URL: https://github.com/freeipa/freeipa/pull/5919 Author: rcritten Title: #5919: [Backport][ipa-4-9] Use new method in check to prevent removal of last KRA Action: opened
PR body: """ This PR was opened automatically because PR #5908 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5919/head:pr5919 git checkout pr5919
From f1e482c04a0adc257cb12df72e477b1832213266 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 19 Jul 2021 17:51:44 -0400 Subject: [PATCH 1/2] Use new method in check to prevent removal of last KRA It previously used a vault connection to determine if any KRA servers were installed. This would fail if the last KRA was not available. Use server roles instead to determine if the last KRA server is to be removed. https://pagure.io/freeipa/issue/8397 Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipaserver/plugins/server.py | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b3dda846923..5fa7a58bdc8 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -508,17 +508,19 @@ def handler(msg, ignore_last_of_role):
 
 if self.api.Command.ca_is_enabled()['result']:
 try:
- vault_config = self.api.Command.vaultconfig_show()['result']
- kra_servers = vault_config.get('kra_server_server', [])
- except errors.InvocationError:
- # KRA is not configured
- pass
- else:
- if kra_servers == [hostname]:
- handler(
- _("Deleting this server is not allowed as it would "
- "leave your installation without a KRA."),
- ignore_last_of_role)
+ roles = self.api.Command.server_role_find(
+ server_server=hostname,
+ role_servrole='KRA server',
+ status='enabled',
+ include_master=True,
+ )['result']
+ except errors.NotFound:
+ roles = ()
+ if len(roles) == 1 and roles[0]['server_server'] == hostname:
+ handler(
+ _("Deleting this server is not allowed as it would "
+ "leave your installation without a KRA."),
+ ignore_last_of_role)
 
 ca_servers = ipa_config.get('ca_server_server', [])
 ca_renewal_master = ipa_config.get(
From 3c0b040fe0b8e28c7028a697d2a5c94298ced81f Mon Sep 17 00:00:00 2001
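Review bot: The new `server_role_find` call filters on `server_server=hostname`, so, as far as this hunk shows, its result can only ever contain roles held by the server being deleted; `len(roles) == 1` is then true for every server that has the KRA role enabled, not just the last one, and `server-del` would refuse to remove a non-last KRA. That is the opposite failure mode from the one the commit fixes, and it pushes operators toward `--ignore-last-of-role`/`--force`, which also bypasses the genuine last-KRA protection that keeps vault secrets recoverable. If `server_role_find` follows the usual search-filter semantics, dropping the `server_server=hostname,` line while keeping `roles[0]['server_server'] == hostname` yields the intended "exactly one enabled KRA and it is this host" test. The `status='enabled'` filter also makes the decision depend on the role status recorded in the directory rather than on reachability, which is the stated intent, but it is worth confirming that a stopped KRA still reports as `enabled`. The enclosing function starts and ends outside the hunk.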
From: Rob Crittenden <rcrit...@redhat.com> Date: Mon, 19 Jul 2021 21:54:22 -0400 Subject: [PATCH 2/2] ipatests: test removing last KRA when it is not running Use the new role-based mechanism, one that doesn't rely on direct communication to the server, to determine whether the server being removed by `ipa server-del` contains the last KRA server. https://pagure.io/freeipa/issue/8397 Signed-off-by: Rob Crittenden <rcrit...@redhat.com>
---
 ipatests/test_integration/test_server_del.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/ipatests/test_integration/test_server_del.py b/ipatests/test_integration/test_server_del.py
index 5e627d5db10..9d7f5ef7ae0 100644
--- a/ipatests/test_integration/test_server_del.py
+++ b/ipatests/test_integration/test_server_del.py
@@ -302,6 +302,23 @@ def test_removal_of_master_raises_error_about_last_ca(self):
 1
 )
 
+ def test_removal_of_server_raises_error_about_last_kra(self):
+ """
+ test that removal of server fails on the last KRA
+
+ We shut it down to verify that it can be removed if it failed.
+ """
+ tasks.install_kra(self.master)
+ self.master.run_command(['ipactl', 'stop'])
+ tasks.assert_error(
+ tasks.run_server_del(self.replicas[0], self.master.hostname),
+ "Deleting this server is not allowed as it would leave your "
+ "installation without a KRA.",
+ 1
+ )
+ # Restarting the server we stopped is not necessary as it will
+ # be removed in the next test.
+
 def test_forced_removal_of_master(self):
 """
 Tests that we can still force remove the master using
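Review bot: The docstring line `We shut it down to verify that it can be removed if it failed.` states the opposite of what the test asserts, which is that `server-del` is refused even though the master's services are stopped; suggested wording: `Stop the master first: the last-KRA check must still refuse the removal without contacting the now-unavailable KRA.` The test also exercises only the refusal path, and since the production change keys its decision on `server_role_find(server_server=hostname, ...)`, a companion case that installs a KRA on a second server and asserts that `server-del` of one of them succeeds would catch an over-broad refusal. The `ipactl stop` is deliberately left in effect, which the trailing comment acknowledges, but it makes this test order-dependent on `test_forced_removal_of_master` running next. The enclosing test class starts and ends outside the hunk.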