[Pkg-freeipa-devel] [Git][freeipa-team/freeipa-healthcheck][upstream] 23 commits: Handle files that don't exist in FileCheck

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Tue Mar 29 09:02:57 BST 2022



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa-healthcheck


Commits:
7db48931 by Rob Crittenden at 2021-06-14T11:45:06-04:00
Handle files that don't exist in FileCheck

A raw os.stat() was called which could raise an exception if the file
doesn't exist. Instead call os.path.exists() and if the result is False
then raise a SUCCESS with a message that the file doesn't exist.

https://github.com/freeipa/freeipa-healthcheck/issues/213

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
2dc43359 by Stanislav Levin at 2021-06-18T11:05:17-04:00
pylint: Fix new recommendations

- use-a-generator (R1729)
> Use a generator instead '%s(%s)' Comprehension inside of 'any' or
'all' is unnecessary. A generator would be sufficient and faster.

- http://pylint.pycqa.org/en/latest/technical_reference/c_extensions.html

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/215
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
de203248 by Rob Crittenden at 2021-09-17T16:33:13+02:00
Allow for HIDDEN_SERVICE when checking ADTRUST service

If the host is a trust controller then the ADTRUST service
must be enabled. This is defined as both ENABLED_SERVICE and
HIDDEN_SERVICE.

https://github.com/freeipa/freeipa-healthcheck/issues/217

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
34205464 by Rob Crittenden at 2021-09-17T17:29:42+02:00
Collect and report ACME enablement status

https://github.com/freeipa/freeipa-healthcheck/issues/157

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
6675fdb8 by Rob Crittenden at 2021-09-17T17:31:29+02:00
Use the new IPA import for is_ipa_configured()

The ipaserver.install.installutils version is deprecated

https://github.com/freeipa/freeipa-healthcheck/issues/221

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
8c2bfa6e by Rob Crittenden at 2021-09-17T17:31:29+02:00
Use compatibility shim for dns.resolver.resolve()

Loosely based on ipa commit 49e643783d22ded7a44d84599020af4e8a3d4d5a

https://github.com/freeipa/freeipa-healthcheck/issues/221

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
43d55b2d by Rob Crittenden at 2021-09-17T17:31:29+02:00
Add support for the DNS URI type

URI records are not required but if they exist they are
validated.

https://github.com/freeipa/freeipa-healthcheck/issues/222

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
0bdd0f86 by Rob Crittenden at 2021-09-17T17:31:29+02:00
Re-sync the pylint configuration with freeIPA and resolve issues

This is mostly from the freeipa commit
eefbe8558b25ca9e9da10b391ec41e2987b8bd2d

Also fix a few legitimate issues the newer pylint uncovered.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
23abcf55 by MIZUTA Takeshi at 2021-11-02T10:50:41-04:00
Fix typo in README.md

- - - - -
02eb4b29 by Stanislav Levin at 2021-12-01T15:06:54-05:00
core: Relax dependency on IPA stuff

The core plugin system ideally should not depend on IPA, but the
freeipa-healthcheck plugin itself. For example, being reusable the
core may be called outside of console script (ipa-healthcheck) by
any lib/application (if ipaserver is not installed):

```console
[root@281a5762c1bd /]# python3 -c 'import ipahealthcheck.core.main as main; main.main()'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib/python3.10/site-packages/ipahealthcheck/core/main.py", line 12, in <module>
    from ipaserver.install.installutils import is_ipa_configured
ModuleNotFoundError: No module named 'ipaserver'
```

The actual problem is that every plugin of the healthcheck system gains the extra
IPA stack as an indirect dependency even if IPA is not used by a plugin.
For example, in ALTLinux dogtag-pki-server requires freeipa-healthcheck-core
which in turn, wants ipaserver, but actually dogtag-pki-server works
just fine without the latter. Moreover, this can lead to build loops
known as bootstrap issues like `dogtag -> healthcheck -> ipa -> dogtag`.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/237
Signed-off-by: Stanislav Levin <slev at altlinux.org>

- - - - -
ea5d29c3 by Gordon Bleux at 2022-01-10T12:34:36-05:00
add support for prometheus text metric exposition format output.

This new output plugin generates metrics from the check results in
the prometheus text exposition format. It is intended to be used in
combination with the prometheus node_exporter [textfile collector][].
The output plugin generates similar metrics as the [ipahealthcheck_exporter][].

[ipahealthcheck_exporter]: https://github.com/camptocamp/ipahealthcheck_exporter
[textfile collector]: https://github.com/camptocamp/ipahealthcheck_exporter

Signed-off-by: Gordon Bleux <UiP9AV6Y+git at protonmail.com>

- - - - -
839000ba by Rob Crittenden at 2022-02-01T13:30:04-05:00
Unify command-line options and configuration

This makes it possible to add command-line options to the
configuration file.

The config file is loaded then the command-line options are
merged in. The first option set takes precedence. So if
an option, say output_type, is in the configuration file then
passing output-type on the command-line will not override it.
The workaround is to pass --config= to ipa-healthcheck in order
to not load the configuration file.

