URL: https://github.com/freeipa/freeipa/pull/437
Author: tomaskrizek
 Title: #437: FIPS: replica install check
Action: synchronized

From bef382c8b3039c39aafdad7203932d92e7670162 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/3] Add fips_mode variable to env

A fips_mode variable indicating whether the machine is running in
FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..4002164 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,7 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+from ipaplatform.tasks import tasks
 
 if six.PY3:
     unicode = str
@@ -497,6 +498,10 @@ def _bootstrap(self, **overrides):
         if 'plugins_on_demand' not in self:
             self.plugins_on_demand = (self.context == 'cli')
 
+        # Set fips_mode:
+        if 'fips_mode' not in self:
+            self.fips_mode = tasks.is_fips_enabled()
+
     def _finalize_core(self, **defaults):
         """
         Complete initialization of standard IPA environment.
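Review bot: The value is computed only when `fips_mode` is not already present, so an entry in the config file or an env override replaces the real system state; since the remote master's `api.env.fips_mode` is what the replica compatibility check later in this series reads over RPC, an overridden value would let a mixed FIPS/non-FIPS topology through unnoticed. If the override is intentional (e.g. for tests) say so in a comment, otherwise set it unconditionally: `self.fips_mode = tasks.is_fips_enabled()`. The comment `# Set fips_mode:` only restates the code; `# Whether this host runs in FIPS mode; replica installation refuses to join a topology whose master differs.` would tell a reader why the value is published. `_bootstrap` starts before this hunk.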

From cd8a3982dadc32fe65fc8b2e4d98c3c574a84f33 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 17:17:49 +0100
Subject: [PATCH 2/3] check_remote_version: update exception and string

Refactor function to use ScriptError exception and proper
string formatting.
---
 ipaserver/install/server/replicainstall.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..f9951b0 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -518,12 +518,15 @@ def check_remote_version(api):
     finally:
         client.disconnect()
 
+    # Check version compatibility
     remote_version = parse_version(env['version'])
     api_version = parse_version(api.env.version)
     if remote_version > api_version:
-        raise RuntimeError(
-            "Cannot install replica of a server of higher version ({}) than"
-            "the local version ({})".format(remote_version, api_version))
+        raise ScriptError(
+            "Cannot install replica of a server of higher version "
+            "(%(remote_version)s) than the local version (%(api_version)s)"
+            % dict(remote_version=remote_version, api_version=api_version))
+
 
 
 def common_check(no_ntp):
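Review bot: The added empty line at the end of the hunk leaves three blank lines before `def common_check`, one more than the two-blank-line convention the file otherwise follows (PEP 8 E303); drop the trailing `+` line. Also confirm `ScriptError` is imported in this module, since the import block is outside the hunk. The new message additionally restores the space before `the local version` that the old string lacked, which is worth a mention in the commit message.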

From 8b07c3bbedf1b873fd96604ea462965b08457f26 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 17:31:56 +0100
Subject: [PATCH 3/3] FIPS: perform replica installation check

Check status of remote server's FIPS mode and proceed with
installation only if it matches the current replica's FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/replicainstall.py | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f9951b0..620c37c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -508,13 +508,20 @@ def promote_openldap_conf(hostname, master):
         root_logger.info("Failed to update {}: {}".format(ldap_conf, e))
 
 
-def check_remote_version(api):
+def check_remote_compatibility(api):
+    """
+    Perform a check to verify remote server's version and fips-mode
+
+    :param api: remote api
+
+    :raises: ``ScriptError`` if the checks fails
+    """
     client = rpc.jsonclient(api)
     client.finalize()
 
     client.connect()
     try:
-        env = client.forward(u'env', u'version')['result']
+        env = client.forward(u'env', u'version', u'fips_mode')['result']
     finally:
         client.disconnect()
 
@@ -527,6 +534,18 @@ def check_remote_version(api):
             "(%(remote_version)s) than the local version (%(api_version)s)"
             % dict(remote_version=remote_version, api_version=api_version))
 
+    # Check FIPS mode compatibility
+    remote_fips_mode = env['fips_mode']
+    fips_mode = tasks.is_fips_enabled()
+    if fips_mode != remote_fips_mode:
+        if fips_mode:
+            raise ScriptError(
+                "Cannot join FIPS-enabled replica into existing topology: "
+                "FIPS is not enabled on the master server.")
+        else:
+            raise ScriptError(
+                "Cannot join replica into existing FIPS-enabled topology: "
+                "FIPS has to be enabled locally first.")
 
 
 def common_check(no_ntp):
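Review bot: `env['fips_mode']` raises `KeyError` when the master does not publish `fips_mode`, and the preceding version check explicitly allows an older master (it only has to be no newer than the local version); whether the remote `env` command omits an unknown name or errors out I cannot tell from here, but either way the failure would not surface as the intended `ScriptError`. Handle the absence explicitly, e.g. `remote_fips_mode = env.get('fips_mode')` followed by a `ScriptError` (or at least a logged warning) saying the master's FIPS state could not be determined, rather than crashing or silently assuming a value. Also make sure `tasks` is imported in `replicainstall.py`; the import block is outside the hunk. Note that the remote value is whatever the master's `api.env` reports, which this series lets configuration override, so the check is only as trustworthy as that setting.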
@@ -1080,7 +1099,7 @@ def promote_check(installer):
     remote_api.finalize()
     installer._remote_api = remote_api
 
-    check_remote_version(remote_api)
+    check_remote_compatibility(remote_api)
 
     conn = remote_api.Backend.ldap2
     replman = None
-- 