19 changed files with 1557 additions and 387 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,12 +1 @@
-/freeipa-healthcheck-0.1.tar.gz
-/freeipa-healthcheck-0.2.tar.gz
-/freeipa-healthcheck-0.3.tar.gz
-/freeipa-healthcheck-0.4.tar.gz
-/freeipa-healthcheck-0.5.tar.gz
-/freeipa-healthcheck-0.6.tar.gz
-/freeipa-healthcheck-0.7.tar.gz
-/0.8.tar.gz
-/0.9.tar.gz
-/0.12.tar.gz
-/0.16.tar.gz
-/0.19.tar.gz
+SOURCES/0.12.tar.gz
--- a/.ipa-healthcheck.metadata
+++ b/.ipa-healthcheck.metadata
@ -0,0 +1 @@
+dc05dc0ca441dcb1a87e3b3bd7d440d79c17ac0a SOURCES/0.12.tar.gz
--- a/README.md
+++ b/README.md
@ -1,3 +0,0 @@
-# freeipa-healthcheck
-
-The freeipa-healthcheck package
--- a/SOURCES/0001-Remove-ipaclustercheck.patch
+++ b/SOURCES/0001-Remove-ipaclustercheck.patch
@ -1,6 +1,6 @@
-From dee0c0842f92b9fb7caf64eb498c4c27d1aa5326 Mon Sep 17 00:00:00 2001
+From 9d5f9d21442ee483044fc55a5c02039af23869d7 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 22 Sep 2025 16:33:24 -0400
+Date: Thu, 1 Dec 2022 14:22:46 -0500
 Subject: [PATCH] Remove ipaclustercheck

 ---
@ -26,13 +26,13 @@ Subject: [PATCH] Remove ipaclustercheck
 delete mode 100644 tests/test_cluster_ruv.py

 diff --git a/setup.py b/setup.py
-index 578fc52..6f47cda 100644
+index 0cfa486..b9e1ca1 100644
 --- a/setup.py
 +++ b/setup.py
@@ -4,7 +4,7 @@ from setuptools import find_packages, setup
 setup(
     name='ipahealthcheck',
-     version='0.19',
+     version='0.12',
 -    namespace_packages=['ipahealthcheck', 'ipaclustercheck'],
 +    namespace_packages=['ipahealthcheck'],
     package_dir={'': 'src'},
@ -53,7 +53,7 @@ index 578fc52..6f47cda 100644
         ],
         # subsystem registries
         'ipahealthcheck.registry': [
-@@ -73,13 +70,6 @@ setup(
+@@ -72,13 +69,6 @@ setup(
         'ipahealthcheck.system': [
             'filesystemspace = ipahealthcheck.system.filesystemspace',
         ],
@ -635,5 +635,5 @@ index 7583c84..0000000
 -        assert result.kw.get('name') == 'dangling_csruv'
 -        assert result.kw.get('value') == '9'
 -- 
-2.49.0
+2.38.1

--- a/SOURCES/0002-Disable-two-failing-tests.patch
+++ b/SOURCES/0002-Disable-two-failing-tests.patch
@ -0,0 +1,64 @@
+From d2cd8292d8a1d7c2fd2a5f978f8ed76c0769e5e9 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 8 Feb 2022 14:16:06 -0500
+Subject: [PATCH] Disable two failing tests
+
+These test that healthcheck can properly detect when IPA
+is not installed or configured. Its not ideal to remove them
+from the check process but they aren't critical.
+---
+ tests/test_commands.py | 41 -----------------------------------------
+ 1 file changed, 41 deletions(-)
+
+diff --git a/tests/test_commands.py b/tests/test_commands.py
+index 988d7fc..e14114b 100644
+--- a/tests/test_commands.py
+++ b/tests/test_commands.py
+@@ -14,44 +14,3 @@ def test_version():
+     """
+     output = run(['ipa-healthcheck', '--version'], env=os.environ)
+     assert 'ipahealthcheck' in output.raw_output.decode('utf-8')
+-
+-
+-@pytest.fixture
+-def python_ipalib_dir(tmpdir):
+-    ipalib_dir = tmpdir.mkdir("ipalib")
+-    ipalib_dir.join("__init__.py").write("")
+-
+-    def _make_facts(configured=None):
+-        if configured is None:
+-            module_text = ""
+-        elif isinstance(configured, bool):
+-            module_text = f"def is_ipa_configured(): return {configured}"
+-        else:
+-            raise TypeError(
+-                f"'configured' must be None or bool, got '{configured!r}'"
+-            )
+-
+-        ipalib_dir.join("facts.py").write(module_text)
+-        return str(tmpdir)
+-
+-    return _make_facts
+-
+-
+-def test_ipa_notinstalled(python_ipalib_dir, monkeypatch):
+-    """
+-    Test ipa-healthcheck handles the missing IPA stuff
+-    """
+-    monkeypatch.setenv("PYTHONPATH", python_ipalib_dir(configured=None))
+-    output = run(["ipa-healthcheck"], raiseonerr=False, env=os.environ)
+-    assert output.returncode == 1
+-    assert "IPA server is not installed" in output.raw_output.decode("utf-8")
+-
+-
+-def test_ipa_unconfigured(python_ipalib_dir, monkeypatch):
+-    """
+-    Test ipa-healthcheck handles the unconfigured IPA server
+-    """
+-    monkeypatch.setenv("PYTHONPATH", python_ipalib_dir(configured=False))
+-    output = run(["ipa-healthcheck"], raiseonerr=False, env=os.environ)
+-    assert output.returncode == 1
+-    assert "IPA server is not configured" in output.raw_output.decode("utf-8")
+-- 
+2.31.1
+
--- a/SOURCES/0003-Fix-logging-issue-related-to-dtype.patch
+++ b/SOURCES/0003-Fix-logging-issue-related-to-dtype.patch
@ -0,0 +1,29 @@
+From 0f485a0921a39c08e7259f9b38f0b10e425384a5 Mon Sep 17 00:00:00 2001
+From: root <root@ipa.example.test>
+Date: Mon, 5 Dec 2022 16:17:17 -0500
+Subject: [PATCH] Fix logging issue related to dtype
+
+It is an integer in earlier versions of python3-dns and a class
+in later versions. Log the integer value.
+
+Related: #2099484
+---
+ src/ipahealthcheck/ipa/idns.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipa/idns.py b/ipa/idns.py
+index e294db2..1adb69d 100644
+--- a/src/ipahealthcheck/ipa/idns.py
+++ b/src/ipahealthcheck/ipa/idns.py
+@@ -176,7 +176,7 @@ class IPADNSSystemRecordsCheck(IPAPlugin):
+         qname = "ipa-ca." + api.env.domain + "."
+         ipa_ca_records = []
+         for dtype in (rdatatype.A, rdatatype.AAAA):
+-            logger.debug("Search DNS for %s records of %s", dtype.name, qname)
+            logger.debug("Search DNS for %s records of %s", dtype, qname)
+             try:
+                 answers = resolve(qname, dtype)
+             except DNSException as e:
+-- 
+2.31.1
+
--- a/SOURCES/0004-Skip-AD-domains-with-posix-ranges-in-the-catalog-che.patch
+++ b/SOURCES/0004-Skip-AD-domains-with-posix-ranges-in-the-catalog-che.patch
@ -0,0 +1,340 @@
+From 30471ebdc9fe5871c115ca06f78a415275a320e6 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 16 Jun 2022 20:02:51 +0000
+Subject: [PATCH] Skip AD domains with posix ranges in the catalog check
+
+The catalog check is intended to ensure that the trust is
+working by looking up a user. For a non-posix range we can use
+the Administrator user because it has a predicible SID.
+
+With a posix range the UID/GID may not be set so the lookup
+can fail (with an empty return value).
+
+So skip domain which have a posix range associated with it.
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1775199
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/ipa/trust.py |  34 ++++-
+ tests/test_ipa_trust.py         | 214 +++++++++++++++++++++++++++++++-
+ 2 files changed, 243 insertions(+), 5 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py
+index 27a2c86..b962807 100644
+--- a/src/ipahealthcheck/ipa/trust.py
+++ b/src/ipahealthcheck/ipa/trust.py
+@@ -183,6 +183,7 @@ class IPATrustDomainsCheck(IPAPlugin):
+             except Exception as e:
+                 yield Result(self, constants.WARNING,
+                              key='domain-status',
+                             domain=domain,
+                              error=str(e),
+                              msg='Execution of {key} failed: {error}')
+                 continue
+@@ -262,6 +263,10 @@ class IPATrustCatalogCheck(IPAPlugin):
+     This should populate the 'AD Global catalog' and 'AD Domain Controller'
+     fields in 'sssctl domain-status' output (means SSSD actually talks to AD
+     DCs)
+
+    If the associated idrange type is ipa-ad-trust-posix then the
+    check will be skipped because we can't predict what the UID of the
+    Administrator account will be.