This will allow for greater flexibility when running this automatically
without having to manually change test timer scripting directly.

https://bugzilla.redhat.com/show_bug.cgi?id=1872467

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
63016f5c by Rob Crittenden at 2022-02-01T14:17:50-05:00
Compare proxy shared secret configuration

Compare the ProxyPassMatch secret(s) with those in server.xml

For now we are skipping checking to see if both secret and
requiredSecret are configured since it doesn't seem to cause
tomcat any issues. As long as the secrets match up with
ipa-pki-proxy.conf then things work fine.

https://github.com/freeipa/freeipa-healthcheck/issues/231

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
b3a917c5 by Rob Crittenden at 2022-02-01T14:18:07-05:00
Check expected group memberships

The initial purpose of this is for privilege separation
where if the group membership is not correct the ccaches
may not be readable. It's possible this will expand to other
purposes.

https://github.com/freeipa/freeipa-healthcheck/issues/233

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
0274da1c by Rob Crittenden at 2022-02-01T15:27:39-05:00
Add a timeout wrapper around each check execution

A timeout will raise a new exception, TimeoutError. This
can be caught and handled inside an individual check, otherwise
it will be handled by run_plugin.

https://github.com/freeipa/freeipa-healthcheck/issues/236

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
b6ade2ed by Rob Crittenden at 2022-02-01T15:27:55-05:00
Loop through the registry twice in order to collect ca_configured

Skipping the pki plugins was dependent upon the order the registry
was being processed. The assumption was that the ipa plugin would
be done first so ca_configured would be defined. If this isn't the
case then the pki plugins are incorrectly skipped. So run through
the list twice (it's short).

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://github.com/freeipa/freeipa-healthcheck/issues/201

- - - - -
94b4082e by Rob Crittenden at 2022-02-01T15:27:55-05:00
Collect ca_configured status prior to checking for trust packages

python3-libsss_nss_idmap isn't required but if it is not present
then the assumption is that trust is not available. This code
was executing prior to collecting the ca_configured status so
if the package was not installed then ca_configured could never
be True.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://github.com/freeipa/freeipa-healthcheck/issues/201

- - - - -
dfc8caed by Rob Crittenden at 2022-02-04T11:10:13-05:00
Add a way to exclude sources, checks and/or keys from results

We allow excluding on three different levels:

 * source
 * check
 * key

Excluding a source could be used to disable a misbehaving set of
checks, particularly one not provided by upstream. A check would
be similar.

Not all results have a key but most do. If we run into corner
cases we can address them as they come up.

The example I had in mind is an untracked certificate that is
otherwise legitimate. This could be marked as excluded by key
so ipa-healthcheck will no longer return failures.

Filtering happens twice. Any sources or checks excluded will simply
not be executed. Keys are excluded after execution.

This adds a new section, [exclusions], which will contain three types
of exclusions and can be repeated:

source
config
key

https://github.com/freeipa/freeipa-healthcheck/issues/176

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
f0a43d4b by Rob Crittenden at 2022-02-04T11:10:13-05:00
Add keys to some Results that were missing

Being able to suppress a specific key rather than a whole
source or check is better.

I'm not ready yet to assert that there is a key in each
Result since that would be a rather impactful change but
for the purposes of this change I added an assert and ran
it through the unit tests.

https://github.com/freeipa/freeipa-healthcheck/issues/176

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
4079d628 by Rob Crittenden at 2022-02-04T11:10:13-05:00
Test suppressing results

Create a new source and register two plugins to it.

Use an Output plugin to collect the results in a global
variable so the results can be evaluated after the run is
complete.

Use a temporary configuration file to set the test
configuration.

Test suppressing:

- nothing
- the source
- one check
- one key

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

https://github.com/freeipa/freeipa-healthcheck/issues/176

- - - - -
896824f4 by Rob Crittenden at 2022-02-04T11:10:13-05:00
Update timeout test to use new API in run_plugins

A config option was added which needs to be passed in during
the test call.

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
d9619c93 by Rob Crittenden at 2022-02-04T11:10:40-05:00
Include an exception on outer-level failures when running plugins

The traceback will be both in the debug output and within the
Result value for the call so we have half a chance to fix what
is broken.

https://github.com/freeipa/freeipa-healthcheck/issues/224

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -
d6035fe2 by Rob Crittenden at 2022-02-08T13:39:59-05:00
Become 0.10

Signed-off-by: Rob Crittenden <rcritten at redhat.com>

- - - - -


30 changed files:

- README.md
- man/man5/ipahealthcheck.conf.5
- man/man8/ipa-healthcheck.8
- pylint_plugins.py
- pylintrc
- setup.py
- src/ipaclustercheck/core/output.py
- src/ipaclustercheck/ipa/plugin.py
- src/ipaclustercheck/ipa/ruv.py
- src/ipahealthcheck/core/config.py
- src/ipahealthcheck/core/constants.py
- src/ipahealthcheck/core/core.py
- + src/ipahealthcheck/core/exceptions.py
- src/ipahealthcheck/core/files.py
- src/ipahealthcheck/core/main.py
- src/ipahealthcheck/core/output.py
- src/ipahealthcheck/dogtag/ca.py
- src/ipahealthcheck/ipa/certs.py
- src/ipahealthcheck/ipa/dna.py
- src/ipahealthcheck/ipa/idns.py
- + src/ipahealthcheck/ipa/nss.py
- src/ipahealthcheck/ipa/plugin.py
- + src/ipahealthcheck/ipa/proxy.py
- src/ipahealthcheck/ipa/trust.py
- src/ipahealthcheck/meta/core.py
- src/ipahealthcheck/system/filesystemspace.py
- tests/test_commands.py
- tests/test_core_files.py
- tests/test_init.py
- tests/test_ipa_dns.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa-healthcheck/-/compare/55cb92b07fb5d74b8fa24ef086b3b00f97949c91...d6035fe2c490c801a1b0c2774f93df7f0dbfd136
