19 changed files with 1172 additions and 1173 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/0.16.tar.gz
+SOURCES/0.12.tar.gz
--- a/.ipa-healthcheck.metadata
+++ b/.ipa-healthcheck.metadata
@ -1 +1 @@
-b6edbda881bceb9e0266169e06eb35984b1a7a77 SOURCES/0.16.tar.gz
+dc05dc0ca441dcb1a87e3b3bd7d440d79c17ac0a SOURCES/0.12.tar.gz
--- a/SOURCES/0001-Remove-ipaclustercheck.patch
+++ b/SOURCES/0001-Remove-ipaclustercheck.patch
@ -1,6 +1,6 @@
-From 378e0a353e670a6b498d454558a9139a859890d4 Mon Sep 17 00:00:00 2001
+From 9d5f9d21442ee483044fc55a5c02039af23869d7 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 9 Nov 2023 10:49:05 -0500
+Date: Thu, 1 Dec 2022 14:22:46 -0500
 Subject: [PATCH] Remove ipaclustercheck

 ---
@ -26,13 +26,13 @@ Subject: [PATCH] Remove ipaclustercheck
 delete mode 100644 tests/test_cluster_ruv.py

 diff --git a/setup.py b/setup.py
-index d926302..cb6265a 100644
+index 0cfa486..b9e1ca1 100644
 --- a/setup.py
 +++ b/setup.py
@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 setup(
     name='ipahealthcheck',
-     version='0.16',
+     version='0.12',
 -    namespace_packages=['ipahealthcheck', 'ipaclustercheck'],
 +    namespace_packages=['ipahealthcheck'],
     package_dir={'': 'src'},
--- a/SOURCES/0002-Disable-two-failing-tests.patch
+++ b/SOURCES/0002-Disable-two-failing-tests.patch
@ -0,0 +1,64 @@
+From d2cd8292d8a1d7c2fd2a5f978f8ed76c0769e5e9 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 8 Feb 2022 14:16:06 -0500
+Subject: [PATCH] Disable two failing tests
+
+These test that healthcheck can properly detect when IPA
+is not installed or configured. Its not ideal to remove them
+from the check process but they aren't critical.
+---
+ tests/test_commands.py | 41 -----------------------------------------
+ 1 file changed, 41 deletions(-)
+
+diff --git a/tests/test_commands.py b/tests/test_commands.py
+index 988d7fc..e14114b 100644
+--- a/tests/test_commands.py
+++ b/tests/test_commands.py
+@@ -14,44 +14,3 @@ def test_version():
+     """
+     output = run(['ipa-healthcheck', '--version'], env=os.environ)
+     assert 'ipahealthcheck' in output.raw_output.decode('utf-8')
+-
+-
+-@pytest.fixture
+-def python_ipalib_dir(tmpdir):
+-    ipalib_dir = tmpdir.mkdir("ipalib")
+-    ipalib_dir.join("__init__.py").write("")
+-
+-    def _make_facts(configured=None):
+-        if configured is None:
+-            module_text = ""
+-        elif isinstance(configured, bool):
+-            module_text = f"def is_ipa_configured(): return {configured}"
+-        else:
+-            raise TypeError(
+-                f"'configured' must be None or bool, got '{configured!r}'"
+-            )
+-
+-        ipalib_dir.join("facts.py").write(module_text)
+-        return str(tmpdir)
+-
+-    return _make_facts
+-
+-
+-def test_ipa_notinstalled(python_ipalib_dir, monkeypatch):
+-    """
+-    Test ipa-healthcheck handles the missing IPA stuff
+-    """
+-    monkeypatch.setenv("PYTHONPATH", python_ipalib_dir(configured=None))
+-    output = run(["ipa-healthcheck"], raiseonerr=False, env=os.environ)
+-    assert output.returncode == 1
+-    assert "IPA server is not installed" in output.raw_output.decode("utf-8")
+-
+-
+-def test_ipa_unconfigured(python_ipalib_dir, monkeypatch):
+-    """
+-    Test ipa-healthcheck handles the unconfigured IPA server
+-    """
+-    monkeypatch.setenv("PYTHONPATH", python_ipalib_dir(configured=False))
+-    output = run(["ipa-healthcheck"], raiseonerr=False, env=os.environ)
+-    assert output.returncode == 1
+-    assert "IPA server is not configured" in output.raw_output.decode("utf-8")
+-- 
+2.31.1
+
--- a/SOURCES/0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch
+++ b/SOURCES/0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch
@ -1,44 +0,0 @@
-From 35ff77300758c12110132d6d638802d5b223bd6d Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 13 Nov 2023 14:09:16 -0500
-Subject: [PATCH] Don't fail if a service name cannot be looked up in LDAP
-
-A new method was introduced to handle more IPA services. This
-requires looking some of them up in LDAP. dirsrv not running
-was not being caught so raised an error instead.
-
-Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/312
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
- src/ipahealthcheck/meta/services.py | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/src/ipahealthcheck/meta/services.py b/src/ipahealthcheck/meta/services.py
-index 10fa83f..9838128 100644
--- a/src/ipahealthcheck/meta/services.py
-+++ b/src/ipahealthcheck/meta/services.py
-@@ -25,10 +25,18 @@ class IPAServiceCheck(ServiceCheck):
-     def get_service_name(self, role):
-         """Roles define broad services. Translate a role name into
-            an individual service name.
-+
-+           Returns a string on success, None if the service is not
-+           configured or cannot be determined.
-         """
-         conn = api.Backend.ldap2
-        if not api.Backend.ldap2.isconnected():
-            api.Backend.ldap2.connect()
-+        try:
-+            if not api.Backend.ldap2.isconnected():
-+                api.Backend.ldap2.connect()
-+        except errors.NetworkError:
-+            logger.debug("Service '%s' is not running", self.service_name)
-+            return None
-+
-         dn = DN(
-             ("cn", role), ("cn", api.env.host),
-             ("cn", "masters"), ("cn", "ipa"), ("cn", "etc"),
-- 
-2.41.0
-
--- a/SOURCES/0003-Fix-logging-issue-related-to-dtype.patch
+++ b/SOURCES/0003-Fix-logging-issue-related-to-dtype.patch
@ -0,0 +1,29 @@
+From 0f485a0921a39c08e7259f9b38f0b10e425384a5 Mon Sep 17 00:00:00 2001
+From: root <root@ipa.example.test>
+Date: Mon, 5 Dec 2022 16:17:17 -0500
+Subject: [PATCH] Fix logging issue related to dtype
+
+It is an integer in earlier versions of python3-dns and a class
+in later versions. Log the integer value.
+
+Related: #2099484
+---
+ src/ipahealthcheck/ipa/idns.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipa/idns.py b/ipa/idns.py
+index e294db2..1adb69d 100644
+--- a/src/ipahealthcheck/ipa/idns.py
+++ b/src/ipahealthcheck/ipa/idns.py
+@@ -176,7 +176,7 @@ class IPADNSSystemRecordsCheck(IPAPlugin):
+         qname = "ipa-ca." + api.env.domain + "."
+         ipa_ca_records = []
+         for dtype in (rdatatype.A, rdatatype.AAAA):
+-            logger.debug("Search DNS for %s records of %s", dtype.name, qname)
+            logger.debug("Search DNS for %s records of %s", dtype, qname)
+             try:
+                 answers = resolve(qname, dtype)
+             except DNSException as e:
+-- 
+2.31.1
+
--- a/SOURCES/0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch
+++ b/SOURCES/0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch
@ -1,44 +0,0 @@
-From d1cb1997737c938bbc61d547aae277e308e78fce Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 14 Nov 2023 20:32:54 -0500
-Subject: [PATCH] Temporarily disable the ipa-ods-exporter service status check
-
-There is a bug in this service such that it will almost always
-report as down. Rather than spamming users with this error give
-time for it to be fixed in IPA upstream.
-
-See https://pagure.io/freeipa/issue/9463
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
- src/ipahealthcheck/meta/services.py | 14 --------------
- 1 file changed, 14 deletions(-)
-
-diff --git a/src/ipahealthcheck/meta/services.py b/src/ipahealthcheck/meta/services.py
-index 9838128..b8973cb 100644
--- a/src/ipahealthcheck/meta/services.py
-+++ b/src/ipahealthcheck/meta/services.py
-@@ -202,20 +202,6 @@ class ods_enforcerd(IPAServiceCheck):
-         return super().check()
- 
- 
-@registry
-class ipa_ods_exporter(IPAServiceCheck):
-    requires = ('dirsrv',)
-
-    def check(self, instance=''):
-        self.service_name = self.get_service_name('DNSKeyExporter')
-
-        if self.service_name is None:
-            # No service name means it is not configured
-            return ()
-
-        return super().check()
-
-
- @registry
- class ipa_dnskeysyncd(IPAServiceCheck):
-     requires = ('dirsrv',)
-- 
-2.40.1
-
--- a/SOURCES/0004-Skip-AD-domains-with-posix-ranges-in-the-catalog-che.patch
+++ b/SOURCES/0004-Skip-AD-domains-with-posix-ranges-in-the-catalog-che.patch
@ -0,0 +1,340 @@
+From 30471ebdc9fe5871c115ca06f78a415275a320e6 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 16 Jun 2022 20:02:51 +0000
+Subject: [PATCH] Skip AD domains with posix ranges in the catalog check
+
+The catalog check is intended to ensure that the trust is
+working by looking up a user. For a non-posix range we can use
+the Administrator user because it has a predicible SID.
+
+With a posix range the UID/GID may not be set so the lookup
+can fail (with an empty return value).
+
+So skip domain which have a posix range associated with it.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1775199
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/ipa/trust.py |  34 ++++-
+ tests/test_ipa_trust.py         | 214 +++++++++++++++++++++++++++++++-
+ 2 files changed, 243 insertions(+), 5 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py
+index 27a2c86..b962807 100644
+--- a/src/ipahealthcheck/ipa/trust.py
+++ b/src/ipahealthcheck/ipa/trust.py
+@@ -183,6 +183,7 @@ class IPATrustDomainsCheck(IPAPlugin):
+             except Exception as e:
+                 yield Result(self, constants.WARNING,
+                              key='domain-status',
+                             domain=domain,
+                              error=str(e),
+                              msg='Execution of {key} failed: {error}')
+                 continue
+@@ -262,6 +263,10 @@ class IPATrustCatalogCheck(IPAPlugin):
+     This should populate the 'AD Global catalog' and 'AD Domain Controller'
+     fields in 'sssctl domain-status' output (means SSSD actually talks to AD
+     DCs)
+
+    If the associated idrange type is ipa-ad-trust-posix then the
+    check will be skipped because we can't predict what the UID of the
+    Administrator account will be.