+     """
+     @duration
+     def check(self):
+@@ -280,20 +285,41 @@ class IPATrustCatalogCheck(IPAPlugin):
+ 
+         for trust_domain in trust_domains:
+             sid = trust_domain.get('domainsid')
+            domain = trust_domain['domain']
+            idrange = api.Command.idrange_find(sid)
+            if len(idrange['result']) == 0:
+                yield Result(self, constants.WARNING,
+                             key=sid,
+                             domain=domain,
+                             msg='Domain {domain} does not have an idrange')
+                continue
+
+            if 'ipa-ad-trust-posix' in idrange['result'][0]['iparangetyperaw']:
+                yield Result(self, constants.SUCCESS,
+                             key=sid,
+                             domain=domain,
+                             type='ipa-ad-trust-posix')
+                logger.debug("Domain %s is a POSIX range, skip the lookup",
+                             domain)
+                continue
+
+             try:
+                 id = pysss_nss_idmap.getnamebysid(sid + '-500')
+             except Exception as e:
+                 yield Result(self, constants.ERROR,
+-                             key=sid,
+                             key=id,
+                             domain=domain,
+                              error=str(e),
+-                             msg='Look up of{key} failed: {error}')
+                             msg='Look up of ID {key} for {domain} failed: '
+                                 '{error}')
+                 continue
+ 
+             if not id:
+                 yield Result(self, constants.WARNING,
+-                             key=sid,
+                             key=id,
+                             domain=trust_domain['domain'],
+                              error='returned nothing',
+-                             msg='Look up of {key} {error}')
+                             msg='Look up of ID {key} for {domain} {error}')
+             else:
+                 yield Result(self, constants.SUCCESS,
+                              key='Domain Security Identifier',
+diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py
+index c314b70..6c4754a 100644
+--- a/tests/test_ipa_trust.py
+++ b/tests/test_ipa_trust.py
+@@ -129,6 +129,74 @@ def trustdomain_find():
+     ]
+ 
+ 
+def idrange_find_adrange_type():
+    """
+    Return a set of idranges of type "Active Directory domain range"
+    """
+
+    return {
+            "result": [
+                {
+                    "cn": ["AD.EXAMPLE_id_range"],
+                    "ipabaseid": ["1664000000"],
+                    "ipabaserid": ["0"],
+                    "ipaidrangesize": ["200000"],
+                    "ipanttrusteddomainsid": ["S-1-5-21-abc"],
+                    "iparangetype": ["Active Directory domain range"],
+                    "iparangetyperaw": ["ipa-ad-trust"]
+                },
+                {
+                    "cn": ["CHILD.AD.EXAMPLE_id_range"],
+                    "ipabaseid": ["538600000"],
+                    "ipabaserid": ["0"],
+                    "ipaidrangesize": ["200000"],
+                    "ipanttrusteddomainsid": [
+                        "S-1-5-21-38045160-610119595-3099869984"
+                    ],
+                    "iparangetype": ["Active Directory domain range"],
+                    "iparangetyperaw": ["ipa-ad-trust"]
+                },
+                {
+                    "cn": ["IPA.EXAMPLE_id_range"],
+                    "ipabaseid": ["447400000"],
+                    "ipabaserid": ["1000"],
+                    "ipaidrangesize": ["200000"],
+                    "iparangetype": ["local domain range"],
+                    "iparangetyperaw": ["ipa-local"],
+                    "ipasecondarybaserid": ["100000000"]
+                }]
+        }
+
+
+def idrange_find_adrange_posix():
+    """
+    Return a set of idranges of type
+    "Active Directory trust range with POSIX attributes"
+    """
+
+    return {
+        "result": [
+            {
+                "cn": ["AD.EXAMPLE_id_range"],
+                "ipabaseid": ["1664000000"],
+                "ipaidrangesize": ["200000"],
+                "ipanttrusteddomainsid": ["S-1-5-21-abc"],
+                "iparangetype": [
+                    "Active Directory trust range with POSIX attributes"],
+                "iparangetyperaw": ["ipa-ad-trust-posix"]
+            },
+            {
+                "cn": ["IPA.EXAMPLE_id_range"],
+                "ipabaseid": ["447400000"],
+                "ipabaserid": ["1000"],
+                "ipaidrangesize": ["200000"],
+                "iparangetype": ["local domain range"],
+                "iparangetyperaw": ["ipa-local"],
+                "ipasecondarybaserid": ["100000000"]
+            }]
+        }
+
+
+ class SSSDDomain:
+     def __init__(self, return_ipa_server_mode=True, provider='ipa'):
+         self.return_ipa_server_mode = return_ipa_server_mode
+@@ -454,7 +522,8 @@ class TestTrustCatalog(BaseTest):
+ 
+     @patch('pysss_nss_idmap.getnamebysid')
+     @patch('ipapython.ipautil.run')
+-    def test_trust_catalog_ok(self, mock_run, mock_getnamebysid):
+    def test_trust_catalog_adrange(self, mock_run, mock_getnamebysid):
+        """The associated ID ranges are Active Directory domain range"""
+         # id Administrator@ad.example
+         dsresult = namedtuple('run', ['returncode', 'error_log'])
+         dsresult.returncode = 0
+@@ -478,6 +547,11 @@ class TestTrustCatalog(BaseTest):
+         # get_trust_domains()
+         m_api.Command.trust_find.side_effect = trust_find()
+         m_api.Command.trustdomain_find.side_effect = trustdomain_find()
+        m_api.Command.idrange_find.side_effect = [
+            idrange_find_adrange_type(),
+            idrange_find_adrange_type(),
+            idrange_find_adrange_type()
+        ]
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -550,6 +624,144 @@ class TestTrustCatalog(BaseTest):
+         assert result.kw.get('key') == 'AD Domain Controller'
+         assert result.kw.get('domain') == 'child.example'
+ 
+    @patch('pysss_nss_idmap.getnamebysid')
+    @patch('ipapython.ipautil.run')
+    def test_trust_catalog_posix(self, mock_run, mock_getnamebysid):
+        """AD POSIX ranges"""
+        # id Administrator@ad.example
+        dsresult = namedtuple('run', ['returncode', 'error_log'])
+        dsresult.returncode = 0
+        dsresult.error_log = ''
+        dsresult.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+            'IPA: master.ipa.vm\n\n'
+        ds2result = namedtuple('run', ['returncode', 'error_log'])
+        ds2result.returncode = 0
+        ds2result.error_log = ''
+        ds2result.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+
+        mock_run.side_effect = [dsresult, dsresult, ds2result]
+        mock_getnamebysid.side_effect = [
+           {'S-1-5-21-abc-500': {'name': 'admin@ad.example', 'type': 3}},
+           {'S-1-5-21-ghi-500': {'name': 'admin@child.ad.example', 'type': 3}},
+           {'S-1-5-21-def-500': {'name': 'admin@child.example', 'type': 3}}
+        ]
+
+        # get_trust_domains()
+        m_api.Command.trust_find.side_effect = trust_find()
+        m_api.Command.trustdomain_find.side_effect = trustdomain_find()
+        m_api.Command.idrange_find.side_effect = [
+            idrange_find_adrange_posix(),
+            idrange_find_adrange_posix(),
+            idrange_find_adrange_posix()
+        ]
+
+        framework = object()
+        registry.initialize(framework, config.Config)
+        registry.trust_agent = True
+        f = IPATrustCatalogCheck(registry)
+
+        self.results = capture_results(f)
+
+        assert len(self.results) == 3
+
+        result = self.results.results[0]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-abc'
+        assert result.kw.get('domain') == 'ad.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+        result = self.results.results[1]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-22-def'
+        assert result.kw.get('domain') == 'child.ad.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+        result = self.results.results[2]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-ghi'
+        assert result.kw.get('domain') == 'child.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+    @patch('pysss_nss_idmap.getnamebysid')
+    @patch('ipapython.ipautil.run')
+    def test_trust_catalog_posix_missing(self, mock_run, mock_getnamebysid):
+        """AD POSIX ranges"""
+        # id Administrator@ad.example
+        dsresult = namedtuple('run', ['returncode', 'error_log'])
+        dsresult.returncode = 0
+        dsresult.error_log = ''
+        dsresult.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+            'IPA: master.ipa.vm\n\n'
+        ds2result = namedtuple('run', ['returncode', 'error_log'])
+        ds2result.returncode = 0
+        ds2result.error_log = ''
+        ds2result.output = 'Active servers:\nAD Global Catalog: ' \
+            'root-dc.ad.vm\nAD Domain Controller: root-dc.ad.vm\n' \
+
+        mock_run.side_effect = [dsresult, dsresult, ds2result]
+        mock_getnamebysid.side_effect = [
+           {'S-1-5-21-abc-500': {'name': 'admin@ad.example', 'type': 3}},
+           {'S-1-5-21-ghi-500': {'name': 'admin@child.ad.example', 'type': 3}},
+           {'S-1-5-21-def-500': {'name': 'admin@child.example', 'type': 3}}
+        ]
+
+        # get_trust_domains()
+        m_api.Command.trust_find.side_effect = trust_find()
+        m_api.Command.trustdomain_find.side_effect = trustdomain_find()
+        m_api.Command.idrange_find.side_effect = [
+            idrange_find_adrange_posix(),
+            {'result': []},
+            {'result': []}
+        ]
+
+        framework = object()
+        registry.initialize(framework, config.Config)
+        registry.trust_agent = True
+        f = IPATrustCatalogCheck(registry)
+
+        self.results = capture_results(f)
+
+        assert len(self.results) == 3
+
+        result = self.results.results[0]
+        assert result.result == constants.SUCCESS
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-abc'
+        assert result.kw.get('domain') == 'ad.example'
+        assert result.kw.get('type') == 'ipa-ad-trust-posix'
+
+        result = self.results.results[1]
+        assert result.result == constants.WARNING
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-22-def'
+        assert result.kw.get('domain') == 'child.ad.example'
+        assert (
+            result.kw.get('msg')
+            == 'Domain {domain} does not have an idrange'
+        )
+
+        result = self.results.results[2]
+        assert result.result == constants.WARNING
+        assert result.source == 'ipahealthcheck.ipa.trust'
+        assert result.check == 'IPATrustCatalogCheck'
+        assert result.kw.get('key') == 'S-1-5-21-ghi'
+        assert result.kw.get('domain') == 'child.example'
+        assert (
+            result.kw.get('msg')
+            == 'Domain {domain} does not have an idrange'
+        )
+
+ 
+ class Testsidgen(BaseTest):
+     patches = {
+-- 
+2.39.2
+
--- a/SOURCES/0005-Don-t-error-in-DogtagCertsConnectivityCheck-with-ext.patch
+++ b/SOURCES/0005-Don-t-error-in-DogtagCertsConnectivityCheck-with-ext.patch
@ -0,0 +1,372 @@
+From 29855ec76bcb445543e1f2b16b13e5bcfeb67723 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 27 Mar 2023 16:43:11 -0400
+Subject: [PATCH] Don't error in DogtagCertsConnectivityCheck with external CAs
+
+The purpose of the check is to validate that communication
+with the CA works. In the past we looked up serial number 1
+for this check. The problem is that if the server was
+installed with RSNv3 so had no predictable CA serial number.
