Don't allow standalone KRA uninstalls

KRA uninstallation is very likely to break the user's setup. Don't
allow it at least till we can be safely sure we are able to remove
it in a standalone manner without breaking anything.

https://pagure.io/freeipa/issue/6538

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>

install/tools/man/ipa-kra-install.1

@@ -31,7 +31,7 @@ ipa\-kra\-install will contact the CA to determine if a KRA has already been ins
 
 The replica_file is created using the ipa\-replica\-prepare utility.  A new replica_file should be generated on the master IPA server after the KRA has been installed and configured, so that the replica_file will contain the master KRA configuration and system certificates.
 
-The uninstall option can be  used to remove the KRA from the local IPA server. KRA instances on other replicas are not affected.  The KRA will also be removed if the entire server is removed using ipa\-server\-install \-\-uninstall.
+KRA can only be removed along with the entire server using ipa\-server\-install \-\-uninstall.
 .SH "OPTIONS"
 \fB\-p\fR \fIDM_PASSWORD\fR, \fB\-\-password\fR=\fIDM_PASSWORD\fR
 Directory Manager (existing master) password
@@ -39,9 +39,6 @@ Directory Manager (existing master) password
 \fB\-U\fR, \fB\-\-unattended\fR
 An unattended installation that will never prompt for user input
 .TP
-\fB\-\-uninstall\fR
-Uninstall the KRA from the local IPA server.
-.TP
 \fB\-v\fR, \fB\-\-verbose\fR
 Enable debug output when more verbose output is needed
 .TP

ipaplatform/base/paths.py

@@ -309,7 +309,6 @@ class BasePathNamespace(object):
     IPARESTORE_LOG = "/var/log/iparestore.log"
     IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
     IPASERVER_KRA_INSTALL_LOG = "/var/log/ipaserver-kra-install.log"
-    IPASERVER_KRA_UNINSTALL_LOG = "/var/log/ipaserver-kra-uninstall.log"
     IPASERVER_UNINSTALL_LOG = "/var/log/ipaserver-uninstall.log"
     IPAUPGRADE_LOG = "/var/log/ipaupgrade.log"
     KADMIND_LOG = "/var/log/kadmind.log"

ipaserver/install/ipa_kra_install.py

@@ -20,7 +20,9 @@
 
 from __future__ import print_function
 
+import sys
 import tempfile
+from optparse import SUPPRESS_HELP
 
 from textwrap import dedent
 from ipalib import api
@@ -69,8 +71,7 @@ class KRAInstall(admintool.AdminTool):
         parser.add_option(
             "--uninstall",
             dest="uninstall", action="store_true", default=False,
-            help="uninstall an existing installation. The uninstall can "
-                 "be run with --unattended option")
+            help=SUPPRESS_HELP)
 
     def validate_options(self, needs_root=True):
         super(KRAInstall, self).validate_options(needs_root=True)
@@ -83,33 +84,14 @@ class KRAInstall(admintool.AdminTool):
     @classmethod
     def get_command_class(cls, options, args):
         if options.uninstall:
-            return KRAUninstaller
+            sys.exit(
+                'ERROR: Standalone KRA uninstallation was removed in '
+                'FreeIPA 4.5 as it had never worked properly and only caused '
+                'issues.')
         else:
             return KRAInstaller
 
 
-class KRAUninstaller(KRAInstall):
-    log_file_name = paths.IPASERVER_KRA_UNINSTALL_LOG
-
-    def validate_options(self, needs_root=True):
-        super(KRAUninstaller, self).validate_options(needs_root=True)
-
-        if self.args:
-            self.option_parser.error("Too many parameters provided.")
-
-        _kra = krainstance.KRAInstance(api)
-        if not _kra.is_installed():
-            self.option_parser.error(
-                "Cannot uninstall.  There is no KRA installed on this system."
-            )
-
-    def run(self):
-        super(KRAUninstaller, self).run()
-        api.Backend.ldap2.connect()
-        kra.uninstall(True)
-        api.Backend.ldap2.disconnect()
-
-
 class KRAInstaller(KRAInstall):
     log_file_name = paths.IPASERVER_KRA_INSTALL_LOG
 

ipaserver/install/kra.py

@@ -9,12 +9,11 @@ KRA installer module
 import os
 import shutil
 
-from ipalib import api, errors
+from ipalib import api
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
 from ipapython import ipautil
-from ipapython.dn import DN
 from ipapython.install.core import group
 from ipaserver.install import custodiainstance
 from ipaserver.install import cainstance
@@ -125,19 +124,9 @@ def install(api, replica_config, options):
     services.knownservices.httpd.restart(capture_output=True)
 
