From d4973ef90eb69209f1448de7e7c0bf5a0e2b0354 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Tue, 26 Nov 2024 16:43:43 +0300 Subject: [PATCH] import ipa-healthcheck-0.16-6.el10 --- .gitignore | 1 + .ipa-healthcheck.metadata | 1 + SOURCES/0001-Remove-ipaclustercheck.patch | 639 ++++++++++++++++++ ...service-name-cannot-be-looked-up-in-.patch | 44 ++ ...ble-the-ipa-ods-exporter-service-sta.patch | 44 ++ ...sConfigCheck-for-PKI-versions-11.5.0.patch | 46 ++ ...I-11.5.0-not-storing-certs-in-CS.cfg.patch | 59 ++ ...le-missing-in-DogtagCertsConfigCheck.patch | 92 +++ ...ile-permissions-as-per-CIS-benchmark.patch | 47 ++ ...008-Fix-some-file-mode-format-issues.patch | 190 ++++++ ...0009-Allow-WARNING-in-the-files-test.patch | 28 + SOURCES/ipahealthcheck.conf | 1 + SPECS/freeipa-healthcheck.spec | 359 ++++++++++ 13 files changed, 1551 insertions(+) create mode 100644 .gitignore create mode 100644 .ipa-healthcheck.metadata create mode 100644 SOURCES/0001-Remove-ipaclustercheck.patch create mode 100644 SOURCES/0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch create mode 100644 SOURCES/0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch create mode 100644 SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch create mode 100644 SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch create mode 100644 SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch create mode 100644 SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch create mode 100644 SOURCES/0008-Fix-some-file-mode-format-issues.patch create mode 100644 SOURCES/0009-Allow-WARNING-in-the-files-test.patch create mode 100644 SOURCES/ipahealthcheck.conf create mode 100644 SPECS/freeipa-healthcheck.spec diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..487a6ec --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/0.16.tar.gz diff --git a/.ipa-healthcheck.metadata b/.ipa-healthcheck.metadata new file mode 100644 index 0000000..9650b1d --- /dev/null +++ b/.ipa-healthcheck.metadata @@ -0,0 +1 @@ +b6edbda881bceb9e0266169e06eb35984b1a7a77 SOURCES/0.16.tar.gz diff --git a/SOURCES/0001-Remove-ipaclustercheck.patch b/SOURCES/0001-Remove-ipaclustercheck.patch new file mode 100644 index 0000000..c812984 --- /dev/null +++ b/SOURCES/0001-Remove-ipaclustercheck.patch @@ -0,0 +1,639 @@ +From 378e0a353e670a6b498d454558a9139a859890d4 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 9 Nov 2023 10:49:05 -0500 +Subject: [PATCH] Remove ipaclustercheck + +--- + setup.py | 12 +- + src/ipaclustercheck/__init__.py | 5 - + src/ipaclustercheck/core/__init__.py | 0 + src/ipaclustercheck/core/main.py | 32 ------ + src/ipaclustercheck/core/output.py | 68 ----------- + src/ipaclustercheck/ipa/__init__.py | 0 + src/ipaclustercheck/ipa/crlmanager.py | 36 ------ + src/ipaclustercheck/ipa/plugin.py | 117 ------------------- + src/ipaclustercheck/ipa/ruv.py | 155 -------------------------- + tests/test_cluster_ruv.py | 106 ------------------ + 10 files changed, 1 insertion(+), 530 deletions(-) + delete mode 100644 src/ipaclustercheck/__init__.py + delete mode 100644 src/ipaclustercheck/core/__init__.py + delete mode 100644 src/ipaclustercheck/core/main.py + delete mode 100644 src/ipaclustercheck/core/output.py + delete mode 100644 src/ipaclustercheck/ipa/__init__.py + delete mode 100644 src/ipaclustercheck/ipa/crlmanager.py + delete mode 100644 src/ipaclustercheck/ipa/plugin.py + delete mode 100644 src/ipaclustercheck/ipa/ruv.py + delete mode 100644 tests/test_cluster_ruv.py + +diff --git a/setup.py b/setup.py +index d926302..cb6265a 100644 +--- a/setup.py ++++ b/setup.py +@@ -4,7 +4,7 @@ from setuptools import find_packages, setup + setup( + name='ipahealthcheck', + version='0.16', +- namespace_packages=['ipahealthcheck', 'ipaclustercheck'], ++ namespace_packages=['ipahealthcheck'], + package_dir={'': 'src'}, + # packages=find_packages(where='src'), + packages=[ +@@ -14,14 +14,11 @@ setup( + 'ipahealthcheck.ipa', + 'ipahealthcheck.meta', + 'ipahealthcheck.system', +- 'ipaclustercheck.core', +- 'ipaclustercheck.ipa', + ], + entry_points={ + # creates bin/ipahealthcheck + 'console_scripts': [ + 'ipa-healthcheck = ipahealthcheck.core.main:main', +- 'ipa-clustercheck = ipaclustercheck.core.main:main', + ], + # subsystem registries + 'ipahealthcheck.registry': [ +@@ -72,13 +69,6 @@ setup( + 'ipahealthcheck.system': [ + 'filesystemspace = ipahealthcheck.system.filesystemspace', + ], +- 'ipaclustercheck.registry': [ +- 'ipaclustercheck.ipa = ipaclustercheck.ipa.plugin:registry', +- ], +- 'ipaclustercheck.ipa': [ +- 'crl = ipaclustercheck.ipa.crlmanager', +- 'ruv = ipaclustercheck.ipa.ruv', +- ], + }, + classifiers=[ + 'Programming Language :: Python :: 3.6', +diff --git a/src/ipaclustercheck/__init__.py b/src/ipaclustercheck/__init__.py +deleted file mode 100644 +index 6c91ef7..0000000 +--- a/src/ipaclustercheck/__init__.py ++++ /dev/null +@@ -1,5 +0,0 @@ +-# +-# Copyright (C) 2019 FreeIPA Contributors see COPYING for license +-# +- +-__import__('pkg_resources').declare_namespace(__name__) +diff --git a/src/ipaclustercheck/core/__init__.py b/src/ipaclustercheck/core/__init__.py +deleted file mode 100644 +index e69de29..0000000 +diff --git a/src/ipaclustercheck/core/main.py b/src/ipaclustercheck/core/main.py +deleted file mode 100644 +index f475832..0000000 +--- a/src/ipaclustercheck/core/main.py ++++ /dev/null +@@ -1,32 +0,0 @@ +-# +-# Copyright (C) 2020 FreeIPA Contributors see COPYING for license +-# +- +-import sys +- +-from ipaclustercheck.core.output import output_registry +-from ipahealthcheck.core.core import RunChecks +- +- +-class ClusterChecks(RunChecks): +- +- def add_options(self): +- parser = self.parser +- parser.add_argument('--directory', dest='dir', +- help='Directory holding healthcheck logs') +- +- def validate_options(self): +- super().validate_options() +- +- if self.options.dir is None: +- print("--directory containing logs to check is required") +- return 1 +- +- return None +- +- +-def main(): +- clusterchecks = ClusterChecks(['ipaclustercheck.registry'], +- '/etc/ipa/clustercheck.conf', +- output_registry, 'ansible') +- sys.exit(clusterchecks.run_healthcheck()) +diff --git a/src/ipaclustercheck/core/output.py b/src/ipaclustercheck/core/output.py +deleted file mode 100644 +index 909eac4..0000000 +--- a/src/ipaclustercheck/core/output.py ++++ /dev/null +@@ -1,68 +0,0 @@ +-# +-# Copyright (C) 2019 FreeIPA Contributors see COPYING for license +-# +- +-import json +-from ipahealthcheck.core.output import OutputRegistry, Output +- +- +-output_registry = OutputRegistry() +- +-class ClusterOutput(Output): +- """Base class for writing/display output of cluster results +- +- severity doesn't apply in this case so exclude those. +- """ +- def __init__(self, options): +- self.filename = options.output_file +- +- def strip_output(self, results): +- """Nothing to strip out""" +- return list(results.output()) +- +- def generate(self, data): +- raise NotImplementedError +- +- +-@output_registry +-class Ansible(ClusterOutput): +- """Output information JSON format for consumption by Ansible +- +- Required keywords in a Result: +- name - unique identifier for the return value +- +- One of these is required: +- value - the return value. Type? I dunno yet +- error - if an error was returned +- """ +- +- options = ( +- ('--indent', dict(dest='indent', type=int, default=2, +- help='Indention level of JSON output')), +- ) +- +- def __init__(self, options): +- super().__init__(options) +- self.indent = options.indent +- +- def generate(self, data): +- output = [] +- for line in data: +- kw = line.get('kw') +- name = kw.get('name') +- value = kw.get('value') +- error = kw.get('error') +- +- if value and error: +- value = '%s: %s' % (error, value) +- elif error: +- value = error +- +- rval = {'%s' % name: value} +- output.append(rval) +- +- output = json.dumps(output, indent=self.indent) +- if self.filename is None: +- output += '\n' +- +- return output +diff --git a/src/ipaclustercheck/ipa/__init__.py b/src/ipaclustercheck/ipa/__init__.py +deleted file mode 100644 +index e69de29..0000000 +diff --git a/src/ipaclustercheck/ipa/crlmanager.py b/src/ipaclustercheck/ipa/crlmanager.py +deleted file mode 100644 +index 6806d74..0000000 +--- a/src/ipaclustercheck/ipa/crlmanager.py ++++ /dev/null +@@ -1,36 +0,0 @@ +-# +-# Copyright (C) 2019 FreeIPA Contributors see COPYING for license +-# +- +-from ipaclustercheck.ipa.plugin import ClusterPlugin, registry, find_checks +-from ipahealthcheck.core.plugin import Result, duration +-from ipahealthcheck.core import constants +- +- +-@registry +-class ClusterCRLManagerCheck(ClusterPlugin): +- +- @duration +- def check(self): +- data = self.registry.json +- crlmanagers = [] +- +- for fqdn in data.keys(): +- output = find_checks(data[fqdn], 'ipahealthcheck.ipa.roles', +- 'IPACRLManagerCheck') +- enabled = output[0].get('kw').get('crlgen_enabled') +- if enabled: +- crlmanagers.append(fqdn) +- if len(crlmanagers) == 0: +- yield Result(self, constants.ERROR, +- name='crlmanager', +- error='No CRL Manager defined') +- elif len(crlmanagers) == 1: +- yield Result(self, constants.SUCCESS, +- name='crlmanager', +- value=crlmanagers[0]) +- else: +- yield Result(self, constants.ERROR, +- name='crlmanager', +- value=','.join(crlmanagers), +- error='Multiple CRL Managers defined') +diff --git a/src/ipaclustercheck/ipa/plugin.py b/src/ipaclustercheck/ipa/plugin.py +deleted file mode 100644 +index a111988..0000000 +--- a/src/ipaclustercheck/ipa/plugin.py ++++ /dev/null +@@ -1,117 +0,0 @@ +-# +-# Copyright (C) 2020 FreeIPA Contributors see COPYING for license +-# +- +-from copy import deepcopy +-import json +-import logging +-from os import listdir +-from os.path import isfile, join +- +-from ipahealthcheck.core.plugin import Plugin, Registry +-from ipalib import api +- +- +-logger = logging.getLogger() +- +-def find_checks(data, source, check): +- """Look through the dict for a matching source and check. +- +- data: dict of source and check output +- source: name of source to find +- check: name of check to find +- +- Returns list of contents of source + check or empty list +- """ +- rval = [] +- for d in data: +- if d.get('source') == source and d.get('check') == check: +- rval.append(d) +- +- return rval +- +- +-def get_masters(data): +- """ +- Return the list of known masters +- +- This is determined from the list of loaded healthcheck logs. It +- is possible that mixed versions are used so some may not be +- reporting the full list of masters, so check them all, and raise +- an exception if the list cannot be determined. +- """ +- test_masters = list(data) +- masters = None +- for master in test_masters: +- output = find_checks(data[master], 'ipahealthcheck.ipa.meta', +- 'IPAMetaCheck') +- if len(output) == 0: +- raise ValueError('Unable to determine full list of masters. ' +- 'ipahealthcheck.ipa.meta:IPAMetaCheck not ' +- 'found.') +- +- masters = output[0].get('kw').get('masters') +- if masters: +- return masters +- +- raise ValueError('Unable to determine full list of masters. ' +- 'None of ipahealthcheck.ipa.meta:IPAMetaCheck ' +- 'contain masters.') +- +- +-class ClusterPlugin(Plugin): +- pass +- +- +-class ClusterRegistry(Registry): +- def __init__(self): +- super().__init__() +- self.json = None +- +- def initialize(self, framework, config, options=None): +- super().initialize(framework, config, options) +- +- self.json = {} +- +- self.load_files(options.dir) +- +- if not api.isdone('finalize'): +- if not api.isdone('bootstrap'): +- api.bootstrap(in_server=True, +- context='ipahealthcheck', +- log=None) +- if not api.isdone('finalize'): +- api.finalize() +- +- def load_files(self, dir): +- if self.json: +- return +- +- files = [f for f in listdir(dir) if isfile(join(dir, f))] +- for file in files: +- fname = join(dir, file) +- logger.debug("Reading %s", fname) +- try: +- with open(fname, 'r') as fd: +- data = fd.read() +- except Exception as e: +- logger.error("Unable to read %s: %s", fname, e) +- continue +- +- try: +- data = json.loads(data) +- except Exception as e: +- logger.error("Unable to parse JSON in %s: %s", fname, e) +- continue +- +- meta = find_checks(data, 'ipahealthcheck.meta.core', +- 'MetaCheck') +- if meta: +- fqdn = meta[0].get('kw').get('fqdn') +- self.json[fqdn] = deepcopy(data) +- else: +- logger.error("No fqdn defined in JSON in %s", fname) +- continue +- +- +-registry = ClusterRegistry() +diff --git a/src/ipaclustercheck/ipa/ruv.py b/src/ipaclustercheck/ipa/ruv.py +deleted file mode 100644 +index 6477738..0000000 +--- a/src/ipaclustercheck/ipa/ruv.py ++++ /dev/null +@@ -1,155 +0,0 @@ +-# +-# Copyright (C) 2019 FreeIPA Contributors see COPYING for license +-# +- +-import logging +- +-from