andykimpe / rpms / 389-ds-base

Forked from rpms/389-ds-base 5 months ago
Clone
Blob Blame History Raw
From 5f4281601966e9edeabdcec0e9f934c79d4ad8ed Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 10 Jan 2020 10:29:02 -0500
Subject: [PATCH] Issue 50806 - Fix minor issues in lib389 health checks

Description:  For permissions checks, add a list of permissions
              that is acceptable instead of single value.

              For RI plugin attribute indexing checks, we now check
              if a container scope is specified.  If it is set, we
              skip all the other backends that are not in the scope.
              This prevents false positives.

relates: https://pagure.io/389-ds-base/issue/50806

Reviewed by: mhonek(Thanks!)
---
 src/lib389/lib389/dseldif.py | 40 +++++++++++++++++++++++++-----------
 src/lib389/lib389/plugins.py | 13 ++++++++++--
 2 files changed, 39 insertions(+), 14 deletions(-)

diff --git a/src/lib389/lib389/dseldif.py b/src/lib389/lib389/dseldif.py
index 4155abcdd..fbb50623b 100644
--- a/src/lib389/lib389/dseldif.py
+++ b/src/lib389/lib389/dseldif.py
@@ -168,13 +168,27 @@ class FSChecks(object):
         self.dirsrv = dirsrv
         self._certdb = self.dirsrv.get_cert_dir()
         self.ds_files = [
-            ('/etc/resolv.conf', '644', DSPERMLE0001),
-            (self._certdb + "/pin.txt", '600', DSPERMLE0002),
-            (self._certdb + "/pwdfile.txt", '600', DSPERMLE0002),
+            {
+                'name': '/etc/resolv.conf',
+                'perms': [644],
+                'report': DSPERMLE0001
+            },
+            {
+                'name': self._certdb + "/pin.txt",
+                'perms': [400, 600],
+                'report': DSPERMLE0002
+            },
+            {
+                'name': self._certdb + "/pwdfile.txt",
+                'perms': [400, 600],
+                'report': DSPERMLE0002
+            },
         ]
         self._lint_functions = [self._lint_file_perms]
 
     def lint(self):
+        """Run a lint/healthcheck for this class
+        """
         results = []
         for fn in self._lint_functions:
             for result in fn():
@@ -183,14 +197,16 @@ class FSChecks(object):
         return results
 
     def _lint_file_perms(self):
-        # Check file permissions are correct
+        """Test file permissions are safe
+        """
         for ds_file in self.ds_files:
-            perms = str(oct(os.stat(ds_file[0])[ST_MODE])[-3:])
-            if perms != ds_file[1]:
-                report = copy.deepcopy(ds_file[2])
-                report['items'].append(ds_file[0])
-                report['detail'] = report['detail'].replace('FILE', ds_file[0])
-                report['detail'] = report['detail'].replace('PERMS', ds_file[1])
-                report['fix'] = report['fix'].replace('FILE', ds_file[0])
-                report['fix'] = report['fix'].replace('PERMS', ds_file[1])
+            perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])
+            if perms not in ds_file['perms']:
+                perms = str(ds_file['perms'][0])
+                report = copy.deepcopy(ds_file['report'])
+                report['items'].append(ds_file['name'])
+                report['detail'] = report['detail'].replace('FILE', ds_file['name'])
+                report['detail'] = report['detail'].replace('PERMS', perms)
+                report['fix'] = report['fix'].replace('FILE', ds_file['name'])
+                report['fix'] = report['fix'].replace('PERMS', perms)
                 yield report
diff --git a/src/lib389/lib389/plugins.py b/src/lib389/lib389/plugins.py
index 97c5d1d3b..0775e464f 100644
--- a/src/lib389/lib389/plugins.py
+++ b/src/lib389/lib389/plugins.py
@@ -455,10 +455,19 @@ class ReferentialIntegrityPlugin(Plugin):
         if self.status():
             from lib389.backend import Backends
             backends = Backends(self._instance).list()
+            attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+            container = self.get_attr_val_utf8_l("nsslapd-plugincontainerscope")
             for backend in backends:
-                indexes = backend.get_indexes()
                 suffix = backend.get_attr_val_utf8_l('nsslapd-suffix')
-                attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+                if suffix == "cn=changelog":
+                    # Always skip retro changelog
+                    continue
+                if container is not None:
+                    # Check if this backend is in the scope
+                    if not container.endswith(suffix):
+                        # skip this backend that is not in the scope
+                        continue
+                indexes = backend.get_indexes()
                 for attr in attrs:
                     report = copy.deepcopy(DSRILE0002)
                     try:
-- 
2.21.1