From 5f4281601966e9edeabdcec0e9f934c79d4ad8ed Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Fri, 10 Jan 2020 10:29:02 -0500
Subject: [PATCH] Issue 50806 - Fix minor issues in lib389 health checks

Description: For permissions checks, add a list of permissions that is acceptable instead of single value. For RI plugin attribute indexing checks, we now check if a container scope is specified. If it is set, we skip all the other backends that are not in the scope. This prevents false positives.
relates: https://pagure.io/389-ds-base/issue/50806
Reviewed by: mhonek(Thanks!)
---
 src/lib389/lib389/dseldif.py | 40 +++++++++++++++++++++++++-----------
 src/lib389/lib389/plugins.py | 13 ++++++++++--
 2 files changed, 39 insertions(+), 14 deletions(-)
diff --git a/src/lib389/lib389/dseldif.py b/src/lib389/lib389/dseldif.py
index 4155abcdd..fbb50623b 100644
--- a/src/lib389/lib389/dseldif.py
+++ b/src/lib389/lib389/dseldif.py
@@ -168,13 +168,27 @@ class FSChecks(object):
 self.dirsrv = dirsrv
 self._certdb = self.dirsrv.get_cert_dir()
 self.ds_files = [
- ('/etc/resolv.conf', '644', DSPERMLE0001),
- (self._certdb + "/pin.txt", '600', DSPERMLE0002),
- (self._certdb + "/pwdfile.txt", '600', DSPERMLE0002),
+ {
+ 'name': '/etc/resolv.conf',
+ 'perms': [644],
+ 'report': DSPERMLE0001
+ },
+ {
+ 'name': self._certdb + "/pin.txt",
+ 'perms': [400, 600],
+ 'report': DSPERMLE0002
+ },
+ {
+ 'name': self._certdb + "/pwdfile.txt",
+ 'perms': [400, 600],
+ 'report': DSPERMLE0002
+ },
 ]
 self._lint_functions = [self._lint_file_perms]

 def lint(self):
+ """Run a lint/healthcheck for this class
+ """
 results = []
 for fn in self._lint_functions:
 for result in fn():
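Review bot: The new `'perms'` lists in `ds_files` hold decimal integers whose digits stand for octal mode bits (`[644]`, `[400, 600]`), and nothing next to the list says so; a reader can easily take `644` for the mode value itself. The second hunk also reports `ds_file['perms'][0]` as the recommended mode, so the order of each list carries meaning. I would add a comment above the list such as `# 'perms': accepted modes written as octal digits (644 means rw-r--r--); the first entry is the one the report recommends`. `__init__` starts above this hunk and `lint()` continues below it.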
@@ -183,14 +197,16 @@ class FSChecks(object):
 return results

 def _lint_file_perms(self):
- # Check file permissions are correct
+ """Test file permissions are safe
+ """
 for ds_file in self.ds_files:
- perms = str(oct(os.stat(ds_file[0])[ST_MODE])[-3:])
- if perms != ds_file[1]:
- report = copy.deepcopy(ds_file[2])
- report['items'].append(ds_file[0])
- report['detail'] = report['detail'].replace('FILE', ds_file[0])
- report['detail'] = report['detail'].replace('PERMS', ds_file[1])
- report['fix'] = report['fix'].replace('FILE', ds_file[0])
- report['fix'] = report['fix'].replace('PERMS', ds_file[1])
+ perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])
+ if perms not in ds_file['perms']:
+ perms = str(ds_file['perms'][0])
+ report = copy.deepcopy(ds_file['report'])
+ report['items'].append(ds_file['name'])
+ report['detail'] = report['detail'].replace('FILE', ds_file['name'])
+ report['detail'] = report['detail'].replace('PERMS', perms)
+ report['fix'] = report['fix'].replace('FILE', ds_file['name'])
+ report['fix'] = report['fix'].replace('PERMS', perms)
 yield report
diff --git a/src/lib389/lib389/plugins.py b/src/lib389/lib389/plugins.py
index 97c5d1d3b..0775e464f 100644
--- a/src/lib389/lib389/plugins.py
+++ b/src/lib389/lib389/plugins.py
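Review bot: `os.stat(ds_file['name'])` in `_lint_file_perms` is still called with no error handling, so a path that does not exist or cannot be read raises out of the generator and ends the permissions check instead of producing a report. If `pin.txt` or `pwdfile.txt` can legitimately be absent (not visible from this hunk), guard the call, for example `try: st = os.stat(ds_file['name'])` followed by `except FileNotFoundError: continue`. Two smaller points: `[-3:]` keeps only the last three octal digits, so setuid, setgid and sticky bits are never examined, and `perms` is rebound from the mode found to the recommended mode, so the report never shows what was actually on disk. The end of `_lint_file_perms` may lie below the hunk.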
@@ -455,10 +455,19 @@ class ReferentialIntegrityPlugin(Plugin):
 if self.status():
 from lib389.backend import Backends
 backends = Backends(self._instance).list()
+ attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+ container = self.get_attr_val_utf8_l("nsslapd-plugincontainerscope")
 for backend in backends:
- indexes = backend.get_indexes()
 suffix = backend.get_attr_val_utf8_l('nsslapd-suffix')
- attrs = self.get_attr_vals_utf8_l("referint-membership-attr")
+ if suffix == "cn=changelog":
+ # Always skip retro changelog
+ continue
+ if container is not None:
+ # Check if this backend is in the scope
+ if not container.endswith(suffix):
+ # skip this backend that is not in the scope
+ continue
+ indexes = backend.get_indexes()
 for attr in attrs:
 report = copy.deepcopy(DSRILE0002)
 try:
-- 
2.21.1
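Review bot: The scope test `if not container.endswith(suffix):` compares the two DNs as raw strings, so a backend can be skipped or kept for the wrong reason. A difference in spacing after commas between `nsslapd-plugincontainerscope` and `nsslapd-suffix` makes the in-scope backend look out of scope, and its missing indexes then go unreported; the `_utf8_l` getters presumably lower-case the values but nothing here normalises the DN form. The match also has no RDN boundary, so a suffix that is only the tail of a longer attribute name or value would pass. I would normalise both DNs first and compare on a component boundary, e.g. `if container != suffix and not container.endswith(',' + suffix):`. The enclosing method starts above the hunk and its `try:` block continues below it.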