+     """
+     @duration
+     def check(self):
+@@ -280,20 +285,41 @@ class IPATrustCatalogCheck(IPAPlugin):
+ 
+         for trust_domain in trust_domains:
+             sid = trust_domain.get('domainsid')
+            domain = trust_domain['domain']
+            idrange = api.Command.idrange_find(sid)
+            if len(idrange['result']) == 0:
+                yield Result(self, constants.WARNING,
+                             key=sid,
+                             domain=domain,
+                             msg='Domain {domain} does not have an idrange')
+                continue
+
+            if 'ipa-ad-trust-posix' in idrange['result'][0]['iparangetyperaw']:
+                yield Result(self, constants.SUCCESS,
+                             key=sid,
+                             domain=domain,
+                             type='ipa-ad-trust-posix')
+                logger.debug("Domain %s is a POSIX range, skip the lookup",
+                             domain)
+                continue
+
+             try:
+                 id = pysss_nss_idmap.getnamebysid(sid + '-500')
+             except Exception as e:
+                 yield Result(self, constants.ERROR,
+-                             key=sid,
+                             key=id,
+                             domain=domain,
+                              error=str(e),
+-                             msg='Look up of{key} failed: {error}')
+                             msg='Look up of ID {key} for {domain} failed: '
+                                 '{error}')
+                 continue
+ 
+             if not id:
+                 yield Result(self, constants.WARNING,
+-                             key=sid,
+                             key=id,
+                             domain=trust_domain['domain'],
+                              error='returned nothing',
+-                             msg='Look up of {key} {error}')
+                             msg='Look up of ID {key} for {domain} {error}')
+             else:
+                 yield Result(self, constants.SUCCESS,
+                              key='Domain Security Identifier',
+diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py
+index c314b70..6c4754a 100644
+--- a/tests/test_ipa_trust.py
+++ b/tests/test_ipa_trust.py
+@@ -129,6 +129,74 @@ def trustdomain_find():
+     ]
+ 
+ 
+def idrange_find_adrange_type():
+    """
+    Return a set of idranges of type "Active Directory domain range"
+    """
+
+    return {
+            "result": [
+                {
+                    "cn": ["AD.EXAMPLE_id_range"],
+                    "ipabaseid": ["1664000000"],
+                    "ipabaserid": ["0"],
+                    "ipaidrangesize": ["200000"],
+                    "ipanttrusteddomainsid": ["S-1-5-21-abc"],
+                    "iparangetype": ["Active Directory domain range"],
+                    "iparangetyperaw": ["ipa-ad-trust"]
+                },
+                {
+                    "cn": ["CHILD.AD.EXAMPLE_id_range"],
+                    "ipabaseid": ["538600000"],
+                    "ipabaserid": ["0"],
+                    "ipaidrangesize": ["200000"],
+                    "ipanttrusteddomainsid": [
+                        "S-1-5-21-38045160-610119595-3099869984"
+                    ],
+                    "iparangetype": ["Active Directory domain range"],
+                    "iparangetyperaw": ["ipa-ad-trust"]
+                },
+                {
+                    "cn": ["IPA.EXAMPLE_id_range"],
+                    "ipabaseid": ["447400000"],
+                    "ipabaserid": ["1000"],
+                    "ipaidrangesize": ["200000"],
+                    "iparangetype": ["local domain range"],
+                    "iparangetyperaw": ["ipa-local"],
+                    "ipasecondarybaserid": ["100000000"]
+                }]
+        }
+
+
+def idrange_find_adrange_posix():
+    """
+    Return a set of idranges of type
+    "Active Directory trust range with POSIX attributes"
+    """
+
+    return {
+        "result": [
+            {
+                "cn": ["AD.EXAMPLE_id_range"],
+                "ipabaseid": ["1664000000"],
+                "ipaidrangesize": ["200000"],
+                "ipanttrusteddomainsid": ["S-1-5-21-abc"],
+                "iparangetype": [
+                    "Active Directory trust range with POSIX attributes"],
+                "iparangetyperaw": ["ipa-ad-trust-posix"]
+            },
+            {
+                "cn": ["IPA.EXAMPLE_id_range"],
+                "ipabaseid": ["447400000"],
+                "ipabaserid": ["1000"],
+                "ipaidrangesize": ["200000"],
+                "iparangetype": ["local domain range"],
+                "iparangetyperaw": ["ipa-local"],
+                "ipasecondarybaserid": ["100000000"]
+            }]
+        }
+
+
+ class SSSDDomain:
+     def __init__(self, return_ipa_server_mode=True, provider='ipa'):
+         self.return_ipa_server_mode = return_ipa_server_mode
+@@ -454,7 +522,8 @@ class TestTrustCatalog(BaseTest):
+ 
+     @patch('pysss_nss_idmap.getnamebysid')
+     @patch('ipapython.ipautil.run')
+-    def test_trust_catalog_ok(self, mock_run, mock_getnamebysid):
+    def test_trust_catalog_adrange(self, mock_run, mock_getnamebysid):
+        """The associated ID ranges are Active Directory domain range"""
+         # id Administrator@ad.example
+         dsresult = namedtuple('run', ['returncode', 'error_log'])
+         dsresult.returncode = 0
+@@ -478,6 +547,11 @@ class TestTrustCatalog(BaseTest):
+         # get_trust_domains()
+         m_api.Command.trust_find.side_effect = trust_find()
+         m_api.Command.trustdomain_find.side_effect = trustdomain_find()
+        m_api.Command.idrange_find.side_effect = [
+            idrange_find_adrange_type(),
+            idrange_find_adrange_type(),
+            idrange_find_adrange_type()
+        ]
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -550,6 +624,144 @@ class TestTrustCatalog(BaseTest):
+         assert result.kw.get('key') == 'AD Domain Controller'
+         assert result.kw.get('domain') == 'child.example'
+ 
+    @patch('pysss_nss_idmap.getnamebysid')
+    @patch('ipapython.ipautil.run')
+    def test_trust_catalog_posix(self, mock_run, mock_getnamebysid):
+        """AD POSIX ranges"""
+        # id Administrator@ad.example
+        dsresult = namedtuple('run', ['returncode', 'error_log'])
+        dsresult.returncode = 0
+        dsresult.error_log = ''
+        dsresult.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+            'IPA: master.ipa.vm\n\n'
+        ds2result = namedtuple('run', ['returncode', 'error_log'])
+        ds2result.returncode = 0
+        ds2result.error_log = ''
+        ds2result.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+
+        mock_run.side_effect = [dsresult, dsresult, ds2result]
+        mock_getnamebysid.side_effect = [
+           {'S-1-5-21-abc-500': {'name': 'admin@ad.example', 'type': 3}},
+           {'S-1-5-21-ghi-500': {'name': 'admin@child.ad.example', 'type': 3}},
+           {'S-1-5-21-def-500': {'name': 'admin@child.example', 'type': 3}}
+        ]
+
+        # get_trust_domains()
+        m_api.Command.trust_find.side_effect = trust_find()
+        m_api.Command.trustdomain_find.side_effect = trustdomain_find()
+        m_api.Command.idrange_find.side_effect = [
+            idrange_find_adrange_posix(),
+            idrange_find_adrange_posix(),
+            idrange_find_adrange_posix()
+        ]
+
+        framework = object()
+        registry.initialize(framework, config.Config)
+        registry.trust_agent = True
+        f = IPATrustCatalogCheck(registry)
+
+        self.results = capture_results(f)
+
+        assert len(self.results) == 3
+
+        result = self.results.results[0]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-abc'
+        assert result.kw.get('domain') == 'ad.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+        result = self.results.results[1]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-22-def'
+        assert result.kw.get('domain') == 'child.ad.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+        result = self.results.results[2]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-ghi'
+        assert result.kw.get('domain') == 'child.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+    @patch('pysss_nss_idmap.getnamebysid')
+    @patch('ipapython.ipautil.run')
+    def test_trust_catalog_posix_missing(self, mock_run, mock_getnamebysid):
+        """AD POSIX ranges"""
+        # id Administrator@ad.example
+        dsresult = namedtuple('run', ['returncode', 'error_log'])
+        dsresult.returncode = 0
+        dsresult.error_log = ''
+        dsresult.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+            'IPA: master.ipa.vm\n\n'
+        ds2result = namedtuple('run', ['returncode', 'error_log'])
+        ds2result.returncode = 0
+        ds2result.error_log = ''
+        ds2result.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+
+        mock_run.side_effect = [dsresult, dsresult, ds2result]
+        mock_getnamebysid.side_effect = [
+           {'S-1-5-21-abc-500': {'name': 'admin@ad.example', 'type': 3}},
+           {'S-1-5-21-ghi-500': {'name': 'admin@child.ad.example', 'type': 3}},
+           {'S-1-5-21-def-500': {'name': 'admin@child.example', 'type': 3}}
+        ]
+
+        # get_trust_domains()
+        m_api.Command.trust_find.side_effect = trust_find()
+        m_api.Command.trustdomain_find.side_effect = trustdomain_find()
+        m_api.Command.idrange_find.side_effect = [
+            idrange_find_adrange_posix(),
+            {'result': []},
+            {'result': []}
+        ]
+
+        framework = object()
+        registry.initialize(framework, config.Config)
+        registry.trust_agent = True
+        f = IPATrustCatalogCheck(registry)
+
+        self.results = capture_results(f)
+
+        assert len(self.results) == 3
+
+        result = self.results.results[0]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-abc'
+        assert result.kw.get('domain') == 'ad.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+        result = self.results.results[1]
+        assert result.result == constants.WARNING
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-22-def'
+        assert result.kw.get('domain') == 'child.ad.example'
+        assert (
+            result.kw.get('msg')
+            == 'Domain {domain} does not have an idrange'
+        )
+
+        result = self.results.results[2]
+        assert result.result == constants.WARNING
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-ghi'
+        assert result.kw.get('domain') == 'child.example'
+        assert (
+            result.kw.get('msg')
+            == 'Domain {domain} does not have an idrange'
+        )
+
+ 
+ class Testsidgen(BaseTest):
+     patches = {
+-- 
+2.39.2
+
--- a/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
+++ b/SOURCES/0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
@ -1,46 +0,0 @@
-From e556edc0b1cb607caa50f760d5059877f35fbcdc Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 11 Jan 2024 14:40:02 -0500
-Subject: [PATCH] Skip DogtagCertsConfigCheck for PKI versions >= 11.5.0
-
-In 11.5.0 the PKI project stopped storing the certificate
-blobs in CS.cfg. If we continue to check it we will report a
-false positive so skip it in that case.
-
-Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
- src/ipahealthcheck/dogtag/ca.py | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
-index 4afa5d7..ddf5ece 100644
--- a/src/ipahealthcheck/dogtag/ca.py
-+++ b/src/ipahealthcheck/dogtag/ca.py
-@@ -16,6 +16,8 @@ from ipaserver.install import krainstance
- from ipapython.directivesetter import get_directive
- from cryptography.hazmat.primitives.serialization import Encoding
- 
-+import pki.util
-+
- logger = logging.getLogger()
- 
- 
-@@ -30,6 +32,13 @@ class DogtagCertsConfigCheck(DogtagPlugin):
-             logger.debug("No CA configured, skipping dogtag config check")
-             return
- 
-+        pki_version = pki.util.Version(pki.specification_version())
-+        if pki_version >= pki.util.Version("11.5.0"):
-+            logger.debug(
-+                "PKI 11.5.0 no longer stores certificats in CS.cfg"
-+            )
-+            return
-+
-         kra = krainstance.KRAInstance(api.env.realm)
- 
-         blobs = {'auditSigningCert cert-pki-ca': 'ca.audit_signing.cert',
-- 
-2.42.0
-
--- a/SOURCES/0005-Don-t-error-in-DogtagCertsConnectivityCheck-with-ext.patch
+++ b/SOURCES/0005-Don-t-error-in-DogtagCertsConnectivityCheck-with-ext.patch
@ -0,0 +1,372 @@
+From 29855ec76bcb445543e1f2b16b13e5bcfeb67723 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 27 Mar 2023 16:43:11 -0400
+Subject: [PATCH] Don't error in DogtagCertsConnectivityCheck with external CAs
+
+The purpose of the check is to validate that communication
+with the CA works. In the past we looked up serial number 1
+for this check. The problem is that if the server was
+installed with RSNv3 so had no predictable CA serial number.
