import ipa-healthcheck-0.16-7.el10

3 months ago · c4f7b5e891
parent 4450022cfd
commit c4f7b5e891
7 changed files with 477 additions and 1 deletions
--- a/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
+++ b/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
@ -0,0 +1,46 @@
 From e556edc0b1cb607caa50f760d5059877f35fbcdc Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Thu, 11 Jan 2024 14:40:02 -0500
 Subject: [PATCH] Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0
 In 11.5.0 the PKI project stopped storing the certificate
 blobs in CS.cfg. If we continue to check it we will report a
 false positive so skip it in that case.
 Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 ---
 src/ipahealthcheck/dogtag/ca.py | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
 index 4afa5d7..ddf5ece 100644
 --- a/src/ipahealthcheck/dogtag/ca.py
 +++ b/src/ipahealthcheck/dogtag/ca.py
@@ -16,6 +16,8 @@ from ipaserver.install import krainstance
 from ipapython.directivesetter import get_directive
 from cryptography.hazmat.primitives.serialization import Encoding
 +import pki.util
 +
 logger = logging.getLogger()
@@ -30,6 +32,13 @@ class DogtagCertsConfigCheck(DogtagPlugin):
             logger.debug("No CA configured, skipping dogtag config check")
             return
 +        pki_version = pki.util.Version(pki.specification_version())
 +        if pki_version >= pki.util.Version("11.5.0"):
 +            logger.debug(
 +                "PKI 11.5.0 no longer stores certificats in CS.cfg"
 +            )
 +            return
 +
         kra = krainstance.KRAInstance(api.env.realm)
         blobs = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
 -- 
 2.45.0
--- a/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
+++ b/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
@ -0,0 +1,59 @@
 From 3d85d43f62a0c52e44a2228c872307152b2b0de1 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Fri, 12 Jan 2024 10:17:18 -0500
 Subject: [PATCH] test: Handle PKI >= 11.5.0 not storing certs in CS.cfg
 Update the test to expect 0 results if the PKI version is
 >= 11.5.0.
 Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 ---
 tests/test_dogtag_ca.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
 diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py
 index 0820aba..1f61dea 100644
 --- a/tests/test_dogtag_ca.py
 +++ b/tests/test_dogtag_ca.py
@@ -2,12 +2,16 @@
 # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
 #
 +import pki.util
 from util import capture_results, CAInstance, KRAInstance
 from base import BaseTest
 from ipahealthcheck.core import config, constants
 from ipahealthcheck.dogtag.plugin import registry
 from ipahealthcheck.dogtag.ca import DogtagCertsConfigCheck
 from unittest.mock import Mock, patch
 +import pytest
 +
 +pki_version = pki.util.Version(pki.specification_version())
 class mock_Cert:
@@ -43,6 +47,9 @@ class TestCACerts(BaseTest):
         Mock(return_value=KRAInstance()),
     }
 +    @pytest.mark.skipif(
 +        pki_version >= pki.util.Version("11.5.0"),
 +        reason='Does not apply to PKI 11.5.0+')
     @patch('ipahealthcheck.dogtag.ca.get_directive')
     @patch('ipaserver.install.certs.CertDB')
     def test_ca_certs_ok(self, mock_certdb, mock_directive):
@@ -71,6 +78,9 @@ class TestCACerts(BaseTest):
             assert result.source == 'ipahealthcheck.dogtag.ca'
             assert result.check == 'DogtagCertsConfigCheck'
 +    @pytest.mark.skipif(
 +        pki_version >= pki.util.Version("11.5.0"),
 +        reason='Does not apply to PKI 11.5.0+')
     @patch('ipahealthcheck.dogtag.ca.get_directive')
     @patch('ipaserver.install.certs.CertDB')
     def test_cert_missing_from_file(self, mock_certdb, mock_directive):
 -- 
 2.45.0
--- a/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch
+++ b/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch
@ -0,0 +1,92 @@
 From c780755c57286949d4c6d62dec6f0ce7d718dd13 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Mon, 18 Mar 2024 16:54:47 -0400
 Subject: [PATCH] Handle CS.cfg file missing in DogtagCertsConfigCheck
 This should never happen but if that file disappears things have
 gone really, really badly. Throw a CRITICAL error.
 Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/327
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 ---
 src/ipahealthcheck/dogtag/ca.py | 10 ++++++++++
 tests/test_dogtag_ca.py         |  9 +++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
 diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
 index ddf5ece..5c2f6af 100644
 --- a/src/ipahealthcheck/dogtag/ca.py
 +++ b/src/ipahealthcheck/dogtag/ca.py
@@ -3,6 +3,7 @@
 #
 import logging
 +import os
 from ipahealthcheck.dogtag.plugin import DogtagPlugin, registry
 from ipahealthcheck.core.plugin import Result
@@ -32,6 +33,15 @@ class DogtagCertsConfigCheck(DogtagPlugin):
             logger.debug("No CA configured, skipping dogtag config check")
             return
 +        if not os.path.exists(paths.CA_CS_CFG_PATH):
 +            yield Result(
 +                self, constants.CRITICAL,
 +                key=f'{paths.CA_CS_CFG_PATH}_missing',
 +                configfile=paths.CA_CS_CFG_PATH,
 +                msg=f'Configuration file {paths.CA_CS_CFG_PATH} is missing'
 +            )
 +            return
 +
         pki_version = pki.util.Version(pki.specification_version())
         if pki_version >= pki.util.Version("11.5.0"):
             logger.debug(
 diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py
 index 1f61dea..a78e5de 100644
 --- a/tests/test_dogtag_ca.py
 +++ b/tests/test_dogtag_ca.py
@@ -50,9 +50,10 @@ class TestCACerts(BaseTest):
     @pytest.mark.skipif(
         pki_version >= pki.util.Version("11.5.0"),
         reason='Does not apply to PKI 11.5.0+')
 +    @patch('os.path.exists')
     @patch('ipahealthcheck.dogtag.ca.get_directive')
     @patch('ipaserver.install.certs.CertDB')
 -    def test_ca_certs_ok(self, mock_certdb, mock_directive):
 +    def test_ca_certs_ok(self, mock_certdb, mock_directive, mock_exists):
         """Test what should be the standard case"""
         trust = {
             'ocspSigningCert cert-pki-ca': 'u,u,u',
@@ -62,6 +63,7 @@ class TestCACerts(BaseTest):
             'caSigningCert cert-pki-ca': 'CT,C,C',
             'transportCert cert-pki-kra': 'u,u,u',
         }
 +        mock_exists.return_value = True
         mock_certdb.return_value = mock_CertDB(trust)
         mock_directive.side_effect = [name for name, nsstrust in trust.items()]
@@ -81,9 +83,11 @@ class TestCACerts(BaseTest):
     @pytest.mark.skipif(
         pki_version >= pki.util.Version("11.5.0"),
         reason='Does not apply to PKI 11.5.0+')
 +    @patch('os.path.exists')
     @patch('ipahealthcheck.dogtag.ca.get_directive')
     @patch('ipaserver.install.certs.CertDB')
 -    def test_cert_missing_from_file(self, mock_certdb, mock_directive):
 +    def test_cert_missing_from_file(self, mock_certdb, mock_directive,
 +                                    mock_exists):
         """Test a missing certificate.
            Note that if it is missing from the database then this check
@@ -103,6 +107,7 @@ class TestCACerts(BaseTest):
         location = nicknames.index('auditSigningCert cert-pki-ca')
         nicknames[location] = 'NOT auditSigningCert cert-pki-ca'
 +        mock_exists.return_value = True
         mock_certdb.return_value = mock_CertDB(trust)
         mock_directive.side_effect = nicknames
 -- 
 2.45.0
--- a/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+++ b/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
@ -0,0 +1,47 @@
 From e0c09f9f1388bbce43775f40a39266e692e231da Mon Sep 17 00:00:00 2001
 From: Thorsten Scherf <tscherf@redhat.com>
 Date: Wed, 13 Mar 2024 12:57:34 +0100
 Subject: [PATCH] Fixes log file permissions as per CIS benchmark
 As per CIS benchmark the log file permissions should be 640 for some log
 files but if we change /var/log/ipa-custodia.audit.log permissions to
 640 then "ipa-healthcheck" reports a permission issue.
 Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/325
 Signed-off-by: Thorsten Scherf <tscherf@redhat.com>
 ---
 src/ipahealthcheck/ipa/files.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
 index b7ca116..d914014 100644
 --- a/src/ipahealthcheck/ipa/files.py
 +++ b/src/ipahealthcheck/ipa/files.py
@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
                 self.files.append((filename, 'root', 'root', '0600'))
         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
 -                          'root', 'root', '0644'))
 +                          'root', 'root', '0644', '0640'))
         self.files.append((paths.KADMIND_LOG, 'root', 'root',
                           ('0600', '0640')))
@@ -133,11 +133,13 @@ class IPAFileCheck(IPAPlugin, FileCheck):
         self.files.append((paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst,
                            constants.DS_USER, constants.DS_GROUP, '0600'))
 -        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))
 +        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
 +                           '0644', '0640'))
         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
             self.files.append(
 -                (globpath, constants.PKI_USER, constants.PKI_GROUP, "0644")
 +                (globpath, constants.PKI_USER, constants.PKI_GROUP,
 +                 "0644", "0640")
             )
         for globpath in glob.glob(
 -- 
 2.45.0
--- a/SOURCES/0008-Fix-some-file-mode-format-issues.patch
+++ b/SOURCES/0008-Fix-some-file-mode-format-issues.patch
@ -0,0 +1,190 @@
 From 2206b9915606c555163dec775a99a355dc02bee0 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Tue, 28 May 2024 11:15:48 -0400
 Subject: [PATCH] Fix some file mode format issues
 When specifying multiple possible modes for a file the values must
 be a tuple. There were two occurances where they were listed
 separately.