+
+It also was broken with externally-issued CA certificate which
+cannot be looked up in IPA.
+
+Instead use the IPA RA agent certificate which should definitely
+have a serial number in the IPA CA if one is configured.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/285
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/dogtag/ca.py   |  45 +++-----
+ tests/test_dogtag_connectivity.py | 175 +++++-------------------------
+ 2 files changed, 39 insertions(+), 181 deletions(-)
+
+diff --git a/src/ipahealthcheck/dogtag/ca.py b/src/ipahealthcheck/dogtag/ca.py
+index 868876f..4afa5d7 100644
+--- a/src/ipahealthcheck/dogtag/ca.py
+++ b/src/ipahealthcheck/dogtag/ca.py
+@@ -12,10 +12,8 @@ from ipahealthcheck.core import constants
+ from ipalib import api, errors, x509
+ from ipaplatform.paths import paths
+ from ipaserver.install import certs
+-from ipaserver.install import ca
+ from ipaserver.install import krainstance
+ from ipapython.directivesetter import get_directive
+-from ipapython.dn import DN
+ from cryptography.hazmat.primitives.serialization import Encoding
+ 
+ logger = logging.getLogger()
+@@ -95,6 +93,10 @@ class DogtagCertsConfigCheck(DogtagPlugin):
+ class DogtagCertsConnectivityCheck(DogtagPlugin):
+     """
+     Test basic connectivity by using cert-show to fetch a cert
+
+    The RA agent certificate is used because if a CA is configured we
+    know this certificate should exist. Use its serial number to do
+    the lookup.
+     """
+     requires = ('dirsrv',)
+ 
+@@ -104,59 +106,38 @@ class DogtagCertsConnectivityCheck(DogtagPlugin):
+             logger.debug('CA is not configured, skipping connectivity check')
+             return
+ 
+-        config = api.Command.config_show()
+-
+-        subject_base = config['result']['ipacertificatesubjectbase'][0]
+-        ipa_subject = ca.lookup_ca_subject(api, subject_base)
+         try:
+-            certs = x509.load_certificate_list_from_file(paths.IPA_CA_CRT)
+            cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
+         except Exception as e:
+             yield Result(self, constants.ERROR,
+-                         key='ipa_ca_crt_file_missing',
+-                         path=paths.IPA_CA_CRT,
+                         key='ipa_ra_crt_file_missing',
+                         path=paths.RA_AGENT_PEM,
+                          error=str(e),
+-                         msg='The IPA CA cert file {path} could not be '
+                         msg='The IPA RA cert file {path} could not be '
+                              'opened: {error}')
+             return
+ 
+-        found = False
+-        for cert in certs:
+-            if DN(cert.subject) == ipa_subject:
+-                found = True
+-                break
+-
+-        if not found:
+-            yield Result(self, constants.ERROR,
+-                         key='ipa_ca_cert_not_found',
+-                         subject=str(ipa_subject),
+-                         path=paths.IPA_CA_CRT,
+-                         msg='The CA certificate with subject {subject} '
+-                             'was not found in {path}')
+-            return
+-        # Load the IPA CA certificate to obtain its serial number. This
+-        # was traditionally 1 prior to random serial number support.
+-        # There is nothing special about cert 1. Even if there is no cert
+-        # serial number 1 but the connection is ok it is considered passing.
+        # We used to use serial #1 but with RSNv3 it can be anything.
+         try:
+             api.Command.cert_show(cert.serial_number, all=True)
+         except errors.CertificateOperationError as e:
+             if 'not found' in str(e):
+                 yield Result(self, constants.ERROR,
+-                             key='cert_show_1',
+                             key='cert_show_ra',
+                              error=str(e),
+                              serial=str(cert.serial_number),
+                              msg='Serial number not found: {error}')
+             else:
+                 yield Result(self, constants.ERROR,
+-                             key='cert_show_1',
+                             key='cert_show_ra',
+                              error=str(e),
+                              serial=str(cert.serial_number),
+                              msg='Request for certificate failed: {error}')
+         except Exception as e:
+             yield Result(self, constants.ERROR,
+-                         key='cert_show_1',
+                         key='cert_show_ra',
+                              error=str(e),
+                          serial=str(cert.serial_number),
+-                         msg='Request for certificate failed: {error')
+                         msg='Request for certificate failed: {error}')
+         else:
+             yield Result(self, constants.SUCCESS)
+diff --git a/tests/test_dogtag_connectivity.py b/tests/test_dogtag_connectivity.py
+index d81e598..4413fe1 100644
+--- a/tests/test_dogtag_connectivity.py
+++ b/tests/test_dogtag_connectivity.py
+@@ -13,14 +13,23 @@ from ipahealthcheck.dogtag.ca import DogtagCertsConnectivityCheck
+ 
+ from ipalib.errors import CertificateOperationError
+ from ipaplatform.paths import paths
+-from ipapython.dn import DN
+
+
+default_subject_base = [{
+    'result':
+        {
+            'ipacertificatesubjectbase': [f'O={m_api.env.realm}'],
+        },
+}]
+ 
+ 
+ class IPACertificate:
+     def __init__(self, serial_number=1,
+-                 subject='CN=Certificate Authority, O=%s' % m_api.env.realm):
+                 subject='CN=Certificate Authority, O=%s' % m_api.env.realm,
+                 issuer='CN=Certificate Authority, O=%s' % m_api.env.realm):
+         self.serial_number = serial_number
+         self.subject = subject
+        self.issuer = issuer
+ 
+     def __eq__(self, other):
+         return self.serial_number == other.serial_number
+@@ -50,18 +59,15 @@ class TestCAConnectivity(BaseTest):
+         Mock(return_value=CAInstance()),
+     }
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_ok(self, mock_load_cert, mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_ok(self, mock_load_cert):
+         """CA connectivity check when cert_show returns a valid value"""
+         m_api.Command.cert_show.side_effect = None
+         m_api.Command.config_show.side_effect = subject_base
+         m_api.Command.cert_show.return_value = {
+             u'result': {u'revoked': False}
+         }
+-        mock_load_cert.return_value = [IPACertificate(12345)]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+        mock_load_cert.return_value = IPACertificate(12345)
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -76,10 +82,8 @@ class TestCAConnectivity(BaseTest):
+         assert result.source == 'ipahealthcheck.dogtag.ca'
+         assert result.check == 'DogtagCertsConnectivityCheck'
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_cert_not_found(self, mock_load_cert,
+-                                          mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_cert_not_found(self, mock_load_cert):
+         """CA connectivity check for a cert that doesn't exist"""
+         m_api.Command.cert_show.reset_mock()
+         m_api.Command.config_show.side_effect = subject_base
+@@ -87,9 +91,7 @@ class TestCAConnectivity(BaseTest):
+             message='Certificate operation cannot be completed: '
+                     'EXCEPTION (Certificate serial number 0x0 not found)'
+         )
+-        mock_load_cert.return_value = [IPACertificate()]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+        mock_load_cert.return_value = IPACertificate(serial_number=7)
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -103,46 +105,16 @@ class TestCAConnectivity(BaseTest):
+         assert result.result == constants.ERROR
+         assert result.source == 'ipahealthcheck.dogtag.ca'
+         assert result.check == 'DogtagCertsConnectivityCheck'
+-        assert result.kw.get('key') == 'cert_show_1'
+-        assert result.kw.get('serial') == '1'
+        assert result.kw.get('key') == 'cert_show_ra'
+        assert result.kw.get('serial') == '7'
+         assert result.kw.get('msg') == 'Serial number not found: {error}'
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_cert_file_not_found(self, mock_load_cert,
+-                                               mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_cert_file_not_found(self, mock_load_cert):
+         """CA connectivity check for a cert that doesn't exist"""
+         m_api.Command.cert_show.reset_mock()
+         m_api.Command.config_show.side_effect = subject_base
+         mock_load_cert.side_effect = FileNotFoundError()
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.ERROR
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-        assert result.check == 'DogtagCertsConnectivityCheck'
+-        assert result.kw.get('key') == 'ipa_ca_crt_file_missing'
+-        assert result.kw.get('path') == paths.IPA_CA_CRT
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_cert_not_in_file_list(self, mock_load_cert,
+-                                                 mock_ca_subject):
+-        """CA connectivity check for a cert that isn't in IPA_CA_CRT"""
+-        m_api.Command.cert_show.reset_mock()
+-        m_api.Command.config_show.side_effect = bad_subject_base
+-        mock_load_cert.return_value = [IPACertificate()]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          'O=BAD')
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -156,26 +128,18 @@ class TestCAConnectivity(BaseTest):
+         assert result.result == constants.ERROR
+         assert result.source == 'ipahealthcheck.dogtag.ca'
+         assert result.check == 'DogtagCertsConnectivityCheck'
+-        bad = bad_subject_base[0]['result']['ipacertificatesubjectbase'][0]
+-        bad_subject = DN(f'CN=Certificate Authority,{bad}')
+-        assert DN(result.kw['subject']) == bad_subject
+-        assert result.kw['path'] == paths.IPA_CA_CRT
+-        assert result.kw['msg'] == (
+-            'The CA certificate with subject {subject} was not found in {path}'
+-        )
+        assert result.kw.get('key') == 'ipa_ra_crt_file_missing'
+        assert result.kw.get('path') == paths.RA_AGENT_PEM
+ 
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_down(self, mock_load_cert, mock_ca_subject):
+    @patch('ipalib.x509.load_certificate_from_file')
+    def test_ca_connection_down(self, mock_load_cert):
