Don't allow hosts and services of IPA masters to be disabled.

https://fedorahosted.org/freeipa/ticket/2487
2025-02-25 18:55:28 -06:00 · 2012-03-19 10:16:49 -04:00 · 2012-03-19 10:16:49 -04:00 · 35521ad6bb
commit 35521ad6bb
parent 95df146346
5 changed files with 42 additions and 8 deletions
--- a/ipalib/plugins/baseldap.py
+++ b/ipalib/plugins/baseldap.py
@ -396,7 +396,7 @@ def host_is_master(ldap, fqdn):
    master_dn = str(DN('cn=%s' % fqdn, 'cn=masters,cn=ipa,cn=etc', api.env.basedn))
    try:
        (dn, entry_attrs) = ldap.get_entry(master_dn, ['objectclass'])
-        raise errors.ValidationError(name='hostname', error=_('An IPA master host cannot be deleted'))
+        raise errors.ValidationError(name='hostname', error=_('An IPA master host cannot be deleted or disabled'))
    except errors.NotFound:
        # Good, not a master
        return
--- a/ipalib/plugins/host.py
+++ b/ipalib/plugins/host.py
@ -850,6 +850,8 @@ class host_disable(LDAPQuery):
        else:
            fqdn = keys[-1]

+        host_is_master(ldap, fqdn)
+
        # See if we actually do anthing here, and if not raise an exception
        done_work = False

--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@ -200,6 +200,18 @@ def set_certificate_attrs(entry_attrs):
    entry_attrs['md5_fingerprint'] = unicode(nss.data_to_hex(nss.md5_digest(cert.der_data), 64)[0])
    entry_attrs['sha1_fingerprint'] = unicode(nss.data_to_hex(nss.sha1_digest(cert.der_data), 64)[0])

+def check_required_principal(ldap, hostname, service):
+    """
+    Raise an error if the host of this prinicipal is an IPA master and one
+    of the principals required for proper execution.
+    """
+    try:
+        host_is_master(ldap, hostname)
+    except errors.ValidationError, e:
+        service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']
+        if service in service_types:
+            raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
+
 class service(LDAPObject):
    """
    Service object.
@ -296,12 +308,7 @@ class service_del(LDAPDelete):
        # deleted. This is a limited few though. If the user has their own
        # custom services allow them to manage them.
        (service, hostname, realm) = split_principal(keys[-1])
-        try:
-            host_is_master(ldap, hostname)
-        except errors.ValidationError, e:
-            service_types = ['HTTP', 'ldap', 'DNS' 'dogtagldap']
-            if service in service_types:
-                raise errors.ValidationError(name='principal', error=_('This principal is required by the IPA master'))
+        check_required_principal(ldap, hostname, service)
        if self.api.env.enable_ra:
            (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])
            cert = entry_attrs.get('usercertificate')
@ -465,6 +472,9 @@ class service_disable(LDAPQuery):
        dn = self.obj.get_dn(*keys, **options)
        (dn, entry_attrs) = ldap.get_entry(dn, ['usercertificate'])

+        (service, hostname, realm) = split_principal(keys[-1])
+        check_required_principal(ldap, hostname, service)
+
        # See if we do any work at all here and if not raise an exception
        done_work = False

--- a/tests/test_xmlrpc/test_host_plugin.py
+++ b/tests/test_xmlrpc/test_host_plugin.py
@ -673,9 +673,17 @@ class test_host(Declarative):
        dict(
            desc='Delete the current host (master?) %s should be caught' % api.env.host,
            command=('host_del', [api.env.host], {}),
-            expected=errors.ValidationError(name='fqdn', error='An IPA master host cannot be deleted'),
+            expected=errors.ValidationError(name='fqdn', error='An IPA master host cannot be deleted or disabled'),
        ),

+
+        dict(
+            desc='Disable the current host (master?) %s should be caught' % api.env.host,
+            command=('host_disable', [api.env.host], {}),
+            expected=errors.ValidationError(name='fqdn', error='An IPA master host cannot be deleted or disabled'),
+        ),
+
+
        dict(
            desc='Test that validation is enabled on adds',
            command=('host_add', [invalidfqdn1], {}),
--- a/tests/test_xmlrpc/test_service_plugin.py
+++ b/tests/test_xmlrpc/test_service_plugin.py
@ -487,4 +487,18 @@ class test_service(Declarative):
        ),


+        dict(
+            desc='Disable the current host (master?) %s HTTP service, should be caught' % api.env.host,
+            command=('service_disable', ['HTTP/%s' % api.env.host], {}),
+            expected=errors.ValidationError(name='principal', error='This principal is required by the IPA master'),
+        ),
+
+
+        dict(
+            desc='Disable the current host (master?) %s ldap service, should be caught' % api.env.host,
+            command=('service_disable', ['ldap/%s' % api.env.host], {}),
+            expected=errors.ValidationError(name='principal', error='This principal is required by the IPA master'),
+        ),
+
+
    ]