 Add in a pre-check on the formatting to raise an error for badly
 formatted files. This may be annoying for users if one sneaks in
 again but the CI should catch it.
 Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 ---
 src/ipahealthcheck/core/files.py | 12 +++++-
 src/ipahealthcheck/ipa/files.py  |  6 +--
 tests/test_core_files.py         | 72 +++++++++++++++++++++++++++++++-
 tests/util.py                    |  1 +
 4 files changed, 85 insertions(+), 6 deletions(-)
 diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py
 index 85d42bc..32bc5b2 100644
 --- a/src/ipahealthcheck/core/files.py
 +++ b/src/ipahealthcheck/core/files.py
@@ -31,7 +31,17 @@ class FileCheck:
     @duration
     def check(self):
 -        for (path, owner, group, mode) in self.files:
 +        # first validate that the list of files to check is in the correct
 +        # format
 +        process_files = []
 +        for file in self.files:
 +            if len(file) == 4:
 +                process_files.append(file)
 +            else:
 +                yield Result(self, constants.ERROR, key=file,
 +                             msg='Code format is incorrect for file')
 +
 +        for (path, owner, group, mode) in process_files:
             if not isinstance(owner, tuple):
                 owner = tuple((owner,))
             if not isinstance(group, tuple):
 diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
 index d914014..c80fd5b 100644
 --- a/src/ipahealthcheck/ipa/files.py
 +++ b/src/ipahealthcheck/ipa/files.py
@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
                 self.files.append((filename, 'root', 'root', '0600'))
         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
 -                          'root', 'root', '0644', '0640'))
 +                          'root', 'root', ('0644', '0640')))
         self.files.append((paths.KADMIND_LOG, 'root', 'root',
                           ('0600', '0640')))
@@ -134,12 +134,12 @@ class IPAFileCheck(IPAPlugin, FileCheck):
                            constants.DS_USER, constants.DS_GROUP, '0600'))
         self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
 -                           '0644', '0640'))
 +                           ('0644', '0640')))
         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
             self.files.append(
                 (globpath, constants.PKI_USER, constants.PKI_GROUP,
 -                 "0644", "0640")
 +                 ("0644", "0640"))
             )
         for globpath in glob.glob(
 diff --git a/tests/test_core_files.py b/tests/test_core_files.py
 index 924d7fa..e7010a9 100644
 --- a/tests/test_core_files.py
 +++ b/tests/test_core_files.py
@@ -2,14 +2,22 @@
 # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
 #
 +from ldap import OPT_X_SASL_SSF_MIN
 import pwd
 import posix
 +from util import m_api
 +from util import capture_results
 +
 +from ipahealthcheck.core import config
 from ipahealthcheck.core.files import FileCheck
 from ipahealthcheck.core import constants
 from ipahealthcheck.core.plugin import Results
 +from ipahealthcheck.ipa.files import IPAFileCheck
 +from ipahealthcheck.system.plugin import registry
 from unittest.mock import patch
 +from ipapython.dn import DN
 +from ipapython.ipaldap import LDAPClient, LDAPEntry
 -from util import capture_results
 nobody = pwd.getpwnam('nobody')
@@ -20,6 +28,37 @@ files = (('foo', 'root', 'root', '0660'),
          ('fiz', ('root', 'bin'), ('root', 'bin'), '0664'),
          ('zap', ('root', 'bin'), ('root', 'bin'), ('0664', '0640'),))
 +bad_modes = (('biz', ('root', 'bin'), ('root', 'bin'), '0664', '0640'),)
 +
 +
 +class mock_ldap:
 +    SCOPE_BASE = 1
 +    SCOPE_ONELEVEL = 2
 +    SCOPE_SUBTREE = 4
 +
 +    def __init__(self, ldapentry):
 +        """Initialize the results that we will return from get_entries"""
 +        self.results = ldapentry
 +
 +    def get_entry(self, dn, attrs_list=None, time_limit=None,
 +                  size_limit=None, get_effective_rights=False):
 +        return []  # the call doesn't check the value
 +
 +
 +class mock_ldap_conn:
 +    def set_option(self, option, invalue):
 +        pass
 +
 +    def get_option(self, option):
 +        if option == OPT_X_SASL_SSF_MIN:
 +            return 256
 +
 +        return None
 +
 +    def search_s(self, base, scope, filterstr=None,
 +                 attrlist=None, attrsonly=0):
 +        return tuple()
 +
 def make_stat(mode=33200, uid=0, gid=0):
     """Return a mocked-up stat.