+         """CA connectivity check with the CA down"""
+         m_api.Command.cert_show.side_effect = CertificateOperationError(
+             message='Certificate operation cannot be completed: '
+                     'Unable to communicate with CMS (503)'
+         )
+         m_api.Command.config_show.side_effect = subject_base
+-        mock_load_cert.return_value = [IPACertificate()]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+        mock_load_cert.return_value = IPACertificate()
+ 
+         framework = object()
+         registry.initialize(framework, config.Config)
+@@ -192,90 +156,3 @@ class TestCAConnectivity(BaseTest):
+         assert result.kw.get('msg') == (
+             'Request for certificate failed: {error}'
+         )
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_multiple_ok(self, mock_load_cert, mock_ca_subject):
+-        """CA connectivity check when cert_show returns a valid value"""
+-        m_api.Command.cert_show.side_effect = None
+-        m_api.Command.config_show.side_effect = subject_base
+-        m_api.Command.cert_show.return_value = {
+-            u'result': {u'revoked': False}
+-        }
+-        mock_load_cert.return_value = [
+-            IPACertificate(1, 'CN=something'),
+-            IPACertificate(12345),
+-        ]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.SUCCESS
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_multiple_ok_reverse(self, mock_load_cert,
+-                                               mock_ca_subject):
+-        """CA connectivity check when cert_show returns a valid value"""
+-        m_api.Command.cert_show.side_effect = None
+-        m_api.Command.config_show.side_effect = subject_base
+-        m_api.Command.cert_show.return_value = {
+-            u'result': {u'revoked': False}
+-        }
+-        mock_load_cert.return_value = [
+-            IPACertificate(12345),
+-            IPACertificate(1, 'CN=something'),
+-        ]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.SUCCESS
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-
+-    @patch('ipaserver.install.ca.lookup_ca_subject')
+-    @patch('ipalib.x509.load_certificate_list_from_file')
+-    def test_ca_connection_not_found(self, mock_load_cert, mock_ca_subject):
+-        """CA connectivity check when cert_show returns a valid value"""
+-        m_api.Command.cert_show.side_effect = None
+-        m_api.Command.config_show.side_effect = subject_base
+-        m_api.Command.cert_show.return_value = {
+-            u'result': {u'revoked': False}
+-        }
+-        mock_load_cert.return_value = [
+-            IPACertificate(1, 'CN=something'),
+-        ]
+-        mock_ca_subject.return_value = DN(('cn', 'Certificate Authority'),
+-                                          f'O={m_api.env.realm}')
+-
+-        framework = object()
+-        registry.initialize(framework, config.Config)
+-        f = DogtagCertsConnectivityCheck(registry)
+-
+-        self.results = capture_results(f)
+-
+-        assert len(self.results) == 1
+-
+-        result = self.results.results[0]
+-        assert result.result == constants.ERROR
+-        assert result.source == 'ipahealthcheck.dogtag.ca'
+-        assert result.kw['msg'] == (
+-            'The CA certificate with subject {subject} was not found in {path}'
+-        )
+-- 
+2.41.0
+
--- a/SOURCES/0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+++ b/SOURCES/0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
@ -0,0 +1,47 @@
+From e0c09f9f1388bbce43775f40a39266e692e231da Mon Sep 17 00:00:00 2001
+From: Thorsten Scherf <tscherf@redhat.com>
+Date: Wed, 13 Mar 2024 12:57:34 +0100
+Subject: [PATCH 1/4] Fixes log file permissions as per CIS benchmark
+
+As per CIS benchmark the log file permissions should be 640 for some log
+files but if we change /var/log/ipa-custodia.audit.log permissions to
+640 then "ipa-healthcheck" reports a permission issue.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/325
+Signed-off-by: Thorsten Scherf <tscherf@redhat.com>
+---
+ src/ipahealthcheck/ipa/files.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
+index b7ca116..d914014 100644
+--- a/src/ipahealthcheck/ipa/files.py
+++ b/src/ipahealthcheck/ipa/files.py
+@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                 self.files.append((filename, 'root', 'root', '0600'))
+ 
+         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
+-                          'root', 'root', '0644'))
+                          'root', 'root', '0644', '0640'))
+ 
+         self.files.append((paths.KADMIND_LOG, 'root', 'root',
+                           ('0600', '0640')))
+@@ -133,11 +133,13 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+         self.files.append((paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % inst,
+                            constants.DS_USER, constants.DS_GROUP, '0600'))
+ 
+-        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root', '0644'))
+        self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
+                           '0644', '0640'))
+ 
+         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
+             self.files.append(
+-                (globpath, constants.PKI_USER, constants.PKI_GROUP, "0644")
+                (globpath, constants.PKI_USER, constants.PKI_GROUP,
+                 "0644", "0640")
+             )
+ 
+         for globpath in glob.glob(
+-- 
+2.45.0
+
--- a/SOURCES/0007-Fix-some-file-mode-format-issues.patch
+++ b/SOURCES/0007-Fix-some-file-mode-format-issues.patch
@ -0,0 +1,189 @@
+From 54e2e9b8bff0bc84b6179eac44993b460f02ad02 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 21 Jun 2024 15:15:36 -0400
+Subject: [PATCH 1/2] Fix some file mode format issues
+
+When specifying multiple possible modes for a file the values must
+be a tuple. There were two occurances where they were listed
+separately.
+
+Add in a pre-check on the formatting to raise an error for badly
+formatted files. This may be annoying for users if one sneaks in
+again but the CI should catch it.
+
+Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/core/files.py | 12 +++++-
+ src/ipahealthcheck/ipa/files.py  |  6 +--
+ tests/test_core_files.py         | 71 +++++++++++++++++++++++++++++++-
+ tests/util.py                    |  1 +
+ 4 files changed, 85 insertions(+), 5 deletions(-)
+
+diff --git a/src/ipahealthcheck/core/files.py b/src/ipahealthcheck/core/files.py
+index 59e8b76..58dd74a 100644
+--- a/src/ipahealthcheck/core/files.py
+++ b/src/ipahealthcheck/core/files.py
+@@ -28,7 +28,17 @@ class FileCheck:
+ 
+     @duration
+     def check(self):
+-        for (path, owner, group, mode) in self.files:
+        # first validate that the list of files to check is in the correct
+        # format
+        process_files = []
+        for file in self.files:
+            if len(file) == 4:
+                process_files.append(file)
+            else:
+                yield Result(self, constants.ERROR, key=file,
+                             msg='Code format is incorrect for file')
+
+        for (path, owner, group, mode) in process_files:
+             if not isinstance(owner, tuple):
+                 owner = tuple((owner,))
+             if not isinstance(group, tuple):
+diff --git a/src/ipahealthcheck/ipa/files.py b/src/ipahealthcheck/ipa/files.py
+index d914014..c80fd5b 100644
+--- a/src/ipahealthcheck/ipa/files.py
+++ b/src/ipahealthcheck/ipa/files.py
+@@ -121,7 +121,7 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                 self.files.append((filename, 'root', 'root', '0600'))
+ 
+         self.files.append((paths.IPA_CUSTODIA_AUDIT_LOG,
+-                          'root', 'root', '0644', '0640'))
+                          'root', 'root', ('0644', '0640')))
+ 
+         self.files.append((paths.KADMIND_LOG, 'root', 'root',
+                           ('0600', '0640')))
+@@ -134,12 +134,12 @@ class IPAFileCheck(IPAPlugin, FileCheck):
+                            constants.DS_USER, constants.DS_GROUP, '0600'))
+ 
+         self.files.append((paths.VAR_LOG_HTTPD_ERROR, 'root', 'root',
+-                           '0644', '0640'))
+                           ('0644', '0640')))
+ 
+         for globpath in glob.glob("%s/debug*.log" % paths.TOMCAT_CA_DIR):
+             self.files.append(
+                 (globpath, constants.PKI_USER, constants.PKI_GROUP,
+-                 "0644", "0640")
+                 ("0644", "0640"))
+             )
+ 
+         for globpath in glob.glob(
+diff --git a/tests/test_core_files.py b/tests/test_core_files.py
+index 6e3ec38..09fc216 100644
+--- a/tests/test_core_files.py
+++ b/tests/test_core_files.py
+@@ -2,14 +2,22 @@
+ # Copyright (C) 2019 FreeIPA Contributors see COPYING for license
+ #
+ 
+from ldap import OPT_X_SASL_SSF_MIN
+ import pwd
+ import posix
+from util import m_api
+from util import capture_results
+
+from ipahealthcheck.core import config
+ from ipahealthcheck.core.files import FileCheck
+ from ipahealthcheck.core import constants
+ from ipahealthcheck.core.plugin import Results
+from ipahealthcheck.ipa.files import IPAFileCheck
+from ipahealthcheck.system.plugin import registry
+ from unittest.mock import patch
+from ipapython.dn import DN
+from ipapython.ipaldap import LDAPClient, LDAPEntry
+ 
+-from util import capture_results
+ 
+ nobody = pwd.getpwnam('nobody')
+ 
+@@ -20,6 +28,37 @@ files = (('foo', 'root', 'root', '0660'),
+          ('fiz', ('root', 'bin'), ('root', 'bin'), '0664'),
+          ('zap', ('root', 'bin'), ('root', 'bin'), ('0664', '0640'),))
+ 
+bad_modes = (('biz', ('root', 'bin'), ('root', 'bin'), '0664', '0640'),)
+
+
+class mock_ldap:
+    SCOPE_BASE = 1
+    SCOPE_ONELEVEL = 2
+    SCOPE_SUBTREE = 4
+
+    def __init__(self, ldapentry):
+        """Initialize the results that we will return from get_entries"""
+        self.results = ldapentry
+
+    def get_entry(self, dn, attrs_list=None, time_limit=None,
+                  size_limit=None, get_effective_rights=False):
+        return []  # the call doesn't check the value
+
+
+class mock_ldap_conn:
+    def set_option(self, option, invalue):
+        pass
+
+    def get_option(self, option):
+        if option == OPT_X_SASL_SSF_MIN:
+            return 256
+
+        return None
+
+    def search_s(self, base, scope, filterstr=None,
+                 attrlist=None, attrsonly=0):
+        return tuple()
+
+ 
+ def make_stat(mode=33200, uid=0, gid=0):
+     """Return a mocked-up stat.
