URL: https://github.com/freeipa/freeipa/pull/640
Author: stlaz
Title: #640: Master replica dl0
Action: opened

PR body:
"""
This patchset removes the ability of setting pkinit options on domain level 0 
for server/replica installs. Also fixes a usability issue with `--no-pkinit` I 
noticed and did not care to create a ticket for.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/640/head:pr640
git checkout pr640
From 1869c6ee53550fb6b8dbf8618ae0f47eba7c6b20 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/2] Fix the order of cert-files check

Without this patch, if either of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
         cert_file_opt = (self.pkinit_cert_files,)
         if not self.no_pkinit:
             cert_file_req += cert_file_opt
-        if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-            raise RuntimeError(
-                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-                "or --no-pkinit are required if any key file options are used."
-            )
         if self.no_pkinit and self.pkinit_cert_files:
             raise RuntimeError(
                 "--no-pkinit and --pkinit-cert-file cannot be specified "
                 "together"
             )
+        if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+            raise RuntimeError(
+                "--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+                "or --no-pkinit are required if any key file options are used."
+            )
 
         if not self.interactive:
             if self.dirsrv_cert_files and self.dirsrv_pin is None:
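Review bot: The corrected behaviour now depends only on the order of the two `raise RuntimeError` blocks in `__init__`, and nothing in the hunk records why the `--no-pkinit` / `--pkinit-cert-file` conflict check has to run before the "all are required" check. The diffstat shows a single file changed, so no test covers the case from the commit message (`--no-pkinit` given together with a pkinit cert file and the other cert options missing). A one-line comment above `if self.no_pkinit and self.pkinit_cert_files:` saying it must precede the completeness check, plus a test asserting which message is raised, would keep a later cleanup from swapping them back. Minor wording point while these lines are being touched: the moved message says "if any key file options are used" although the options it lists are the `--*-cert-file` ones.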

From 8662e66f83bf55dcd772325f371edc7509eeb19b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka <slazn...@redhat.com>
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/2] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..aac2236 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -335,6 +335,14 @@ def dirsrv_config_file(self, value):
     def __init__(self, **kwargs):
         super(ServerInstallInterface, self).__init__(**kwargs)
 
+        if self.domain_level == constants.DOMAIN_LEVEL_0:
+            if (self.no_pkinit or self.pkinit_cert_files is not None or
+                    self.pkinit_pin is not None):
+                raise RuntimeError(
+                    "pkinit on domain level 0 is not supported. Please don't "
+                    "use any pkinit-related options.")
+            self.no_pkinit = True
+
         # If any of the key file options are selected, all are required.
         cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
         cert_file_opt = (self.pkinit_cert_files,)
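Review bot: In the new DL0 branch, the condition `self.no_pkinit or self.pkinit_cert_files is not None or self.pkinit_pin is not None` rejects `--no-pkinit` even though the very next statement sets `self.no_pkinit = True`, so a user who explicitly asks for the configuration the installer ends up with gets a RuntimeError. If that is intended, the message should name the rejected options rather than say "any pkinit-related options", because the user has no way to tell from it that `--no-pkinit` is one of them. Two smaller points: the hunk references `constants.DOMAIN_LEVEL_0` but adds no import (all 8 insertions are in this block), so please confirm `constants` is already imported in this module; and this block tests `pkinit_cert_files is not None` while the existing check a few lines below (`if self.no_pkinit and self.pkinit_cert_files:`) tests truthiness, so an empty value would be treated differently by the two checks. Picking one form for both would avoid that.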