[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0

2017-03-29 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/640
Author: stlaz
 Title: #640: Remove pkinit options from master/replica on DL0
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/640/head:pr640
git checkout pr640
From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/4] Fix the order of cert-files check

Without this patch, if any of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options, and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
 cert_file_opt = (self.pkinit_cert_files,)
 if not self.no_pkinit:
 cert_file_req += cert_file_opt
-if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-raise RuntimeError(
-"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-"or --no-pkinit are required if any key file options are used."
-)
 if self.no_pkinit and self.pkinit_cert_files:
 raise RuntimeError(
 "--no-pkinit and --pkinit-cert-file cannot be specified "
 "together"
 )
+if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+raise RuntimeError(
+"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+"or --no-pkinit are required if any key file options are used."
+)
 
 if not self.interactive:
 if self.dirsrv_cert_files and self.dirsrv_pin is None:
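Review bot: with the `--no-pkinit`/`--pkinit-cert-file` conflict check now running first, the `+ cert_file_opt` in `any(cert_file_req + cert_file_opt)` is redundant: when `no_pkinit` is false, `cert_file_opt` was already appended to `cert_file_req` two lines earlier, and when it is true, the check just above has already raised if `pkinit_cert_files` was set. `if any(cert_file_req) and not all(cert_file_req):` expresses the same condition and makes the dependency on the new ordering explicit. The reorder itself is correct: reporting the contradictory options before asking for the missing ones removes the two-step error the commit message describes.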

From 6620562bc9ec874723ae32b54a53734666ec4271 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0; remove the options that allow setting it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-install.1 |  2 +-
 install/tools/man/ipa-server-install.1  |  2 +-
 ipaserver/install/server/__init__.py| 21 +
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
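Review bot: "This is the default and only allowed behavior on domain level 0" leaves it ambiguous whether passing `--no-pkinit` explicitly on a domain level 0 install is accepted as a no-op or rejected as an error; the man page should state which, since the other pkinit options are being rejected on that level by this same patch. Wording such as "On domain level 0 pkinit is never set up and this option has no effect" (or "... must not be given", if that is the intended behavior) would remove the doubt. The identical sentence is added to ipa-server-install.1 below; keep the two in sync.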
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..096cb01 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -332,9 +332,24 @@ def dirsrv_config_file(self, value):
 if not os.path.exists(value):
 raise ValueError("File %s does not exist." % value)
 
+def _is_promote(self):
+"""
+:returns: True if domain level options correspond to domain level > 0
+"""
+raise NotImplementedError()
+
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
 
+# p
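Review bot: `_is_promote()` is introduced as an abstract hook that raises `NotImplementedError`, so any subclass of `ServerInstallInterface` that fails to override it will fail in `__init__` rather than at option validation; that is acceptable fail-fast behavior, but the docstring should say the method is meant to be overridden by the server and replica interfaces and on what basis each decides. The remainder of the `__init__` change that uses the hook is cut off in this archive copy after `# p`, so the actual DL0 condition and its error message cannot be reviewed here.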

[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0

2017-03-29 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/640
Author: stlaz
 Title: #640: Remove pkinit options from master/replica on DL0
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/640/head:pr640
git checkout pr640
From 53cdc14d5e006634817a1cddfee8954db3434785 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/4] Fix the order of cert-files check

Without this patch, if any of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options, and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
 cert_file_opt = (self.pkinit_cert_files,)
 if not self.no_pkinit:
 cert_file_req += cert_file_opt
-if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-raise RuntimeError(
-"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-"or --no-pkinit are required if any key file options are used."
-)
 if self.no_pkinit and self.pkinit_cert_files:
 raise RuntimeError(
 "--no-pkinit and --pkinit-cert-file cannot be specified "
 "together"
 )
+if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+raise RuntimeError(
+"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+"or --no-pkinit are required if any key file options are used."
+)
 
 if not self.interactive:
 if self.dirsrv_cert_files and self.dirsrv_pin is None:

From 835dbe9dbecfe02ec26a98d52bb4c8c9c2b4cb8a Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/4] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0; remove the options that allow setting it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-install.1 |  2 +-
 install/tools/man/ipa-server-install.1  |  2 +-
 ipaserver/install/server/__init__.py| 16 
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..6fd4957 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -335,6 +335,22 @@ def dirsrv_config_file(self, value):
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
 
+is_dl0 = (
+# in server-install, we have the domain_level option
+(hasattr(self, 'domain_level') and
+ self.domain_level == constants.DOMAIN_LEVEL_0) or
+# on replica we have to decide depending on replica_file appearance
+(ha
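Review bot: deciding server-versus-replica inside the shared `ServerInstallInterface.__init__` with `hasattr(self, 'domain_level')` ties the base class to the attribute layout of its subclasses and silently takes the replica path for any subclass that merely lacks the attribute; a method the subclasses override (the `_is_promote()` hook used in another revision of this PR) keeps that decision in the class that has the information and is easier to test in isolation. The replica branch of the expression is truncated in this archive copy after `(ha`, so the `replica_file` condition it refers to in the comment cannot be reviewed here.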

[Freeipa-devel] [freeipa PR#640][synchronized] Remove pkinit options from master/replica on DL0

2017-03-24 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/640
Author: stlaz
 Title: #640: Remove pkinit options from master/replica on DL0
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/640/head:pr640
git checkout pr640
From 1869c6ee53550fb6b8dbf8618ae0f47eba7c6b20 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:10:56 +0100
Subject: [PATCH 1/3] Fix the order of cert-files check

Without this patch, if any of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options, and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801
---
 ipaserver/install/server/__init__.py | 10 +-
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 14f1ec4..117f51c 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -340,16 +340,16 @@ def __init__(self, **kwargs):
 cert_file_opt = (self.pkinit_cert_files,)
 if not self.no_pkinit:
 cert_file_req += cert_file_opt
-if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
-raise RuntimeError(
-"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
-"or --no-pkinit are required if any key file options are used."
-)
 if self.no_pkinit and self.pkinit_cert_files:
 raise RuntimeError(
 "--no-pkinit and --pkinit-cert-file cannot be specified "
 "together"
 )
+if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
+raise RuntimeError(
+"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
+"or --no-pkinit are required if any key file options are used."
+)
 
 if not self.interactive:
 if self.dirsrv_cert_files and self.dirsrv_pin is None:

From 93628f3b744dfb42988b07020dad42cac76e0cd4 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH 2/3] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0; remove the options that allow setting it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801
---
 install/tools/man/ipa-replica-install.1 | 2 +-
 install/tools/man/ipa-server-install.1  | 2 +-
 ipaserver/install/server/__init__.py| 8 
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..aac2236 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -335,6 +335,14 @@ def dirsrv_config_file(self, value):
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
 
+if self.domain_level == constants.DOMAIN_LEVEL_0:
+if (self.no_pkinit or self.pkinit_cert_files is not None or
+self.pkinit_pin is not None):
+raise RuntimeError(
+"pkinit on domain level 0 is not supported. Please don't "
+
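Review bot: two points on the DL0 guard. First, `self.domain_level` is read unconditionally in the base class `__init__`, yet the commit message says the check applies to both ipa-server-install and ipa-replica-install; if the replica interface does not define a `domain_level` knob, this raises `AttributeError` instead of the intended `RuntimeError`, so the check needs to be gated on however the domain level is determined for a replica. Second, the condition rejects `self.no_pkinit` on domain level 0 while the man page hunks in this same patch describe `--no-pkinit` as "the default and only allowed behavior on domain level 0"; either accept an explicit `--no-pkinit` as a harmless no-op there or change the man page wording so the two agree. The error message is cut off in this archive copy after "Please don't", so its full text cannot be reviewed.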