From a63d5ac05157e689e99494661240d43d131c0e91 Mon Sep 17 00:00:00 2001

From: Rob Crittenden <rcritten@redhat.com>

Date: Tue, 11 May 2021 13:19:41 -0400

Subject: [PATCH] Don't collect the CRLManager role if the CA is not configured

This was raising a false positive in the IPA CA-less case.

https://github.com/freeipa/freeipa-healthcheck/issues/201

Signed-off-by: Rob Crittenden <rcritten@redhat.com>

---

 src/ipahealthcheck/ipa/roles.py |  2 ++

 tests/test_ipa_roles.py         | 12 ++++++++++++

 2 files changed, 14 insertions(+)

diff --git a/src/ipahealthcheck/ipa/roles.py b/src/ipahealthcheck/ipa/roles.py

index 0ff2269..aac7b80 100644

--- a/src/ipahealthcheck/ipa/roles.py

+++ b/src/ipahealthcheck/ipa/roles.py

@@ -25,6 +25,8 @@ class IPACRLManagerCheck(IPAPlugin):

     """

     @duration

     def check(self):

+        if not self.ca.is_configured():

+            return

         try:

             enabled = self.ca.is_crlgen_enabled()

         except AttributeError:

diff --git a/tests/test_ipa_roles.py b/tests/test_ipa_roles.py

index 21c0069..7c4a2d1 100644

--- a/tests/test_ipa_roles.py

+++ b/tests/test_ipa_roles.py

@@ -48,6 +48,18 @@ class TestCRLManagerRole(BaseTest):

         assert result.check == 'IPACRLManagerCheck'

         assert result.kw.get('crlgen_enabled') is True

+    @patch('ipaserver.install.cainstance.CAInstance')

+    def test_crlmanager_no_ca(self, mock_ca):

+        """There should be no CRLManagerCheck without a CA"""

+        mock_ca.return_value = CAInstance(False)

+        framework = object()

+        registry.initialize(framework, config.Config)

+        f = IPACRLManagerCheck(registry)

+

+        self.results = capture_results(f)

+

+        assert len(self.results) == 0

+

 class TestRenewalMaster(BaseTest):

     def test_renewal_master_not_set(self):

-- 

2.31.1