From c780755c57286949d4c6d62dec6f0ce7d718dd13 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 18 Mar 2024 16:54:47 -0400
Subject: [PATCH] Handle CS.cfg file missing in DogtagCertsConfigCheck
This should never happen but if that file disappears things have
gone really, really badly. Throw a CRITICAL error.
Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/327
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
src/ipahealthcheck/dogtag/ca.py | 10 ++++++++++
tests/test_dogtag_ca.py | 9 +++++++--
2 files changed, 17 insertions(+), 2 deletions(-)
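diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
index ddf5ece..5c2f6af 100644
--- a/src/ipahealthcheck/dogtag/ca.py
+++ b/src/ipahealthcheck/dogtag/ca.py
@@ -3,6 +3,7 @@
 #
 
 import logging
+import os
 
 from ipahealthcheck.dogtag.plugin import DogtagPlugin, registry
 from ipahealthcheck.core.plugin import Result
@@ -32,6 +33,15 @@ class DogtagCertsConfigCheck(DogtagPlugin):
 logger.debug("No CA configured, skipping dogtag config check")
 return
 
+ if not os.path.exists(paths.CA_CS_CFG_PATH):
+ yield Result(
+ self, constants.CRITICAL,
+ key=f'{paths.CA_CS_CFG_PATH}_missing',
+ configfile=paths.CA_CS_CFG_PATH,
+ msg=f'Configuration file {paths.CA_CS_CFG_PATH} is missing'
+ )
+ return
+
 pki_version = pki.util.Version(pki.specification_version())
 if pki_version >= pki.util.Version("11.5.0"):
 logger.debug(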
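Review bot: The new `os.path.exists(paths.CA_CS_CFG_PATH)` guard in the second hunk also returns False when the file is present but cannot be stat'ed (for example a permission problem on a parent directory), so that case is reported as "is missing" and points the operator at the wrong problem. For a health check the two conditions are worth separating: an `os.stat()` call with `FileNotFoundError` handled as the missing case and any other `OSError` reported as the file being inaccessible keeps the CRITICAL severity for both while making the message truthful. The pre-check is also not atomic with the later read of CS.cfg, so a file removed between the two would still surface there; the enclosing method starts before and continues past the hunk. If the guard is changed this way, the tests in the second file, which patch `os.path.exists`, would need to patch `os.stat` instead.
```python
# … unchanged: "No CA configured" early return …
try:
    os.stat(paths.CA_CS_CFG_PATH)
except FileNotFoundError:
    yield Result(
        self, constants.CRITICAL,
        key=f'{paths.CA_CS_CFG_PATH}_missing',
        configfile=paths.CA_CS_CFG_PATH,
        msg=f'Configuration file {paths.CA_CS_CFG_PATH} is missing'
    )
    return
except OSError as e:
    # exists-but-unreadable is a different failure from missing; say so
    yield Result(
        self, constants.CRITICAL,
        key=f'{paths.CA_CS_CFG_PATH}_unreadable',  # constructed key, follows the _missing pattern
        configfile=paths.CA_CS_CFG_PATH,
        msg=f'Configuration file {paths.CA_CS_CFG_PATH} is not accessible: {e}'
    )
    return
# … unchanged: pki_version check …
```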
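diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py
index 1f61dea..a78e5de 100644
--- a/tests/test_dogtag_ca.py
+++ b/tests/test_dogtag_ca.py
@@ -50,9 +50,10 @@ class TestCACerts(BaseTest):
 @pytest.mark.skipif(
 pki_version >= pki.util.Version("11.5.0"),
 reason='Does not apply to PKI 11.5.0+')
+ @patch('os.path.exists')
 @patch('ipahealthcheck.dogtag.ca.get_directive')
 @patch('ipaserver.install.certs.CertDB')
- def test_ca_certs_ok(self, mock_certdb, mock_directive):
+ def test_ca_certs_ok(self, mock_certdb, mock_directive, mock_exists):
 """Test what should be the standard case"""
 trust = {
 'ocspSigningCert cert-pki-ca': 'u,u,u',
@@ -62,6 +63,7 @@ class TestCACerts(BaseTest):
 'caSigningCert cert-pki-ca': 'CT,C,C',
 'transportCert cert-pki-kra': 'u,u,u',
 }
+ mock_exists.return_value = True
 mock_certdb.return_value = mock_CertDB(trust)
 mock_directive.side_effect = [name for name, nsstrust in trust.items()]
 
@@ -81,9 +83,11 @@ class TestCACerts(BaseTest):
 @pytest.mark.skipif(
 pki_version >= pki.util.Version("11.5.0"),
 reason='Does not apply to PKI 11.5.0+')
+ @patch('os.path.exists')
 @patch('ipahealthcheck.dogtag.ca.get_directive')
 @patch('ipaserver.install.certs.CertDB')
- def test_cert_missing_from_file(self, mock_certdb, mock_directive):
+ def test_cert_missing_from_file(self, mock_certdb, mock_directive,
+ mock_exists):
 """Test a missing certificate.
 
 Note that if it is missing from the database then this check
@@ -103,6 +107,7 @@ class TestCACerts(BaseTest):
 location = nicknames.index('auditSigningCert cert-pki-ca')
 nicknames[location] = 'NOT auditSigningCert cert-pki-ca'
 
+ mock_exists.return_value = True
 mock_certdb.return_value = mock_CertDB(trust)
 mock_directive.side_effect = nicknames
 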
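Review bot: Neither updated test exercises the new CRITICAL branch: both set `mock_exists.return_value = True`, so a regression in the missing-file path (wrong severity, wrong key, or the early `return` dropped) would pass unnoticed. A third test in `TestCACerts` with `mock_exists.return_value = False` that asserts exactly one result with severity CRITICAL and key `f'{paths.CA_CS_CFG_PATH}_missing'` would cover it, using the same `@patch` stack the two existing tests show. That new test should not carry the `pytest.mark.skipif` on PKI 11.5.0+, because in the first file the existence check runs before the version branch and so applies to every PKI version. The purpose of the `return_value = True` lines is not obvious to a reader, so a short comment such as `# CS.cfg is absent on the test host; pretend it is present` on each would help; both test methods continue past their hunks.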
--
2.45.0