freeipa · rcritten · Oct 17, 2022 · Jul 1, 2022 · Jul 5, 2022
diff --git a/src/ipahealthcheck/core/core.py b/src/ipahealthcheck/core/core.py
@@ -7,8 +7,9 @@
 import logging
 import pkg_resources
 import signal
-import warnings
+import sys
 import traceback
+import warnings
 
 from datetime import datetime
 
@@ -244,8 +245,7 @@ def parse_options(parser):
 
     # Validation
     if options.check and not options.source:
-        print("--source is required when --check is used")
-        return 1
+        raise ValueError("--source is required when --check is used")
 
     return options
 
@@ -328,7 +328,10 @@ def run_healthcheck(self):
                             self.default_output)
         add_output_options(self.parser, self.output_registry)
         self.add_options()
-        options = parse_options(self.parser)
+        try:
+            options = parse_options(self.parser)
+        except ValueError as e:
+            sys.exit(str(e))
 
         if options.version:
             for registry in self.entry_points:

diff --git a/src/ipahealthcheck/ipa/idns.py b/src/ipahealthcheck/ipa/idns.py
@@ -171,72 +171,72 @@ def check(self):
                                  key=realm,
                                  msg='expected realm missing')
 
-        if a_rec:
-            # Look up the ipa-ca records
-            qname = "ipa-ca." + api.env.domain + "."
-            logger.debug("Search DNS for A record of %s", qname)
+        # Verify that all of the ipa-ca record IPs match those of
+        # servers with a CA role. Report any missing or unexpected.
+        qname = "ipa-ca." + api.env.domain + "."
+        ipa_ca_records = []
+        for dtype in (rdatatype.A, rdatatype.AAAA):
+            logger.debug("Search DNS for %s records of %s", dtype.name, qname)
             try:
-                answers = resolve(qname, rdatatype.A)
+                answers = resolve(qname, dtype)
             except DNSException as e:
                 logger.debug("DNS record not found: %s", e.__class__.__name__)
                 answers = []
-
-            for answer in answers:
-                logger.debug("DNS record found: %s", answer)
-                ipaddr = answer.to_text()
-                try:
-                    yield Result(self, constants.SUCCESS,
-                                 key=ipaddr)
-                except ValueError:
-                    yield Result(self, constants.WARNING,
-                                 key=ipaddr,
-                                 msg='expected ipa-ca IPv4 address missing')
-
-            ca_count = 0
-            for server in system_records.servers_data:
-                master = system_records.servers_data.get(server)
-                if 'CA server' in master.get('roles'):
-                    ca_count += 1
-
-            if len(answers) != ca_count:
-                yield Result(
-                    self, constants.WARNING,
-                    key='ca_count_a_rec',
-                    msg='Got {count} ipa-ca A records, expected {expected}',
-                    count=len(answers),
-                    expected=ca_count)
-
-        if aaaa_rec:
-            # Look up the ipa-ca records
-            qname = "ipa-ca." + api.env.domain + "."
-            logger.debug("Search DNS for AAAA record of %s", qname)
-            try:
-                answers = resolve(qname, rdatatype.AAAA)
-            except DNSException as e:
-                logger.debug("DNS record not found: %s", e.__class__.__name__)
-                answers = []
-
             for answer in answers:
-                logger.debug("DNS record found: %s", answer)
-                ipaddr = answer.to_text()
-                try:
-                    yield Result(self, constants.SUCCESS,
-                                 key=ipaddr)
-                except ValueError:
-                    yield Result(self, constants.WARNING,
-                                 key=ipaddr,
-                                 msg='expected ipa-ca IPv6 address missing')
-
-            ca_count = 0
-            for server in system_records.servers_data:
-                master = system_records.servers_data.get(server)
-                if 'CA server' in master.get('roles'):
-                    ca_count += 1
-
-            if len(answers) != ca_count:
-                yield Result(
-                    self, constants.WARNING,
-                    key='ca_count_aaaa_rec',
-                    msg='Got {count} ipa-ca AAAA records, expected {expected}',
-                    count=len(answers),
-                    expected=ca_count)
+                ipa_ca_records.append(answer.to_text())
+
+        # Get the set of servers with the 'CA server' role
+        ca_servers = {}
+        for server in system_records.servers_data:
+            host = system_records.servers_data.get(server)
+            if 'CA server' in host.get('roles'):
+                for dtype in (rdatatype.A, rdatatype.AAAA):
+                    try:
+                        a = resolve(server + '.', dtype)
+                    except DNSException:
+                        pass
+                    else:
+                        for answer in a:
+                            if server in ca_servers:
+                                ca_servers[server].append(answer.to_text())
+                            else:
+                                ca_servers[server] = [answer.to_text()]
+
+        all_ca_ipaddr = []
+        for server, ipaddrs in ca_servers.items():
+            for ipaddr in ipaddrs:
+                all_ca_ipaddr.append(ipaddr)
+
+        # Loop through the ipa-ca records to determine if any are not
+        # in the collection of all the reported CA server IPs.
+        errors = 0
+        for ipaddr in ipa_ca_records:
+            if ipaddr not in all_ca_ipaddr:
+                errors += 1
+                yield Result(self, constants.WARNING,
+                             key='ipa_ca_non_server_%s' % ipaddr,
+                             ipaddr=ipaddr,
+                             msg='Unexpected ipa-ca address {ipaddr}')
+
+        # Remove any IP addresses we found for ipa-ca from the set of
+        # IP addresses for all the IPA servers. Any remaining ones
+        # are not in the ipa-ca A/AAAA record. We're only looking at
+        # the DNS advertised servers so hidden ones should not be
+        # here.
+        for server, ipaddrs in ca_servers.items():
+            for ipaddr in ipa_ca_records:
+                if ipaddr in ipaddrs:
+                    ipaddrs.remove(ipaddr)
+
+        for server, ipaddrs in ca_servers.items():
+            if ipaddrs:
+                errors += 1
+                yield Result(self, constants.WARNING,
+                             key='ipa_ca_missing_%s' % server,
+                             server=server,
+                             ipaddr=', '.join(ipaddrs),
+                             msg='expected ipa-ca to contain {ipaddr} for '
+                                 '{server}')
+
+        if errors == 0:
+            yield Result(self, constants.SUCCESS, key='ipa_ca_check')