authorMartin Babinsky <mbabinsk@redhat.com>2016-06-22 15:08:43 +0200
committerMartin Basti <mbasti@redhat.com>2016-06-22 17:26:56 +0200
commitbe3ad1ed7a34e90c7107380bb2939f737306ba77 (patch)
treea4d8150bbfd708a1c079777d0c847bb5face5ce5 /ipaserver/plugins
parent5ffd7ef7c40d7cfa55ae4aac363feb98666bba9e (diff)
server-del: harden check for last roles
The current implementation of the check for the last CA/DNS server and DNSSEC key master in `server-del` is quite fragile and works with quite a few assumptions which may not always be true (e.g. that CA and DNS are always configured). This patch hardens the check so that it does not break when the above assumptions do not hold. https://fedorahosted.org/freeipa/ticket/5960 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/plugins')
-rw-r--r--ipaserver/plugins/server.py62
1 files changed, 34 insertions, 28 deletions
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index 42bcb393f..cc53a189b 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -469,7 +469,6 @@ class server_del(LDAPDelete):
raise errors.ServerRemovalError(reason=_(msg))
ipa_config = self.api.Command.config_show()['result']
- dns_config = self.api.Command.dnsconfig_show()['result']
ipa_masters = ipa_config['ipa_master_server']
@@ -477,26 +476,43 @@ class server_del(LDAPDelete):
if ipa_masters == [hostname]:
return
- ca_servers = ipa_config['ca_server_server']
- ca_renewal_master = ipa_config['ca_renewal_master_server']
- dns_servers = dns_config['dns_server_server']
- dnssec_keymaster = dns_config['dnssec_key_master_server']
+ if self.api.Command.dns_is_enabled()['result']:
+ dns_config = self.api.Command.dnsconfig_show()['result']
- if ca_servers == [hostname]:
- raise errors.ServerRemovalError(
- reason=_("Deleting this server is not allowed as it would "
- "leave your installation without a CA."))
+ dns_servers = dns_config.get('dns_server_server', [])
+ dnssec_keymaster = dns_config.get('dnssec_key_master_server', [])
- if dnssec_keymaster == hostname:
- handler(
- _("Replica is active DNSSEC key master. Uninstall "
- "could break your DNS system. Please disable or "
- "replace DNSSEC key master first."), ignore_last_of_role)
+ if dnssec_keymaster == hostname:
+ handler(
+ _("Replica is active DNSSEC key master. Uninstall "
+ "could break your DNS system. Please disable or "
+ "replace DNSSEC key master first."), ignore_last_of_role)
- if dns_servers == [hostname]:
- handler(
- _("Deleting this server will leave your installation "
- "without a DNS."), ignore_last_of_role)
+ if dns_servers == [hostname]:
+ handler(
+ _("Deleting this server will leave your installation "
+ "without a DNS."), ignore_last_of_role)
+
+ if self.api.Command.ca_is_enabled()['result']:
+ ca_servers = ipa_config.get('ca_server_server', [])
+ ca_renewal_master = ipa_config.get(
+ 'ca_renewal_master_server', [])
+
+ if ca_servers == [hostname]:
+ raise errors.ServerRemovalError(
+ reason=_("Deleting this server is not allowed as it would "
+ "leave your installation without a CA."))
+
+ if ca_renewal_master == hostname:
+ other_cas = [ca for ca in ca_servers if ca != hostname]
+
+ # if this is the last CA there is no other server to become
+ # renewal master
+ if not other_cas:
+ return
+
+ self.api.Command.config_mod(
+ ca_renewal_master_server=other_cas[0])
if ignore_last_of_role:
self.add_message(
@@ -504,16 +520,6 @@ class server_del(LDAPDelete):
message=_("Ignoring these warnings and proceeding with "
"removal")))
- if ca_renewal_master == hostname:
- other_cas = [ca for ca in ca_servers if ca != hostname]
-
- # if this is the last CA there is no other server to become renewal
- # master
- if not other_cas:
- return
-
- self.api.Command.config_mod(ca_renewal_master_server=other_cas[0])
-
def _check_topology_connectivity(self, topology_connectivity, master_cn):
try:
topology_connectivity.check_current_state()
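Review bot: The early `return` in the relocated renewal-master block (`if not other_cas: return`, second hunk) now runs before the `if ignore_last_of_role: self.add_message(...)` block, so on that path the "Ignoring these warnings and proceeding with removal" message is silently skipped even when DNS warnings were just overridden; in the old order the message was always added before the renewal-master handling. Since the only thing the `return` guards is the `config_mod` call, replace it with a plain conditional: `if other_cas: self.api.Command.config_mod(ca_renewal_master_server=other_cas[0])`, which keeps the message path intact. Separately, `dnssec_key_master_server` and `ca_renewal_master_server` are defaulted to `[]` but compared against the string `hostname`, so a missing attribute can never match; the comparisons appear to assume scalar values, and a default of `None` would make that intent explicit — please confirm the value shape returned by config_show/dnsconfig_show. The enclosing method's `def` line lies outside both hunks.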