@@ -234,4 +273,33 @@ def test_files_group_not_found(mock_grgid, mock_grnam, mock_stat):
     my_results = get_results(results, 'group')
     for result in my_results.results:
         assert result.result == constants.WARNING
 -        assert result.kw.get('got') == 'Unknown gid 0'
 +
 +
 +def test_bad_modes():
 +    f = FileCheck()
 +    f.files = bad_modes
 +
 +    results = capture_results(f)
 +
 +    for result in results.results:
 +        assert result.result == constants.ERROR
 +        assert result.kw.get('msg') == 'Code format is incorrect for file'
 +
 +
 +@patch('ipaserver.install.krbinstance.is_pkinit_enabled')
 +def test_ipa_files_format(mock_pkinit):
 +    mock_pkinit.return_value = True
 +
 +    fake_conn = LDAPClient('ldap://localhost', no_schema=True)
 +    ldapentry = LDAPEntry(fake_conn, DN(m_api.env.container_dns,
 +                          m_api.env.basedn))
 +    framework = object()
 +    registry.initialize(framework, config.Config)
 +    f = IPAFileCheck(registry)
 +
 +    f.conn = mock_ldap(ldapentry)
 +
 +    results = capture_results(f)
 +
 +    for result in results.results:
 +        assert result.result == constants.SUCCESS
 diff --git a/tests/util.py b/tests/util.py
 index 12c1688..fb8750a 100644
 --- a/tests/util.py
 +++ b/tests/util.py
@@ -141,6 +141,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts'))
 m_api.env.container_sysaccounts = DN(('cn', 'sysaccounts'), ('cn', 'etc'))
 m_api.env.container_service = DN(('cn', 'services'), ('cn', 'accounts'))
 m_api.env.container_masters = DN(('cn', 'masters'))
 +m_api.env.container_dns = DN(('cn', 'dns'))
 m_api.Backend = Mock()
 m_api.Command = Mock()
 m_api.Command.ping.return_value = {
 -- 
 2.45.0
--- a/SOURCES/0009-Allow-WARNING-in-the-files-test.patch
+++ b/SOURCES/0009-Allow-WARNING-in-the-files-test.patch
@ -0,0 +1,28 @@
 From b6346fedcc158a3ed3a70691350bf7ebee4a8460 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Thu, 20 Jun 2024 14:27:16 -0400
 Subject: [PATCH] Allow WARNING in the files test
 We are only validating the format and don't need to actually
 enforce the results in CI. The validation raises ERROR.
 Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 ---
 tests/test_core_files.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/tests/test_core_files.py b/tests/test_core_files.py
 index e7010a9..d308410 100644
 --- a/tests/test_core_files.py
 +++ b/tests/test_core_files.py
@@ -302,4 +302,4 @@ def test_ipa_files_format(mock_pkinit):
     results = capture_results(f)
     for result in results.results:
 -        assert result.result == constants.SUCCESS
 +        assert result.result in (constants.SUCCESS, constants.WARNING)
 -- 
 2.45.0
--- a/SPECS/freeipa-healthcheck.spec
+++ b/SPECS/freeipa-healthcheck.spec
@ -17,7 +17,7 @@
 Name:           %{prefix}-healthcheck
 Version:        0.16
-Release:        5%{?dist}
+Release:        7%{?dist}
 Summary:        Health check tool for %{productname}
 BuildArch:      noarch
 License:        GPL-3.0-or-later
@ -28,6 +28,12 @@ Source1:        ipahealthcheck.conf
 Patch0001:      0001-Remove-ipaclustercheck.patch
 Patch0002:      0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch
 Patch0003:      0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch
 Patch0004:      0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
 Patch0005:      0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
 Patch0006:      0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch
 Patch0007:      0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
 Patch0008:      0008-Fix-some-file-mode-format-issues.patch
 Patch0009:      0009-Allow-WARNING-in-the-files-test.patch
 Requires:       %{name}-core = %{version}-%{release}
 Requires:       %{prefix}-server
@ -157,6 +163,14 @@ PYTHONPATH=src PATH=$PATH:$RPM_BUILD_ROOT/usr/bin pytest-3 tests/test_*
 %changelog
 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.16-7
 - Bump release for October 2024 mass rebuild:
  Resolves: RHEL-64018
 * Fri Jul 19 2024 Rob Crittenden <rcritten@redhat.com> - 0.16-6
 - Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0 (RHEL-39701)
 - Need to change log file permissions of IPA as per CIS benchmark (RHEL-44305)
 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.16-5
 - Bump release for June 2024 mass rebuild