authorTomas Krizek <tkrizek@redhat.com>2017-02-07 12:00:09 +0100
committerMartin Basti <mbasti@redhat.com>2017-02-21 17:09:00 +0100
commitcf25ea7e300cdada57bd964acb4393cc11ad333e (patch)
tree502c8262d1ebd081a66b06d2931fe4890ad22cd7
parent397ca71e897b42a23ed4ef294fca367c1542a2aa (diff)
FIPS: perform replica installation check
Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-rw-r--r--ipaserver/install/server/replicainstall.py22
1 files changed, 22 insertions, 0 deletions
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index d9db50bbe..c18125842 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -529,6 +529,27 @@ def rpc_client(api):
client.disconnect()
+def check_remote_fips_mode(client, local_fips_mode):
+ """
+ Verify remote server's fips-mode is the same as this server's fips-mode
+
+ :param client: RPC client
+ :param local_fips_mode: boolean indicating whether FIPS mode is turned on
+ :raises: ScriptError: if the checks fails
+ """
+ env = client.forward(u'env', u'fips_mode')['result']
+ remote_fips_mode = env.get('fips_mode', False)
+ if local_fips_mode != remote_fips_mode:
+ if local_fips_mode:
+ raise ScriptError(
+ "Cannot join FIPS-enabled replica into existing topology: "
+ "FIPS is not enabled on the master server.")
+ else:
+ raise ScriptError(
+ "Cannot join replica into existing FIPS-enabled topology: "
+ "FIPS has to be enabled locally first.")
+
+
def check_remote_version(client, local_version):
"""
Verify remote server's version is not higher than this server's version
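Review bot: `env.get('fips_mode', False)` in check_remote_fips_mode silently treats a server that does not report `fips_mode` as having FIPS off, and nothing in the function or its docstring says this is intended. Since the result gates whether a replica joins the topology, the default deserves a comment above that line, for example `# servers that do not expose fips_mode are assumed to run without FIPS`. The `!=` comparison also assumes the RPC result carries a real boolean; this cannot be confirmed from the hunk, and any other representation would raise a mismatch even when both sides agree. The first error message names "the master server" while the function only knows the remote behind `client`, so "the remote server" would match the docstring. The check compares the remote's self-reported setting and does not verify it independently, which could be stated in the docstring.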
@@ -1095,6 +1116,7 @@ def promote_check(installer):
with rpc_client(remote_api) as client:
check_remote_version(client, api.env.version)
+ check_remote_fips_mode(client, api.env.fips_mode)
conn = remote_api.Backend.ldap2
replman = None