From 2e73c964e5896eb18006e1ae8b70f2faef484ab3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Wed, 6 Mar 2019 21:12:49 +0100
Subject: [PATCH] ipa server: prevent uninstallation if the server is CRL master

If ipa-server-install --uninstall is called on a server that is CRL generation master, refuse uninstallation unless --ignore-last-of-role is specified or (in interactive mode) the admin is OK to force uninstallation.

Related to https://pagure.io/freeipa/issue/5803

Reviewed-By: Rob Crittenden
Reviewed-By: Francois Cami
---
 ipaserver/install/ca.py | 33 ++++++++++++++++++++++++++++-
 ipaserver/install/server/install.py | 2 ++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 557af07f0..c29759cfe 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -31,7 +31,7 @@ from ipaserver.install.replication import replica_conn_check
 from ipalib import api, errors
 from ipapython.dn import DN
-from . import conncheck, dogtag
+from . import conncheck, dogtag, cainstance
 
 if six.PY3:
 unicode = str
@@ -115,6 +115,37 @@ def print_ca_configuration(options):
 print("Chaining: {}".format(chaining))
 
 
+def uninstall_check(options):
+ """Check if the host is CRL generation master"""
+ # Skip the checks if the host is not a CA instance
+ ca = cainstance.CAInstance(api.env.realm)
+ if not (api.Command.ca_is_enabled()['result'] and
+ cainstance.is_ca_installed_locally()):
+ return
+
+ # skip the checks if the host is the last master
+ ipa_config = api.Command.config_show()['result']
+ ipa_masters = ipa_config['ipa_master_server']
+ if len(ipa_masters) <= 1:
+ return
+
+ try:
+ crlgen_enabled = ca.is_crlgen_enabled()
+ except cainstance.InconsistentCRLGenConfigException:
+ # If config is inconsistent, let's be safe and act as if
+ # crl gen was enabled
+ crlgen_enabled = True
+
+ if crlgen_enabled:
+ print("Deleting this server will leave your installation "
+ "without a CRL generation master.")
+ if (options.unattended and not options.ignore_last_of_role) or \
+ not (options.unattended or ipautil.user_input(
+ "Are you sure you want to continue with the uninstall "
+ "procedure?", False)):
+ raise ScriptError("Aborting uninstall operation.")
+
+
 def install_check(standalone, replica_config, options):
 global external_cert_file
 global external_ca_file
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 04c9f3adc..0c1df6279 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -1056,6 +1056,8 @@ def uninstall_check(installer):
 else:
 dns.uninstall_check(options)
 
+ ca.uninstall_check(options)
+
 if domain_level == DOMAIN_LEVEL_0:
 rm = replication.ReplicationManager(
 realm=api.env.realm,
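Review bot: In the unattended branch the abort at `raise ScriptError("Aborting uninstall operation.")` gives the operator nothing to act on — neither the warning nor the error names `--ignore-last-of-role`, the only option that lets the uninstall of a CRL generation master proceed, so a scripted removal fails with a message that does not say how to override it. The combined condition (`(options.unattended and not options.ignore_last_of_role) or not (options.unattended or ipautil.user_input(...))`) also folds the flag check and the interactive prompt into one expression with a line continuation, which makes it hard to confirm by reading that the flag is honoured only when unattended; one branch per mode is clearer and lets each abort carry its own hint, as in the rewrite below (same behaviour, only the unattended message changes). The docstring `"""Check if the host is CRL generation master"""` understates the contract: it should say the function raises ScriptError to abort the uninstall when this CA is the CRL generation master and other masters exist, that an inconsistent CRL-generation config is deliberately treated as enabled, and that it is a no-op on non-CA hosts or on the last master. If there is a supported way to move CRL generation to another CA before uninstalling (I cannot confirm one from this hunk), naming it in the warning would be the most useful hint of all. Minor: `ca = cainstance.CAInstance(api.env.realm)` is built before the is-CA early return; constructing it after that check avoids doing so on hosts that are not CAs.
```python
    # … unchanged: CA / last-master / crlgen_enabled detection …
    if crlgen_enabled:
        print("Deleting this server will leave your installation "
              "without a CRL generation master.")
        if options.unattended:
            if not options.ignore_last_of_role:
                raise ScriptError(
                    "Aborting uninstall operation. Use --ignore-last-of-role "
                    "to force uninstallation of the CRL generation master.")
        elif not ipautil.user_input(
                "Are you sure you want to continue with the uninstall "
                "procedure?", False):
            raise ScriptError("Aborting uninstall operation.")
```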
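Review bot: The new `ca.uninstall_check(options)` call makes the uninstall pre-check depend on `api.Command.ca_is_enabled()` and `api.Command.config_show()` succeeding on this host, and those calls run before `--ignore-last-of-role` is ever consulted. If the API backend is not yet connected here or the local directory server is already broken (I cannot tell from this hunk; the enclosing `uninstall_check(installer)` starts before it), the check surfaces as an unhandled exception and a damaged server cannot be uninstalled even with the override flag. Worth confirming that the connect happens earlier in `uninstall_check`, and considering whether an API failure here should degrade to a warning when `options.ignore_last_of_role` is set, e.g. `except errors.PublicError: logger.warning("Unable to determine CRL generation role; continuing"); return` inside ca.uninstall_check, if `errors`/`logger` are available there.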