+
+It also was broken with externally-issued CA certificate which
+cannot be looked up in IPA.
+
+Instead use the IPA RA agent certificate which should definitely
+have a serial number in the IPA CA if one is configured.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/285
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/dogtag/ca.py   |  45 +++-----
+ tests/test_dogtag_connectivity.py | 175 +++++-------------------------
+ 2 files changed, 39 insertions(+), 181 deletions(-)
+
+diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
+index 868876f..4afa5d7 100644
+--- a/src/ipahealthcheck/dogtag/ca.py
+++ b/src/ipahealthcheck/dogtag/ca.py
+@@ -12,10 +12,8 @@ from ipahealthcheck.core import constants
+ from ipalib import api, errors, x509
+ from ipaplatform.paths import paths
+ from ipaserver.install import certs
+-from ipaserver.install import ca
+ from ipaserver.install import krainstance
+ from ipapython.directivesetter import get_directive
+-from ipapython.dn import DN
+ from cryptography.hazmat.primitives.serialization import Encoding
+ 
+ logger = logging.getLogger()
+@@ -95,6 +93,10 @@ class DogtagCertsConfigCheck(DogtagPlugin):
+ class DogtagCertsConnectivityCheck(DogtagPlugin):
+     """
+     Test basic connectivity by using cert-show to fetch a cert
+
+    The RA agent certificate is used because if a CA is configured we
+    know this certificate should exist. Use its serial number to do
+    the lookup.
+     """
+     requires = ('dirsrv',)
+ 
+@@ -104,59 +106,38 @@ class DogtagCertsConnectivityCheck(DogtagPlugin):
+             logger.debug('CA is not configured, skipping connectivity check')
+             return
+ 
+-        config = api.Command.config_show()
+-
+-        subject_base = config['result']['ipacertificatesubjectbase'][0]
+-        ipa_subject = ca.lookup_ca_subject(api, subject_base)
+         try:
+-            certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
+            cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
+         except Exception as e:
+             yield Result(self, constants.ERROR,
+-                         key='ipa_ca_crt_file_missing',
+-                         path=paths.IPA_CA_CRT,
+                         key='ipa_ra_crt_file_missing',
+                         path=paths.RA_AGENT_PEM,
+                          error=str(e),
+-                         msg='The IPA CA cert file {path} could not be '
+                         msg='The IPA RA cert file {path} could not be '
+                              'opened: {error}')
+             return
+ 
+-        found = False
+-        for cert in certs:
+-            if DN(cert.subject) == ipa_subject:
+-                found = True
+-                break
+-
+-        if not found:
+-            yield Result(self, constants.ERROR,
+-                         key='ipa_ca_cert_not_found',
+-                         subject=str(ipa_subject),
+-                         path=paths.IPA_CA_CRT,
+-                         msg='The CA certificate with subject {subject} '
+-                             'was not found in {path}')
+-            return
+-        # Load the IPA CA certificate to obtain its serial number. This
+-        # was traditionally 1 prior to random serial number support.
+-        # There is nothing special about cert 1. Even if there is no cert
+-        # serial number 1 but the connection is ok it is considered passing.
+        # We used to use serial #1 but with RSNv3 it can be anything.
+         try:
+             api.Command.cert_show(cert.serial_number, all=True)
+         except errors.CertificateOperationError as e:
+             if 'not found' in str(e):
+                 yield Result(self, constants.ERROR,
+-                             key='cert_show_1',
+                             key='cert_show_ra',
+                              error=str(e),
+                              serial=str(cert.serial_number),
+                              msg='Serial number not found: {error}')
+             else:
+                 yield Result(self, constants.ERROR,
+-                             key='cert_show_1',
+                             key='cert_show_ra',
+                              error=str(e),
+                              serial=str(cert.serial_number),
+                              msg='Request for certificate failed: {error}')
+         except Exception as e:
+             yield Result(self, constants.ERROR,
+-                         key='cert_show_1',
+                         key='cert_show_ra',
+                              error=str(e),
+                          serial=str(cert.serial_number),
+-                         msg='Request for certificate failed: {error')
+                         msg='Request for certificate failed: {error}')
+         else:
+             yield Result(self, constants.SUCCESS)
+diff --git a/tests/test_dogtag_connectivity.py b/tests/test_dogtag_connectivity.py
+index d81e598..4413fe1 100644
+--- a/tests/test_dogtag_connectivity.py
+++ b/tests/test_dogtag_connectivity.py
+@@ -13,14 +13,23 @@ from ipahealthcheck.dogtag.ca import DogtagCertsConnectivityCheck
+ 
+ from ipalib.errors import CertificateOperationError
+ from ipaplatform.paths import paths
+-from ipapython.dn import DN
+
+
+default_subject_base = [{
+    'result':
+        {
+            'ipacertificatesubjectbase': [f'O={m_api.env.realm}'],
+        },
+}]
+ 
+ 
+ class IPACertificate:
+     def __init__(self, serial_number=1,
+-                 subject='CN=Certificate Authority, O=%s' % m_api.env.realm):
+                 subject='CN=Certificate Authority, O=%s' % m_api.env.realm,
+                 issuer='CN=Certificate Authority, O=%s' % m_api.env.realm):
+         self.serial_number = serial_number
+         self.subject = subject
+        self.issuer = issuer
+ 
+     def __eq__(self, other):
+         return self.serial_number == other.serial_number
+@@ -50,18 +59,15 @@ class TestCAConnectivity(BaseTest):
+         Mock(return_value=CAInstance()),
+     }
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_ok(self, mock_load_cert, mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_ok(self, mock_load_cert):
+         """CA connectivity check when cert_show returns a valid value"""
+         m_api.Command.cert_show.side_effect = None
+         m_api.Command.config_show.side_effect = subject_base
+         m_api.Command.cert_show.return_value = {
+             u'result': {u'revoked': False}
+         }
+-        mock_load_cert.return_value = [IPACertificate(12345)]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+        mock_load_cert.return_value = IPACertificate(12345)
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -76,10 +82,8 @@ class TestCAConnectivity(BaseTest):
+         assert result.source == 'ipahealthcheck.dogtag.ca'
+         assert result.check == 'DogtagCertsConnectivityCheck'
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_cert_not_found(self, mock_load_cert,
+-                                          mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_cert_not_found(self, mock_load_cert):
+         """CA connectivity check for a cert that doesn't exist"""
+         m_api.Command.cert_show.reset_mock()
+         m_api.Command.config_show.side_effect = subject_base
+@@ -87,9 +91,7 @@ class TestCAConnectivity(BaseTest):
+             message='Certificate operation cannot be completed: '
+                     'EXCEPTION (Certificate serial number 0x0 not found)'
+         )
+-        mock_load_cert.return_value = [IPACertificate()]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+        mock_load_cert.return_value = IPACertificate(serial_number=7)
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -103,46 +105,16 @@ class TestCAConnectivity(BaseTest):
+         assert result.result == constants.ERROR
+         assert result.source == 'ipahealthcheck.dogtag.ca'
+         assert result.check == 'DogtagCertsConnectivityCheck'
+-        assert result.kw.get('key') == 'cert_show_1'
+-        assert result.kw.get('serial') == '1'
+        assert result.kw.get('key') == 'cert_show_ra'
+        assert result.kw.get('serial') == '7'
+         assert result.kw.get('msg') == 'Serial number not found: {error}'
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_cert_file_not_found(self, mock_load_cert,
+-                                               mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_cert_file_not_found(self, mock_load_cert):
+         """CA connectivity check for a cert that doesn't exist"""
+         m_api.Command.cert_show.reset_mock()
+         m_api.Command.config_show.side_effect = subject_base
+         mock_load_cert.side_effect = FileNotFoundError()
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.ERROR
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-        assert result.check == 'DogtagCertsConnectivityCheck'
+-        assert result.kw.get('key') == 'ipa_ca_crt_file_missing'
+-        assert result.kw.get('path') == paths.IPA_CA_CRT
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_cert_not_in_file_list(self, mock_load_cert,
+-                                                 mock_ca_subject):
+-        """CA connectivity check for a cert that isn't in IPA_CA_CRT"""
+-        m_api.Command.cert_show.reset_mock()
+-        m_api.Command.config_show.side_effect = bad_subject_base
+-        mock_load_cert.return_value = [IPACertificate()]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          'O=BAD')
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -156,26 +128,18 @@ class TestCAConnectivity(BaseTest):
+         assert result.result == constants.ERROR
+         assert result.source == 'ipahealthcheck.dogtag.ca'
+         assert result.check == 'DogtagCertsConnectivityCheck'
+-        bad = bad_subject_base[0]['result']['ipacertificatesubjectbase'][0]
+-        bad_subject = DN(f'CN=Certificate Authority,{bad}')
+-        assert DN(result.kw['subject']) == bad_subject
+-        assert result.kw['path'] == paths.IPA_CA_CRT
+-        assert result.kw['msg'] == (
+-            'The CA certificate with subject {subject} was not found in {path}'
+-        )
+        assert result.kw.get('key') == 'ipa_ra_crt_file_missing'
+        assert result.kw.get('path') == paths.RA_AGENT_PEM
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_down(self, mock_load_cert, mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_down(self, mock_load_cert):
+         """CA connectivity check with the CA down"""
+         m_api.Command.cert_show.side_effect = CertificateOperationError(
+             message='Certificate operation cannot be completed: '
+                     'Unable to communicate with CMS (503)'
+         )
+         m_api.Command.config_show.side_effect = subject_base
+-        mock_load_cert.return_value = [IPACertificate()]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+        mock_load_cert.return_value = IPACertificate()
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -192,90 +156,3 @@ class TestCAConnectivity(BaseTest):
+         assert result.kw.get('msg') == (
+             'Request for certificate failed: {error}'
+         )
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_multiple_ok(self, mock_load_cert, mock_ca_subject):
+-        """CA connectivity check when cert_show returns a valid value"""
+-        m_api.Command.cert_show.side_effect = None
+-        m_api.Command.config_show.side_effect = subject_base
+-        m_api.Command.cert_show.return_value = {
+-            u'result': {u'revoked': False}
+-        }
+-        mock_load_cert.return_value = [
+-            IPACertificate(1, 'CN=something'),
+-            IPACertificate(12345),
+-        ]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.SUCCESS
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_multiple_ok_reverse(self, mock_load_cert,
+-                                               mock_ca_subject):
+-        """CA connectivity check when cert_show returns a valid value"""
+-        m_api.Command.cert_show.side_effect = None
+-        m_api.Command.config_show.side_effect = subject_base
+-        m_api.Command.cert_show.return_value = {
+-            u'result': {u'revoked': False}
+-        }
+-        mock_load_cert.return_value = [
+-            IPACertificate(12345),
+-            IPACertificate(1, 'CN=something'),
+-        ]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.SUCCESS
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_not_found(self, mock_load_cert, mock_ca_subject):
+-        """CA connectivity check when cert_show returns a valid value"""
+-        m_api.Command.cert_show.side_effect = None
+-        m_api.Command.config_show.side_effect = subject_base
+-        m_api.Command.cert_show.return_value = {
+-            u'result': {u'revoked': False}
+-        }
+-        mock_load_cert.return_value = [
+-            IPACertificate(1, 'CN=something'),
+-        ]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.ERROR
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-        assert result.kw['msg'] == (
+-            'The CA certificate with subject {subject} was not found in {path}'
+-        )
+-- 
+2.41.0
+
--- a/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
+++ b/SOURCES/0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
@ -1,59 +0,0 @@
-From cafe01a23a36c408c8c60357ad2651688dc63599 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 12 Jan 2024 10:17:18 -0500
-Subject: [PATCH] test: Handle PKI >= 11.5.0 not storing certs in CS.cfg
-
-Update the test to expect 0 results if the PKI version is
->= 11.5.0.
