diff --git a/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch b/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch
index 22963bb..b9b639f 100644
--- a/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch
+++ b/SOURCES/0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch
@@ -38,7 +38,7 @@ index eaa2d9c..d6b2357 100644
 + # which should set ca_configured in its registry to True or
 + # False. We will skip the pkihealthcheck plugins only if
 + # ca_configured is False which means that it was set by IPA.
-+ ca_configured = None
++ ca_configured = False
 for name, registry in find_registries(self.entry_points).items():
 try:
 registry.initialize(framework, config, options)
diff --git a/SOURCES/0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch b/SOURCES/0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch
new file mode 100644
index 0000000..8947d73
--- /dev/null
+++ b/SOURCES/0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch
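Review bot: The comment kept as context above `ca_configured = False` still says the pkihealthcheck plugins are skipped "only if ca_configured is False which means that it was set by IPA", but with False as the starting value an unset flag and one that IPA set to False can no longer be told apart. If the code after this loop (outside the hunk) skips the pki sources on that value, they would now also be skipped when the IPA registry fails to initialize or never sets the attribute, and CA and certificate findings would be missing from the report without any indication. The backported comment should state the new default, for example `# Default to False: pki sources run only when a registry reports ca_configured = True.`, and the skip path would be easier to audit if it logged that the sources were filtered out.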
@@ -0,0 +1,54 @@
+From a63d5ac05157e689e99494661240d43d131c0e91 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Tue, 11 May 2021 13:19:41 -0400
+Subject: [PATCH] Don't collect the CRLManager role if the CA is not configured
+
+This was raising a false positive in the IPA CA-less case.
+
+https://github.com/freeipa/freeipa-healthcheck/issues/201
+
+Signed-off-by: Rob Crittenden
+---
+ src/ipahealthcheck/ipa/roles.py | 2 ++
+ tests/test_ipa_roles.py | 12 ++++++++++++
+ 2 files changed, 14 insertions(+)
+
+diff --git a/src/ipahealthcheck/ipa/roles.py b/src/ipahealthcheck/ipa/roles.py
+index 0ff2269..aac7b80 100644
+--- a/src/ipahealthcheck/ipa/roles.py
++++ b/src/ipahealthcheck/ipa/roles.py
+@@ -25,6 +25,8 @@ class IPACRLManagerCheck(IPAPlugin):
+ """
+ @duration
+ def check(self):
++ if not self.ca.is_configured():
++ return
+ try:
+ enabled = self.ca.is_crlgen_enabled()
+ except AttributeError:
+diff --git a/tests/test_ipa_roles.py b/tests/test_ipa_roles.py
+index 21c0069..7c4a2d1 100644
+--- a/tests/test_ipa_roles.py
++++ b/tests/test_ipa_roles.py
+@@ -48,6 +48,18 @@ class TestCRLManagerRole(BaseTest):
+ assert result.check == 'IPACRLManagerCheck'
+ assert result.kw.get('crlgen_enabled') is True
+
++ @patch('ipaserver.install.cainstance.CAInstance')
++ def test_crlmanager_no_ca(self, mock_ca):
++ """There should be no CRLManagerCheck without a CA"""
++ mock_ca.return_value = CAInstance(False)
++ framework = object()
++ registry.initialize(framework, config.Config)
++ f = IPACRLManagerCheck(registry)
++
++ self.results = capture_results(f)
++
++ assert len(self.results) == 0
++
+
+ class TestRenewalMaster(BaseTest):
+ def test_renewal_master_not_set(self):
+--
+2.31.1
+
diff --git a/SPECS/ipa-healthcheck.spec b/SPECS/ipa-healthcheck.spec
index b203abd..b80ecac 100644
--- a/SPECS/ipa-healthcheck.spec
+++ b/SPECS/ipa-healthcheck.spec
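Review bot: The new guard at the top of `check()` in roles.py returns without yielding a result or writing a log line, so a report from a CA-less server cannot be told apart from one where IPACRLManagerCheck never ran. A skip is easier to audit when it leaves a trace; consider `logger.debug('CA is not configured, skipping CRLManager check')` before the `return`, assuming the module has a logger (its imports are outside the hunk). A short comment such as `# CA-less deployment: there is no CRL generation role to report` would also record why producing no result is correct here. The body of `check()` continues past the end of the hunk.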
@@ -8,7 +8,7 @@ Name: ipa-healthcheck Version: 0.7 -Release: 7%{?dist} +Release: 8%{?dist} Summary: Health check tool for IdM BuildArch: noarch License: GPLv3 @@ -32,7 +32,7 @@ Patch0014: 0014-Filter-out-the-pki-healthcheck-sources-if-IPA-CA-is-.patch Patch0015: 0015-Work-with-existing-resolve_rrsets-and-newer-resolve_.patch Patch0016: 0016-tests-Generate-a-proper-not-valid-after-field.patch Patch0017: 0017-Fix-the-number-of-expected-results-in-the-fix-file-t.patch - +Patch0018: 0018-Don-t-collect-the-CRLManager-role-if-the-CA-is-not-c.patch Requires: %{name}-core = %{version}-%{release} Requires: ipa-server @@ -136,6 +136,11 @@ install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man5/%{long %changelog +* Thu Jan 06 2022 Rob Crittenden - 0.7-8 +- Suppress the CRLManager check false positive when a CA is not + configured (#1983060) +- Fix the backport of the pki.server.healthcheck suppression (#1983060) + * Thu Oct 07 2021 Rob Crittenden - 0.7-7 - ipa-healthcheck command takes some extra time to complete when dirsrv instance is stopped (#1776687)