+@@ -197,3 +236,33 @@ def test_files_not_found(mock_exists):
+         for result in my_results.results:
+             assert result.result == constants.SUCCESS
+             assert result.kw.get('msg') == 'File does not exist'
+
+
+def test_bad_modes():
+    f = FileCheck()
+    f.files = bad_modes
+
+    results = capture_results(f)
+
+    for result in results.results:
+        assert result.result == constants.ERROR
+        assert result.kw.get('msg') == 'Code format is incorrect for file'
+
+
+@patch('ipaserver.install.krbinstance.is_pkinit_enabled')
+def test_ipa_files_format(mock_pkinit):
+    mock_pkinit.return_value = True
+
+    fake_conn = LDAPClient('ldap://localhost', no_schema=True)
+    ldapentry = LDAPEntry(fake_conn, DN(m_api.env.container_dns,
+                          m_api.env.basedn))
+    framework = object()
+    registry.initialize(framework, config.Config)
+    f = IPAFileCheck(registry)
+
+    f.conn = mock_ldap(ldapentry)
+
+    results = capture_results(f)
+
+    for result in results.results:
+        assert result.result == constants.SUCCESS
+diff --git a/tests/util.py b/tests/util.py
+index 8081595..5dcb0cd 100644
+--- a/tests/util.py
+++ b/tests/util.py
+@@ -140,6 +140,7 @@ m_api.env.container_host = DN(('cn', 'computers'), ('cn', 'accounts'))
+ m_api.env.container_sysaccounts = DN(('cn', 'sysaccounts'), ('cn', 'etc'))
+ m_api.env.container_service = DN(('cn', 'services'), ('cn', 'accounts'))
+ m_api.env.container_masters = DN(('cn', 'masters'))
+m_api.env.container_dns = DN(('cn', 'dns'))
+ m_api.Backend = Mock()
+ m_api.Command = Mock()
+ m_api.Command.ping.return_value = {
+-- 
+2.45.0
+
--- a/SOURCES/0008-Allow-WARNING-in-the-files-test.patch
+++ b/SOURCES/0008-Allow-WARNING-in-the-files-test.patch
@ -0,0 +1,28 @@
+From 79cca342b3c440a045cadbff871ff977e35222c6 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Thu, 20 Jun 2024 14:27:16 -0400
+Subject: [PATCH] Allow WARNING in the files test
+
+We are only validating the format and don't need to actually
+enforce the results in CI. The validation raises ERROR.
+
+Related: https://github.com/freeipa/freeipa-healthcheck/issues/325
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ tests/test_core_files.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tests/test_core_files.py b/tests/test_core_files.py
+index e7010a9..d308410 100644
+--- a/tests/test_core_files.py
+++ b/tests/test_core_files.py
+@@ -302,4 +302,4 @@ def test_ipa_files_format(mock_pkinit):
+     results = capture_results(f)
+ 
+     for result in results.results:
+-        assert result.result == constants.SUCCESS
+        assert result.result in (constants.SUCCESS, constants.WARNING)
+-- 
+2.45.0
+
--- a/SOURCES/0009-Address-issues-uncovered-by-pylint-2.15.5.patch
+++ b/SOURCES/0009-Address-issues-uncovered-by-pylint-2.15.5.patch
@ -0,0 +1,70 @@
+From 18178ba09b221eef7f0bb869980e1c043a8e764f Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Wed, 31 May 2023 17:21:55 -0400
+Subject: [PATCH] Address issues uncovered by pylint 2.15.5
+
+Two variables used before assignment
+
+Three Useless suppression of 'unexpected-keyword-arg'
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/295
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/ipa/certs.py | 5 +----
+ src/ipahealthcheck/ipa/trust.py | 2 +-
+ 2 files changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/certs.py b/src/ipahealthcheck/ipa/certs.py
+index 11ac0c1..4ea5112 100644
+--- a/src/ipahealthcheck/ipa/certs.py
+++ b/src/ipahealthcheck/ipa/certs.py
+@@ -343,7 +343,6 @@ class IPACertfileExpirationCheck(IPAPlugin):
+ 
+                 try:
+                     if 'pwd_file' in signature(certdb.NSSDatabase).parameters:
+-                        # pylint: disable=unexpected-keyword-arg
+                         db = certdb.NSSDatabase(
+                             dbdir, token=token,
+                             pwd_file=pwd_file.name if pwd_file else None)
+@@ -624,7 +623,6 @@ class IPACertNSSTrust(IPAPlugin):
+             pwd_file = get_token_password_file(self.ca.hsm_enabled,
+                                                token)
+ 
+-            # pylint: disable=unexpected-keyword-arg
+             db = certdb.NSSDatabase(
+                 paths.PKI_TOMCAT_ALIAS_DIR, token=token,
+                 pwd_file=pwd_file.name if pwd_file else None)
+@@ -987,7 +985,7 @@ class IPANSSChainValidation(IPAPlugin):
+                         key=key,
+                         dbdir=dbdir,
+                         nickname=nickname,
+-                        reason=response.output_error,
+                        reason=str(e),
+                         msg='Validation of {nickname} in {dbdir} failed: '
+                             '{reason}')
+                 else:
+@@ -1251,7 +1249,6 @@ class IPACertRevocation(IPAPlugin):
+                 dbdir = request.get('cert-database')
+                 try:
+                     if 'pwd_file' in signature(certdb.NSSDatabase).parameters:
+-                        # pylint: disable=unexpected-keyword-arg
+                         db = certdb.NSSDatabase(
+                             dbdir, token=token,
+                             pwd_file=pwd_file.name if pwd_file else None
+diff --git a/src/ipahealthcheck/ipa/trust.py b/src/ipahealthcheck/ipa/trust.py
+index b962807..243502f 100644
+--- a/src/ipahealthcheck/ipa/trust.py
+++ b/src/ipahealthcheck/ipa/trust.py
+@@ -307,7 +307,7 @@ class IPATrustCatalogCheck(IPAPlugin):
+                 id = pysss_nss_idmap.getnamebysid(sid + '-500')
+             except Exception as e:
+                 yield Result(self, constants.ERROR,
+-                             key=id,
+                             key='getnamebysid',
+                              domain=domain,
+                              error=str(e),
+                              msg='Look up of ID {key} for {domain} failed: '
+-- 
+2.48.1
+
--- a/SOURCES/0010-Don-t-rely-on-order-in-trust-agent-controller-role-c.patch
+++ b/SOURCES/0010-Don-t-rely-on-order-in-trust-agent-controller-role-c.patch
@ -0,0 +1,139 @@
+From 7539b4aee19c7e28539ec853369a3230f2ae08f3 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 23 Jun 2025 13:30:26 -0400
+Subject: [PATCH] Don't rely on order in trust agent/controller role check
+
+The code expected that the local server would always be the
+first one returned. Instead loop through the returned list
+to find the current server and set the state based on that.
+
+Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/356
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ src/ipahealthcheck/ipa/plugin.py | 15 ++++---
+ tests/test_ipa_trust.py          | 71 +++++++++++++++++++++++++++++++-
+ 2 files changed, 79 insertions(+), 7 deletions(-)
+
+diff --git a/src/ipahealthcheck/ipa/plugin.py b/src/ipahealthcheck/ipa/plugin.py
+index f1a325c..efaa947 100644
+--- a/src/ipahealthcheck/ipa/plugin.py
+++ b/src/ipahealthcheck/ipa/plugin.py
+@@ -35,6 +35,13 @@ class IPARegistry(Registry):
+         self.trust_controller = False
+         self.ca_configured = False
+
+    def has_role(self, roles):
+        for role in roles:
+            if role.get('server_server') == api.env.host:
+                if role.get('status') == 'enabled':
+                    return True
+        return False
+
+     def initialize(self, framework, config, options=None):
+         super().initialize(framework, config)
+         # deferred import for mock
+@@ -81,12 +88,8 @@ class IPARegistry(Registry):
+                 component_services=['ADTRUST']
+             ),
+         )
+-        role = roles[0].status(api)[0]
+-        if role.get('status') == 'enabled':
+-            self.trust_agent = True
+-        role = roles[1].status(api)[0]
+-        if role.get('status') == 'enabled':
+-            self.trust_controller = True
+        self.trust_agent = self.has_role(roles[0].status(api))
+        self.trust_controller = self.has_role(roles[1].status(api))
+
+
+ registry = IPARegistry()
+diff --git a/tests/test_ipa_trust.py b/tests/test_ipa_trust.py
+index 6c4754a..0faa702 100644
+--- a/tests/test_ipa_trust.py
+++ b/tests/test_ipa_trust.py
+@@ -11,7 +11,8 @@ from util import capture_results
+ from util import m_api
+
+ from ipahealthcheck.core import config, constants
+-from ipahealthcheck.ipa.plugin import registry
+from ipahealthcheck.core.plugin import Results
+from ipahealthcheck.ipa.plugin import registry, IPARegistry
+ from ipahealthcheck.ipa.trust import (IPATrustAgentCheck,
+                                       IPATrustDomainsCheck,
+                                       IPADomainCheck,
+@@ -1287,3 +1288,71 @@ class TestPackageCheck(BaseTest):
+         assert result.source == 'ipahealthcheck.ipa.trust'
+         assert result.check == 'IPATrustPackageCheck'
+         sys.modules['ipaserver.install'] = save
+
+
+class TestHasRole(BaseTest):
+    """Verify that the output of server-role-find which is used to
+       determine whether a host is a trust agent or controller
+      (or neither) isn't dependent upon the order the hosts are
+      returned.
