#50887 Issue 50882 - Fix healthcheck errors for instances that do not have TLS enabled
Closed 2 years ago by spichugi. Opened 2 years ago by mreynolds.
mreynolds/389-ds-base issue50882  into  master

file modified
+1 -1
@@ -251,7 +251,7 @@ 

  

      def _lint_check_tls_version(self):

          tls_min = self.get_attr_val('sslVersionMin')

-         if tls_min < ensure_bytes('TLS1.1'):

+         if tls_min is not None and tls_min < ensure_bytes('TLS1.1'):

              report = copy.deepcopy(DSELE0001)

              report['fix'] = report['fix'].replace('YOUR_INSTANCE', self._instance.serverid)

              yield report
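
Review bot: the guard added on the changed line makes the check pass silently when sslVersionMin is unset, and the comparison it keeps, tls_min < ensure_bytes('TLS1.1'), orders the version strings byte by byte rather than by protocol version. Add a comment stating that None means the attribute is not set, so the skip reads as deliberate, and consider mapping the known version strings to an ordered rank before comparing so that a value outside the expected 'TLSx.y' form cannot sort on the wrong side of the threshold.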

file modified
+13 -10
@@ -361,13 +361,16 @@ 

          """Test file permissions are safe

          """

          for ds_file in self.ds_files:

-             perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])

-             if perms not in ds_file['perms']:

-                 perms = str(ds_file['perms'][0])

-                 report = copy.deepcopy(ds_file['report'])

-                 report['items'].append(ds_file['name'])

-                 report['detail'] = report['detail'].replace('FILE', ds_file['name'])

-                 report['detail'] = report['detail'].replace('PERMS', perms)

-                 report['fix'] = report['fix'].replace('FILE', ds_file['name'])

-                 report['fix'] = report['fix'].replace('PERMS', perms)

-                 yield report

+             try:

+                 perms = int(oct(os.stat(ds_file['name'])[ST_MODE])[-3:])

+                 if perms not in ds_file['perms']:

+                     perms = str(ds_file['perms'][0])

+                     report = copy.deepcopy(ds_file['report'])

+                     report['items'].append(ds_file['name'])

+                     report['detail'] = report['detail'].replace('FILE', ds_file['name'])

+                     report['detail'] = report['detail'].replace('PERMS', perms)

+                     report['fix'] = report['fix'].replace('FILE', ds_file['name'])

+                     report['fix'] = report['fix'].replace('PERMS', perms)

+                     yield report

+             except FileNotFoundError:

+                 pass
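
Review bot: the new try block wraps the whole report-building body although only the os.stat() call can raise for a missing file, and the except FileNotFoundError: pass applies to every entry in self.ds_files, not only the TLS-related files the fix description mentions. Narrow the try to the os.stat() line and continue on the exception, and either limit the skip to files that are allowed to be absent or log the skipped name, so that a missing file which should exist is not silently dropped from a permissions check.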

file modified
+1 -2
@@ -224,8 +224,7 @@ 

      'dsle': 'DSREPLLE0002',

      'severity': 'LOW',

      'items' : ['Replication', 'Conflict Entries'],

-     'detail': """There were COUNT conflict entries found under the replication suffix "SUFFIX".

- Status message: MSG""",

+     'detail': "There were COUNT conflict entries found under the replication suffix \"SUFFIX\".",

      'fix' : """While conflict entries are expected to occur in an MMR environment, they

  should be resolved.  In regards to conflict entries there is always the original/counterpart

  entry that has a normal DN, and then the conflict version of that entry.  Technically both
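
Review bot: dropping the "Status message: MSG" line from 'detail' is not covered by the fix description, which only talks about TLS. State in the commit message why the MSG placeholder is removed and confirm that no caller still substitutes MSG into this text. As a style point, the new line could use a single-quoted string so that "SUFFIX" does not need backslash escapes.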

@@ -395,6 +395,9 @@ 

          for line in lines:

              if line == '':

                  continue

+             if line == 'Database needs user init':

+                 # There are no certs, abort...

+                 return []

              cert_values.append(re.match(r'^(.+[^\s])[\s]+([^\s]+)$', line.rstrip()).groups())

          return cert_values
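
Review bot: the new sentinel test compares the raw line with == 'Database needs user init', while the regex two lines below runs on line.rstrip(), so a line carrying trailing whitespace skips the early return and falls through to re.match(...).groups(), which raises AttributeError when the match is None. Compare against line.strip() (or use startswith), and guard the match result before calling .groups() so that any other unexpected output line is skipped or reported instead of aborting the listing.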

  

Bug Description:

The config and FSChecks fail when TLS is not set up.

Fix Description:

Properly check for conditions when TLS is not enabled, and ignore errors if TLS related files are not present during the FS permissions check.

relates: https://pagure.io/389-ds-base/issue/50882

rebased onto ea0381f41660981ad34924b640ca7f6e79e6aeae

2 years ago

rebased onto 68a1c77ef0bcdcfe361760d6553673d2fcb499fd

2 years ago

rebased onto e4433b3d6628efc083a10f24d74ee0639e0b4bd6

2 years ago

In this case could we recommend they set up TLS? Otherwise ack from me.

I'm on the fence about this one. Should healthcheck complain that you are not using TLS? Doesn't seem to fit in the scope of what healthcheck is really supposed to do. It should not be a "surprise" or an "error" to an Admin that they don't have TLS enabled. Let me sleep on it...

We can address this in a different ticket if needed. Merging for now as I need to get a build done.

rebased onto 827c97d

2 years ago

Pull-Request has been merged by mreynolds

2 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This pull request has been cloned to Github as issue and is available here:
- https://github.com/389ds/389-ds-base/issues/3940

If you want to continue to work on the PR, please navigate to the github issue,
download the patch from the attachments and file a new pull request.

Thank you for understanding. We apologize for all inconvenience.

Pull-Request has been closed by spichugi

2 years ago