From 5f4281601966e9edeabdcec0e9f934c79d4ad8ed Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Fri, 10 Jan 2020 10:29:02 -0500
Subject: [PATCH] Issue 50806 - Fix minor issues in lib389 health checks
Description: For permissions checks, add a list of permissions
that is acceptable instead of single value.
For RI plugin attribute indexing checks, we now check
if a container scope is specified. If it is set, we
skip all the other backends that are not in the scope.
This prevents false positives.
relates: https://pagure.io/389-ds-base/issue/50806
Reviewed by: mhonek(Thanks!)
---
src/lib389/lib389/dseldif.py | 40 +++++++++++++++++++++++++-----------
src/lib389/lib389/plugins.py | 13 ++++++++++--
2 files changed, 39 insertions(+), 14 deletions(-)
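--- a/src/lib389/lib389/dseldif.py
+++ b/src/lib389/lib389/dseldif.py
@@ -168,13 +168,27 @@ class FSChecks(object):
 self.dirsrv = dirsrv
 self._certdb = self.dirsrv.get_cert_dir()
 self.ds_files = [
- ('/etc/resolv.conf', '644', DSPERMLE0001),
- (self._certdb + "/pin.txt", '600', DSPERMLE0002),
- (self._certdb + "/pwdfile.txt", '600', DSPERMLE0002),
+ {
+ 'name': '/etc/resolv.conf',
+ 'perms': [644],
+ 'report': DSPERMLE0001
+ },
+ {
+ 'name': self._certdb + "/pin.txt",
+ 'perms': [400, 600],
+ 'report': DSPERMLE0002
+ },
+ {
+ 'name': self._certdb + "/pwdfile.txt",
+ 'perms': [400, 600],
+ 'report': DSPERMLE0002
+ },
 ]
 self._lint_functions = [self._lint_file_perms]
 
 def lint(self):
+ """Run a lint/healthcheck for this class
+ """
 results = []
 for fn in self._lint_functions:
 for result in fn():
@@ -183,14 +197,16 @@ class FSChecks(object):
 return results
 
 def _lint_file_perms(self):
- # Check file permissions are correct
+ """Test file permissions are safe
+ """
 for ds_file in self.ds_files:
- perms = str(oct(os.stat(ds_file[0])[ST_MODE])[-3:])
- if perms != ds_file[1]:
- report = copy.deepcopy(ds_file[2])
- report['items'].append(ds_file[0])
- report['detail'] = report['detail'].replace('FILE', ds_file[0])
- report['detail'] = report['detail'].replace('PERMS', ds_file[1])
- report['fix'] = report['fix'].replace('FILE', ds_file[0])
- report['fix'] = report['fix'].replace('PERMS', ds_file[1])
+ perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])
+ if perms not in ds_file['perms']:
+ perms = str(ds_file['perms'][0])
+ report = copy.deepcopy(ds_file['report'])
+ report['items'].append(ds_file['name'])
+ report['detail'] = report['detail'].replace('FILE', ds_file['name'])
+ report['detail'] = report['detail'].replace('PERMS', perms)
+ report['fix'] = report['fix'].replace('FILE', ds_file['name'])
+ report['fix'] = report['fix'].replace('PERMS', perms)
 yield report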
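Review bot: The mode check in `_lint_file_perms` keeps only the last three octal digits and compares them as decimal integers, so setuid/setgid/sticky bits are never seen and the allow-list entries `400` and `600` are decimal numbers that only look like modes. Comparing the real mode bits is less fragile: `mode = stat.S_IMODE(os.stat(ds_file['name']).st_mode)` checked against `'perms': [0o400, 0o600]`, with `format(ds_file['perms'][0], 'o')` for the PERMS text (this assumes the `stat` module can be imported here; only `ST_MODE` is visible in the hunk). `os.stat()` is also still unguarded, so a missing pin.txt or pwdfile.txt would presumably raise out of the generator and abort the health check instead of being skipped or reported.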
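--- a/src/lib389/lib389/plugins.py
+++ b/src/lib389/lib389/plugins.py
@@ -455,10 +455,19 @@ class ReferentialIntegrityPlugin(Plugin):
 if self.status():
 from lib389.backend import Backends
 backends = Backends(self._instance).list()
+ attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+ container = self.get_attr_val_utf8_l("nsslapd-plugincontainerscope")
 for backend in backends:
- indexes = backend.get_indexes()
 suffix = backend.get_attr_val_utf8_l('nsslapd-suffix')
- attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+ if suffix == "cn=changelog":
+ # Always skip retro changelog
+ continue
+ if container is not None:
+ # Check if this backend is in the scope
+ if not container.endswith(suffix):
+ # skip this backend that is not in the scope
+ continue
+ indexes = backend.get_indexes()
 for attr in attrs:
 report = copy.deepcopy(DSRILE0002)
 try: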
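Review bot: The scope test `container.endswith(suffix)` is a plain string comparison, so it can match across an RDN boundary and only recognises a container that sits inside the backend's suffix. A backend whose suffix lies below the configured container scope appears to be skipped as well, which would hide a missing index rather than prevent a false positive; the two values are presumably lower-cased by the `_l` getters but not otherwise normalised (for example spaces after commas). Consider `if container != suffix and not container.endswith(',' + suffix) and not suffix.endswith(',' + container): continue`, or a DN-aware comparison if lib389 provides one. The enclosing method starts and ends outside the hunk.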
--
2.21.1