ipa/0024-hbactest-was-not-collecting-or-returning-messages.patch

From 9e950f89bedeb83267369d60b4a83c77f89e71d6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 27 Nov 2023 16:11:08 -0500
Subject: [PATCH] hbactest was not collecting or returning messages

hbactest does a number of internal searches, one of which
can exceed the configured sizelimit: hbacrule-find

Collect any messages returned from thsi call and display them
to the user on the cli.

Fixes: https://pagure.io/freeipa/issue/9486

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
 ipaclient/plugins/hbactest.py |  2 ++
 ipaserver/plugins/hbactest.py | 14 +++++++++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py
index 1b54530b236cf654bc8ece7ab4e329850f5a6815..e0f93b9c265a176cb872fcf2728dbb3a66a264d9 100644
--- a/ipaclient/plugins/hbactest.py
+++ b/ipaclient/plugins/hbactest.py
@@ -38,6 +38,8 @@ class hbactest(CommandOverride):
         # Note that we don't actually use --detail below to see if details need
         # to be printed as our execute() method will return None for corresponding
         # entries and None entries will be skipped.
+        self.log_messages(output)
+
         for o in self.output:
             if o == 'value':
                 continue
diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py
index 887a35b7e67b257a2e54d51990af953ff8fbb316..568c13174ba617f2742b8f42c11b36dbde549cc2 100644
--- a/ipaserver/plugins/hbactest.py
+++ b/ipaserver/plugins/hbactest.py
@@ -24,6 +24,8 @@ from ipalib import Command, Str, Flag, Int
 from ipalib import _
 from ipapython.dn import DN
 from ipalib.plugable import Registry
+from ipalib.messages import VersionMissing
+
 if api.env.in_server:
     try:
         import ipaserver.dcerpc
@@ -323,6 +325,9 @@ class hbactest(Command):
         # 2. Required options are (user, target host, service)
         # 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output
         rules = []
+        result = {
+            'warning':None, 'matched':None, 'notmatched':None, 'error':None
+        }
 
         # Use all enabled IPA rules by default
         all_enabled = True
@@ -351,8 +356,12 @@ class hbactest(Command):
 
         hbacset = []
         if len(testrules) == 0:
-            hbacset = self.api.Command.hbacrule_find(
-                sizelimit=sizelimit, no_members=False)['result']
+            hbacrules = self.api.Command.hbacrule_find(
+                sizelimit=sizelimit, no_members=False)
+            hbacset = hbacrules['result']
+            for message in hbacrules['messages']:
+                if message['code'] != VersionMissing.errno:
+                    result.setdefault('messages', []).append(message)
         else:
             for rule in testrules:
                 try:
@@ -469,7 +478,6 @@ class hbactest(Command):
         error_rules = []
         warning_rules = []
 
-        result = {'warning':None, 'matched':None, 'notmatched':None, 'error':None}
         if not options['nodetail']:
             # Validate runs rules one-by-one and reports failed ones
             for ipa_rule in rules:
-- 
2.43.0
ipa-4.11.0-5 - Resolves: RHEL-12589 ipa: Invalid CSRF protection - Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit - Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca' - Resolves: RHEL-21804 ipa client 4.10.2 - Failed to obtain host TGT - Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix - Resolves: RHEL-21810 ipa-client-install --automount-location does not work - Resolves: RHEL-21811 Handle change in behavior of pki-server ca-config-show in pki 11.5.0 - Resolves: RHEL-21812 Backport latest test fixes in ipa - Resolves: RHEL-21813 krb5kdc fails to start when pkinit and otp auth type is enabled in ipa - Resolves: RHEL-21815 IPA 389ds plugins need to have better logging and tracing - Resolves: RHEL-21937 Make sure a default NetBIOS name is set if not passed in by ADTrust instance constructor Signed-off-by: Florence Blanc-Renaud <flo@redhat.com> 2024-01-18 15:57:59 +00:00			`From 9e950f89bedeb83267369d60b4a83c77f89e71d6 Mon Sep 17 00:00:00 2001`
			`From: Rob Crittenden <rcritten@redhat.com>`
			`Date: Mon, 27 Nov 2023 16:11:08 -0500`
			`Subject: [PATCH] hbactest was not collecting or returning messages`

			`hbactest does a number of internal searches, one of which`
			`can exceed the configured sizelimit: hbacrule-find`

			`Collect any messages returned from thsi call and display them`
			`to the user on the cli.`

			`Fixes: https://pagure.io/freeipa/issue/9486`

			`Signed-off-by: Rob Crittenden <rcritten@redhat.com>`
			`Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>`
			`---`
			`ipaclient/plugins/hbactest.py \| 2 ++`
			`ipaserver/plugins/hbactest.py \| 14 +++++++++++---`
			`2 files changed, 13 insertions(+), 3 deletions(-)`

			`diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py`
			`index 1b54530b236cf654bc8ece7ab4e329850f5a6815..e0f93b9c265a176cb872fcf2728dbb3a66a264d9 100644`
			`--- a/ipaclient/plugins/hbactest.py`
			`+++ b/ipaclient/plugins/hbactest.py`
			`@@ -38,6 +38,8 @@ class hbactest(CommandOverride):`
			`# Note that we don't actually use --detail below to see if details need`
			`# to be printed as our execute() method will return None for corresponding`
			`# entries and None entries will be skipped.`
			`+ self.log_messages(output)`
			`+`
			`for o in self.output:`
			`if o == 'value':`
			`continue`
			`diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py`
			`index 887a35b7e67b257a2e54d51990af953ff8fbb316..568c13174ba617f2742b8f42c11b36dbde549cc2 100644`
			`--- a/ipaserver/plugins/hbactest.py`
			`+++ b/ipaserver/plugins/hbactest.py`
			`@@ -24,6 +24,8 @@ from ipalib import Command, Str, Flag, Int`
			`from ipalib import _`
			`from ipapython.dn import DN`
			`from ipalib.plugable import Registry`
			`+from ipalib.messages import VersionMissing`
			`+`
			`if api.env.in_server:`
			`try:`
			`import ipaserver.dcerpc`
			`@@ -323,6 +325,9 @@ class hbactest(Command):`
			`# 2. Required options are (user, target host, service)`
			`# 3. Options: rules to test (--rules, --enabled, --disabled), request for detail output`
			`rules = []`
			`+ result = {`
			`+ 'warning':None, 'matched':None, 'notmatched':None, 'error':None`
			`+ }`

			`# Use all enabled IPA rules by default`
			`all_enabled = True`
			`@@ -351,8 +356,12 @@ class hbactest(Command):`

			`hbacset = []`
			`if len(testrules) == 0:`
			`- hbacset = self.api.Command.hbacrule_find(`
			`- sizelimit=sizelimit, no_members=False)['result']`
			`+ hbacrules = self.api.Command.hbacrule_find(`
			`+ sizelimit=sizelimit, no_members=False)`
			`+ hbacset = hbacrules['result']`
			`+ for message in hbacrules['messages']:`
			`+ if message['code'] != VersionMissing.errno:`
			`+ result.setdefault('messages', []).append(message)`
			`else:`
			`for rule in testrules:`
			`try:`
			`@@ -469,7 +478,6 @@ class hbactest(Command):`
			`error_rules = []`
			`warning_rules = []`

			`- result = {'warning':None, 'matched':None, 'notmatched':None, 'error':None}`
			`if not options['nodetail']:`
			`# Validate runs rules one-by-one and reports failed ones`
			`for ipa_rule in rules:`
			`--`
			`2.43.0`