ipaclustercheck.ipa.plugin import ( +- ClusterPlugin, +- registry, +- find_checks, +- get_masters +-) +-from ipahealthcheck.core.plugin import Result, duration +-from ipahealthcheck.core import constants +-from ipalib import api +-from ipapython.dn import DN +- +- +-logger = logging.getLogger() +- +- +-@registry +-class ClusterRUVCheck(ClusterPlugin): +- +- # TODO: confirm that all masters are represented, otherwise the +- # trustworthiness of dangling RUV is mixed. +- # +- # gah, need to provide full list of all masters in a check. +- +- @duration +- def check(self): +- data = self.registry.json +- +- # Start with the list of masters from the file(s) collected +- # and find a MetaCheck with a full list of masters. For +- # backwards compatibility. +- try: +- masters = get_masters(data) +- except ValueError as e: +- yield Result(self, constants.ERROR, +- name='dangling_ruv', +- error=str(e)) +- return +- +- if len(data.keys()) < len(masters): +- yield Result(self, constants.ERROR, +- name='dangling_ruv', +- error='Unable to determine list of RUVs, missing ' +- 'some masters: %s' % +- ''.join(set(masters) - set(data.keys()))) +- return +- +- # collect the full set of known RUVs for each master +- info = {} +- for master in masters: +- info[master] = { +- 'ca': False, # does the host have ca configured? +- 'ruvs': set(), # ruvs on the host +- 'csruvs': set(), # csruvs on the host +- 'clean_ruv': set(), # ruvs to be cleaned from the host +- 'clean_csruv': set() # csruvs to be cleaned from the host +- } +- +- for fqdn in data.keys(): +- outputs = find_checks(data[fqdn], 'ipahealthcheck.ds.ruv', +- 'KnownRUVCheck') +- for output in outputs: +- if not 'suffix' in output.get('kw'): +- continue +- basedn = DN(output.get('kw').get('suffix')) +- +- ruvset = set() +- ruvtmp = output.get('kw').get('ruvs') +- for ruv in ruvtmp: +- ruvset.add(tuple(ruv)) +- +- if basedn == DN('o=ipaca'): +- info[fqdn]['ca'] = True +- info[fqdn]['csruvs'] = ruvset +- elif basedn == api.env.basedn: +- info[fqdn]['ruvs'] = ruvset +- else: +- yield Result(self, constants.WARNING, +- name='dangling_ruv', +- error='Unknown suffix found %s expected %s' +- % (basedn, api.env.basedn)) +- +- # Collect the nsDS5ReplicaID for each master +- ruvs = set() +- csruvs = set() +- for fqdn in data.keys(): +- outputs = find_checks(data[fqdn], 'ipahealthcheck.ds.ruv', +- 'RUVCheck') +- for output in outputs: +- if not 'key' in output.get('kw'): +- continue +- basedn = DN(output.get('kw').get('key')) +- ruv = (fqdn, (output.get('kw').get('ruv'))) +- if basedn == DN('o=ipaca'): +- csruvs.add(ruv) +- elif basedn == api.env.basedn: +- ruvs.add(ruv) +- else: +- yield Result(self, constants.WARNING, +- name='dangling_ruv', +- error='Unknown suffix found %s expected %s' +- % (basedn, api.env.basedn)) +- +- dangles = False +- # get the dangling RUVs +- for master_info in info.values(): +- for ruv in master_info['ruvs']: +- if ruv not in ruvs: +- master_info['clean_ruv'].add(ruv) +- dangles = True +- +- # if ca is not configured, there will be no csruvs in master_info +- for csruv in master_info['csruvs']: +- if csruv not in csruvs: +- master_info['clean_csruv'].add(csruv) +- dangles = True +- +- clean_csruvs = set() +- clean_ruvs = set() +- if dangles: +- for _unused, master_info in info.items(): +- for ruv in master_info['clean_ruv']: +- logger.debug( +- "Dangling RUV id: %s, hostname: %s", ruv[1], ruv[0] +- ) +- clean_ruvs.add(ruv[1]) +- for csruv in master_info['clean_csruv']: +- logger.debug( +- "Dangling CS RUV id: %s, hostname: %s", +- csruv[1], +- csruv[0] +- ) +- clean_csruvs.add(csruv[1]) +- +- if clean_ruvs: +- yield Result(self, constants.ERROR, +- name='dangling_ruv', +- value=', '.join(clean_ruvs)) +- else: +- yield Result(self, constants.SUCCESS, +- name='dangling_ruv', +- value='No dangling RUVs found') +- if clean_csruvs: +- yield Result(self, constants.ERROR, +- name='dangling_csruv', +- value=', '.join(clean_csruvs)) +- else: +- yield Result(self, constants.SUCCESS, +- name='dangling_csruv', +- value='No dangling CS RUVs found') +diff --git a/tests/test_cluster_ruv.py b/tests/test_cluster_ruv.py +deleted file mode 100644 +index 7583c84..0000000 +--- a/tests/test_cluster_ruv.py ++++ /dev/null +@@ -1,106 +0,0 @@ +-# +-# Copyright (C) 2019 FreeIPA Contributors see COPYING for license +-# +- +-from base import BaseTest +-from util import capture_results +- +-from ipahealthcheck.core import config +-from ipaclustercheck.ipa.plugin import ClusterRegistry +-from ipaclustercheck.ipa.ruv import ClusterRUVCheck +- +-import clusterdata +- +- +-class RUVRegistry(ClusterRegistry): +- def load_files(self, dir): +- self.json = dir +- +- +-class Options: +- def __init__(self, data): +- self.data = data +- +- @property +- def dir(self): +- return self.data +- +- +-registry = RUVRegistry() +- +- +-class TestClusterRUV(BaseTest): +- +- def test_no_ruvs(self): +- """Single master test that has never created a replica +- +- This type of master will have no RUVs created at all. +- """ +- framework = object() +- registry.initialize(framework, config.Config, +- Options(clusterdata.ONE_MASTER)) +- f = ClusterRUVCheck(registry) +- +- self.results = capture_results(f) +- +- assert len(self.results) == 2 +- result = self.results.results[0] +- assert result.kw.get('name') == 'dangling_ruv' +- assert result.kw.get('value') == 'No dangling RUVs found' +- result = self.results.results[1] +- assert result.kw.get('name') == 'dangling_csruv' +- assert result.kw.get('value') == 'No dangling CS RUVs found' +- +- def test_six_ruvs_ok(self): +- """Three master test with each having a CA, no dangling +- """ +- framework = object() +- registry.initialize(framework, config.Config, +- Options(clusterdata.THREE_MASTERS_OK)) +- f = ClusterRUVCheck(registry) +- +- self.results = capture_results(f) +- +- assert len(self.results) == 2 +- result = self.results.results[0] +- assert result.kw.get('name') == 'dangling_ruv' +- assert result.kw.get('value') == 'No dangling RUVs found' +- result = self.results.results[1] +- assert result.kw.get('name') == 'dangling_csruv' +- assert result.kw.get('value') == 'No dangling CS RUVs found' +- +- def test_six_ruvs_ipa_bad(self): +- """Three master test with each having a CA, dangling IPA RUV +- """ +- framework = object() +- registry.initialize(framework, config.Config, +- Options(clusterdata.THREE_MASTERS_BAD_IPA_RUV)) +- f = ClusterRUVCheck(registry) +- +- self.results = capture_results(f) +- +- assert len(self.results) == 2 +- result = self.results.results[0] +- assert result.kw.get('name') == 'dangling_ruv' +- assert result.kw.get('value') == '9' +- result = self.results.results[1] +- assert result.kw.get('name') == 'dangling_csruv' +- assert result.kw.get('value') == 'No dangling CS RUVs found' +- +- def test_six_ruvs_cs_bad(self): +- """Three master test with each having a CA, dangling CA RUV +- """ +- framework = object() +- registry.initialize(framework, config.Config, +- Options(clusterdata.THREE_MASTERS_BAD_CS_RUV)) +- f = ClusterRUVCheck(registry) +- +- self.results = capture_results(f) +- +- assert len(self.results) == 2 +- result = self.results.results[0] +- assert result.kw.get('name') == 'dangling_ruv' +- assert result.kw.get('value') == 'No dangling RUVs found' +- result = self.results.results[1] +- assert result.kw.get('name') == 'dangling_csruv' +- assert result.kw.get('value') == '9' +-- +2.41.0 + diff --git a/SOURCES/0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch b/SOURCES/0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch new file mode 100644 index 0000000..5233083 --- /dev/null +++ b/SOURCES/0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch @@ -0,0 +1,44 @@ +From 35ff77300758c12110132d6d638802d5b223bd6d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 13 Nov 2023 14:09:16 -0500 +Subject: [PATCH] Don't fail if a service name cannot be looked up in LDAP + +A new method was introduced to handle more IPA services. This +requires looking some of them up in LDAP. dirsrv not running +was not being caught so raised an error instead. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/312 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/meta/services.py | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/src/ipahealthcheck/meta/services.py b/src/ipahealthcheck/meta/services.py +index 10fa83f..9838128 100644 +--- a/src/ipahealthcheck/meta/services.py ++++ b/src/ipahealthcheck/meta/services.py +@@ -25,10 +25,18 @@ class IPAServiceCheck(ServiceCheck): + def get_service_name(self, role): + """Roles define broad services. Translate a role name into + an individual service name. ++ ++ Returns a string on success, None if the service is not ++ configured or cannot be determined. + """ + conn = api.Backend.ldap2 +- if not api.Backend.ldap2.isconnected(): +- api.Backend.ldap2.connect() ++ try: ++ if not api.Backend.ldap2.isconnected(): ++ api.Backend.ldap2.connect() ++ except errors.NetworkError: ++ logger.debug("Service '%s' is not running", self.service_name) ++ return None ++ + dn = DN( + ("cn", role), ("cn", api.env.host), + ("cn", "masters"), ("cn", "ipa"), ("cn", "etc"), +-- +2.41.0 + diff --git a/SOURCES/0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch b/SOURCES/0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch new file mode 100644 index 0000000..2795766 --- /dev/null +++ b/SOURCES/0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch @@ -0,0 +1,44 @@ +From d1cb1997737c938bbc61d547aae277e308e78fce Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 14 Nov 2023 20:32:54 -0500 +Subject: [PATCH] Temporarily disable the ipa-ods-exporter service status check + +There is a bug in this service such that it will almost always +report as down. Rather than spamming users with this error give +time for it to be fixed in IPA upstream. + +See https://pagure.io/freeipa/issue/9463 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/meta/services.py | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/src/ipahealthcheck/meta/services.py b/src/ipahealthcheck/meta/services.py +index 9838128..b8973cb 100644 +--- a/src/ipahealthcheck/meta/services.py ++++ b/src/ipahealthcheck/meta/services.py +@@ -202,20 +202,6 @@ class ods_enforcerd(IPAServiceCheck): + return super().check() + + +-@registry +-class ipa_ods_exporter(IPAServiceCheck): +- requires = ('dirsrv',) +- +- def check(self, instance=''): +- self.service_name = self.get_service_name('DNSKeyExporter') +- +- if self.service_name is None: +- # No service name means it is not configured +- return () +- +- return super().check() +- +- + @registry + class ipa_dnskeysyncd(IPAServiceCheck): + requires = ('dirsrv',) +-- +2.40.1 + diff --git a/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch b/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch new file mode 100644 index 0000000..1552184 --- /dev/null +++ b/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch @@ -0,0 +1,46 @@ +From e556edc0b1cb607caa50f760d5059877f35fbcdc Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 11 Jan 2024 14:40:02 -0500 +Subject: [PATCH] Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0 + +In 11.5.0 the PKI project stopped storing the certificate +blobs in CS.cfg. If we continue to check it we will report a +false positive so skip it in that case. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/dogtag/ca.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py +index 4afa5d7..ddf5ece 100644 +--- a/src/ipahealthcheck/dogtag/ca.py ++++ b/src/ipahealthcheck/dogtag/ca.py +@@ -16,6 +16,8 @@ from ipaserver.install import krainstance + from ipapython.directivesetter import get_directive + from cryptography.hazmat.primitives.serialization import Encoding + ++import pki.util ++ + logger = logging.getLogger() + + +@@ -30,6 +32,13 @@ class DogtagCertsConfigCheck(DogtagPlugin): + logger.debug("No CA configured, skipping dogtag config check") + return + ++ pki_version = pki.util.Version(pki.specification_version()) ++ if pki_version >= pki.util.Version("11.5.0"): ++ logger.debug( ++ "PKI 11.5.0 no longer stores certificats in CS.cfg" ++ ) ++ return ++ + kra = krainstance.KRAInstance(api.env.realm) + + blobs = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert', +-- +2.45.0 + diff --git a/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch b/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch new file mode 100644 index 0000000..5e85b25 --- /dev/null +++ b/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch @@ -0,0 +1,59 @@ +From 3d85d43f62a0c52e44a2228c872307152b2b0de1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 12 Jan 2024 10:17:18 -0500 +Subject: [PATCH] test: Handle PKI >= 11.5.0 not storing certs in CS.cfg + +Update the test to expect 0 results if the PKI version is +>= 11.5.0. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317 + +Signed-off-by: Rob Crittenden +--- + tests/test_dogtag_ca.py | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py +index 0820aba..1f61dea 100644 +--- a/tests/test_dogtag_ca.py ++++ b/tests/test_dogtag_ca.py +@@ -2,12 +2,16 @@ + # Copyright (C) 2019 FreeIPA Contributors see COPYING for license + # + ++import pki.util + from util import capture_results, CAInstance, KRAInstance + from base import BaseTest + from ipahealthcheck.core import config, constants + from ipahealthcheck.dogtag.plugin import registry + from ipahealthcheck.dogtag.ca import DogtagCertsConfigCheck + from unittest.mock import Mock, patch ++import pytest ++ ++pki_version = pki.util.Version(pki.specification_version()) + + + class mock_Cert: +@@ -43,6 +47,9 @@ class TestCACerts(BaseTest): + Mock(return_value=KRAInstance()), + } + ++ @pytest.mark.skipif( ++ pki_version >= pki.util.Version("11.5.0"), ++ reason='Does not apply to PKI 11.5.0+') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') + def test_ca_certs_ok(self, mock_certdb, mock_directive): +@@ -71,6 +78,9 @@ class TestCACerts(BaseTest): + assert result.source == 'ipahealthcheck.dogtag.ca' + assert result.check == 'DogtagCertsConfigCheck' + ++ @pytest.mark.skipif( ++ pki_version >= pki.util.Version("11.5.0"), ++ reason='Does not apply to PKI 11.5.0+') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') + def test_cert_missing_from_file(self, mock_certdb, mock_directive): +-- +2.45.0 + diff --git a/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch b/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch new file mode 100644 index 0000000..3aabc32 --- /dev/null +++ b/SOURCES/0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch @@ -0,0 +1,92 @@ +From c780755c57286949d4c6d62dec6f0ce7d718dd13 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 18 Mar 2024 16:54:47 -0400 +Subject: [PATCH] Handle CS.cfg file missing in DogtagCertsConfigCheck + +This should never happen but if that file disappears things have +gone really, really badly. Throw a CRITICAL error. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/327 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/dogtag/ca.py | 10 ++++++++++ + tests/test_dogtag_ca.py | 9 +++++++-- + 2 files changed, 17 insertions(+), 2 deletions(-) + +diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py +index ddf5ece..5c2f6af 100644 +--- a/src/ipahealthcheck/dogtag/ca.py ++++ b/src/ipahealthcheck/dogtag/ca.py +@@ -3,6 +3,7 @@ + # + + import logging ++import os + + from ipahealthcheck.dogtag.plugin import DogtagPlugin, registry + from ipahealthcheck.core.plugin import Result +@@ -32,6 +33,15 @@ class DogtagCertsConfigCheck(DogtagPlugin): + logger.debug("No CA configured, skipping dogtag config check") + return + ++ if not os.path.exists(paths.CA_CS_CFG_PATH): ++ yield Result( ++ self, constants.CRITICAL, ++ key=f'{paths.CA_CS_CFG_PATH}_missing', ++ configfile=paths.CA_CS_CFG_PATH, ++ msg=f'Configuration file {paths.CA_CS_CFG_PATH} is missing' ++ ) ++ return ++ + pki_version = pki.util.Version(pki.specification_version()) + if pki_version >= pki.util.Version("11.5.0"): + logger.debug( +diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py +index 1f61dea..a78e5de 100644 +--- a/tests/test_dogtag_ca.py ++++ b/tests/test_dogtag_ca.py +@@ -50,9 +50,10 @@ class TestCACerts(BaseTest): + @pytest.mark.skipif( + pki_version >= pki.util.Version("11.5.0"), + reason='Does not apply to PKI 11.5.0+') ++ @patch('os.path.exists') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') +- def test_ca_certs_ok(self, mock_certdb, mock_directive): ++ def test_ca_certs_ok(self, mock_certdb, mock_directive, mock_exists): + """Test what should be the standard case""" + trust = { + 'ocspSigningCert cert-pki-ca': 'u,u,u', +@@ -62,6 +63,7 @@ class TestCACerts(BaseTest): + 'caSigningCert cert-pki-ca': 'CT,C,C', + 'transportCert cert-pki-kra': 'u,u,u', + } ++ mock_exists.return_value = True + mock_certdb.return_value = mock_CertDB(trust) + mock_directive.side_effect = [name for name, nsstrust in trust.items()] + +@@ -81,9 +83,11 @@ class TestCACerts(BaseTest): + @pytest.mark.skipif( + pki_version >= pki.util.Version("11.5.0"), + reason='Does not apply to PKI 11.5.0+') ++ @patch('os.path.exists') + @patch('ipahealthcheck.dogtag.ca.get_directive') + @patch('ipaserver.install.certs.CertDB') +- def test_cert_missing_from_file(self, mock_certdb, mock_directive): ++ def test_cert_missing_from_file(self, mock_certdb, mock_directive, ++ mock_exists): + """Test a missing certificate. + + Note that if it is missing from the database then this check +@@ -103,6 +107,7 @@ class TestCACerts(BaseTest): + location = nicknames.index('auditSigningCert cert-pki-ca') + nicknames[location] = 'NOT auditSigningCert cert-pki-ca' + ++ mock_exists.return_value = True + mock_certdb.return_value = mock_CertDB(trust) + mock_directive.side_effect = nicknames + +-- +2.45.0 + diff --git a/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch b/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch new file mode 100644 index 0000000..d09d7d6 --- /dev/null +++ b/SOURCES/0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch @@ -0,0 +1,47 @@ +From e0c09f9f1388bbce43775f40a39266e692e231da Mon Sep 17 00:00:00 2001 +From: Thorsten Scherf +Date: Wed, 13 Mar 2024 12:57:34 +0100 +Subject: [PATCH] Fixes log file permissions as per CIS benchmark + +As per CIS benchmark the log file permissions should be 640 for some log +files but if we change /var/log/ipa-custodia.audit.log permissions to +640 then "ipa-healthcheck" reports a permission issue. + +Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/325 +Signed-off-by: Thorsten Scherf +--- + src/ipahealthcheck/ipa/files.