+
+      Only trust agent is tested here but there is no difference
+      between an agent and a trust in the way they are stored in
+      a server role.
+    """
+    def test_role_last(self):
+        self.results = Results()
+        reg = IPARegistry()
+
+        roles = [
+            {
+                "role_servrole": "AD trust agent",
+                "server_server": "replica.ipa.example",
+                "status": "absent",
+            },
+            {
+                "role_servrole": "AD trust agent",
+                "server_server": "server.ipa.example",
+                "status": "enabled",
+            },
+        ]
+
+        assert reg.has_role(roles) is True
+
+    def test_role_first(self):
+        self.results = Results()
+        reg = IPARegistry()
+
+        roles = [
+            {
+                "role_servrole": "AD trust agent",
+                "server_server": "server.ipa.example",
+                "status": "enabled",
+            },
+            {
+                "role_servrole": "AD trust agent",
+                "server_server": "replica.ipa.example",
+                "status": "absent",
+            },
+        ]
+
+        assert reg.has_role(roles) is True
+
+    def test_no_role(self):
+        self.results = Results()
+        reg = IPARegistry()
+
+        roles = [
+            {
+                "role_servrole": "AD trust agent",
+                "server_server": "server.ipa.example",
+                "status": "absent",
+            },
+            {
+                "role_servrole": "AD trust agent",
+                "server_server": "replica.ipa.example",
+                "status": "enabled",
+            },
+        ]
+
+        assert reg.has_role(roles) is False
+-- 
+2.49.0
+
--- a/SOURCES/ipahealthcheck.conf
+++ b/SOURCES/ipahealthcheck.conf
--- a/SPECS/ipa-healthcheck.spec
+++ b/SPECS/ipa-healthcheck.spec
@ -0,0 +1,271 @@
+%global project freeipa
+%global shortname healthcheck
+%global longname ipa%{shortname}
+%global debug_package %{nil}
+%global python3dir %{_builddir}/python3-%{name}-%{version}-%{release}
+%{!?python3_sitelib: %global python3_sitelib %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
+
+
+Name:           ipa-healthcheck
+Version:        0.12
+Release:        6%{?dist}
+Summary:        Health check tool for IdM
+BuildArch:      noarch
+License:        GPLv3
+URL:            https://github.com/%{project}/freeipa-healthcheck
+Source0:        https://github.com/%{project}/%{name}/archive/%{version}.tar.gz#/%{version}.tar.gz
+Source1:        %{longname}.conf
+
+Patch0001:      0001-Remove-ipaclustercheck.patch
+Patch0002:      0002-Disable-two-failing-tests.patch
+Patch0003:      0003-Fix-logging-issue-related-to-dtype.patch
+Patch0004:      0004-Skip-AD-domains-with-posix-ranges-in-the-catalog-che.patch
+Patch0005:      0005-Don-t-error-in-DogtagCertsConnectivityCheck-with-ext.patch
+Patch0006:      0006-Fixes-log-file-permissions-as-per-CIS-benchmark.patch
+Patch0007:      0007-Fix-some-file-mode-format-issues.patch
+Patch0008:      0008-Allow-WARNING-in-the-files-test.patch
+Patch0009:      0009-Address-issues-uncovered-by-pylint-2.15.5.patch
+Patch0010:      0010-Don-t-rely-on-order-in-trust-agent-controller-role-c.patch
+
+Requires:       %{name}-core = %{version}-%{release}
+Requires:       ipa-server
+Requires:       python3-ipalib
+Requires:       python3-ipaserver
+Requires:       python3-lib389
+Requires:       python3-libsss_nss_idmap
+# cronie-anacron provides anacron
+Requires:       anacron
+Requires:       logrotate
+Requires(post): systemd-units
+Requires:       %{name}-core = %{version}-%{release}
+BuildRequires:  python3-devel
+BuildRequires:  systemd-devel
+%{?systemd_requires}
+
+
+%description
+The FreeIPA health check tool provides a set of checks to
+proactively detect defects in a FreeIPA cluster.
+
+%package -n %{name}-core
+Summary: Core plugin system for healthcheck
+# No Requires on %%{name} = %%{version}-%%{release} since this can be
+# installed standalone
+Conflicts: %{name} < 0.4
+
+%description -n %{name}-core
+Core files
+
+
+%prep
+%autosetup -p1 -n %{project}-%{shortname}-%{version}
+
+
+%build
+%py3_build
+
+
+%install
+%py3_install
+
+mkdir -p %{buildroot}%{_sysconfdir}/%{longname}
+install -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/%{longname}
+
+mkdir -p %{buildroot}/%{_unitdir}
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/systemd/ipa-%{shortname}.service %{buildroot}%{_unitdir}
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/systemd/ipa-%{shortname}.timer %{buildroot}%{_unitdir}
+
+mkdir -p %{buildroot}/%{_libexecdir}/ipa
+install -p -m755 %{_builddir}/%{project}-%{shortname}-%{version}/systemd/ipa-%{shortname}.sh %{buildroot}%{_libexecdir}/ipa/
+
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/logrotate/%{longname} %{buildroot}%{_sysconfdir}/logrotate.d
+
+mkdir -p %{buildroot}/%{_localstatedir}/log/ipa/%{shortname}
+
+mkdir -p %{buildroot}/%{_mandir}/man8
+mkdir -p %{buildroot}/%{_mandir}/man5
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man8/ipa-%{shortname}.8  %{buildroot}%{_mandir}/man8/
+install -p -m644 %{_builddir}/%{project}-%{shortname}-%{version}/man/man5/%{longname}.conf.5  %{buildroot}%{_mandir}/man5/
+
+(cd %{buildroot}/%{python3_sitelib}/ipahealthcheck && find . -type f  | \
+    grep -v '^./core' | \
+    grep -v 'opt-1' | \
+    sed -e 's,\.py.*$,.*,g' | sort -u | \
+    sed -e 's,\./,%%{python3_sitelib}/ipahealthcheck/,g' ) >healthcheck.list
+
+%post
+%systemd_post ipa-%{shortname}.service
+
+
+%preun
+%systemd_preun ipa-%{shortname}.service
+
+
+%postun
+%systemd_postun_with_restart ipa-%{shortname}.service
+
+
+%files -f healthcheck.list
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README.md
+%{_bindir}/ipa-%{shortname}
+%dir %{_sysconfdir}/%{longname}
+%dir %{_localstatedir}/log/ipa/%{shortname}
+%config(noreplace) %{_sysconfdir}/%{longname}/%{longname}.conf
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{longname}
+%{python3_sitelib}/%{longname}-%{version}-*.egg-info/
+%{python3_sitelib}/%{longname}-%{version}-*-nspkg.pth
+%{_unitdir}/*
+%{_libexecdir}/*
+%{_mandir}/man8/*
+%{_mandir}/man5/*
+
+%files -n %{name}-core
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc README.md
+%{python3_sitelib}/%{longname}/core/
+
+
+%changelog
+* Mon Jun 23 2025 Rob Crittenden <rcritten@redhat.com> - 0.12-6
+- Don't rely on order in trust roles (RHEL-99487)
+
+* Thu Feb 27 2025 Rob Crittenden <rcritten@redhat.com> - 0.12-5
+- Pull in lint fixes. Prevents exception when testing for AD trust (RHEL-79081)
+- Add direct requires on python3-libsss_nss_idmap.