-
-Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/317
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
- tests/test_dogtag_ca.py | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/tests/test_dogtag_ca.py b/tests/test_dogtag_ca.py
-index 0820aba..1f61dea 100644
--- a/tests/test_dogtag_ca.py
-+++ b/tests/test_dogtag_ca.py
-@@ -2,12 +2,16 @@
- # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
- #
- 
-+import pki.util
- from util import capture_results, CAInstance, KRAInstance
- from base import BaseTest
- from ipahealthcheck.core import config, constants
- from ipahealthcheck.dogtag.plugin import registry
- from ipahealthcheck.dogtag.ca import DogtagCertsConfigCheck
- from unittest.mock import Mock, patch
-+import pytest
-+
-+pki_version = pki.util.Version(pki.specification_version())
- 
- 
- class mock_Cert:
-@@ -43,6 +47,9 @@ class TestCACerts(BaseTest):
-         Mock(return_value=KRAInstance()),
-     }
- 
-+    @pytest.mark.skipif(
-+        pki_version >= pki.util.Version("11.5.0"),
-+        reason='Does not apply to PKI 11.5.0+')
-     @patch('ipahealthcheck.dogtag.ca.get_directive')
-     @patch('ipaserver.install.certs.CertDB')
-     def test_ca_certs_ok(self, mock_certdb, mock_directive):
-@@ -71,6 +78,9 @@ class TestCACerts(BaseTest):
-             assert result.source == 'ipahealthcheck.dogtag.ca'
-             assert result.check == 'DogtagCertsConfigCheck'
- 
-+    @pytest.mark.skipif(
-+        pki_version >= pki.util.Version("11.5.0"),
-+        reason='Does not apply to PKI 11.5.0+')
-     @patch('ipahealthcheck.dogtag.ca.get_directive')
-     @patch('ipaserver.install.certs.CertDB')
-     def test_cert_missing_from_file(self, mock_certdb, mock_directive):
-- 
-2.42.0
-
--- a/SOURCES/0007-Fix-some-file-mode-format-issues.patch
+++ b/SOURCES/0007-Fix-some-file-mode-format-issues.patch
@ -1,7 +1,7 @@
-From 2206b9915606c555163dec775a99a355dc02bee0 Mon Sep 17 00:00:00 2001
+From 54e2e9b8bff0bc84b6179eac44993b460f02ad02 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
-Date: Tue, 28 May 2024 11:15:48 -0400
-Subject: [PATCH 3/4] Fix some file mode format issues
+Date: Fri, 21 Jun 2024 15:15:36 -0400
+Subject: [PATCH 1/2] Fix some file mode format issues

 When specifying multiple possible modes for a file the values must
 be a tuple. There were two occurances where they were listed
@ -17,15 +17,15 @@ Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 ---
 src/ipahealthcheck/core/files.py | 12 +++++-
 src/ipahealthcheck/ipa/files.py  |  6 +--
- tests/test_core_files.py         | 72 +++++++++++++++++++++++++++++++-
+ tests/test_core_files.py         | 71 +++++++++++++++++++++++++++++++-
 tests/util.py                    |  1 +
- 4 files changed, 85 insertions(+), 6 deletions(-)
+ 4 files changed, 85 insertions(+), 5 deletions(-)

 diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py
-index 85d42bc..32bc5b2 100644
+index 59e8b76..58dd74a 100644
 --- a/src/ipahealthcheck/core/files.py
 +++ b/src/ipahealthcheck/core/files.py
-@@ -31,7 +31,17 @@ class FileCheck:
+@@ -28,7 +28,17 @@ class FileCheck:
 
     @duration
     def check(self):
@ -73,7 +73,7 @@ index d914014..c80fd5b 100644
 
         for globpath in glob.glob(
 diff --git a/tests/test_core_files.py b/tests/test_core_files.py
-index 924d7fa..e7010a9 100644
+index 6e3ec38..09fc216 100644
 --- a/tests/test_core_files.py
 +++ b/tests/test_core_files.py
@@ -2,14 +2,22 @@
@ -138,11 +138,10 @@ index 924d7fa..e7010a9 100644
 
 def make_stat(mode=33200, uid=0, gid=0):
     """Return a mocked-up stat.
-@@ -234,4 +273,33 @@ def test_files_group_not_found(mock_grgid, mock_grnam, mock_stat):
-     my_results = get_results(results, 'group')
-     for result in my_results.results:
-         assert result.result == constants.WARNING
-        assert result.kw.get('got') == 'Unknown gid 0'
+@@ -197,3 +236,33 @@ def test_files_not_found(mock_exists):
+         for result in my_results.results:
+             assert result.result == constants.SUCCESS
+             assert result.kw.get('msg') == 'File does not exist'
 +
 +
 +def test_bad_modes():
@ -174,10 +173,10 @@ index 924d7fa..e7010a9 100644
 +    for result in results.results:
 +        assert result.result == constants.SUCCESS
 diff --git a/tests/util.py b/tests/util.py
-index 12c1688..fb8750a 100644
+index 8081595..5dcb0cd 100644
 --- a/tests/util.py
 +++ b/tests/util.py
-@@ -141,6 +141,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts'))
+@@ -140,6 +140,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts'))
 m_api.env.container_sysaccounts = DN(('cn', 'sysaccounts'), ('cn', 'etc'))
 m_api.env.container_service = DN(('cn', 'services'), ('cn', 'accounts'))
 m_api.env.container_masters = DN(('cn', 'masters'))
--- a/SOURCES/0009-Address-issues-uncovered-by-pylint-2.15.5.patch
+++ b/SOURCES/0009-Address-issues-uncovered-by-pylint-2.15.5.patch
@ -0,0 +1,70 @@
+From 18178ba09b221eef7f0bb869980e1c043a8e764f Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 31 May 2023 17:21:55 -0400
+Subject: [PATCH] Address issues uncovered by pylint 2.15.5
+
+Two variables used before assignment
+
+Three Useless suppression of 'unexpected-keyword-arg'
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/295
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/ipa/certs.py | 5 +----
+ src/ipahealthcheck/ipa/trust.py | 2 +-
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/certs.py b/src/ipahealthcheck/ipa/certs.py
+index 11ac0c1..4ea5112 100644
+--- a/src/ipahealthcheck/ipa/certs.py
+++ b/src/ipahealthcheck/ipa/certs.py
+@@ -343,7 +343,6 @@ class IPACertfileExpirationCheck(IPAPlugin):
+ 
+                 try:
+                     if 'pwd_file' in signature(certdb.NSSDatabase).parameters:
+-                        # pylint: disable=unexpected-keyword-arg
+                         db = certdb.NSSDatabase(
+                             dbdir, token=token,
+                             pwd_file=pwd_file.name if pwd_file else None)
+@@ -624,7 +623,6 @@ class IPACertNSSTrust(IPAPlugin):
+             pwd_file = get_token_password_file(self.ca.hsm_enabled,
+                                                token)
+ 
+-            # pylint: disable=unexpected-keyword-arg
+             db = certdb.NSSDatabase(
+                 paths.PKI_TOMCAT_ALIAS_DIR, token=token,
+                 pwd_file=pwd_file.name if pwd_file else None)
+@@ -987,7 +985,7 @@ class IPANSSChainValidation(IPAPlugin):
+                         key=key,
+                         dbdir=dbdir,
+                         nickname=nickname,
+-                        reason=response.output_error,
+                        reason=str(e),
+                         msg='Validation of {nickname} in {dbdir} failed: '
+                             '{reason}')
+                 else:
+@@ -1251,7 +1249,6 @@ class IPACertRevocation(IPAPlugin):
+                 dbdir = request.get('cert-database')
+                 try:
+                     if 'pwd_file' in signature(certdb.NSSDatabase).parameters:
+-                        # pylint: disable=unexpected-keyword-arg
+                         db = certdb.NSSDatabase(
+                             dbdir, token=token,
+                             pwd_file=pwd_file.name if pwd_file else None
+diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py
+index b962807..243502f 100644
+--- a/src/ipahealthcheck/ipa/trust.py
+++ b/src/ipahealthcheck/ipa/trust.py
+@@ -307,7 +307,7 @@ class IPATrustCatalogCheck(IPAPlugin):
+                 id = pysss_nss_idmap.getnamebysid(sid + '-500')
+             except Exception as e:
+                 yield Result(self, constants.ERROR,
+-                             key=id,
+                             key='getnamebysid',
+                              domain=domain,
+                              error=str(e),
+                              msg='Look up of ID {key} for {domain} failed: '
+-- 
+2.48.1
+
--- a/SOURCES/0009-Check-user-provided-certificates-for-expiration.patch
+++ b/SOURCES/0009-Check-user-provided-certificates-for-expiration.patch
@ -1,345 +0,0 @@
-From 7480a65f13cd17cc57a82f36ddb4fe3fbc7fdf64 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 10 Feb 2025 13:08:50 -0500
-Subject: [PATCH] Check user-provided certificates for expiration
-
-Validate the Apache, DS and PKINIT certificates and
-warn if they are going to expire soon. This should help
-users avoid expired certificates they provide themselves.
-
-These were originally logged and skipped.
-
-Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/347
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
- src/ipahealthcheck/ipa/certs.py           |  81 ++++++++++++++++
- tests/common.py                           |  71 ++++++++++++++
- tests/test_ipa_nssdb.py                   |  23 +----
- tests/test_ipa_userprovided_expiration.py | 110 ++++++++++++++++++++++
- 4 files changed, 263 insertions(+), 22 deletions(-)
- create mode 100644 tests/common.py
- create mode 100644 tests/test_ipa_userprovided_expiration.py
-
-diff --git a/src/ipahealthcheck/ipa/certs.py b/src/ipahealthcheck/ipa/certs.py
-index b8332e0..fc626a6 100644
--- a/src/ipahealthcheck/ipa/certs.py
-+++ b/src/ipahealthcheck/ipa/certs.py
-@@ -453,6 +453,87 @@ class IPACertfileExpirationCheck(IPAPlugin):
-                 yield Result(self, constants.SUCCESS, key=id)
- 
- 
-+@registry
-+class IPAUserProvidedExpirationCheck(IPAPlugin):
-+    """
-+    If we detect user-provided certificates then check to see if
-+    they are expiring soon.
-+
-+    This only applies to the HTTP, DS and KRB certificates.
-+    """
-+    def validate_cert(self, id, cert, certfile=None, nssdb=None,
-+                      nickname=None):
-+        now = datetime.now(tz=timezone.utc)
-+        notafter = cert.not_valid_after_utc
-+
-+        if certfile:
-+            location = certfile
-+        if nssdb:
-+            location = "{}:{}".format(nssdb, nickname)
-+
-+        if now > notafter:
-+            logger.debug("expired")
-+            yield Result(self, constants.ERROR,
-+                         key=id,
-+                         location=location,
-+                         expiration_date=generalized_time(notafter),
-+                         msg='Request id {key} expired on '
-+                             '{expiration_date}')
-+            return
-+
-+        delta = notafter - now
-+        diff = int(delta.total_seconds() / DAY)
-+        if diff < int(self.config.cert_expiration_days):
-+            logger.debug("expiring soon")
-+            yield Result(self, constants.WARNING,
-+                         key=id,
-+                         location=location,
-+                         expiration_date=generalized_time(notafter),
-+                         days=diff,
-+                         msg='Request id {key} expires in {days} '
-+                             'days. You need to manually renew this '
-+                             'certificate.')
