URL: https://github.com/freeipa/freeipa/pull/5928 Author: antoniotorresm Title: #5928: [Backport][ipa-4-9] ipa-kra-install: exit if ca_host is overriden Action: opened
PR body: """ This PR was opened automatically because PR #5613 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5928/head:pr5928 git checkout pr5928
From 3eaf087056acec38bcfdfb8699d38c71a3450c8b Mon Sep 17 00:00:00 2001 From: Antonio Torres <antor...@redhat.com> Date: Fri, 5 Mar 2021 13:48:50 +0100 Subject: [PATCH 1/2] ipa-kra-install: exit if ca_host is overriden ipa-kra-install should exit if ca_host line is present in /etc/ipa/default.conf, as it may lead to a misconfigured setup. Fixes: https://pagure.io/freeipa/issue/8245 Signed-off-by: Antonio Torres <antor...@redhat.com> --- ipaserver/install/kra.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py index ffed5df1402..857c5165b80 100644 --- a/ipaserver/install/kra.py +++ b/ipaserver/install/kra.py @@ -53,6 +53,11 @@ def install_check(api, replica_config, options): "KRA is not installed on the master system. Please use " "'ipa-kra-install' command to install the first instance.") + if api.env.ca_host is not None and api.env.ca_host != api.env.host: + raise RuntimeError( + "KRA can not be installed when 'ca_host' is overriden in " + "IPA configuration file.") + def install(api, replica_config, options, custodia): if replica_config is None: From 2e6d9e5326d61104984042cdd5a55ce6692ca922 Mon Sep 17 00:00:00 2001 From: Antonio Torres <antor...@redhat.com> Date: Fri, 5 Mar 2021 13:50:36 +0100 Subject: [PATCH 2/2] ipatests: test if KRA install fails when ca_host is overriden KRA install on a replica should fail if ca_host is overriden in /etc/ipa/default.conf. Related: https://pagure.io/freeipa/issue/8245 Signed-off-by: Antonio Torres <antor...@redhat.com> --- .../test_integration/test_installation.py | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index 27f15dbe542..e76fd0efecf 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py 
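Review bot: The guard added to install_check in ipaserver/install/kra.py has no comment, and its error text says only "IPA configuration file" without naming the file to edit. The rationale is recorded only in the commit message, so I would add `# A ca_host override may lead to a misconfigured KRA: https://pagure.io/freeipa/issue/8245` above the `if`. I would also name `/etc/ipa/default.conf` in the message, which means updating the string matched by the test in patch 2/2. The check `api.env.ca_host != api.env.host` is an exact string comparison, so a `ca_host` that spells this same host with different letter case would presumably be rejected too; that fails safe but is worth confirming. The body of install_check starts outside the hunk.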
@@ -1543,6 +1543,38 @@ def test_KRA_install_after_cert_renew(self): self.master.run_command(['systemctl', 'start', 'chronyd']) +class TestKRAinstallOnReplicaWithCAHost(IntegrationTest): + """ Test that KRA install on replica with ca_host overriden fails + + KRA install on a replica should fail + if the ca_host line in /etc/ipa/default.conf is present + + Related: https://pagure.io/freeipa/issue/8245 + """ + + num_replicas = 1 + + def test_kra_install_on_replica_with_ca_host_overriden(self): + tasks.install_master(self.master) + tasks.install_replica(self.master, self.replicas[0]) + + content = self.replicas[0].get_file_contents(paths.IPA_DEFAULT_CONF, + encoding='utf-8') + ca_host_line = "ca_host = %s" % self.master.hostname + new_content = content + '\n' + ca_host_line + self.replicas[0].put_file_contents(paths.IPA_DEFAULT_CONF, + new_content) + + self.master.run_command(['firewall-cmd', '--add-port=8443/tcp']) + + result = tasks.install_kra(self.replicas[0], raiseonerr=False) + + err_str = "KRA can not be installed when 'ca_host' is overriden in IPA" + "configuration file." + assert result.returncode == 1 + assert err_str in result.stderr_text + + class TestMaskInstall(IntegrationTest): """ Test master and replica installation with wrong mask
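Review bot: In test_kra_install_on_replica_with_ca_host_overriden the `err_str` assignment appears to end at `...overriden in IPA"`, which leaves `"configuration file."` on the next line as a bare expression statement that never becomes part of the string. I am inferring that line layout from the 32-insertion count, since the page has collapsed the line breaks. If it is right, `assert err_str in result.stderr_text` checks only the prefix of the message. Joining the two literals as written would also drop the space between "IPA" and "configuration". Wrapping the value in parentheses with the space restored fixes both: `err_str = ("KRA can not be installed when 'ca_host' is overriden in IPA "` followed by `"configuration file.")`.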