diff options
author | Martin Babinsky <mbabinsk@redhat.com> | 2016-06-22 15:08:43 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-06-22 17:26:56 +0200 |
commit | be3ad1ed7a34e90c7107380bb2939f737306ba77 (patch) | |
tree | a4d8150bbfd708a1c079777d0c847bb5face5ce5 /ipaserver/plugins | |
parent | 5ffd7ef7c40d7cfa55ae4aac363feb98666bba9e (diff) | |
download | freeipa-be3ad1ed7a34e90c7107380bb2939f737306ba77.tar.gz freeipa-be3ad1ed7a34e90c7107380bb2939f737306ba77.tar.xz freeipa-be3ad1ed7a34e90c7107380bb2939f737306ba77.zip |
server-del: harden check for last roles
The current implementation of check for last CA/DNS server and DNSSec key
master in `server-del` is quite fragile and wroks with quite a few assumptions
which may not be always true (CA and DNS is always configured etc.).
This patch hardens the check so that it does not break when the above
assuptions do not hold.
https://fedorahosted.org/freeipa/ticket/5960
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r-- | ipaserver/plugins/server.py | 62 |
1 files changed, 34 insertions, 28 deletions
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py index 42bcb393f..cc53a189b 100644 --- a/ipaserver/plugins/server.py +++ b/ipaserver/plugins/server.py @@ -469,7 +469,6 @@ class server_del(LDAPDelete): raise errors.ServerRemovalError(reason=_(msg)) ipa_config = self.api.Command.config_show()['result'] - dns_config = self.api.Command.dnsconfig_show()['result'] ipa_masters = ipa_config['ipa_master_server'] @@ -477,26 +476,43 @@ class server_del(LDAPDelete): if ipa_masters == [hostname]: return - ca_servers = ipa_config['ca_server_server'] - ca_renewal_master = ipa_config['ca_renewal_master_server'] - dns_servers = dns_config['dns_server_server'] - dnssec_keymaster = dns_config['dnssec_key_master_server'] + if self.api.Command.dns_is_enabled()['result']: + dns_config = self.api.Command.dnsconfig_show()['result'] - if ca_servers == [hostname]: - raise errors.ServerRemovalError( - reason=_("Deleting this server is not allowed as it would " - "leave your installation without a CA.")) + dns_servers = dns_config.get('dns_server_server', []) + dnssec_keymaster = dns_config.get('dnssec_key_master_server', []) - if dnssec_keymaster == hostname: - handler( - _("Replica is active DNSSEC key master. Uninstall " - "could break your DNS system. Please disable or " - "replace DNSSEC key master first."), ignore_last_of_role) + if dnssec_keymaster == hostname: + handler( + _("Replica is active DNSSEC key master. Uninstall " + "could break your DNS system. Please disable or " + "replace DNSSEC key master first."), ignore_last_of_role) - if dns_servers == [hostname]: - handler( - _("Deleting this server will leave your installation " - "without a DNS."), ignore_last_of_role) + if dns_servers == [hostname]: + handler( + _("Deleting this server will leave your installation " + "without a DNS."), ignore_last_of_role) + + if self.api.Command.ca_is_enabled()['result']: + ca_servers = ipa_config.get('ca_server_server', []) + ca_renewal_master = ipa_config.get( + 'ca_renewal_master_server', []) + + if ca_servers == [hostname]: + raise errors.ServerRemovalError( + reason=_("Deleting this server is not allowed as it would " + "leave your installation without a CA.")) + + if ca_renewal_master == hostname: + other_cas = [ca for ca in ca_servers if ca != hostname] + + # if this is the last CA there is no other server to become + # renewal master + if not other_cas: + return + + self.api.Command.config_mod( + ca_renewal_master_server=other_cas[0]) if ignore_last_of_role: self.add_message( @@ -504,16 +520,6 @@ class server_del(LDAPDelete): message=_("Ignoring these warnings and proceeding with " "removal"))) - if ca_renewal_master == hostname: - other_cas = [ca for ca in ca_servers if ca != hostname] - - # if this is the last CA there is no other server to become renewal - # master - if not other_cas: - return - - self.api.Command.config_mod(ca_renewal_master_server=other_cas[0]) - def _check_topology_connectivity(self, topology_connectivity, master_cn): try: topology_connectivity.check_current_state() |