+
+* Fri Jun 21 2024 Rob Crittenden <rcritten@redhat.com> - 0.12-4
+- Change log file permissions of IPA as per CIS benchmark (RHEL-38929)
+
+* Mon Jul 24 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-3
+- Error in DogtagCertsConnectivityCheckCA with external CA (#2223942)
+
+* Wed May 03 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-2
+- Skip AD domains with posix ranges in the catalog check (#1775199)
+
+* Thu Dec 01 2022 Rob Crittenden <rcritten@redhat.com> - 0.12-1
+- Update to upstream 0.12 (#2139529)
+- Verify that the number of krb5kdc worker processes is aligned to the
+  number of configured CPUs (#2052930)
+- IPADNSSystemRecordsCheck displays warning message for 2 expected
+  ipa-ca AAAA records (#2099484)
+
+* Wed May 25 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-14
+- Add CLI options to healthcheck configuration file (#1872467)
+
+* Fri Apr 29 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-13
+- Allow multiple file modes in the FileChecker (#2058239)
+
+* Thu Mar 31 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-12
+- Use the subject base from the IPA configuration, not REALM (#2066308)
+
+* Fri Mar 18 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-11
+- Add support for the DNS URI type (#2037847)
+
+* Thu Feb 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-10
+- Don't depend on IPA status when suppressing pki checks (#2055316)
+
+* Mon Jan 17 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-9
+- Don't assume the entry_point order when determining if there is a
+  CA installed (#2041995)
+
+* Thu Jan 06 2022 Rob Crittenden <rcritten@redhat.com> - 0.7-8
+- Suppress the CRLManager check false positive when a CA is not
+  configured (#1983060)
+- Fix the backport of the pki.server.healthcheck suppression (#1983060)
+
+* Thu Oct 07 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-7
+- ipa-healthcheck command takes some extra time to complete when dirsrv
+  instance is stopped (#1776687)
+- ipa-healthcheck complains about pki.server.healthcheck errors even CA
+  is not configured on the replica (#1983060)
+
+* Mon Jun 14 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-6
+- Fix patch fuzz issues, apply add'l upstream for log files (#1780020)
+
+* Wed Jun  2 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-5
+- Return a user-friendly message when no issues are found (#1780062)
+- Report on FIPS status (#1781107)
+- Detect mismatches beteween certificates in LDAP and filesystem (#1886770)
+- Verify owner/perms for important log files (#1780020)
+
+* Tue Apr  6 2021 Rob Crittenden <rcritten@redhat.com> - 0.7-4
+- Add check to validate the KRA Agent is correct (#1894781)
+
+* Fri Dec  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-3
+- Translate result names when reading input from a json file (#1866558)
+
+* Tue Nov  3 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-2
+- Fix collection of AD trust domains (#1891505) 
+
+* Tue Nov  3 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-1
+- Update to upstream 0.7 (#1891850)
+- Include Directory Server healthchecks (#1824193)
+- Document that default output format is JSON (#1780328)
+- Fix return value on exit with --input-file (#1866558)
+- Fix examples in man page (#1809215)
+- Replace man page reference to output-format with output-type (#1780303)
+- Add dependencies on services to avoid false positives (#1780510)
+
+* Wed Aug 19 2020 Rob Crittenden <rcritten@redhat.com> - 0.4-6
+- The core subpackage can be installed standalone, drop the Requires
+  on the base package. (#1852244)
+- Add Conflicts < 0.4 to to core to allow downgrading with
+  --allowerasing (#1852244)
+
+* Tue Aug  4 2020 Rob Crittenden <rcritten@redhat.com> - 0.4-5
+- Remove the Obsoletes < 0.4 and add same-version Requires to each
+  subpackage so that upgrades from 0.3 will work (#1852244)
+
+* Thu Jan 16 2020 Rob Crittenden <rcritten@redhat.com> - 0.4-4
+- Allow plugins to read contents from config during initialization (#1784037)
+
+* Thu Dec  5 2019 Rob Crittenden <rcritten@redhat.com> - 0.4-3
+- Add Obsoletes to core subpackage (#1780121)
+
+* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.4-2
+- Abstract processing so core package is standalone (#1771710)
+
+* Mon Dec  2 2019 Rob Crittenden <rcritten@redhat.com> - 0.4-1
+- Rebase to upstream 0.4 (#1770346)
+- Create subpackage to split out core processing (#1771710)
+- Correct URL (#1773512)
+- Errors not translated to strings (#1752849)
+- JSON output not indented by default (#1729043)
+- Add dependencies to checks to avoid false-positives (#1727900)
+- Verify expected DNS records (#1695125)
+
+* Mon Aug 12 2019 Rob Crittenden <rcritten@redhat.com> - 0.3-4
+- Lookup AD user by SID and not by hardcoded username (#1739500)
+
+* Thu Aug  8 2019 Rob Crittenden <rcritten@redhat.com> - 0.3-3
+- The AD trust agent and controller are not being initialized (#1738314)
+
+* Mon Aug  5 2019 Rob Crittenden <rcritten@redhat.com> - 0.3-2
+- Change DNA plugin to return WARNING if no range is set (#1737492)
+
+* Mon Jul 29 2019 François Cami <fcami@redhat.com> - 0.3-1
+- Update to upstream 0.3 (#1701351)
+- Add logrotate configs + depend on anacron and logrotate (#1729207)
+
+* Thu Jul 11 2019 François Cami <fcami@redhat.com> - 0.2-4
+- Fix ipa-healthcheck.sh installation path (rhbz#1729188)
+- Create and own log directory (rhbz#1729188)
+
+* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-3
+- Add python3-lib389 to BRs
+
+* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-2
+- Fix changelog
+
+* Thu Apr 25 2019 Rob Crittenden <rcritten@redhat.com> - 0.2-1
+- Update to upstream 0.2
+
+* Thu Apr 4 2019 François Cami <fcami@redhat.com> - 0.1-2
+- Explicitly list dependencies
+
+* Tue Apr 2 2019 François Cami <fcami@redhat.com> - 0.1-1
+- Initial package import
--- a/freeipa-healthcheck.spec
+++ b/freeipa-healthcheck.spec
@ -1,355 +0,0 @@
-%if 0%{?rhel}
-%global prefix ipa
-%global productname IPA
-%global alt_prefix freeipa
-%else
-# Fedora
-%global prefix freeipa
-%global productname FreeIPA
-%global alt_prefix ipa
-%endif
-%global debug_package %{nil}
-%global python3dir %{_builddir}/python3-%{name}-%{version}-%{release}
-%{!?python3_sitelib: %global python3_sitelib %(%{__python3} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}
-%global alt_name %{alt_prefix}-healthcheck
-
-%bcond_without tests
-
-Name:           %{prefix}-healthcheck
-Version:        0.19
-Release:        1%{?dist}
-Summary:        Health check tool for %{productname}
-BuildArch:      noarch
-License:        GPLv3
-URL:            https://github.com/freeipa/freeipa-healthcheck
-Source0:        https://github.com/freeipa/freeipa-healthcheck/archive/%{version}.tar.gz
-Source1:        ipahealthcheck.conf
-
-Patch0001:      0001-Remove-ipaclustercheck.patch
-
-Requires:       %{name}-core = %{version}-%{release}
-Requires:       %{prefix}-server
-Requires:       python3-ipalib
-Requires:       python3-ipaserver
-Requires:       python3-lib389 >= 1.4.2.14-1
-# cronie-anacron provides anacron
-Requires:       anacron
-Requires:       logrotate
-Requires(post): systemd-units
-Requires:       %{name}-core = %{version}-%{release}
-BuildRequires:  python3-devel
-BuildRequires:  python3-setuptools
-BuildRequires:  systemd-devel
-%{?systemd_requires}
-# packages for make check
-%if %{with tests}
-BuildRequires:  python3-pytest
-BuildRequires:  python3-ipalib
-BuildRequires:  python3-ipaserver
-%endif
-BuildRequires:  python3-lib389
-BuildRequires:  python3-libsss_nss_idmap
-
-# Cross-provides for sibling OS
-Provides:       %{alt_name} = %{version}
-Conflicts:      %{alt_name}
-Obsoletes:      %{alt_name} < %{version}
-
-%description
-The %{productname} health check tool provides a set of checks to
-proactively detect defects in a FreeIPA cluster.
-
-
-%package -n %{name}-core
-Summary: Core plugin system for healthcheck
-
-# Cross-provides for sibling OS
-Provides:       %{alt_name}-core = %{version}
-Conflicts:      %{alt_name}-core
-Obsoletes:      %{alt_name}-core < %{version}
-
-
-%description -n %{name}-core
-Core plugin system for healthcheck, usable standalone with other
-packages.