-+            return
-+
-+        yield Result(self, constants.SUCCESS, location=location, key=id)
-+
-+    @duration
-+    def check(self):
-+        for id, certfile in (
-+            ("HTTP", paths.HTTPD_CERT_FILE),
-+            ("KDC", paths.KDC_CERT)
-+        ):
-+            try:
-+                cert = x509.load_certificate_from_file(certfile)
-+            except Exception as e:
-+                yield Result(self, constants.ERROR,
-+                             key=id,
-+                             certfile=certfile,
-+                             error=str(e),
-+                             msg='Request id {key}: Unable to open cert '
-+                                 'file \'{certfile}\': {error}')
-+                continue
-+            issued = is_ipa_issued_cert(api, cert)
-+            if issued is None:
-+                logger.debug('Unable to determine if \'%s\' was issued by IPA '
-+                             'because no LDAP connection, assuming yes.')
-+                continue
-+            elif issued is True:
-+                logging.debug("Issued by IPA, skipping")
-+                continue
-+            yield from self.validate_cert(id, cert, certfile=certfile)
-+
-+        ds_db_dirname = dsinstance.config_dirname(self.serverid)
-+        ds_db = certs.CertDB(api.env.realm, nssdir=ds_db_dirname)
-+        nickname = self.ds.get_server_cert_nickname(self.serverid)
-+        cert = ds_db.get_cert_from_db(nickname)
-+        if is_ipa_issued_cert(api, cert):
-+            logging.debug("Issued by IPA, skipping")
-+            return
-+        yield from self.validate_cert("LDAP", cert, nssdb=ds_db_dirname,
-+                                      nickname=nickname)
-+
-+
- @registry
- class IPACertTracking(IPAPlugin):
-     """Compare the certificates tracked by certmonger to those that
-diff --git a/tests/common.py b/tests/common.py
-new file mode 100644
-index 0000000..91799cc
--- /dev/null
-+++ b/tests/common.py
-@@ -0,0 +1,71 @@
-+#
-+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
-+#
-+from datetime import datetime, timedelta, timezone
-+
-+
-+class mock_Cert:
-+    """Fake up a certificate.
-+
-+    The contents are the NSS nickname of the certificate.
-+    """
-+
-+    def __init__(
-+        self,
-+        text,
-+        issuer="CN=Someone",
-+        not_after=datetime.now(tz=timezone.utc),
-+    ):
-+        self.text = text
-+        self._issuer = issuer
-+        self._not_valid_after_utc = not_after
-+
-+    def public_bytes(self, encoding):
-+        return self.text.encode("utf-8")
-+
-+    @property
-+    def issuer(self):
-+        return self._issuer
-+
-+    @property
-+    def not_valid_after_utc(self):
-+        return self._not_valid_after_utc
-+
-+
-+class mock_CertDB:
-+    def __init__(self, trust, expiration_days=0):
-+        """A dict of nickname + NSSdb trust flags"""
-+        self.trust = trust
-+        self._expiration_days = expiration_days
-+
-+    def list_certs(self):
-+        return [
-+            (nickname, self.trust[nickname]) for nickname in self.trust
-+        ]
-+
-+    def get_cert_from_db(self, nickname):
-+        """Return the nickname. This will match the value of get_directive"""
-+        notafter = datetime.now(tz=timezone.utc) + timedelta(
-+            days=self._expiration_days
-+        )
-+        return mock_Cert(nickname, not_after=notafter)
-+
-+
-+class mock_NSSDatabase:
-+    def __init__(self, nssdir, token=None, pwd_file=None, trust=None):
-+        self.trust = trust
-+        self.token = token
-+
-+    def list_certs(self):
-+        return [
-+            (nickname, self.trust[nickname]) for nickname in self.trust
-+        ]
-+
-+
-+def my_unparse_trust_flags(trust_flags):
-+    return trust_flags
-+
-+
-+class DsInstance:
-+    def get_server_cert_nickname(self, serverid):
-+        return "Server-Cert"
-diff --git a/tests/test_ipa_nssdb.py b/tests/test_ipa_nssdb.py
-index cbf7277..8694f82 100644
--- a/tests/test_ipa_nssdb.py
-+++ b/tests/test_ipa_nssdb.py
-@@ -9,28 +9,7 @@ from ipahealthcheck.ipa.plugin import registry
- from ipahealthcheck.ipa.certs import IPACertNSSTrust
- from ipaplatform.paths import paths
- from unittest.mock import Mock, patch
-
-
-class mock_CertDB:
-    def __init__(self, trust):
-        """A dict of nickname + NSSdb trust flags"""
-        self.trust = trust
-
-    def list_certs(self):
-        return [(nickname, self.trust[nickname]) for nickname in self.trust]
-
-
-class mock_NSSDatabase:
-    def __init__(self, nssdir, token=None, pwd_file=None, trust=None):
-        self.trust = trust
-        self.token = token
-
-    def list_certs(self):
-        return [(nickname, self.trust[nickname]) for nickname in self.trust]
-
-
-def my_unparse_trust_flags(trust_flags):
-    return trust_flags
-+from common import mock_NSSDatabase, my_unparse_trust_flags
- 
- 
- # These tests make some assumptions about the order in which the
-diff --git a/tests/test_ipa_userprovided_expiration.py b/tests/test_ipa_userprovided_expiration.py
-new file mode 100644
-index 0000000..71ceb6c
--- /dev/null
-+++ b/tests/test_ipa_userprovided_expiration.py
-@@ -0,0 +1,110 @@
-+#
-+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
-+#
-+
-+from util import capture_results
-+from base import BaseTest
-+from common import DsInstance
-+from ipahealthcheck.core import config, constants
-+from ipahealthcheck.ipa.plugin import registry
-+from ipahealthcheck.ipa.certs import IPAUserProvidedExpirationCheck
-+from unittest.mock import Mock, patch
-+from ipapython.dn import DN
-+from common import mock_CertDB
-+
-+from datetime import datetime, timedelta, timezone
-+
-+CERT_EXPIRATION_DAYS = 30
-+
-+
-+class IPACertificate:
-+    def __init__(self, not_valid_after, serial_number=1):
-+        self.subject = 'CN=RA AGENT'
-+        self.issuer = 'CN=ISSUER'
-+        self.serial_number = serial_number
-+        self.not_valid_after_utc = not_valid_after
-+
-+
-+class TestIPACertificateFile(BaseTest):
-+    patches = {
-+        'ipaserver.install.dsinstance.DsInstance':
-+        Mock(return_value=DsInstance()),
-+        'ipalib.install.certstore.get_ca_subject':
-+        Mock(return_value=DN("CN=EXTERNAL")),
-+        'ipaserver.install.certs.is_ipa_issued_cert':
-+        Mock(return_value=False),
-+    }
-+
-+    @patch('ipalib.x509.load_certificate_from_file')
-+    @patch('ipaserver.install.certs.CertDB')
-+    def test_certfile_expiration(self, mock_certdb, mock_load_cert):
-+        cert = IPACertificate(not_valid_after=datetime.now(tz=timezone.utc) +
-+                              timedelta(days=CERT_EXPIRATION_DAYS))
-+        mock_load_cert.return_value = cert
-+        mock_certdb.return_value = mock_CertDB({
-+            'Server-Cert cert-pki-ca': 'u,u,u',
-+        }, expiration_days=CERT_EXPIRATION_DAYS)
-+
-+        framework = object()
-+        registry.initialize(framework, config.Config)
-+        f = IPAUserProvidedExpirationCheck(registry)
-+
-+        f.config.cert_expiration_days = '28'
-+        self.results = capture_results(f)
-+
-+        assert len(self.results) == 3
-+
-+        for result in self.results.results:
-+            assert result.result == constants.SUCCESS
-+            assert result.source == 'ipahealthcheck.ipa.certs'
-+            assert result.check == 'IPAUserProvidedExpirationCheck'
-+
-+    @patch('ipalib.x509.load_certificate_from_file')
-+    @patch('ipaserver.install.certs.CertDB')
-+    def test_certfile_expiration_warning(self, mock_certdb, mock_load_cert):
-+        cert = IPACertificate(not_valid_after=datetime.now(tz=timezone.utc) +
-+                              timedelta(days=7))
-+        mock_load_cert.return_value = cert
-+        mock_certdb.return_value = mock_CertDB({
-+            'Server-Cert cert-pki-ca': 'u,u,u',
-+        }, expiration_days=7)
-+
-+        framework = object()
-+        registry.initialize(framework, config.Config)
-+        f = IPAUserProvidedExpirationCheck(registry)
-+
-+        f.config.cert_expiration_days = str(CERT_EXPIRATION_DAYS)
-+        self.results = capture_results(f)
-+
-+        assert len(self.results) == 3
-+
-+        for result in self.results.results:
-+            assert result.result == constants.WARNING
-+            assert result.source == 'ipahealthcheck.ipa.certs'
-+            assert result.check == 'IPAUserProvidedExpirationCheck'
-+            assert result.kw.get('days') == 6
-+
-+    @patch('ipalib.x509.load_certificate_from_file')
-+    @patch('ipaserver.install.certs.CertDB')
-+    def test_certfile_expiration_expired(self, mock_certdb, mock_load_cert):
-+        cert = IPACertificate(not_valid_after=datetime.now(tz=timezone.utc) +
-+                              timedelta(days=-100))
-+        mock_load_cert.return_value = cert
-+        mock_certdb.return_value = mock_CertDB({
-+            'Server-Cert cert-pki-ca': 'u,u,u',
-+        }, expiration_days=-100)
-+
-+        framework = object()
-+        registry.initialize(framework, config.Config)
-+        f = IPAUserProvidedExpirationCheck(registry)
-+
-+        f.config.cert_expiration_days = str(CERT_EXPIRATION_DAYS)
-+        self.results = capture_results(f)
-+
-+        assert len(self.results) == 3
-+
-+        for result in self.results.results:
-+            assert result.result == constants.ERROR
-+            assert result.source == 'ipahealthcheck.ipa.certs'
-+            assert result.check == 'IPAUserProvidedExpirationCheck'
-+            assert 'expiration_date' in result.kw
-- 
-2.48.1
-
--- a/SOURCES/0010-Don-t-rely-on-order-in-trust-agent-controller-role-c.patch
+++ b/SOURCES/0010-Don-t-rely-on-order-in-trust-agent-controller-role-c.patch
@ -1,6 +1,6 @@
-From 57cda16e67c5b5b5972452b8623534b0a567a264 Mon Sep 17 00:00:00 2001
+From 7539b4aee19c7e28539ec853369a3230f2ae08f3 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 23 Jun 2025 16:07:34 -0400
+Date: Mon, 23 Jun 2025 13:30:26 -0400
 Subject: [PATCH] Don't rely on order in trust agent/controller role check

 The code expected that the local server would always be the
@ -22,7 +22,7 @@ index f1a325c..efaa947 100644
@@ -35,6 +35,13 @@ class IPARegistry(Registry):
         self.trust_controller = False
         self.ca_configured = False
- 
+
 +    def has_role(self, roles):
 +        for role in roles:
 +            if role.get('server_server') == api.env.host:
@ -45,8 +45,8 @@ index f1a325c..efaa947 100644
 -            self.trust_controller = True
 +        self.trust_agent = self.has_role(roles[0].status(api))
 +        self.trust_controller = self.has_role(roles[1].status(api))
- 
- 
+
+
 registry = IPARegistry()
 diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py
 index 6c4754a..0faa702 100644
@ -54,7 +54,7 @@ index 6c4754a..0faa702 100644
 +++ b/tests/test_ipa_trust.py
@@ -11,7 +11,8 @@ from util import capture_results
 from util import m_api
- 
+
 from ipahealthcheck.core import config, constants
 -from ipahealthcheck.ipa.plugin import registry
 +from ipahealthcheck.core.plugin import Results
--- a/SOURCES/0010-Warn-if-krbLastSuccessfulAuth-replication-is-enabled.patch
+++ b/SOURCES/0010-Warn-if-krbLastSuccessfulAuth-replication-is-enabled.patch
@ -1,146 +0,0 @@
-From 4127298975d4625006a8cb5183583df34c67107d Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 27 Feb 2025 12:17:41 -0500
-Subject: [PATCH] Warn if krbLastSuccessfulAuth replication is enabled
-
-This is controlled in IPA via the ipaconfigstring value including
-KDC:Disable Last Success.