 
-def uninstall(standalone):
+def uninstall():
     kra = krainstance.KRAInstance(api.env.realm)
-
-    if standalone:
-        try:
-            api.Backend.ldap2.delete_entry(
-                DN(('cn', 'KRA'), ('cn', api.env.host),
-                   ('cn', 'masters'), ('cn', 'ipa'),
-                   ('cn', 'etc'), api.env.basedn))
-        except errors.NotFound:
-            pass
-
-    kra.stop_tracking_certificates(stop_certmonger=not standalone)
+    kra.stop_tracking_certificates()
     if kra.is_installed():
         kra.uninstall()
 

ipaserver/install/server/install.py

@@ -1051,7 +1051,7 @@ def uninstall(installer):
 
     ntpinstance.NTPInstance(fstore).uninstall()
 
-    kra.uninstall(False)
+    kra.uninstall()
 
     ca.uninstall()
 

ipatests/test_integration/tasks.py

@@ -68,9 +68,7 @@ def setup_server_logs_collecting(host):
     host.collect_log(paths.IPA_CUSTODIA_AUDIT_LOG)
 
     # IPA uninstall logs
-    host.collect_log(paths.IPASERVER_KRA_UNINSTALL_LOG)
     host.collect_log(paths.IPACLIENT_UNINSTALL_LOG)
-    host.collect_log(paths.IPASERVER_KRA_UNINSTALL_LOG)
 
     # IPA backup and restore logs
     host.collect_log(paths.IPARESTORE_LOG)

ipatests/test_integration/test_vault.py

@@ -140,61 +140,3 @@ class TestInstallKRA(IntegrationTest):
             self.vault_name_master,
             self.vault_name_replica_without_KRA,
         ])
-
-
-    def test_create_and_retrieve_vault_after_kra_uninstall_on_replica(self):
-        # uninstall KRA on replica
-        self.replicas[0].run_command([
-            "ipa-kra-install",
-            "-U",
-            "--uninstall",
-        ])
-
-        # create vault
-        self.replicas[0].run_command([
-            "ipa", "vault-add",
-            self.vault_name_replica_KRA_uninstalled,
-            "--password", self.vault_password,
-            "--type", "symmetric",
-        ])
-
-        # archive secret
-        self.replicas[0].run_command([
-            "ipa", "vault-archive",
-            self.vault_name_replica_KRA_uninstalled,
-            "--password", self.vault_password,
-            "--data", self.vault_data,
-        ])
-        time.sleep(WAIT_AFTER_ARCHIVE)
-
-        self._retrieve_secret([self.vault_name_replica_KRA_uninstalled])
-
-        ################# master #################
-        # test master again after KRA was uninstalled on replica
-        # create vault
-        self.master.run_command([
-            "ipa", "vault-add",
-            self.vault_name_master3,
-            "--password", self.vault_password,
-            "--type", "symmetric",
-        ])
-
-        # archive secret
-        self.master.run_command([
-            "ipa", "vault-archive",
-            self.vault_name_master3,
-            "--password", self.vault_password,
-            "--data", self.vault_data,
-        ])
-        time.sleep(WAIT_AFTER_ARCHIVE)
-
-        self._retrieve_secret([self.vault_name_master3,])
-
-        ################ old vaults ###############
-        # test if old vaults are still accessible
-        self._retrieve_secret([
-            self.vault_name_master,
-            self.vault_name_master2,
-            self.vault_name_replica_without_KRA,
-            self.vault_name_replica_with_KRA,
-        ])