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py +index b7ca116..d914014 100644 +--- a/src/ipahealthcheck/ipa/files.py ++++ b/src/ipahealthcheck/ipa/files.py +@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck): + self.files.append((filename, 'root', 'root', '0600')) + + self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG, +- 'root', 'root', '0644')) ++ 'root', 'root', '0644', '0640')) + + self.files.append((paths.KADMIND_LOG, 'root', 'root', + ('0600', '0640'))) +@@ -133,11 +133,13 @@ class IPAFileCheck(IPAPlugin, FileCheck): + self.files.append((paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst, + constants.DS_USER, constants.DS_GROUP, '0600')) + +- self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644')) ++ self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', ++ '0644', '0640')) + + for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR): + self.files.append( +- (globpath, constants.PKI_USER, constants.PKI_GROUP, "0644") ++ (globpath, constants.PKI_USER, constants.PKI_GROUP, ++ "0644", "0640") + ) + + for globpath in glob.glob( +-- +2.45.0 + diff --git a/SOURCES/0008-Fix-some-file-mode-format-issues.patch b/SOURCES/0008-Fix-some-file-mode-format-issues.patch new file mode 100644 index 0000000..ae3a19f --- /dev/null +++ b/SOURCES/0008-Fix-some-file-mode-format-issues.patch @@ -0,0 +1,190 @@ +From 2206b9915606c555163dec775a99a355dc02bee0 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 28 May 2024 11:15:48 -0400 +Subject: [PATCH] Fix some file mode format issues + +When specifying multiple possible modes for a file the values must +be a tuple. There were two occurances where they were listed +separately. + +Add in a pre-check on the formatting to raise an error for badly +formatted files. This may be annoying for users if one sneaks in +again but the CI should catch it. + +Related: https://github.com/freeipa/freeipa-healthcheck/issues/325 + +Signed-off-by: Rob Crittenden +--- + src/ipahealthcheck/core/files.py | 12 +++++- + src/ipahealthcheck/ipa/files.py | 6 +-- + tests/test_core_files.py | 72 +++++++++++++++++++++++++++++++- + tests/util.py | 1 + + 4 files changed, 85 insertions(+), 6 deletions(-) + +diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py +index 85d42bc..32bc5b2 100644 +--- a/src/ipahealthcheck/core/files.py ++++ b/src/ipahealthcheck/core/files.py +@@ -31,7 +31,17 @@ class FileCheck: + + @duration + def check(self): +- for (path, owner, group, mode) in self.files: ++ # first validate that the list of files to check is in the correct ++ # format ++ process_files = [] ++ for file in self.files: ++ if len(file) == 4: ++ process_files.append(file) ++ else: ++ yield Result(self, constants.ERROR, key=file, ++ msg='Code format is incorrect for file') ++ ++ for (path, owner, group, mode) in process_files: + if not isinstance(owner, tuple): + owner = tuple((owner,)) + if not isinstance(group, tuple): +diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py +index d914014..c80fd5b 100644 +--- a/src/ipahealthcheck/ipa/files.py ++++ b/src/ipahealthcheck/ipa/files.py +@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck): + self.files.append((filename, 'root', 'root', '0600')) + + self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG, +- 'root', 'root', '0644', '0640')) ++ 'root', 'root', ('0644', '0640'))) + + self.files.append((paths.KADMIND_LOG, 'root', 'root', + ('0600', '0640'))) +@@ -134,12 +134,12 @@ class IPAFileCheck(IPAPlugin, FileCheck): + constants.DS_USER, constants.DS_GROUP, '0600')) + + self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', +- '0644', '0640')) ++ ('0644', '0640'))) + + for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR): + self.files.append( + (globpath, constants.PKI_USER, constants.PKI_GROUP, +- "0644", "0640") ++ ("0644", "0640")) + ) + + for globpath in glob.glob( +diff --git a/tests/test_core_files.py b/tests/test_core_files.py +index 924d7fa..e7010a9 100644 +--- a/tests/test_core_files.py ++++ b/tests/test_core_files.py +@@ -2,14 +2,22 @@ + # Copyright (C) 2019 FreeIPA Contributors see COPYING for license + # + ++from ldap import OPT_X_SASL_SSF_MIN + import pwd + import posix ++from util import m_api ++from util import capture_results ++ ++from ipahealthcheck.core import config + from ipahealthcheck.core.files import FileCheck + from ipahealthcheck.core import constants + from ipahealthcheck.core.plugin import Results ++from ipahealthcheck.ipa.files import IPAFileCheck ++from ipahealthcheck.system.plugin import registry + from unittest.mock import patch ++from ipapython.dn import DN ++from ipapython.ipaldap import LDAPClient, LDAPEntry + +-from util import capture_results + + nobody = pwd.getpwnam('nobody') + +@@ -20,6 +28,37 @@ files = (('foo', 'root', 'root', '0660'), + ('fiz', ('root', 'bin'), ('root', 'bin'), '0664'), + ('zap', ('root', 'bin'), ('root', 'bin'), ('0664', '0640'),)) + ++bad_modes = (('biz', ('root', 'bin'), ('root', 'bin'), '0664', '0640'),) ++ ++ ++class mock_ldap: ++ SCOPE_BASE = 1 ++ SCOPE_ONELEVEL = 2 ++ SCOPE_SUBTREE = 4 ++ ++ def __init__(self, ldapentry): ++ """Initialize the results that we will return from get_entries""" ++ self.results = ldapentry ++ ++ def get_entry(self, dn, attrs_list=None, time_limit=None, ++ size_limit=None, get_effective_rights=False): ++ return [] # the call doesn't check the value ++ ++ ++class mock_ldap_conn: ++ def set_option(self, option, invalue): ++ pass ++ ++ def get_option(self, option): ++ if option == OPT_X_SASL_SSF_MIN: ++ return 256 ++ ++ return None ++ ++ def search_s(self, base, scope, filterstr=None, ++ attrlist=None, attrsonly=0): ++ return tuple() ++ + + def make_stat(mode=33200, uid=0, gid=0): + """Return a mocked-up stat. +@@ -234,4 +273,33 @@ def test_files_group_not_found(mock_grgid, mock_grnam, mock_stat): + my_results = get_results(results, 'group') + for result in my_results.results: + assert result.result == constants.WARNING +- assert result.kw.get('got') == 'Unknown gid 0' ++ ++ ++def test_bad_modes(): ++ f = FileCheck() ++ f.files = bad_modes ++ ++ results = capture_results(f) ++ ++ for result in results.results: ++ assert result.result == constants.ERROR ++ assert result.kw.get('msg') == 'Code format is incorrect for file' ++ ++ ++@patch('ipaserver.install.krbinstance.is_pkinit_enabled') ++def test_ipa_files_format(mock_pkinit): ++ mock_pkinit.return_value = True ++ ++ fake_conn = LDAPClient('ldap://localhost', no_schema=True) ++ ldapentry = LDAPEntry(fake_conn, DN(m_api.env.container_dns, ++ m_api.env.basedn)) ++ framework = object() ++ registry.initialize(framework, config.Config) ++ f = IPAFileCheck(registry) ++ ++ f.conn = mock_ldap(ldapentry) ++ ++ results = capture_results(f) ++ ++ for result in results.results: ++ assert result.result == constants.SUCCESS +diff --git a/tests/util.py b/tests/util.py +index 12c1688..fb8750a 100644 +--- a/tests/util.py ++++ b/tests/util.py +@@ -141,6 +141,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts')) + m_api.env.container_sysaccounts = DN(('cn', 'sysaccounts'), ('cn', 'etc')) + m_api.env.container_service = DN(('cn', 'services'), ('cn', 'accounts')) + m_api.env.container_masters = DN(('cn', 'masters')) ++m_api.env.container_dns = DN(('cn', 'dns')) + m_api.Backend = Mock() + m_api.Command = Mock() + m_api.Command.ping.return_value = { +-- +2.45.0 + diff --git a/SOURCES/0009-Allow-WARNING-in-the-files-test.patch b/SOURCES/0009-Allow-WARNING-in-the-files-test.patch new file mode 100644 index 0000000..05bddbc --- /dev/null +++ b/SOURCES/0009-Allow-WARNING-in-the-files-test.patch @@ -0,0 +1,28 @@ +From b6346fedcc158a3ed3a70691350bf7ebee4a8460 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Thu, 20 Jun 2024 14:27:16 -0400 +Subject: [PATCH] Allow WARNING in the files test + +We are only validating the format and don't need to actually +enforce the results in CI. The validation raises ERROR. + +Related: https://github.com/freeipa/freeipa-healthcheck/issues/325 + +Signed-off-by: Rob Crittenden +--- + tests/test_core_files.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tests/test_core_files.py b/tests/test_core_files.py +index e7010a9..d308410 100644 +--- a/tests/test_core_files.py ++++ b/tests/test_core_files.py +@@ -302,4 +302,4 @@ def test_ipa_files_format(mock_pkinit): + results = capture_results(f) + + for result in results.results: +- assert result.result == constants.SUCCESS ++ assert result.result in (constants.SUCCESS, constants.WARNING) +-- +2.45.0 + diff --git a/SOURCES/ipahealthcheck.conf b/SOURCES/ipahealthcheck.conf new file mode 100644 index 0000000..ab109a1 --- /dev/null +++ b/SOURCES/ipahealthcheck.conf @@ -0,0 +1 @@ +[default] diff --git a/SPECS/freeipa-healthcheck.spec b/SPECS/freeipa-healthcheck.spec new file mode 100644 index 0000000..53bf034 --- /dev/null +++ b/SPECS/freeipa-healthcheck.spec @@ -0,0 +1,359 @@ +%if 0%{?rhel} +%global prefix ipa +%global productname IPA +%global alt_prefix freeipa +%else +# Fedora +%global prefix freeipa +%global productname FreeIPA +%global alt_prefix ipa +%endif +%global debug_package %{nil} +%global python3dir %{_builddir}/python3-%{name}-%{version}-%{release} +%{!?python3_sitelib: %global python3_sitelib %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")} +%global alt_name %{alt_prefix}-healthcheck + +%bcond_without tests + +Name: %{prefix}-healthcheck +Version: 0.16 +Release: 6%{?dist} +Summary: Health check tool for %{productname} +BuildArch: noarch +License: GPL-3.0-or-later +URL: https://github.com/freeipa/freeipa-healthcheck +Source0: https://github.com/freeipa/freeipa-healthcheck/archive/%{version}.tar.gz +Source1: ipahealthcheck.conf + +Patch0001: 0001-Remove-ipaclustercheck.patch +Patch0002: 0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch +Patch0003: 0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch +Patch0004: 0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch +Patch0005: 0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch +Patch0006: 0006-Handle-CS.cfg-file-missing-in-DogtagCertsConfigCheck.patch +Patch0007: 0007-Fixes-log-file-permissions-as-per-CIS-benchmark.patch +Patch0008: 0008-Fix-some-file-mode-format-issues.patch +Patch0009: 0009-Allow-WARNING-in-the-files-test.patch + +Requires: %{name}-core = %{version}-%{release} +Requires: %{prefix}-server +Requires: python3-ipalib +Requires: python3-ipaserver +Requires: python3-lib389 >= 1.4.2.14-1 +# cronie-anacron provides anacron +Requires: anacron +Requires: logrotate +Requires(post): systemd-units +Requires: %{name}-core = %{version}-%{release} +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: systemd-devel +%{?systemd_requires} +# packages for make check +%if %{with tests} +BuildRequires: python3-pytest +BuildRequires: python3-ipalib +BuildRequires: python3-ipaserver +%endif +BuildRequires: python3-lib389 +BuildRequires: python3-libsss_nss_idmap + +# Cross-provides for sibling OS +Provides: %{alt_name} = %{version} +Conflicts: %{alt_name} +Obsoletes: %{alt_name} < %{version} + +%description +The %{productname} health check tool provides a set of checks to +proactively detect defects in a FreeIPA cluster. + + +%package -n %{name}-core +Summary: Core plugin system for healthcheck + +# Cross-provides for sibling OS +Provides: %{alt_name}-core = %{version} +Conflicts: %{alt_name}-core +Obsoletes: %{alt_name}-core < %{version} + + +%description -n %{name}-core +Core plugin system for healthcheck, usable standalone with other +packages. + + +%prep +%autosetup -p1 -n freeipa-healthcheck-%{version} + + +%build +%py3_build + + +%install +%py3_install + +mkdir -p %{buildroot}%{_sysconfdir}/ipahealthcheck +install -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ipahealthcheck + +mkdir -p %{buildroot}/%{_unitdir} +install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.service %{buildroot}%{_unitdir} +install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.timer %{buildroot}%{_unitdir} + +mkdir -p %{buildroot}/%{_libexecdir}/ipa +install -p -m755 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.sh %{buildroot}%{_libexecdir}/ipa/ + +mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d +install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/logrotate/ipahealthcheck %{buildroot}%{_sysconfdir}/logrotate.d + +mkdir -p %{buildroot}/%{_localstatedir}/log/ipa/healthcheck + +mkdir -p %{buildroot}/%{_mandir}/man8 +mkdir -p %{buildroot}/%{_mandir}/man5 +install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/man/man8/ipa-healthcheck.8 %{buildroot}%{_mandir}/man8/ +install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/man/man5/ipahealthcheck.conf.5 %{buildroot}%{_mandir}/man5/ + +(cd %{buildroot}/%{python3_sitelib}/ipahealthcheck && find . -type f | \ + grep -v '^./core' | \ + grep -v 'opt-1' | \ + sed -e 's,\.py.*$,.*,g' | sort -u | \ + sed -e 's,\./,%%{python3_sitelib}/ipahealthcheck/,g' ) >healthcheck.list + + +%if %{with tests} +%check +PYTHONPATH=src PATH=$PATH:$RPM_BUILD_ROOT/usr/bin pytest-3 tests/test_* +%endif + + +%post +%systemd_post ipa-healthcheck.service + + +%preun +%systemd_preun ipa-healthcheck.service + + +%postun +%systemd_postun_with_restart ipa-healthcheck.service + + +%files -f healthcheck.list +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc README.md +%{_bindir}/ipa-healthcheck +%dir %{_sysconfdir}/ipahealthcheck +%dir %{_localstatedir}/log/ipa/healthcheck +%config(noreplace) %{_sysconfdir}/ipahealthcheck/ipahealthcheck.conf +%config(noreplace) %{_sysconfdir}/logrotate.d/ipahealthcheck +%{python3_sitelib}/ipahealthcheck-%{version}-*.egg-info/ +%{python3_sitelib}/ipahealthcheck-%{version}-*-nspkg.pth +%{_unitdir}/* +%{_libexecdir}/* +%{_mandir}/man8/* +%{_mandir}/man5/* + + +%files -n %{name}-core +%{!?