diff --git a/src/ipahealthcheck/meta/core.py b/src/ipahealthcheck/meta/core.py index 7e6c6ba..b1f6c33 100644 --- a/src/ipahealthcheck/meta/core.py +++ b/src/ipahealthcheck/meta/core.py @@ -5,6 +5,7 @@ import logging import os import socket +from pathlib import Path from ipahealthcheck.core import constants from ipahealthcheck.core.exceptions import TimeoutError from ipahealthcheck.core.plugin import Result, duration @@ -13,9 +14,6 @@ from ipapython.version import VERSION, API_VERSION from ipaplatform.paths import paths -if 'FIPS_MODE_SETUP' not in dir(paths): - paths.FIPS_MODE_SETUP = '/usr/bin/fips-mode-setup' - logger = logging.getLogger() 
@@ -25,31 +23,27 @@ class MetaCheck(Plugin): def check(self): rval = constants.SUCCESS - if not os.path.exists(paths.FIPS_MODE_SETUP): - fips = "missing {}".format(paths.FIPS_MODE_SETUP) - logger.debug('%s is not installed, skipping', - paths.FIPS_MODE_SETUP) + if not os.path.exists(paths.PROC_FIPS_ENABLED): + fips = "missing {}".format(paths.PROC_FIPS_ENABLED) + logger.warning("Can't find %s, skipping" % + paths.PROC_FIPS_ENABLED) + rval = constants.WARNING else: try: - result = ipautil.run([paths.FIPS_MODE_SETUP, - '--is-enabled'], - capture_output=True, - raiseonerr=False,) - except TimeoutError: - logger.debug('fips-mode-setup timed out') - fips = "check timed out" - rval = constants.ERROR + proc_fips_enable_path = Path(paths.PROC_FIPS_ENABLED) + result_text = proc_fips_enable_path.read_text() + result = int(result_text) except Exception as e: - logger.debug('fips-mode-setup failed: %s', e) + logger.debug('Reading %s failed: %s' % + (paths.PROC_FIPS_ENABLED, e)) fips = "failed to check" rval = constants.ERROR else: - logger.debug(result.raw_output.decode('utf-8')) - if result.returncode == 0: + logger.debug("%s returns %i" % + (paths.PROC_FIPS_ENABLED, result)) + if result == 1: fips = "enabled" - elif result.returncode == 1: - fips = "inconsistent" - elif result.returncode == 2: + elif result == 0: fips = "disabled" else: fips = "unknown" diff --git a/tests/test_meta.py b/tests/test_meta.py index dadb7c7..027507f 100644 --- a/tests/test_meta.py +++ b/tests/test_meta.py @@ -10,12 +10,8 @@ from ipahealthcheck.core import config, constants from ipahealthcheck.meta.plugin import registry from ipahealthcheck.meta.core import MetaCheck -from ipapython import ipautil from ipaplatform.paths import paths -if 'FIPS_MODE_SETUP' not in dir(paths): - paths.FIPS_MODE_SETUP = '/usr/bin/fips-mode-setup' - def gen_result(returncode, output='', error=''): """ 
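Review bot: The new `if result == 1: fips = "enabled"` branch derives the FIPS state from the kernel flag in `paths.PROC_FIPS_ENABLED` alone, so the state the removed `returncode == 1` branch reported as "inconsistent" can no longer be surfaced. Whether that mismatch is checked elsewhere cannot be told from this hunk; if the narrower meaning is intended, record it next to the read, e.g. `# kernel flag only; does not detect the "inconsistent" state fips-mode-setup reported`. Separately, the `except Exception` path sets `constants.ERROR` but logs the cause at debug level with eager `%` formatting; `logger.error('Reading %s failed: %s', paths.PROC_FIPS_ENABLED, e)` would keep the reason visible at default log levels. The body of `check()` continues past the end of the hunk.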
@@ -36,7 +32,7 @@ def gen_result(returncode, output='', error=''): class TestMetaFIPS(BaseTest): @patch('os.path.exists') - def test_fips_no_fips_mode_setup(self, mock_exists): + def test_fips_no_fips_available(self, mock_exists): mock_exists.return_value = False framework = object() @@ -48,18 +44,19 @@ def test_fips_no_fips_mode_setup(self, mock_exists): assert len(self.results) == 1 result = self.results.results[0] - assert result.result == constants.SUCCESS + assert result.result == constants.WARNING assert result.source == 'ipahealthcheck.meta.core' assert result.check == 'MetaCheck' - assert result.kw.get('fips') == 'missing %s' % paths.FIPS_MODE_SETUP + assert result.kw.get('fips') == 'missing %s' % paths.PROC_FIPS_ENABLED @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_fips_disabled(self, mock_run, mock_exists): + def test_fips_disabled(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.return_value = '0' mock_run.side_effect = [ - gen_result(2), gen_result(0, output='ACME is disabled'), ] @@ -78,12 +75,13 @@ def test_fips_disabled(self, mock_run, mock_exists): assert result.kw.get('fips') == 'disabled' @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_fips_enabled(self, mock_run, mock_exists): + def test_fips_enabled(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.return_value = '1' mock_run.side_effect = [ - gen_result(0), gen_result(0, output='ACME is disabled'), ] 
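Review bot: The parameter `mock_result` added to `test_fips_disabled` receives the `pathlib.Path.read_text` patch, so the name reads as if it held a check result. `mock_read_text` would say what is being faked, e.g. `def test_fips_disabled(self, mock_run, mock_read_text, mock_exists):`. The same name recurs in the later hunks for `test_fips_enabled`, `test_fips_unknown`, `test_fips_non_numeric`, `test_fips_failed` and the `test_acme_*` tests. The patch is also class-wide, so any other `Path.read_text` call made during `check()` would get the same canned string, although none is visible in this diff. The test bodies continue outside these hunks.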
@@ -102,12 +100,13 @@ def test_fips_enabled(self, mock_run, mock_exists): assert result.kw.get('fips') == 'enabled' @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_fips_inconsistent(self, mock_run, mock_exists): + def test_fips_unknown(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.return_value = '2' mock_run.side_effect = [ - gen_result(1), gen_result(0, output='ACME is disabled'), ] @@ -123,15 +122,16 @@ def test_fips_inconsistent(self, mock_run, mock_exists): assert result.result == constants.SUCCESS assert result.source == 'ipahealthcheck.meta.core' assert result.check == 'MetaCheck' - assert result.kw.get('fips') == 'inconsistent' + assert result.kw.get('fips') == 'unknown' @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_fips_unknown(self, mock_run, mock_exists): + def test_fips_non_numeric(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.return_value = 'test' mock_run.side_effect = [ - gen_result(103), gen_result(0, output='ACME is disabled'), ] 
@@ -144,20 +144,22 @@ def test_fips_unknown(self, mock_run, mock_exists): assert len(self.results) == 1 result = self.results.results[0] - assert result.result == constants.SUCCESS + assert result.result == constants.ERROR assert result.source == 'ipahealthcheck.meta.core' assert result.check == 'MetaCheck' - assert result.kw.get('fips') == 'unknown' + assert result.kw.get('fips') == 'failed to check' @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_fips_failed(self, mock_run, mock_exists): + def test_fips_failed(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.side_effect = [ + gen_result(constants.ERROR, output="failed to check"), + ] + mock_run.side_effect = [ - ipautil.CalledProcessError( - 1, 'fips-mode-setup', output='execution failed' - ), gen_result(0, output='ACME is disabled'), ] @@ -190,19 +192,20 @@ def test_acme_no_ipa_acme_status(self, mock_exists): assert len(self.results) == 1 result = self.results.results[0] - assert result.result == constants.SUCCESS + assert result.result == constants.WARNING assert result.source == 'ipahealthcheck.meta.core' assert result.check == 'MetaCheck' assert result.kw.get('acme') == \ 'missing %s' % '/usr/sbin/ipa-acme-manage' @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_acme_disabled(self, mock_run, mock_exists): + def test_acme_disabled(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.return_value = '1' mock_run.side_effect = [ - gen_result(0), gen_result(0, output='ACME is disabled'), ] 
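Review bot: `test_fips_failed` does not simulate a failed read. A list assigned to `mock_result.side_effect` makes `read_text` return the `gen_result(...)` object instead of raising, so the `except` branch is reached only if `int()` happens to reject that object. Raising the error the production code would actually see pins the intended path: `mock_result.side_effect = OSError('read failed')`. The assertions of this test lie outside the hunk.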
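Review bot: The `constants.WARNING` now asserted in `test_acme_no_ipa_acme_status` appears to come from the FIPS branch rather than from the ACME check the test is named for. With `os.path.exists` patched to return False, `paths.PROC_FIPS_ENABLED` is reported missing as well. The test body is outside the hunk, so this is inferred from the visible assertion and the change in `core.py`. A comment above the assertion would keep the reason traceable: `# WARNING comes from the FIPS check: os.path.exists is patched to False for every path`.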
@@ -221,12 +224,13 @@ def test_acme_disabled(self, mock_run, mock_exists): assert result.kw.get('acme') == 'disabled' @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_acme_enabled(self, mock_run, mock_exists): + def test_acme_enabled(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.return_value = '1' mock_run.side_effect = [ - gen_result(0), gen_result(0, output='ACME is enabled'), ] @@ -245,12 +249,13 @@ def test_acme_enabled(self, mock_run, mock_exists): assert result.kw.get('acme') == 'enabled' @patch('os.path.exists') + @patch('pathlib.Path.read_text') @patch('ipapython.ipautil.run') - def test_acme_unknown(self, mock_run, mock_exists): + def test_acme_unknown(self, mock_run, mock_result, mock_exists): mock_exists.return_value = True + mock_result.return_value = '1' mock_run.side_effect = [ - gen_result(0), gen_result( 0, error="cannot connect to 'https://somewhere/acme/login"