-
-Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/315
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
---
- setup.py                         |  1 +
- src/ipahealthcheck/ipa/config.py | 46 +++++++++++++++++++++++++++
- tests/test_ipa_config.py         | 54 ++++++++++++++++++++++++++++++++
- 3 files changed, 101 insertions(+)
- create mode 100644 src/ipahealthcheck/ipa/config.py
- create mode 100644 tests/test_ipa_config.py
-
-diff --git a/setup.py b/setup.py
-index fe47b55..7126082 100644
--- a/setup.py
-+++ b/setup.py
-@@ -39,6 +39,7 @@ setup(
-         # plugin modules for ipahealthcheck.ipa registry
-         'ipahealthcheck.ipa': [
-             'ipacerts = ipahealthcheck.ipa.certs',
-+            'ipaconfig = ipahealthcheck.ipa.config',
-             'ipadna = ipahealthcheck.ipa.dna',
-             'ipadns = ipahealthcheck.ipa.idns',
-             'ipafiles = ipahealthcheck.ipa.files',
-diff --git a/src/ipahealthcheck/ipa/config.py b/src/ipahealthcheck/ipa/config.py
-new file mode 100644
-index 0000000..c14ee8f
--- /dev/null
-+++ b/src/ipahealthcheck/ipa/config.py
-@@ -0,0 +1,46 @@
-+
-+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
-+#
-+
-+from ipahealthcheck.ipa.plugin import IPAPlugin, registry
-+from ipahealthcheck.core.plugin import Result, duration
-+from ipahealthcheck.core import constants
-+
-+from ipalib import api
-+
-+
-+@registry
-+class IPAkrbLastSuccessfulAuth(IPAPlugin):
-+    """Warn if krbLastSuccessfulAuth is enabled. It can cause
-+       performance issues.
-+    """
-+    requires = ('dirsrv',)
-+
-+    @duration
-+    def check(self):
-+        try:
-+            result = api.Command.config_show()
-+        except Exception as e:
-+            yield Result(self, constants.ERROR,
-+                         key='krbLastSuccessfulAuth',
-+                         msg='Request for configuration failed, %s' % e)
-+            return
-+
-+        configstring = result["result"].get(
-+            "ipaconfigstring", []
-+        )
-+
-+        if 'KDC:Disable Last Success' not in configstring:
-+            yield Result(
-+                self,
-+                constants.WARNING,
-+                key='krbLastSuccessfulAuth',
-+                configstring=configstring,
-+                msg="Last Successful Auth is enabled. It may cause "
-+                    "performance problems.")
-+        else:
-+            yield Result(
-+                self,
-+                constants.SUCCESS,
-+                key='krbLastSuccessfulAuth'
-+            )
-diff --git a/tests/test_ipa_config.py b/tests/test_ipa_config.py
-new file mode 100644
-index 0000000..5cc0c1e
--- /dev/null
-+++ b/tests/test_ipa_config.py
-@@ -0,0 +1,54 @@
-+#
-+# Copyright (C) 2025 FreeIPA Contributors see COPYING for license
-+#
-+
-+from util import capture_results, m_api
-+from base import BaseTest
-+from ipahealthcheck.core import config, constants
-+from ipahealthcheck.ipa.plugin import registry
-+from ipahealthcheck.ipa.config import IPAkrbLastSuccessfulAuth
-+
-+
-+class TestkrbLastSuccessfulAuth(BaseTest):
-+
-+    def test_last_success_disabled(self):
-+        """Test that no warning is issued in the default config"""
-+
-+        m_api.Command.config_show.side_effect = [{
-+            'result': {
-+                'ipaconfigstring': ['KDC:Disable Last Success',]
-+            }
-+        }]
-+
-+        framework = object()
-+        registry.initialize(framework, config.Config())
-+        f = IPAkrbLastSuccessfulAuth(registry)
-+        self.results = capture_results(f)
-+
-+        assert len(self.results) == 1
-+        result = self.results.results[0]
-+        assert result.result == constants.SUCCESS
-+        assert result.source == 'ipahealthcheck.ipa.config'
-+        assert result.check == 'IPAkrbLastSuccessfulAuth'
-+
-+    def test_last_success_enabled(self):
-+        """Test that a warning is issued when krbLastSuccessfulAuth is
-+           replicated.
-+        """
-+
-+        m_api.Command.config_show.side_effect = [{
-+            'result': {
-+                'ipaconfigstring': ['',]
-+            }
-+        }]
-+
-+        framework = object()
-+        registry.initialize(framework, config.Config())
-+        f = IPAkrbLastSuccessfulAuth(registry)
-+        self.results = capture_results(f)
-+
-+        assert len(self.results) == 1
-+        result = self.results.results[0]
-+        assert result.result == constants.WARNING
-+        assert result.source == 'ipahealthcheck.ipa.config'
-+        assert result.check == 'IPAkrbLastSuccessfulAuth'
-- 
-2.48.1
-
--- a/SOURCES/0011-Warn-about-unexpected-umask.patch
+++ b/SOURCES/0011-Warn-about-unexpected-umask.patch
@ -1,103 +0,0 @@
-From 1607150d30a6f7da4dc4661b4e946d037da513e3 Mon Sep 17 00:00:00 2001
-From: David Hanina <dhanina@redhat.com>
-Date: Wed, 26 Mar 2025 09:26:39 +0100
-Subject: [PATCH] Warn about unexpected umask
-
-We should let users know, that their umask set wrong to
-an unsupported value, it does not make much sense to check file
-permissions when wrong umask is set.
-
-Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/353
-Signed-off-by: David Hanina <dhanina@redhat.com>
---
- src/ipahealthcheck/core/files.py | 25 ++++++++++++++++++++++++-
- tests/test_core_files.py         | 19 ++++++++++++++++++-
- 2 files changed, 42 insertions(+), 2 deletions(-)
-
-diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py
-index 32bc5b2..6749d26 100644
--- a/src/ipahealthcheck/core/files.py
-+++ b/src/ipahealthcheck/core/files.py
-@@ -12,6 +12,19 @@ from ipahealthcheck.core.plugin import Result, duration
- 
- logger = logging.getLogger()
- 
-+EXPECTED_UMASK = 0o022
-+
-+
-+def current_umask():
-+    """
-+    Retrieves current umask by setting it temporarily
-+
-+    :returns: int umask
-+    """
-+    umask = os.umask(EXPECTED_UMASK)
-+    os.umask(umask)
-+    return umask
-+
- 
- class FileCheck:
-     """Generic check to validate permission and ownership of files
-@@ -41,6 +54,16 @@ class FileCheck:
-                 yield Result(self, constants.ERROR, key=file,
-                              msg='Code format is incorrect for file')
- 
-+        umask = current_umask()
-+        correct_umask = umask == EXPECTED_UMASK
-+        if not correct_umask:
-+            yield Result(self, constants.WARNING, type='umask',
-+                         expected=oct(EXPECTED_UMASK), got=oct(umask),
-+                         msg='Unexpected umask %s expected %s, '
-+                         'skipping file permissions.' %
-+                         ('0o' + format(umask, 'o').zfill(3),
-+                          '0o' + format(EXPECTED_UMASK, 'o').zfill(3)))
-+
-         for (path, owner, group, mode) in process_files:
-             if not isinstance(owner, tuple):
-                 owner = tuple((owner,))
-@@ -58,7 +81,7 @@ class FileCheck:
-             stat = os.stat(path)
-             fmode = str(oct(stat.st_mode)[-4:])
-             key = '%s_mode' % path.replace('/', '_')
-            if fmode not in mode:
-+            if correct_umask and fmode not in mode:
-                 if len(mode) == 1:
-                     modes = mode[0]
-                 else:
-diff --git a/tests/test_core_files.py b/tests/test_core_files.py
-index d308410..094305a 100644
--- a/tests/test_core_files.py
-+++ b/tests/test_core_files.py
-@@ -9,7 +9,7 @@ from util import m_api
- from util import capture_results
- 
- from ipahealthcheck.core import config
-from ipahealthcheck.core.files import FileCheck
-+from ipahealthcheck.core.files import EXPECTED_UMASK, FileCheck
- from ipahealthcheck.core import constants
- from ipahealthcheck.core.plugin import Results
- from ipahealthcheck.ipa.files import IPAFileCheck
-@@ -303,3 +303,20 @@ def test_ipa_files_format(mock_pkinit):
- 
-     for result in results.results:
-         assert result.result in (constants.SUCCESS, constants.WARNING)
-+
-+
-+@patch('os.umask')
-+def test_bad_umask(mock_umask):
-+    mock_umask.return_value = 0o027
-+
-+    f = FileCheck()
-+    f.files = files
-+
-+    results = capture_results(f)
-+    my_results = get_results(results, 'umask')
-+    assert my_results.results[0].result == constants.WARNING
-+    assert my_results.results[0].kw.get('got') == oct(0o027)
-+    assert my_results.results[0].kw.get('expected') == oct(EXPECTED_UMASK)
-+    assert my_results.results[0].kw.get('type') == 'umask'
-+    assert my_results.results[0].kw.get('msg') == \
-+        'Unexpected umask 0o027 expected 0o022, skipping file permissions.'