_licensedir:%global license %%doc} +%license COPYING +%doc README.md +%{python3_sitelib}/ipahealthcheck/core/ + + +%changelog +* Fri Jul 19 2024 Rob Crittenden - 0.16-6 +- Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0 (RHEL-39701) +- Need to change log file permissions of IPA as per CIS benchmark (RHEL-44305) + +* Mon Jun 24 2024 Troy Dawson - 0.16-5 +- Bump release for June 2024 mass rebuild + +* Wed Jan 24 2024 Fedora Release Engineering - 0.16-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 0.16-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Tue Nov 14 2023 Rob Crittenden - 0.16-2 +- Don't fail if a service name cannot be looked up in LDAP +- Disable the ipa-ods-exporter service check + +* Wed Nov 8 2023 Rob Crittenden - 0.16-1 +- Update to 0.16 release +- This fixes pki-healthcheck + +* Tue Nov 7 2023 Rob Crittenden - 0.15-1 +- Update to 0.15 release + +* Mon Aug 21 2023 Rob Crittenden - 0.14-1 +- Update to 0.14 release + +* Wed Jul 19 2023 Rob Crittenden - 0.13-1 +- Update to 0.13 release + +* Thu Jun 29 2023 Python Maint - 0.12-5 +- Rebuilt for Python 3.12 + +* Wed Jun 28 2023 Python Maint - 0.12-4 +- Bootstrap for Python 3.12 + +* Wed Mar 29 2023 Rob Crittenden - 0.12-3 +- Migrated to SPDX license + +* Thu Jan 19 2023 Fedora Release Engineering - 0.12-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Thu Dec 1 2022 Rob Crittenden - 0.12 +- Update to 0.12 release + +* Thu Jul 21 2022 Fedora Release Engineering - 0.11-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Thu Jun 16 2022 Python Maint - 0.11-4 +- Rebuilt for Python 3.11 + +* Thu Jun 16 2022 Python Maint - 0.11-3 +- Bootstrap for Python 3.11 + +* Mon Jun 06 2022 Rob Crittenden - 0.11-2 +- Don't WARN on KDC workers if cpus == 1 and KRB5KDC_ARGS is empty + +* Thu Jun 02 2022 Rob Crittenden - 0.11-1 +- Update to 0.11 release + +* Tue Feb 8 2022 Rob Crittenden - 0.10-1 +- Update to 0.10 release + +* Thu Jan 20 2022 Fedora Release Engineering - 0.9-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jul 21 2021 Fedora Release Engineering - 0.9-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Mon Jun 14 2021 Rob Crittenden - 0.9-2 +- FileCheck would raise a CRITICAL for non-existent files + +* Tue Jun 8 2021 Rob Crittenden - 0.9-1 +- Update to upstream 0.9 +- Fix bad date in 0.8-6.1 changelog entry + +* Mon Jun 07 2021 Python Maint - 0.8-8.1 +- Rebuilt for Python 3.10 + +* Fri Jun 04 2021 Python Maint - 0.8-7.1 +- Bootstrap for Python 3.10 + +* Thu Apr 15 2021 Rob Crittenden - 0.8-6.1 +- Switch from tox to pytest as the test runner. tox is being deprecated + in some distros. + +* Mon Mar 8 2021 François Cami - 0.8-6 +- Make the spec file distribution-agnostic (rhbz#1935773). + +* Tue Mar 2 2021 Alexander Scheel - 0.8-5 +- Make the spec file more distribution-agnostic +- Use tox as the test runner when tests are enabled + +* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek - 0.8-4 +- Rebuilt for updated systemd-rpm-macros + See https://pagure.io/fesco/issue/2583. + +* Tue Jan 26 2021 Fedora Release Engineering - 0.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jan 18 2021 Rob Crittenden - 0.8-2 +- A bad file group was reported as a python list, not a string + +* Wed Jan 13 2021 Rob Crittenden - 0.8-1 +- Update to upstream 0.8 +- Fix FTBFS in F34/rawhide (#1915256) + +* Wed Dec 16 2020 Rob Crittenden - 0.7-3 +- Include upstream patch to fix parsing input from json files + +* Tue Nov 17 2020 Rob Crittenden - 0.7-2 +- Include upstream patch to fix collection of AD trust domains +- Include upstream patch to fix failing not-valid-after test + +* Thu Oct 29 2020 Rob Crittenden - 0.7-1 +- Update to upstream 0.7 + +* Wed Jul 29 2020 Rob Crittenden - 0.6-4 +- Set minimum Requires on python3-lib389 +- Don't assume that all users of healthcheck-core provide the same + set of options. + +* Mon Jul 27 2020 Fedora Release Engineering - 0.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Fri Jul 24 2020 Rob Crittenden - 0.6-2 +- Don't collect IPA servers in MetaCheck +- Skip if dirsrv not available in IPAMetaCheck + +* Wed Jul 1 2020 Rob Crittenden - 0.6-1 +- Update to upstream 0.6 +- Don't include cluster checking yet + +* Tue Jun 23 2020 Rob Crittenden - 0.5-5 +- Add BuildRequires on python3-setuptools + +* Tue May 26 2020 Miro Hrončok - 0.5-4 +- Rebuilt for Python 3.9 + +* Tue Jan 28 2020 Fedora Release Engineering - 0.5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Mon Jan 27 2020 Rob Crittenden - 0.5-2 +- Rebuild + +* Thu Jan 2 2020 Rob Crittenden - 0.5-1 +- Update to upstream 0.5 + +* Mon Dec 2 2019 François Cami - 0.4-2 +- Create subpackage to split out core processing (#1771710) + +* Mon Dec 2 2019 François Cami - 0.4-1 +- Update to upstream 0.4 +- Change Source0 to something "spectool -g" can use. +- Correct URL (#1773512) +- Errors not translated to strings (#1752849) +- JSON output not indented by default (#1729043) +- Add dependencies to checks to avoid false-positives (#1727900) +- Verify expected DNS records (#1695125 + +* Thu Oct 03 2019 Miro Hrončok - 0.3-3 +- Rebuilt for Python 3.8.0rc1 (#1748018) + +* Mon Aug 19 2019 Miro Hrončok - 0.3-2 +- Rebuilt for Python 3.8 + +* Thu Jul 25 2019 François Cami - 0.3-1 +- Update to upstream 0.3 +- Add logrotate configs + depend on anacron and logrotate + +* Thu Jul 25 2019 François Cami - 0.2-6 +- Fix permissions + +* Thu Jul 25 2019 Fedora Release Engineering - 0.2-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jul 11 2019 François Cami - 0.2-4 +- Fix ipa-healthcheck.sh installation path (rhbz#1729188) +- Create and own log directory (rhbz#1729188) + +* Tue Apr 30 2019 François Cami - 0.2-3 +- Add python3-lib389 to BRs + +* Tue Apr 30 2019 François Cami - 0.2-2 +- Fix changelog + +* Thu Apr 25 2019 Rob Crittenden - 0.2-1 +- Update to upstream 0.2 + +* Thu Apr 4 2019 François Cami - 0.1-2 +- Explicitly list dependencies + +* Tue Apr 2 2019 François Cami - 0.1-1 +- Initial package import