Add check to prevent removal of last KRA

https://pagure.io/freeipa/issue/6538

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>

1 files changed, 13 insertions, 0 deletions

diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index 08caa1cf7..b1ee47228 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -494,6 +494,19 @@ class server_del(LDAPDelete):
                       "without a DNS."), ignore_last_of_role)
 
         if self.api.Command.ca_is_enabled()['result']:
+            try:
+                vault_config = self.api.Command.vaultconfig_show()['result']
+                kra_servers = vault_config.get('kra_server_server', [])
+            except errors.InvocationError:
+                # KRA is not configured
+                pass
+            else:
+                if kra_servers == [hostname]:
+                    handler(
+                        _("Deleting this server is not allowed as it would "
+                          "leave your installation without a KRA."),
+                        ignore_last_of_role)
+
             ca_servers = ipa_config.get('ca_server_server', [])
             ca_renewal_master = ipa_config.get(
                 'ca_renewal_master_server', [])