-- 
-2.49.0
-
--- a/SPECS/freeipa-healthcheck.spec
+++ b/SPECS/freeipa-healthcheck.spec
@ -1,359 +0,0 @@
-%if 0%{?rhel}
-%global prefix ipa
-%global productname IPA
-%global alt_prefix freeipa
-%else
-# Fedora
-%global prefix freeipa
-%global productname FreeIPA
-%global alt_prefix ipa
-%endif
-%global debug_package %{nil}
-%global python3dir %{_builddir}/python3-%{name}-%{version}-%{release}
-%{!?python3_sitelib: %global python3_sitelib %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
-%global alt_name %{alt_prefix}-healthcheck
-
-%bcond_without tests
-
-Name:           %{prefix}-healthcheck
-Version:        0.16
-Release:        9%{?dist}
-Summary:        Health check tool for %{productname}
-BuildArch:      noarch
-License:        GPLv3
-URL:            https://github.com/freeipa/freeipa-healthcheck
-Source0:        https://github.com/freeipa/freeipa-healthcheck/archive/%{version}.tar.gz
-Source1:        ipahealthcheck.conf
-
-Patch0001:      0001-Remove-ipaclustercheck.patch
-Patch0002:      0002-Don-t-fail-if-a-service-name-cannot-be-looked-up-in-.patch
-Patch0003:      0003-Temporarily-disable-the-ipa-ods-exporter-service-sta.patch
-Patch0004:      0004-Skip-DogtagCertsConfigCheck-for-PKI-versions-11.5.0.patch
-Patch0005:      0005-test-Handle-PKI-11.5.0-not-storing-certs-in-CS.cfg.patch
-Patch0006:      0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
-Patch0007:      0007-Fix-some-file-mode-format-issues.patch
-Patch0008:      0008-Allow-WARNING-in-the-files-test.patch
-Patch0009:      0009-Check-user-provided-certificates-for-expiration.patch 
-Patch0010:      0010-Warn-if-krbLastSuccessfulAuth-replication-is-enabled.patch
-Patch0011:      0011-Warn-about-unexpected-umask.patch 
-Patch0012:      0012-Don-t-rely-on-order-in-trust-agent-controller-role-c.patch 
-
-Requires:       %{name}-core = %{version}-%{release}
-Requires:       %{prefix}-server
-Requires:       python3-ipalib
-Requires:       python3-ipaserver
-Requires:       python3-lib389 >= 1.4.2.14-1
-# cronie-anacron provides anacron
-Requires:       anacron
-Requires:       logrotate
-Requires(post): systemd-units
-Requires:       %{name}-core = %{version}-%{release}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-BuildRequires:  systemd-devel
-%{?systemd_requires}
-# packages for make check
-%if %{with tests}
-BuildRequires:  python3-pytest
-BuildRequires:  python3-ipalib
-BuildRequires:  python3-ipaserver
-%endif
-BuildRequires:  python3-lib389
-BuildRequires:  python3-libsss_nss_idmap
-
-# Cross-provides for sibling OS
-Provides:       %{alt_name} = %{version}
-Conflicts:      %{alt_name}
-Obsoletes:      %{alt_name} < %{version}
-
-%description
-The %{productname} health check tool provides a set of checks to
-proactively detect defects in a FreeIPA cluster.
-
-
-%package -n %{name}-core
-Summary: Core plugin system for healthcheck
-
-# Cross-provides for sibling OS
-Provides:       %{alt_name}-core = %{version}
-Conflicts:      %{alt_name}-core
-Obsoletes:      %{alt_name}-core < %{version}
-
-
-%description -n %{name}-core
-Core plugin system for healthcheck, usable standalone with other
-packages.
-
-
-%prep
-%autosetup -p1  -n freeipa-healthcheck-%{version}
-
-
-%build
-%py3_build
-
-
-%install
-%py3_install
-
-mkdir -p %{buildroot}%{_sysconfdir}/ipahealthcheck
-install -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ipahealthcheck
-
-mkdir -p %{buildroot}/%{_unitdir}
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.service %{buildroot}%{_unitdir}
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.timer %{buildroot}%{_unitdir}
-
-mkdir -p %{buildroot}/%{_libexecdir}/ipa
-install -p -m755 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.sh %{buildroot}%{_libexecdir}/ipa/
-
-mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/logrotate/ipahealthcheck %{buildroot}%{_sysconfdir}/logrotate.d
-
-mkdir -p %{buildroot}/%{_localstatedir}/log/ipa/healthcheck
-
-mkdir -p %{buildroot}/%{_mandir}/man8
-mkdir -p %{buildroot}/%{_mandir}/man5
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/man/man8/ipa-healthcheck.8  %{buildroot}%{_mandir}/man8/
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/man/man5/ipahealthcheck.conf.5  %{buildroot}%{_mandir}/man5/
-
-(cd %{buildroot}/%{python3_sitelib}/ipahealthcheck && find . -type f  | \
-    grep -v '^./core' | \
-    grep -v 'opt-1' | \
-    sed -e 's,\.py.*$,.*,g' | sort -u | \
-    sed -e 's,\./,%%{python3_sitelib}/ipahealthcheck/,g' ) >healthcheck.list
-
-
-%if %{with tests}
-%check
-PYTHONPATH=src PATH=$PATH:$RPM_BUILD_ROOT/usr/bin pytest-3 tests/test_*
-%endif
-
-
-%post
-%systemd_post ipa-healthcheck.service
-
-
-%preun
-%systemd_preun ipa-healthcheck.service
-
-
-%postun
-%systemd_postun_with_restart ipa-healthcheck.service
-
-
-%files -f healthcheck.list
-%{!?_licensedir:%global license %%doc}
-%license COPYING
-%doc README.md
-%{_bindir}/ipa-healthcheck
-%dir %{_sysconfdir}/ipahealthcheck
-%dir %{_localstatedir}/log/ipa/healthcheck
-%config(noreplace) %{_sysconfdir}/ipahealthcheck/ipahealthcheck.conf
-%config(noreplace) %{_sysconfdir}/logrotate.d/ipahealthcheck
-%{python3_sitelib}/ipahealthcheck-%{version}-*.egg-info/
-%{python3_sitelib}/ipahealthcheck-%{version}-*-nspkg.pth
-%{_unitdir}/*
-%{_libexecdir}/*
-%{_mandir}/man8/*
-%{_mandir}/man5/*
-
-
-%files -n %{name}-core
-%{!?_licensedir:%global license %%doc}
-%license COPYING
-%doc README.md
-%{python3_sitelib}/ipahealthcheck/core/
-
-
-%changelog
-* Mon Jun 30 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-9
- Don't rely on order in trust roles (RHEL-99531)
-
-* Thu Jun 26 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-8
- Incorrect patch merged
-
-* Tue May 27 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-7
- Warn in ipa-healthcheck if umask is not 022 (RHEL-67901)
-
-* Mon Mar 24 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-6
- Check for krbLastSuccessfulAuth being enabled (RHEL-4957)
-
-* Tue Feb 25 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-5
- Check expiration dates of user-provided certificates (RHEL-80670)
-
-* Tue Jun 18 2024 Rob Crittenden <rcritten@redhat.com> - 0.16-4
- Change log file permissions of IPA as per CIS benchmark (RHEL-28575)
-
-* Fri Jan 12 2024 Rob Crittenden <rcritten@redhat.com> - 0.16-3
- Skip DogtagCertsConfigCheck for PKI versions 11.5.0 (RHEL-21367)
-
-* Tue Nov 14 2023 Rob Crittenden <rcritten@redhat.com> - 0.16-2
- Don't fail if a service name cannot be looked up in LDAP
- Disable the ipa-ods-exporter service check
-
-* Thu Nov  9 2023 Rob Crittenden <rcritten@redhat.com> - 0.16-1
- Update to upstream 0.16 (RHEL-12494)
-
-* Mon Jul 24 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-4
- Error in DogtagCertsConnectivityCheckCA with external CA (#2224595)
-
-* Thu Jul 06 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-3
- Catch exceptions during user/group name lookup in FileCheck (#2218912)
-
-* Tue Apr 25 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-2
- Skip AD domains with posix ranges in the catalog check (#2188135)
-
-* Thu Dec 01 2022 Rob Crittenden <rcritten@redhat.com> - 0.12-1
- Update to upstream 0.12 (#2139531)
-
-* Wed Jul 06 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-9
- Add support for the DNS URI type (#2104495)
-
-* Wed May 18 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-8
- Validate that a known output type has been selected (#2079698)
-
-* Wed May 04 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-7
- debug='True' in ipahealthcheck.conf doesn't enable debug output (#2079861)
- Validate value formats in the ipahealthcheck.conf file (#2079739)
- Validate output_type options from ipahealthcheck.conf file (#2079698)
-
-* Thu Apr 28 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-6
- Allow multiple file modes in the FileChecker (#2072708)
-
-* Wed Apr 06 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-5
- Add CLI options to healthcheck configuration file (#2070981)
-
-* Wed Mar 30 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-4
- Use the subject base from the IPA configuration, not REALM (#2067213) 
-
-* Tue Oct 12 2021 Rob Crittenden <rcritten@redhat.com> - 0.9-3
- IPATrustControllerServiceCheck doesn't handle HIDDEN_SERVICE (#1976878)
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.9-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Thu Jun 17 2021 Rob Crittenden <rcritten@redhat.com> - 0.9-1
- Rebase to upstream 0.9 (#1969539)
-
-* Thu Apr 22 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-7.2
- rpminspect: specname match on suffix to allow for differing
-  spec/package naming (#1951733)
-
-* Mon Apr 19 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-7.1
- Switch from tox to pytest as the test runner. tox is being deprecated
-  in some distros. (#1942157)
-
-* Mon Apr 19 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-7
- Add check to validate the KRA Agent is correct (#1894781)
-
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.8-6.1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Fri Mar 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.8-5.1
- Re-enable package self-tests after bootstrap
-
-* Mon Mar  8 2021 François Cami <fcami@redhat.com> - 0.8-5
- Make the spec file distribution-agnostic (rhbz#1935773).
-
-* Tue Mar  2 2021 Alexander Scheel <ascheel@redhat.com> - 0.8-4
- Make the spec file more distribution-agnostic
- Use tox as the test runner when tests are enabled
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Jan 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-2
- A bad file group was reported as a python list, not a string
-
-* Wed Jan 13 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-1
- Update to upstream 0.8
- Fix FTBFS in F34/rawhide (#1915256)
-
-* Wed Dec 16 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-3
- Include upstream patch to fix parsing input from json files
-
-* Tue Nov 17 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-2
- Include upstream patch to fix collection of AD trust domains
- Include upstream patch to fix failing not-valid-after test
-
-* Thu Oct 29 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-1
- Update to upstream 0.7
-
-* Wed Jul 29 2020 Rob Crittenden <rcritten@redhat.com> - 0.6-4
- Set minimum Requires on python3-lib389
- Don't assume that all users of healthcheck-core provide the same
-  set of options.
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Fri Jul 24 2020 Rob Crittenden <rcritten@redhat.com> - 0.6-2
- Don't collect IPA servers in MetaCheck
- Skip if dirsrv not available in IPAMetaCheck
-
-* Wed Jul  1 2020 Rob Crittenden <rcritten@redhat.com> - 0.6-1
- Update to upstream 0.6
- Don't include cluster checking yet
-
-* Tue Jun 23 2020 Rob Crittenden <rcritten@redhat.com> - 0.5-5
- Add BuildRequires on python3-setuptools
-
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.5-4
- Rebuilt for Python 3.9
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 27 2020 Rob Crittenden <rcritten@redhat.com> - 0.5-2
- Rebuild
-
-* Thu Jan  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.5-1
- Update to upstream 0.5
-
-* Mon Dec 2 2019 François Cami <fcami@redhat.com> - 0.4-2
- Create subpackage to split out core processing (#1771710)
-
-* Mon Dec 2 2019 François Cami <fcami@redhat.com> - 0.4-1
- Update to upstream 0.4
- Change Source0 to something "spectool -g" can use. 
