ipautil: move is_fips_enabled() to ipaplatform.tasks

The FIPS setting is platform-specific.

https://fedorahosted.org/freeipa/ticket/6474

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

install/tools/ipactl

@@ -31,8 +31,7 @@ from ipaserver.install.dsinstance import config_dirname
 from ipaserver.install.installutils import is_ipa_configured, ScriptError
 from ipalib import api, errors
 from ipapython.ipaldap import LDAPClient
-from ipapython.ipautil import (
+from ipapython.ipautil import wait_for_open_ports, wait_for_open_socket
-    wait_for_open_ports, wait_for_open_socket, is_fips_enabled)
 from ipapython import config
 from ipaplatform.tasks import tasks
 from ipapython.dn import DN
@@ -544,7 +543,7 @@ def main():
     elif args[0] != "start" and args[0] != "stop" and args[0] != "restart" and args[0] != "status":
         raise IpactlError("Unrecognized action [" + args[0] + "]", 2)
 
-    if is_fips_enabled():
+    if tasks.is_fips_enabled():
         raise IpactlError("Starting IPA server in FIPS mode is not supported")
 
     # check if IPA is configured at all

ipaclient/install/client.py

@@ -67,7 +67,6 @@ from ipapython.ipautil import (
     CalledProcessError,
     dir_exists,
     file_exists,
-    is_fips_enabled,
     realm_to_suffix,
     run,
     user_input,
@@ -1967,7 +1966,7 @@ def install_check(options):
             "You must be root to run ipa-client-install.",
             rval=CLIENT_INSTALL_ERROR)
 
-    if is_fips_enabled():
+    if tasks.is_fips_enabled():
         raise ScriptError(
             "Installing IPA client in FIPS mode is not supported",
             rval=CLIENT_INSTALL_ERROR)

ipaplatform/base/tasks.py

@@ -249,3 +249,6 @@ class BaseTaskNamespace(object):
     def remove_httpd_service_ipa_conf(self):
         """Remove configuration of httpd service of IPA"""
         raise NotImplementedError()
+
+    def is_fips_enabled(self):
+        return False

ipaplatform/redhat/tasks.py

@@ -478,4 +478,23 @@ class RedHatTaskNamespace(BaseTaskNamespace):
     def set_hostname(self, hostname):
         ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
 
+    def is_fips_enabled(self):
+        """
+        Checks whether this host is FIPS-enabled.
+
+        Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
+        file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
+        or if the file /proc/sys/crypto/fips_enabled does not exist,
+        the function returns False.
+        """
+        try:
+            with open(paths.PROC_FIPS_ENABLED, 'r') as f:
+                if f.read().strip() != '0':
+                    return True
+        except IOError:
+            # Consider that the host is not fips-enabled if the file does not
+            # exist
+            pass
+        return False
+
 tasks = RedHatTaskNamespace()

ipapython/ipautil.py

@@ -1467,25 +1467,6 @@ else:
     fsdecode = os.fsdecode  #pylint: disable=no-member
 
 
-def is_fips_enabled():
-    """
-    Checks whether this host is FIPS-enabled.
-
-    Returns a boolean indicating if the host is FIPS-enabled, i.e. if the
-    file /proc/sys/crypto/fips_enabled contains a non-0 value. Otherwise,
-    or if the file /proc/sys/crypto/fips_enabled does not exist,
-    the function returns False.
-    """
-    try:
-        with open(paths.PROC_FIPS_ENABLED, 'r') as f:
-            if f.read().strip() != '0':
-                return True
-    except IOError:
-        # Consider that the host is not fips-enabled if the file does not exist
-        pass
-    return False
-
-
 def unescape_seq(seq, *args):
     """
     unescape (remove '\\') all occurences of sequence in input strings.

ipaserver/install/server/install.py

@@ -19,8 +19,7 @@ from ipapython import ipautil
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import root_logger
 from ipapython.ipautil import (
-    decrypt_file, format_netloc, ipa_generate_password, run, user_input,
+    decrypt_file, format_netloc, ipa_generate_password, run, user_input)
-    is_fips_enabled)
 from ipapython.admintool import ScriptError
 from ipaplatform import services
 from ipaplatform.paths import paths
@@ -322,7 +321,7 @@ def install_check(installer):
     external_ca_file = installer._external_ca_file
     http_ca_cert = installer._ca_cert
 
-    if is_fips_enabled():
+    if tasks.is_fips_enabled():
         raise RuntimeError(
             "Installing IPA server in FIPS mode is not supported")
 

ipaserver/install/server/replicainstall.py

@@ -520,7 +520,7 @@ def check_remote_version(api):
 
 
 def common_check(no_ntp):
-    if ipautil.is_fips_enabled():
+    if tasks.is_fips_enabled():
         raise RuntimeError(
             "Installing IPA server in FIPS mode is not supported")