authorRob Crittenden <rcritten@redhat.com>2012-03-19 10:16:49 -0400
committerMartin Kosek <mkosek@redhat.com>2012-03-19 16:09:09 +0100
commit35521ad6bb92057d5faefa2059d7d800bebb1af0 (patch)
treea9a0473fbb2eefada28c6a0adba5004afff82dae
parent95df14634663f5ef57875b8ce1e54ca14c111a75 (diff)
Don't allow hosts and services of IPA masters to be disabled.
https://fedorahosted.org/freeipa/ticket/2487
-rw-r--r--ipalib/plugins/baseldap.py2
-rw-r--r--ipalib/plugins/host.py2
-rw-r--r--ipalib/plugins/service.py22
-rw-r--r--tests/test_xmlrpc/test_host_plugin.py10
-rw-r--r--tests/test_xmlrpc/test_service_plugin.py14
5 files changed, 42 insertions, 8 deletions
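--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@@ -396,7 +396,7 @@ def host_is_master(ldap, fqdn):
 master_dn = str(DN('cn=%s' % fqdn, 'cn=masters,cn=ipa,cn=etc', api.env.basedn))
 try:
 (dn, entry_attrs) = ldap.get_entry(master_dn, ['objectclass'])
-raise errors.ValidationError(name='hostname', error=_('An IPA master host cannot be deleted'))
+raise errors.ValidationError(name='hostname', error=_('An IPA master host cannot be deleted or disabled'))
 except errors.NotFound:
 # Good, not a master
 return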
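--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -850,6 +850,8 @@ class host_disable(LDAPQuery):
 else:
 fqdn = keys[-1]
+host_is_master(ldap, fqdn)
+
 # See if we actually do anthing here, and if not raise an exception
 done_work = False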
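--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -200,6 +200,18 @@ def set_certificate_attrs(entry_attrs):
 entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
 entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])
+def check_required_principal(ldap, hostname, service):
+"""
+Raise an error if the host of this prinicipal is an IPA master and one
+of the principals required for proper execution.
+"""
+try:
+host_is_master(ldap, hostname)
+except errors.ValidationError, e:
+service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']
+if service in service_types:
+raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
+
 class service(LDAPObject):
 """
 Service object.
@@ -296,12 +308,7 @@ class service_del(LDAPDelete):
 # deleted. This is a limited few though. If the user has their own
 # custom services allow them to manage them.
 (service, hostname, realm) = split_principal(keys[-1])
-try:
-host_is_master(ldap, hostname)
-except errors.ValidationError, e:
-service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']
-if service in service_types:
-raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
+check_required_principal(ldap, hostname, service)
 if self.api.env.enable_ra:
 (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
 cert = entry_attrs.get('usercertificate')
@@ -465,6 +472,9 @@ class service_disable(LDAPQuery):
 dn = self.obj.get_dn(*keys, **options)
 (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
+(service, hostname, realm) = split_principal(keys[-1])
+check_required_principal(ldap, hostname, service)
+
 # See if we do any work at all here and if not raise an exception
 done_work = False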
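Review bot: The list `service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']` in the new check_required_principal is missing a comma between `'DNS'` and `'dogtagldap'`, so Python joins the two adjacent literals into one entry `'DNSdogtagldap'` and neither the DNS nor the dogtagldap principal of a master is protected by service-del or the new service-disable check. The line is carried over verbatim from the block removed in service_del, so the commit relocates the defect instead of fixing it; the fix is `service_types = ['HTTP', 'ldap', 'DNS', 'dogtagldap']`. While there, the docstring misspells principal as `prinicipal`, and `e` in `except errors.ValidationError, e:` is never used and can be dropped. A test case for `'DNS/%s' % api.env.host` next to the HTTP and ldap cases added in test_service_plugin.py would have exposed this.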
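--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@@ -673,9 +673,17 @@ class test_host(Declarative):
 dict(
 desc='Delete the current host (master?) %s should be caught' % api.env.host,
 command=('host_del', [api.env.host], {}),
-expected=errors.ValidationError(name='fqdn', error='An IPA master host cannot be deleted'),
+expected=errors.ValidationError(name='fqdn', error='An IPA master host cannot be deleted or disabled'),
 ),
+
+dict(
+desc='Disable the current host (master?) %s should be caught' % api.env.host,
+command=('host_disable', [api.env.host], {}),
+expected=errors.ValidationError(name='fqdn', error='An IPA master host cannot be deleted or disabled'),
+),
+
+
 dict(
 desc='Test that validation is enabled on adds',
 command=('host_add', [invalidfqdn1], {}),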
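Review bot: The expected error in both the updated host_del case and the new host_disable case is built with `name='fqdn'`, while host_is_master in the baseldap.py hunk raises it with `name='hostname'`, so the test and the code disagree on the `name` attribute. If the Declarative harness compares more than the exception class these cases cannot pass; if it compares only the class, the mismatch is simply invisible and the user sees an error about `hostname` for a command whose argument is `fqdn`. Either change the two expectations to `name='hostname'` or have host_is_master raise with `name='fqdn'`, and note in the commit message which comparison the harness performs.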
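--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@@ -487,4 +487,18 @@ class test_service(Declarative):
 ),
+dict(
+desc='Disable the current host (master?) %s HTTP service, should be caught' % api.env.host,
+command=('service_disable', ['HTTP/%s' % api.env.host], {}),
+expected=errors.ValidationError(name='principal', error='This principal is required by the IPA master'),
+),
+
+
+dict(
+desc='Disable the current host (master?) %s ldap service, should be caught' % api.env.host,
+command=('service_disable', ['ldap/%s' % api.env.host], {}),
+expected=errors.ValidationError(name='principal', error='This principal is required by the IPA master'),
+),
+
+
 ]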