authorRob Crittenden <rcritten@redhat.com>2010-07-22 14:16:22 -0400
committerRob Crittenden <rcritten@redhat.com>2010-08-06 15:31:57 -0400
commitd885339f1cbf208b06c1eb26c49c60d11d62f1c3 (patch)
tree73411396f22a74ed0381fe33c71abf47c3f3adb6 /ipalib
parent830910d1f30de22c037f43d7bcba33bd877a5581 (diff)
Require that hosts be resolvable in DNS. Use --force to ignore warnings.
This also requires a resolvable hostname on services as well. I want people to think long and hard about adding things that aren't resolvable. The cert plugin can automatically create services on the user's behalf when issuing a cert. It will always set the force flag to True. We use a lot of made-up host names in the test system, all of which require the force flag now. ticket #25
Diffstat (limited to 'ipalib')
-rw-r--r--ipalib/errors.py16
-rw-r--r--ipalib/plugins/cert.py2
-rw-r--r--ipalib/plugins/host.py8
-rw-r--r--ipalib/plugins/service.py20
-rw-r--r--ipalib/util.py16
5 files changed, 46 insertions, 16 deletions
diff --git a/ipalib/errors.py b/ipalib/errors.py
index d1d39a378..c35d424a7 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1054,6 +1054,22 @@ class DefaultGroupError(ExecutionError):
errno = 4018
format = _('The default users group cannot be removed')
+class DNSNotARecordError(ExecutionError):
+ """
+ **4019** Raised when a hostname is not a DNS A record
+
+ For example:
+
+ >>> raise DNSNotARecordError()
+ Traceback (most recent call last):
+ ...
+ DNSNotARecordError: Host does not have corresponding DNS A record
+
+ """
+
+ errno = 4019
+ format = _('Host does not have corresponding DNS A record')
+
class BuiltinError(ExecutionError):
"""
**4100** Base class for builtin execution errors (*4100 - 4199*).
diff --git a/ipalib/plugins/cert.py b/ipalib/plugins/cert.py
index ed1d65ad2..8920cfe4f 100644
--- a/ipalib/plugins/cert.py
+++ b/ipalib/plugins/cert.py
@@ -269,7 +269,7 @@ class cert_request(VirtualCommand):
if not add:
raise errors.NotFound(reason="The service principal for this request doesn't exist.")
try:
- service = api.Command['service_add'](principal, **{})['result']
+ service = api.Command['service_add'](principal, **{'force': True})['result']
dn = service['dn']
except errors.ACIError:
raise errors.ACIError(info='You need to be a member of the serviceadmin role to add services')
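Review bot: The `force=True` passed on the new line silently bypasses the DNS A-record check this commit introduces in service_add, and nothing in the hunk records that this is deliberate, so a later reader of cert_request cannot tell it apart from an oversight. A one-line comment above the call, `# force=True: the cert plugin creates the service on the user's behalf and skips the DNS check by design`, would keep the rationale from the commit message next to the code. The option can also be passed directly, `service = api.Command['service_add'](principal, force=True)['result']`, rather than through `**{'force': True}`. cert_request's body starts and continues outside the hunk.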
diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
index b42cbbcb7..78d4d5a02 100644
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@@ -84,7 +84,6 @@ def validate_host(ugettext, fqdn):
return _('Fully-qualified hostname required')
return None
-
class host(LDAPObject):
"""
Host object.
@@ -196,8 +195,15 @@ class host_add(LDAPCreate):
"""
msg_summary = _('Added host "%(value)s"')
+ takes_options = (
+ Flag('force',
+ doc=_('force host name even if not in DNS'),
+ ),
+ )
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ if not options.get('force', False):
+ util.validate_host_dns(self.log, keys[-1])
if 'locality' in entry_attrs:
entry_attrs['l'] = entry_attrs['locality']
del entry_attrs['locality']
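Review bot: `pre_callback` now calls `util.validate_host_dns`, but this diff adds no import of `util` to host.py, whereas the service.py hunk had to add one; unless host.py already imports `util` further up (outside this hunk), the first host-add without --force will fail with NameError instead of the intended DNS error. The `Flag` defaults to False, so `options.get('force', False)` can be `options.get('force')`; more usefully, the flag's doc should name what is checked, e.g. `doc=_('force host name even if it has no DNS A record')`, so users know what --force waives. pre_callback's body continues past the end of the hunk.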
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index 392ae60eb..ac949b788 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -60,7 +60,7 @@ EXAMPLES:
"""
import base64
-from ipalib import api, errors
+from ipalib import api, errors, util
from ipalib import Str, Flag, Bytes
from ipalib.plugins.baseldap import *
from ipalib import x509
@@ -183,19 +183,11 @@ class service_add(LDAPCreate):
entry_attrs['usercertificate'] = base64.b64decode(cert)
# FIXME: shouldn't we request signing at this point?
- # TODO: once DNS client is done (code below for reference only!)
- # if not kw['force']:
- # fqdn = hostname + '.'
- # rs = dnsclient.query(fqdn, dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
- # if len(rs) == 0:
- # self.log.debug(
- # 'IPA: DNS A record lookup failed for '%s'" % hostname
- # )
- # raise ipaerror.gen_exception(ipaerror.INPUT_NOT_DNS_A_RECORD)
- # else:
- # self.log.debug(
- # 'IPA: found %d records for '%s'" % (len(rs), hostname)
- # )
+ if not options.get('force', False):
+ # We know the host exists if we've gotten this far but we
+ # really want to discourage creating services for hosts that
+ # don't exist in DNS.
+ util.validate_host_dns(self.log, hostname)
return dn
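Review bot: The new check reads `options.get('force', False)`, but unlike host_add this diff adds no `Flag('force', ...)` to service_add's takes_options; if that option is not already declared above the hunk, the framework will not accept the `force=True` that cert.py now passes and the check could never be waived. The rationale comment on the new lines is useful; it should also say that `util.validate_host_dns` raises `errors.DNSNotARecordError` when no A record is found, so callers know which exception to expect from service-add. The enclosing method begins before the hunk and `hostname` is bound there.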
diff --git a/ipalib/util.py b/ipalib/util.py
index 76be9a6d7..570d66e00 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -28,6 +28,7 @@ import time
import krbV
import socket
from ipalib import errors
+from ipapython import dnsclient
def get_current_principal():
@@ -113,3 +114,18 @@ def realm_to_suffix(realm_name):
s = realm_name.split(".")
terms = ["dc=" + x.lower() for x in s]
return ",".join(terms)
+
+def validate_host_dns(log, fqdn):
+ """
+ See if the hostname has a DNS A record.
+ """
+ rs = dnsclient.query(fqdn + '.', dnsclient.DNS_C_IN, dnsclient.DNS_T_A)
+ if len(rs) == 0:
+ log.debug(
+ 'IPA: DNS A record lookup failed for %s' % fqdn
+ )
+ raise errors.DNSNotARecordError()
+ else:
+ log.debug(
+ 'IPA: found %d records for %s' % (len(rs), fqdn)
+ )