck.conf Patch0001: 0001-Remove-ipaclustercheck.patch Patch0002: 0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch Patch0003: 0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch +Patch0004: 0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch +Patch0005: 0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch +Patch0006: 0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch +Patch0007: 0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch +Patch0008: 0008-Fix-some-file-mode-format-issues.patch +Patch0009: 0009-Allow-WARNING-in-the-files-test.patch Requires: %{name}-core = %{version}-%{release} Requires: %{prefix}-server @@ -157,6 +163,14 @@ PYTHONPATH=src PATH=$PATH:$RPM_BUILD_ROOT/usr/bin pytest-3 tests/test_* %changelog +* Tue Oct 29 2024 Troy Dawson - 0.16-7 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Fri Jul 19 2024 Rob Crittenden - 0.16-6 +- Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0 (RHEL-39701) +- Need to change log file permissions of IPA as per CIS benchmark (RHEL-44305) + * Mon Jun 24 2024 Troy Dawson - 0.16-5 - Bump release for June 2024 mass rebuild