
Blame SOURCES/0010-Issue-50806-Fix-minor-issues-in-lib389-health-checks.patch

From 5f4281601966e9edeabdcec0e9f934c79d4ad8ed Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 10 Jan 2020 10:29:02 -0500
Subject: [PATCH] Issue 50806 - Fix minor issues in lib389 health checks
Description:  For permissions checks, add a list of permissions
              that is acceptable instead of single value.
              For RI plugin attribute indexing checks, we now check
              if a container scope is specified.  If it is set, we
              skip all the other backends that are not in the scope.
              This prevents false positives.
relates: https://pagure.io/389-ds-base/issue/50806
Reviewed by: mhonek(Thanks!)
---
 src/lib389/lib389/dseldif.py | 40 +++++++++++++++++++++++++-----------
 src/lib389/lib389/plugins.py | 13 ++++++++++--
 2 files changed, 39 insertions(+), 14 deletions(-)
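--- a/src/lib389/lib389/dseldif.py
+++ b/src/lib389/lib389/dseldif.py
@@ -168,13 +168,27 @@ class FSChecks(object):
         self.dirsrv = dirsrv
         self._certdb = self.dirsrv.get_cert_dir()
         self.ds_files = [
-            ('/etc/resolv.conf', '644', DSPERMLE0001),
-            (self._certdb + "/pin.txt", '600', DSPERMLE0002),
-            (self._certdb + "/pwdfile.txt", '600', DSPERMLE0002),
+            {
+                'name': '/etc/resolv.conf',
+                'perms': [644],
+                'report': DSPERMLE0001
+            },
+            {
+                'name': self._certdb + "/pin.txt",
+                'perms': [400, 600],
+                'report': DSPERMLE0002
+            },
+            {
+                'name': self._certdb + "/pwdfile.txt",
+                'perms': [400, 600],
+                'report': DSPERMLE0002
+            },
         ]
         self._lint_functions = [self._lint_file_perms]
 
     def lint(self):
+        """Run a lint/healthcheck for this class
+        """
         results = []
         for fn in self._lint_functions:
             for result in fn():
@@ -183,14 +197,16 @@ class FSChecks(object):
         return results
 
     def _lint_file_perms(self):
-        # Check file permissions are correct
+        """Test file permissions are safe
+        """
         for ds_file in self.ds_files:
-            perms = str(oct(os.stat(ds_file[0])[ST_MODE])[-3:])
-            if perms != ds_file[1]:
-                report = copy.deepcopy(ds_file[2])
-                report['items'].append(ds_file[0])
-                report['detail'] = report['detail'].replace('FILE', ds_file[0])
-                report['detail'] = report['detail'].replace('PERMS', ds_file[1])
-                report['fix'] = report['fix'].replace('FILE', ds_file[0])
-                report['fix'] = report['fix'].replace('PERMS', ds_file[1])
+            perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])
+            if perms not in ds_file['perms']:
+                perms = str(ds_file['perms'][0])
+                report = copy.deepcopy(ds_file['report'])
+                report['items'].append(ds_file['name'])
+                report['detail'] = report['detail'].replace('FILE', ds_file['name'])
+                report['detail'] = report['detail'].replace('PERMS', perms)
+                report['fix'] = report['fix'].replace('FILE', ds_file['name'])
+                report['fix'] = report['fix'].replace('PERMS', perms)
                 yield report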
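Review bot: `os.stat(ds_file['name'])` in `_lint_file_perms` has no handling for a missing file, so an instance whose cert directory lacks `pin.txt` or `pwdfile.txt` would raise out of the generator and, as far as these hunks show, out of `lint()` rather than producing a result. Wrapping the stat in `try:` / `except FileNotFoundError: continue` would skip absent files. Separately, the mode is taken from the last three characters of `oct()` and compared as a decimal int against `[400, 600]`, which drops the setuid/setgid/sticky bits, so a file with mode 4600 is accepted as 600. Using `stat.S_IMODE(os.stat(...).st_mode)` against `0o400`/`0o600`, with `format(mode, 'o')` for the `PERMS` text, would compare the full permission bits.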
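--- a/src/lib389/lib389/plugins.py
+++ b/src/lib389/lib389/plugins.py
@@ -455,10 +455,19 @@ class ReferentialIntegrityPlugin(Plugin):
         if self.status():
             from lib389.backend import Backends
             backends = Backends(self._instance).list()
+            attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+            container = self.get_attr_val_utf8_l("nsslapd-plugincontainerscope")
             for backend in backends:
-                indexes = backend.get_indexes()
                 suffix = backend.get_attr_val_utf8_l('nsslapd-suffix')
-                attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+                if suffix == "cn=changelog":
+                    # Always skip retro changelog
+                    continue
+                if container is not None:
+                    # Check if this backend is in the scope
+                    if not container.endswith(suffix):
+                        # skip this backend that is not in the scope
+                        continue
+                indexes = backend.get_indexes()
                 for attr in attrs:
                     report = copy.deepcopy(DSRILE0002)
                     try: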
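Review bot: The scope test `container.endswith(suffix)` compares DNs as plain strings, so a container scope written with different spacing or escaping than the backend's `nsslapd-suffix` (constructed example: `ou=people, dc=example, dc=com` against `dc=example,dc=com`) does not match. The backend is then skipped with no index check at all, which hides a missing index instead of reporting it. The match also has no RDN boundary, so a suffix can match the tail of an unrelated component. Comparing parsed DN components (for instance with python-ldap's `ldap.dn.str2dn`) or normalising both values before the comparison would cover both cases. The enclosing method starts before this hunk and its `try:` body continues past it, so the reporting path itself is not visible here.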
-- 
2.21.1