From ebd3e00298f5abaa99377800bd29def15d696d08 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 14 2022 02:51:57 +0000 Subject: import ipa-healthcheck-0.7-10.module+el8.6.0+14292+18b36d36 --- diff --git a/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch b/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch index b9b639f..3bc4afe 100644 --- a/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch +++ b/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch @@ -1,4 +1,4 @@ -From b1ede44aed3c58a9c1abcb35a78e0fc15bfc37f6 Mon Sep 17 00:00:00 2001 +From eb377fed539e44194fb1ad822c0d4c6e9ea38d03 Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 11 May 2021 13:26:00 -0400 Subject: [PATCH] Filter out the pki healthcheck sources if IPA CA is not @@ -20,12 +20,12 @@ https://github.com/freeipa/freeipa-healthcheck/issues/201 Signed-off-by: Rob Crittenden --- - src/ipahealthcheck/core/core.py | 12 ++++++++++++ + src/ipahealthcheck/core/core.py | 13 +++++++++++++ src/ipahealthcheck/ipa/plugin.py | 4 ++++ - 2 files changed, 16 insertions(+) + 2 files changed, 17 insertions(+) diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py -index eaa2d9c..d6b2357 100644 +index eaa2d9c..a6b4fe8 100644 --- a/src/ipahealthcheck/core/core.py +++ b/src/ipahealthcheck/core/core.py @@ -281,6 +281,13 @@ class RunChecks: 
@@ -42,12 +42,13 @@ index eaa2d9c..d6b2357 100644 for name, registry in find_registries(self.entry_points).items(): try: registry.initialize(framework, config, options) -@@ -292,6 +299,11 @@ class RunChecks: +@@ -292,6 +299,12 @@ class RunChecks: except Exception as e: logger.error("Unable to initialize %s: %s" % (name, e)) continue + if hasattr(registry, 'ca_configured'): + ca_configured = registry.ca_configured ++ for name, registry in find_registries(self.entry_points).items(): + if 'pkihealthcheck' in name and ca_configured is False: + logger.debug('IPA CA is not configured, skipping %s', name) + continue @@ -55,7 +56,7 @@ index eaa2d9c..d6b2357 100644 plugins.append(plugin) diff --git a/src/ipahealthcheck/ipa/plugin.py b/src/ipahealthcheck/ipa/plugin.py -index 67d93e5..54d1ed3 100644 +index 67d93e5..debb1bb 100644 --- a/src/ipahealthcheck/ipa/plugin.py +++ b/src/ipahealthcheck/ipa/plugin.py @@ -35,6 +35,7 @@ class IPARegistry(Registry): @@ -66,15 +67,16 @@ index 67d93e5..54d1ed3 100644 def initialize(self, framework, config, options=None): super(IPARegistry, self).initialize(framework, config) -@@ -82,5 +83,8 @@ class IPARegistry(Registry): - if role.get('status') == 'enabled': - self.trust_controller = True +@@ -58,6 +59,9 @@ class IPARegistry(Registry): + logging.debug('Failed to connect to LDAP: %s', e) + return + ca = cainstance.CAInstance(api.env.realm, host_name=api.env.host) + self.ca_configured = ca.is_configured() + - - registry = IPARegistry() + # This package is pulled in when the trust package is installed + # and is required to lookup trust users. If this is not installed + # then it can be inferred that trust is not enabled. -- 2.31.1 diff --git a/SOURCES/0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch b/SOURCES/0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch new file mode 100644 index 0000000..df29ffb --- /dev/null +++ b/SOURCES/0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch 
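Review bot: The second `for name, registry in find_registries(self.entry_points).items():` loop has no record of which registries failed `registry.initialize(...)`, so the `continue` in the `except Exception` branch no longer keeps a failed registry out of plugin loading as it did when everything ran in one loop. The plugin discovery call itself lies outside this hunk, so this is inferred from the `plugins.append(plugin)` context that follows. Calling `find_registries` twice also assumes both calls return the same, already initialized registry objects, which the hunk does not show. I would call it once, `registries = find_registries(self.entry_points)`, collect the failed names in a set before the `continue`, and open the second loop with `if name in failed: continue`.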
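Review bot: `self.ca_configured = ca.is_configured()` now sits directly after the `return` that follows `logging.debug('Failed to connect to LDAP: %s', e)`, so when the LDAP connection fails the attribute keeps whatever default the `@@ -35,6 +35,7 @@` hunk gives it; that line is not shown here. If the default is `False`, the `ca_configured is False` test in core.py would drop every pkihealthcheck source while LDAP is unreachable, and certificate problems would disappear from the report with only a debug message to show for it. Defaulting the attribute to `None` (`self.ca_configured = None`) keeps "not determined" distinct from "no CA", which is the same distinction the 0019 patch restores in core.py. If `is_configured()` does not need the LDAP connection, moving the two added lines above the connect attempt would also work.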
@@ -0,0 +1,71 @@
+From 62c14dbff5a947b50194df197de9f7052597ffb4 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 17 Feb 2022 08:56:38 -0500
+Subject: [PATCH] Don't depend on IPA status when suppressing pki checks
+
+The pki healthchecks are noisy if a CA is not configured. We
+want to suppresse these in IPA so don't make the checks visible
+if a CA is not configured.
+
+So this means we need to be able to run in these conditions:
+
+1. IPA is configured with a CA: the pki checks are run
+2. IPA is configured without a CA: the pki checks are not run
+3. IPA is not configured: the pki checks are run
+
+Which basically equates to three states: True, False, None
+
+This was done originally with the ca_configured variable set to
+None. Using some inside knowledge the registries are loaded which
+will set ca_configured to True or False in the IPA registry.
+Using that we can determine if the pki checks should be available.
+Unfortunately I changed the initialization to False so it always
+assumes that IPA is installed. ca_configured will be False for the
+case of IPA not installed instead of None so we can't handle that
+last state.
+
+So initialize ca_configured to None so we can satisfy all three
+states.
+
+Signed-off-by: Rob Crittenden
+---
+ src/ipahealthcheck/core/core.py | 22 ++++++++++++++++------
+ 1 file changed, 16 insertions(+), 6 deletions(-)
+
+diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
+index a6b4fe8..19f7818 100644
+--- a/src/ipahealthcheck/core/core.py
++++ b/src/ipahealthcheck/core/core.py
+@@ -281,13 +281,23 @@ class RunChecks:
+ if rval is not None:
+ return rval
+
++ # The pki checks are noisy if a CA is not configured so we
++ # want to suppress that for IPA.
++ #
++ # There are 3 possible states:
++ # 1. IPA is configured with a CA
++ # 2. IPA is configured without a CA
++ # 3. 
IPA is not configured ++ # + # If we have IPA configured without a CA then we want to skip +- # the pkihealthcheck plugins otherwise they will generated a +- # lot of false positives. The IPA plugins are loaded first so +- # which should set ca_configured in its registry to True or +- # False. We will skip the pkihealthcheck plugins only if +- # ca_configured is False which means that it was set by IPA. +- ca_configured = False ++ # the pkihealthcheck plugins ++ # ++ # The IPA registry will set ca_configured in its registry to True ++ # or False. We will skip the pkihealthcheck plugins only if ++ # ca_configured is False which means that it was set by IPA. So ++ # we initialize ca_configured to None so that the pki checks ++ # will always be executed with pki-healthcheck. ++ ca_configured = None + for name, registry in find_registries(self.entry_points).items(): + try: + registry.initialize(framework, config, options) +-- +2.31.1 + diff --git a/SPECS/ipa-healthcheck.spec b/SPECS/ipa-healthcheck.spec index b80ecac..baa4912 100644 --- a/SPECS/ipa-healthcheck.spec +++ b/SPECS/ipa-healthcheck.spec @@ -8,7 +8,7 @@ Name: ipa-healthcheck Version: 0.7 -Release: 8%{?dist} +Release: 10%{?dist} Summary: Health check tool for IdM BuildArch: noarch License: GPLv3 @@ -33,6 +33,7 @@ Patch0015: 0015-Work-with-existing-resolve_rrsets-and-newer-resolve_.patch Patch0016: 0016-tests-Generate-a-proper-not-valid-after-field.patch Patch0017: 0017-Fix-the-number-of-expected-results-in-the-fix-file-t.patch Patch0018: 0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch +Patch0019: 0019-Don-t-depend-on-IPA-status-when-suppressing-pki-chec.patch Requires: %{name}-core = %{version}-%{release} Requires: ipa-server 
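Review bot: Nothing in the 0019 patch pins the three states that its new comment enumerates; its diffstat lists only `src/ipahealthcheck/core/core.py`, and the commit message says the `None` initialisation was already lost once. A test that runs the registry loop with a registry lacking `ca_configured`, then with one that sets it to `True` and one that sets it to `False`, and asserts that the pkihealthcheck sources are dropped only in the `False` case, would keep the PKI checks from being suppressed by mistake again. The comment could also state why the comparison has to stay an identity check, e.g. `# Compare with "is False": None means IPA never reported a CA state.` The enclosing method starts and ends outside the hunk.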
@@ -136,6 +137,13 @@ install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man5/%{long %changelog +* Thu Feb 17 2022 Rob Crittenden - 0.7-10 +- Don't depend on IPA status when suppressing pki checks (#2055316) + +* Mon Jan 17 2022 Rob Crittenden - 0.7-9 +- Don't assume the entry_point order when determining if there is a + CA installed (#2041995) + * Thu Jan 06 2022 Rob Crittenden - 0.7-8 - Suppress the CRLManager check false positive when a CA is not configured (#1983060)