URL: https://github.com/freeipa/freeipa/pull/437 Author: tomaskrizek Title: #437: FIPS: replica install check Action: opened
PR body: """ PR depends on the rest of the FIPS patches. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/437/head:pr437 git checkout pr437
From 0bd1d63ec30eff4583ff314edb6dfa38acf28f63 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 13:08:11 +0100
Subject: [PATCH 1/2] Add fips_mode variabl to env

Variable fips_mode indicating whether machine is running in FIPS-enabled mode was added to env.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipalib/config.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..4002164 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -44,6 +44,7 @@
 from ipalib.constants import CONFIG_SECTION
 from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
 from ipalib import errors
+from ipaplatform.tasks import tasks

 if six.PY3:
     unicode = str
@@ -497,6 +498,10 @@ def _bootstrap(self, **overrides):
         if 'plugins_on_demand' not in self:
             self.plugins_on_demand = (self.context == 'cli')

+        # Set fips_mode:
+        if 'fips_mode' not in self:
+            self.fips_mode = tasks.is_fips_enabled()
+
     def _finalize_core(self, **defaults):
         """
         Complete initialization of standard IPA environment.

From b1eeace0fba4f36e20a4e2976cf3a4024aa57917 Mon Sep 17 00:00:00 2001
From: Tomas Krizek <tkri...@redhat.com>
Date: Mon, 6 Feb 2017 16:15:49 +0100
Subject: [PATCH 2/2] FIPS: perform replica installation check

Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695
---
 ipaserver/install/server/replicainstall.py | 30 +++++++++++++++++++++++-------
 1 file changed, 23 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 18222c8..67f9e34 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
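Review bot: The `fips_mode` assignment in `_bootstrap` is guarded by `if 'fips_mode' not in self`, so like any other env variable it can be supplied from the config file or overrides instead of coming from `tasks.is_fips_enabled()`, and the second patch then treats the value a master reports through the `env` command as that host's FIPS state. That makes it a self-reported compatibility hint rather than an enforced property, and a short comment at the assignment should say so, e.g. `# Local FIPS state per ipaplatform; overridable like any env variable and exported to replicas via the env command.` The module-level `from ipaplatform.tasks import tasks` also adds a platform dependency to ipalib/config.py, which, if ipalib is shared with the client side, deserves a sentence in the commit message. `_bootstrap` starts outside the hunk.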
@@ -28,7 +28,7 @@
 from ipaplatform import services
 from ipaplatform.tasks import tasks
 from ipaplatform.paths import paths
-from ipalib import api, constants, create_api, errors, rpc, x509
+from ipalib import _, api, constants, create_api, errors, rpc, x509
 from ipalib.config import Env
 from ipalib.util import (
     network_ip_address_warning,
@@ -508,22 +508,38 @@ def promote_openldap_conf(hostname, master):
         root_logger.info("Failed to update {}: {}".format(ldap_conf, e))


-def check_remote_version(api):
+def check_remote_compatibility(api):
+    """Perform a check to verify remote server's version and fips-mode."""
     client = rpc.jsonclient(api)
     client.finalize()
     client.connect()
     try:
-        env = client.forward(u'env', u'version')['result']
+        env = client.forward(u'env', u'version', u'fips_mode')['result']
     finally:
         client.disconnect()

+    # Check version compatibility
     remote_version = parse_version(env['version'])
     api_version = parse_version(api.env.version)
     if remote_version > api_version:
-        raise RuntimeError(
-            "Cannot install replica of a server of higher version ({}) than"
-            "the local version ({})".format(remote_version, api_version))
+        raise ScriptError(
+            _("Cannot install replica of a server of higher version "
+              "(%(remote_version)s) than the local version (%(api_version)s)")
+            % dict(remote_version=remote_version, api_version=api_version))
+
+    # Check FIPS mode compatibility
+    remote_fips_mode = env['fips_mode']
+    fips_mode = tasks.is_fips_enabled()
+    if fips_mode != remote_fips_mode:
+        if fips_mode:
+            raise ScriptError(
+                _("Cannot join FIPS-enabled replica into existing topology: "
+                  "FIPS is not enabled on the master server."))
+        else:
+            raise ScriptError(
+                _("Cannot join replica into existing FIPS-enabled topology: "
+                  "FIPS has to be enabled locally first."))


 def common_check(no_ntp):
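Review bot: `remote_fips_mode = env['fips_mode']` will raise an unhandled KeyError when the master does not report a `fips_mode` variable, and the version check directly above deliberately allows a master of lower version, i.e. one that predates the first patch of this series; what the `env` command returns for an unknown name is not visible in this hunk, so the lookup needs either a default or an explicit error. If an older master is to be treated as non-FIPS, `remote_fips_mode = env.get('fips_mode', False)` is enough; otherwise raise `ScriptError(_("Cannot determine FIPS mode of the master server."))` when the key is absent, so the failure surfaces the same way as the other compatibility errors. The local side calls `tasks.is_fips_enabled()` directly while the first patch exposes the same value as an env variable; a one-line comment on why the platform call is preferred here would keep a later reader from "fixing" it. `ScriptError` is not among the imports this patch touches, so presumably it is already in scope in this module.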
@@ -1077,7 +1093,7 @@ def promote_check(installer):
     remote_api.finalize()
     installer._remote_api = remote_api

-    check_remote_version(remote_api)
+    check_remote_compatibility(remote_api)

     conn = remote_api.Backend.ldap2
     replman = None