- Correct URL (#1773512)
- Errors not translated to strings (#1752849)
- JSON output not indented by default (#1729043)
- Add dependencies to checks to avoid false-positives (#1727900)
- Verify expected DNS records (#1695125
-
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.3-3
- Rebuilt for Python 3.8.0rc1 (#1748018)
-
-* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.3-2
- Rebuilt for Python 3.8
-
-* Thu Jul 25 2019 François Cami <fcami@redhat.com> - 0.3-1
- Update to upstream 0.3
- Add logrotate configs + depend on anacron and logrotate
-
-* Thu Jul 25 2019 François Cami <fcami@redhat.com> - 0.2-6
- Fix permissions
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jul 11 2019 François Cami <fcami@redhat.com> - 0.2-4
- Fix ipa-healthcheck.sh installation path (rhbz#1729188)
- Create and own log directory (rhbz#1729188)
-
-* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-3
- Add python3-lib389 to BRs
-
-* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-2
- Fix changelog
-
-* Thu Apr 25 2019 Rob Crittenden <rcritten@redhat.com> - 0.2-1
- Update to upstream 0.2
-
-* Thu Apr 4 2019 François Cami <fcami@redhat.com> - 0.1-2
- Explicitly list dependencies
-
-* Tue Apr 2 2019 François Cami <fcami@redhat.com> - 0.1-1
- Initial package import
--- a/SPECS/ipa-healthcheck.spec
+++ b/SPECS/ipa-healthcheck.spec
@ -0,0 +1,271 @@
+%global project freeipa
+%global shortname healthcheck
+%global longname ipa%{shortname}
+%global debug_package %{nil}
+%global python3dir %{_builddir}/python3-%{name}-%{version}-%{release}
+%{!?python3_sitelib: %global python3_sitelib %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+
+
+Name:           ipa-healthcheck
+Version:        0.12
+Release:        6%{?dist}
+Summary:        Health check tool for IdM
+BuildArch:      noarch
+License:        GPLv3
+URL:            https://github.com/%{project}/freeipa-healthcheck
+Source0:        https://github.com/%{project}/%{name}/archive/%{version}.tar.gz#/%{version}.tar.gz
+Source1:        %{longname}.conf
+
+Patch0001:      0001-Remove-ipaclustercheck.patch
+Patch0002:      0002-Disable-two-failing-tests.patch
+Patch0003:      0003-Fix-logging-issue-related-to-dtype.patch
+Patch0004:      0004-Skip-AD-domains-with-posix-ranges-in-the-catalog-che.patch
+Patch0005:      0005-Don-t-error-in-DogtagCertsConnectivityCheck-with-ext.patch
+Patch0006:      0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+Patch0007:      0007-Fix-some-file-mode-format-issues.patch
+Patch0008:      0008-Allow-WARNING-in-the-files-test.patch
+Patch0009:      0009-Address-issues-uncovered-by-pylint-2.15.5.patch
+Patch0010:      0010-Don-t-rely-on-order-in-trust-agent-controller-role-c.patch
+
+Requires:       %{name}-core = %{version}-%{release}
+Requires:       ipa-server
+Requires:       python3-ipalib
+Requires:       python3-ipaserver
+Requires:       python3-lib389
+Requires:       python3-libsss_nss_idmap
+# cronie-anacron provides anacron
+Requires:       anacron
+Requires:       logrotate
+Requires(post): systemd-units
+Requires:       %{name}-core = %{version}-%{release}
+BuildRequires:  python3-devel
+BuildRequires:  systemd-devel
+%{?systemd_requires}
+
+
+%description
+The FreeIPA health check tool provides a set of checks to
+proactively detect defects in a FreeIPA cluster.
+
+%package -n %{name}-core
+Summary: Core plugin system for healthcheck
+# No Requires on %%{name} = %%{version}-%%{release} since this can be
+# installed standalone
+Conflicts: %{name} < 0.4
+
+%description -n %{name}-core
+Core files
+
+
+%prep
+%autosetup -p1 -n %{project}-%{shortname}-%{version}
+
+
+%build
+%py3_build
+
+
+%install
+%py3_install
+
+mkdir -p %{buildroot}%{_sysconfdir}/%{longname}
+install -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{longname}
+
+mkdir -p %{buildroot}/%{_unitdir}
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/systemd/ipa-%{shortname}.service %{buildroot}%{_unitdir}
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/systemd/ipa-%{shortname}.timer %{buildroot}%{_unitdir}
+
+mkdir -p %{buildroot}/%{_libexecdir}/ipa
+install -p -m755 %{_builddir}/%{project}-%{shortname}-%{version}/systemd/ipa-%{shortname}.sh %{buildroot}%{_libexecdir}/ipa/
+
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/logrotate/%{longname} %{buildroot}%{_sysconfdir}/logrotate.d
+
+mkdir -p %{buildroot}/%{_localstatedir}/log/ipa/%{shortname}
+
+mkdir -p %{buildroot}/%{_mandir}/man8
+mkdir -p %{buildroot}/%{_mandir}/man5
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man8/ipa-%{shortname}.8  %{buildroot}%{_mandir}/man8/
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man5/%{longname}.conf.5  %{buildroot}%{_mandir}/man5/
+
+(cd %{buildroot}/%{python3_sitelib}/ipahealthcheck && find . -type f  | \
+    grep -v '^./core' | \
+    grep -v 'opt-1' | \
+    sed -e 's,\.py.*$,.*,g' | sort -u | \
+    sed -e 's,\./,%%{python3_sitelib}/ipahealthcheck/,g' ) >healthcheck.list
+
+%post
+%systemd_post ipa-%{shortname}.service
+
+
+%preun
+%systemd_preun ipa-%{shortname}.service
+
+
+%postun
+%systemd_postun_with_restart ipa-%{shortname}.service
+
+
+%files -f healthcheck.list
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README.md
+%{_bindir}/ipa-%{shortname}
+%dir %{_sysconfdir}/%{longname}
+%dir %{_localstatedir}/log/ipa/%{shortname}
+%config(noreplace) %{_sysconfdir}/%{longname}/%{longname}.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{longname}
+%{python3_sitelib}/%{longname}-%{version}-*.egg-info/
+%{python3_sitelib}/%{longname}-%{version}-*-nspkg.pth
+%{_unitdir}/*
+%{_libexecdir}/*
+%{_mandir}/man8/*
+%{_mandir}/man5/*
+
+%files -n %{name}-core
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README.md
+%{python3_sitelib}/%{longname}/core/
+
+
+%changelog
+* Mon Jun 23 2025 Rob Crittenden <rcritten@redhat.com> - 0.12-6
+- Don't rely on order in trust roles (RHEL-99487)
+
+* Thu Feb 27 2025 Rob Crittenden <rcritten@redhat.com> - 0.12-5
+- Pull in lint fixes. Prevents exception when testing for AD trust (RHEL-79081)
+- Add direct requires on python3-libsss_nss_idmap.
+
+* Fri Jun 21 2024 Rob Crittenden <rcritten@redhat.com> - 0.12-4
+- Change log file permissions of IPA as per CIS benchmark (RHEL-38929)
+
+* Mon Jul 24 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-3
+- Error in DogtagCertsConnectivityCheckCA with external CA (#2223942)
+
+* Wed May 03 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-2
+- Skip AD domains with posix ranges in the catalog check (#1775199)
+
+* Thu Dec 01 2022 Rob Crittenden <rcritten@redhat.com> - 0.12-1
+- Update to upstream 0.12 (#2139529)
+- Verify that the number of krb5kdc worker processes is aligned to the
+  number of configured CPUs (#2052930)
+- IPADNSSystemRecordsCheck displays warning message for 2 expected
+  ipa-ca AAAA records (#2099484)
+
+* Wed May 25 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-14
+- Add CLI options to healthcheck configuration file (#1872467)
+
+* Fri Apr 29 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-13
+- Allow multiple file modes in the FileChecker (#2058239)
+
+* Thu Mar 31 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-12
+- Use the subject base from the IPA configuration, not REALM (#2066308)
+
+* Fri Mar 18 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-11
+- Add support for the DNS URI type (#2037847)
+
+* Thu Feb 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-10
+- Don't depend on IPA status when suppressing pki checks (#2055316)
+
+* Mon Jan 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-9
+- Don't assume the entry_point order when determining if there is a
+  CA installed (#2041995)
+
+* Thu Jan 06 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-8
+- Suppress the CRLManager check false positive when a CA is not
+  configured (#1983060)
+- Fix the backport of the pki.server.healthcheck suppression (#1983060)
+
+* Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-7
+- ipa-healthcheck command takes some extra time to complete when dirsrv
+  instance is stopped (#1776687)
+- ipa-healthcheck complains about pki.server.healthcheck errors even CA
+  is not configured on the replica (#1983060)
+
+* Mon Jun 14 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-6
+- Fix patch fuzz issues, apply add'l upstream for log files (#1780020)
+
+* Wed Jun  2 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-5
+- Return a user-friendly message when no issues are found (#1780062)
+- Report on FIPS status (#1781107)
+- Detect mismatches beteween certificates in LDAP and filesystem (#1886770)
+- Verify owner/perms for important log files (#1780020)
+
+* Tue Apr  6 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-4
+- Add check to validate the KRA Agent is correct (#1894781)
+
+* Fri Dec  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-3
+- Translate result names when reading input from a json file (#1866558)
+
+* Tue Nov  3 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-2
+- Fix collection of AD trust domains (#1891505) 
+
+* Tue Nov  3 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-1
+- Update to upstream 0.7 (#1891850)
+- Include Directory Server healthchecks (#1824193)
+- Document that default output format is JSON (#1780328)
+- Fix return value on exit with --input-file (#1866558)
+- Fix examples in man page (#1809215)
+- Replace man page reference to output-format with output-type (#1780303)
+- Add dependencies on services to avoid false positives (#1780510)
+
+* Wed Aug 19 2020 Rob Crittenden <rcritten@redhat.com> - 0.4-6
+- The core subpackage can be installed standalone, drop the Requires
+  on the base package. (#1852244)
+- Add Conflicts < 0.4 to to core to allow downgrading with
+  --allowerasing (#1852244)
+
+* Tue Aug  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.4-5
+- Remove the Obsoletes < 0.4 and add same-version Requires to each
+  subpackage so that upgrades from 0.3 will work (#1852244)
+
+* Thu Jan 16 2020 Rob Crittenden <rcritten@redhat.com> - 0.4-4
+- Allow plugins to read contents from config during initialization (#1784037)
+
+* Thu Dec  5 2019 Rob Crittenden <rcritten@redhat.com> - 0.4-3
+- Add Obsoletes to core subpackage (#1780121)
+
+* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.4-2
+- Abstract processing so core package is standalone (#1771710)
+
+* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.4-1
+- Rebase to upstream 0.4 (#1770346)
+- Create subpackage to split out core processing (#1771710)
+- Correct URL (#1773512)
+- Errors not translated to strings (#1752849)
+- JSON output not indented by default (#1729043)
+- Add dependencies to checks to avoid false-positives (#1727900)
+- Verify expected DNS records (#1695125)
+
+* Mon Aug 12 2019 Rob Crittenden <rcritten@redhat.com> - 0.3-4
+- Lookup AD user by SID and not by hardcoded username (#1739500)
+
+* Thu Aug  8 2019 Rob Crittenden <rcritten@redhat.com> - 0.3-3
+- The AD trust agent and controller are not being initialized (#1738314)
+
+* Mon Aug  5 2019 Rob Crittenden <rcritten@redhat.com> - 0.3-2
+- Change DNA plugin to return WARNING if no range is set (#1737492)
+
+* Mon Jul 29 2019 François Cami <fcami@redhat.com> - 0.3-1
+- Update to upstream 0.3 (#1701351)
+- Add logrotate configs + depend on anacron and logrotate (#1729207)
+
+* Thu Jul 11 2019 François Cami <fcami@redhat.com> - 0.2-4
+- Fix ipa-healthcheck.sh installation path (rhbz#1729188)
+- Create and own log directory (rhbz#1729188)
+
+* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-3
+- Add python3-lib389 to BRs
+
+* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-2
+- Fix changelog
+
+* Thu Apr 25 2019 Rob Crittenden <rcritten@redhat.com> - 0.2-1
+- Update to upstream 0.2
+
+* Thu Apr 4 2019 François Cami <fcami@redhat.com> - 0.1-2
+- Explicitly list dependencies
+
+* Tue Apr 2 2019 François Cami <fcami@redhat.com> - 0.1-1
+- Initial package import