-
-
-%prep
-%autosetup -p1  -n freeipa-healthcheck-%{version}
-
-
-%build
-%py3_build
-
-
-%install
-%py3_install
-
-mkdir -p %{buildroot}%{_sysconfdir}/ipahealthcheck
-install -m644 %{SOURCE1} %{buildroot}%{_sysconfdir}/ipahealthcheck
-
-mkdir -p %{buildroot}/%{_unitdir}
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.service %{buildroot}%{_unitdir}
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.timer %{buildroot}%{_unitdir}
-
-mkdir -p %{buildroot}/%{_libexecdir}/ipa
-install -p -m755 %{_builddir}/freeipa-healthcheck-%{version}/systemd/ipa-healthcheck.sh %{buildroot}%{_libexecdir}/ipa/
-
-mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/logrotate/ipahealthcheck %{buildroot}%{_sysconfdir}/logrotate.d
-
-mkdir -p %{buildroot}/%{_localstatedir}/log/ipa/healthcheck
-
-mkdir -p %{buildroot}/%{_mandir}/man8
-mkdir -p %{buildroot}/%{_mandir}/man5
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/man/man8/ipa-healthcheck.8  %{buildroot}%{_mandir}/man8/
-install -p -m644 %{_builddir}/freeipa-healthcheck-%{version}/man/man5/ipahealthcheck.conf.5  %{buildroot}%{_mandir}/man5/
-
-(cd %{buildroot}/%{python3_sitelib}/ipahealthcheck && find . -type f  | \
-    grep -v '^./core' | \
-    grep -v 'opt-1' | \
-    sed -e 's,\.py.*$,.*,g' | sort -u | \
-    sed -e 's,\./,%%{python3_sitelib}/ipahealthcheck/,g' ) >healthcheck.list
-
-
-%if %{with tests}
-%check
-PYTHONPATH=src PATH=$PATH:$RPM_BUILD_ROOT/usr/bin pytest-3 tests/test_*
-%endif
-
-
-%post
-%systemd_post ipa-healthcheck.service
-
-
-%preun
-%systemd_preun ipa-healthcheck.service
-
-
-%postun
-%systemd_postun_with_restart ipa-healthcheck.service
-
-
-%files -f healthcheck.list
-%{!?_licensedir:%global license %%doc}
-%license COPYING
-%doc README.md
-%{_bindir}/ipa-healthcheck
-%dir %{_sysconfdir}/ipahealthcheck
-%dir %{_localstatedir}/log/ipa/healthcheck
-%config(noreplace) %{_sysconfdir}/ipahealthcheck/ipahealthcheck.conf
-%config(noreplace) %{_sysconfdir}/logrotate.d/ipahealthcheck
-%{python3_sitelib}/ipahealthcheck-%{version}-*.egg-info/
-%{python3_sitelib}/ipahealthcheck-%{version}-*-nspkg.pth
-%{_unitdir}/*
-%{_libexecdir}/*
-%{_mandir}/man8/*
-%{_mandir}/man5/*
-
-
-%files -n %{name}-core
-%{!?_licensedir:%global license %%doc}
-%license COPYING
-%doc README.md
-%{python3_sitelib}/ipahealthcheck/core/
-
-
-%changelog
-* Tue Sep 23 2025 Rob Crittenden <rcritten@redhat.com> - 0.19-1
- Update to 0.19 release
-  - Add a message if not a trust agent/controller (RHEL-116896)
-  - Check that expected NSS token matches the current FIPS state (RHEL-116897)
-  - Add /etc/pki/tls/certs/ directory to file checker (RHEL-116898)
-  - Check that allowed_uids in the SSSD config is valid (RHEL-79092)
-
-* Mon Jun 30 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-9
- Don't rely on order in trust roles (RHEL-99531)
-
-* Thu Jun 26 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-8
- Incorrect patch merged
-
-* Tue May 27 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-7
- Warn in ipa-healthcheck if umask is not 022 (RHEL-67901)
-
-* Mon Mar 24 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-6
- Check for krbLastSuccessfulAuth being enabled (RHEL-4957)
-
-* Tue Feb 25 2025 Rob Crittenden <rcritten@redhat.com> - 0.16-5
- Check expiration dates of user-provided certificates (RHEL-80670)
-
-* Tue Jun 18 2024 Rob Crittenden <rcritten@redhat.com> - 0.16-4
- Change log file permissions of IPA as per CIS benchmark (RHEL-28575)
-
-* Fri Jan 12 2024 Rob Crittenden <rcritten@redhat.com> - 0.16-3
- Skip DogtagCertsConfigCheck for PKI versions 11.5.0 (RHEL-21367)
-
-* Tue Nov 14 2023 Rob Crittenden <rcritten@redhat.com> - 0.16-2
- Don't fail if a service name cannot be looked up in LDAP
- Disable the ipa-ods-exporter service check
-
-* Thu Nov  9 2023 Rob Crittenden <rcritten@redhat.com> - 0.16-1
- Update to upstream 0.16 (RHEL-12494)
-
-* Mon Jul 24 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-4
- Error in DogtagCertsConnectivityCheckCA with external CA (#2224595)
-
-* Thu Jul 06 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-3
- Catch exceptions during user/group name lookup in FileCheck (#2218912)
-
-* Tue Apr 25 2023 Rob Crittenden <rcritten@redhat.com> - 0.12-2
- Skip AD domains with posix ranges in the catalog check (#2188135)
-
-* Thu Dec 01 2022 Rob Crittenden <rcritten@redhat.com> - 0.12-1
- Update to upstream 0.12 (#2139531)
-
-* Wed Jul 06 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-9
- Add support for the DNS URI type (#2104495)
-
-* Wed May 18 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-8
- Validate that a known output type has been selected (#2079698)
-
-* Wed May 04 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-7
- debug='True' in ipahealthcheck.conf doesn't enable debug output (#2079861)
- Validate value formats in the ipahealthcheck.conf file (#2079739)
- Validate output_type options from ipahealthcheck.conf file (#2079698)
-
-* Thu Apr 28 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-6
- Allow multiple file modes in the FileChecker (#2072708)
-
-* Wed Apr 06 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-5
- Add CLI options to healthcheck configuration file (#2070981)
-
-* Wed Mar 30 2022 Rob Crittenden <rcritten@redhat.com> - 0.9-4
- Use the subject base from the IPA configuration, not REALM (#2067213) 
-
-* Tue Oct 12 2021 Rob Crittenden <rcritten@redhat.com> - 0.9-3
- IPATrustControllerServiceCheck doesn't handle HIDDEN_SERVICE (#1976878)
-
-* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.9-2
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
-  Related: rhbz#1991688
-
-* Thu Jun 17 2021 Rob Crittenden <rcritten@redhat.com> - 0.9-1
- Rebase to upstream 0.9 (#1969539)
-
-* Thu Apr 22 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-7.2
- rpminspect: specname match on suffix to allow for differing
-  spec/package naming (#1951733)
-
-* Mon Apr 19 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-7.1
- Switch from tox to pytest as the test runner. tox is being deprecated
-  in some distros. (#1942157)
-
-* Mon Apr 19 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-7
- Add check to validate the KRA Agent is correct (#1894781)
-
-* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.8-6.1
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
-
-* Fri Mar 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.8-5.1
- Re-enable package self-tests after bootstrap
-
-* Mon Mar  8 2021 François Cami <fcami@redhat.com> - 0.8-5
- Make the spec file distribution-agnostic (rhbz#1935773).
-
-* Tue Mar  2 2021 Alexander Scheel <ascheel@redhat.com> - 0.8-4
- Make the spec file more distribution-agnostic
- Use tox as the test runner when tests are enabled
-
-* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.8-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
-
-* Mon Jan 18 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-2
- A bad file group was reported as a python list, not a string
-
-* Wed Jan 13 2021 Rob Crittenden <rcritten@redhat.com> - 0.8-1
- Update to upstream 0.8
- Fix FTBFS in F34/rawhide (#1915256)
-
-* Wed Dec 16 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-3
- Include upstream patch to fix parsing input from json files
-
-* Tue Nov 17 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-2
- Include upstream patch to fix collection of AD trust domains
- Include upstream patch to fix failing not-valid-after test
-
-* Thu Oct 29 2020 Rob Crittenden <rcritten@redhat.com> - 0.7-1
- Update to upstream 0.7
-
-* Wed Jul 29 2020 Rob Crittenden <rcritten@redhat.com> - 0.6-4
- Set minimum Requires on python3-lib389
- Don't assume that all users of healthcheck-core provide the same
-  set of options.
-
-* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
-
-* Fri Jul 24 2020 Rob Crittenden <rcritten@redhat.com> - 0.6-2
- Don't collect IPA servers in MetaCheck
- Skip if dirsrv not available in IPAMetaCheck
-
-* Wed Jul  1 2020 Rob Crittenden <rcritten@redhat.com> - 0.6-1
- Update to upstream 0.6
- Don't include cluster checking yet
-
-* Tue Jun 23 2020 Rob Crittenden <rcritten@redhat.com> - 0.5-5
- Add BuildRequires on python3-setuptools
-
-* Tue May 26 2020 Miro Hrončok <mhroncok@redhat.com> - 0.5-4
- Rebuilt for Python 3.9
-
-* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.5-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-
-* Mon Jan 27 2020 Rob Crittenden <rcritten@redhat.com> - 0.5-2
- Rebuild
-
-* Thu Jan  2 2020 Rob Crittenden <rcritten@redhat.com> - 0.5-1
- Update to upstream 0.5
-
-* Mon Dec 2 2019 François Cami <fcami@redhat.com> - 0.4-2
- Create subpackage to split out core processing (#1771710)
-
-* Mon Dec 2 2019 François Cami <fcami@redhat.com> - 0.4-1
- Update to upstream 0.4
- Change Source0 to something "spectool -g" can use. 
- Correct URL (#1773512)
- Errors not translated to strings (#1752849)
- JSON output not indented by default (#1729043)
- Add dependencies to checks to avoid false-positives (#1727900)
- Verify expected DNS records (#1695125
-
-* Thu Oct 03 2019 Miro Hrončok <mhroncok@redhat.com> - 0.3-3
- Rebuilt for Python 3.8.0rc1 (#1748018)
-
-* Mon Aug 19 2019 Miro Hrončok <mhroncok@redhat.com> - 0.3-2
- Rebuilt for Python 3.8
-
-* Thu Jul 25 2019 François Cami <fcami@redhat.com> - 0.3-1
- Update to upstream 0.3
- Add logrotate configs + depend on anacron and logrotate
-
-* Thu Jul 25 2019 François Cami <fcami@redhat.com> - 0.2-6
- Fix permissions
-
-* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.2-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
-
-* Thu Jul 11 2019 François Cami <fcami@redhat.com> - 0.2-4
- Fix ipa-healthcheck.sh installation path (rhbz#1729188)
- Create and own log directory (rhbz#1729188)
-
-* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-3
- Add python3-lib389 to BRs
-
-* Tue Apr 30 2019 François Cami <fcami@redhat.com> - 0.2-2
- Fix changelog
-
-* Thu Apr 25 2019 Rob Crittenden <rcritten@redhat.com> - 0.2-1
- Update to upstream 0.2
-
-* Thu Apr 4 2019 François Cami <fcami@redhat.com> - 0.1-2
- Explicitly list dependencies
-
-* Tue Apr 2 2019 François Cami <fcami@redhat.com> - 0.1-1
- Initial package import
--- a/gating.yaml
+++ b/gating.yaml
@ -1,7 +0,0 @@
-# recipients: abokovoy, frenaud, kaleem, ftrivino
--- !Policy
-product_versions:
-  - rhel-9
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,3 +0,0 @@
---
-specname:
-    match: suffix
--- a/1
+++ b/1
@ -1 +0,0 @@
-SHA512 (0.19.tar.gz) = 7f40e9451c4207f4bbb02644ba8abd14eed3b818227f6ad5c5957487a4a401f294f2f8d57a663f06d84b6926864baec0494d88ae02542aa15eef08ff001da734
				`@ -0,0 +1 @@`
				`dc05dc0ca441dcb1a87e3b3bd7d440d79c17ac0a SOURCES/0.12.tar.gz`
				`@ -1 +0,0 @@`
				`SHA512 (0.19.tar.gz) = 7f40e9451c4207f4bbb02644ba8abd14eed3b818227f6ad5c5957487a4a401f294f2f8d57a663f06d84b6926864baec0494d88ae02542aa15eef08ff001da734`