ipa server: prevent uninstallation if the server is CRL master

If ipa-server-install --uninstall is called on a server that is CRL generation master, refuse uninstallation unless --ignore-last-of-role is specified or (in interactive mode) the admin is OK to force uninstallation. Related to https://pagure.io/freeipa/issue/5803 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-03-06 21:12:49 +01:00 · 2019-03-06 21:12:49 +01:00 · 2e73c964e5
commit 2e73c964e5
parent 4e3a64f703
2 changed files with 34 additions and 1 deletions
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@ -31,7 +31,7 @@ from ipaserver.install.replication import replica_conn_check
 from ipalib import api, errors
 from ipapython.dn import DN

-from . import conncheck, dogtag
+from . import conncheck, dogtag, cainstance

 if six.PY3:
    unicode = str
@ -115,6 +115,37 @@ def print_ca_configuration(options):
    print("Chaining:     {}".format(chaining))


+def uninstall_check(options):
+    """Check if the host is CRL generation master"""
+    # Skip the checks if the host is not a CA instance
+    ca = cainstance.CAInstance(api.env.realm)
+    if not (api.Command.ca_is_enabled()['result'] and
+       cainstance.is_ca_installed_locally()):
+        return
+
+    # skip the checks if the host is the last master
+    ipa_config = api.Command.config_show()['result']
+    ipa_masters = ipa_config['ipa_master_server']
+    if len(ipa_masters) <= 1:
+        return
+
+    try:
+        crlgen_enabled = ca.is_crlgen_enabled()
+    except cainstance.InconsistentCRLGenConfigException:
+        # If config is inconsistent, let's be safe and act as if
+        # crl gen was enabled
+        crlgen_enabled = True
+
+    if crlgen_enabled:
+        print("Deleting this server will leave your installation "
+              "without a CRL generation master.")
+        if (options.unattended and not options.ignore_last_of_role) or \
+           not (options.unattended or ipautil.user_input(
+                "Are you sure you want to continue with the uninstall "
+                "procedure?", False)):
+            raise ScriptError("Aborting uninstall operation.")
+
+
 def install_check(standalone, replica_config, options):
    global external_cert_file
    global external_ca_file
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@ -1056,6 +1056,8 @@ def uninstall_check(installer):
    else:
        dns.uninstall_check(options)

+        ca.uninstall_check(options)
+
        if domain_level == DOMAIN_LEVEL_0:
            rm = replication.ReplicationManager(
                realm=api.env.realm,