Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>

install/tools/man/ipa-replica-install.1

@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key

install/tools/man/ipa-server-install.1

@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.

ipaserver/install/server/__init__.py

@@ -332,9 +332,24 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
         if not os.path.exists(value):
             raise ValueError("File %s does not exist." % value)
 
+    def _is_promote(self):
+        """
+        :returns: True if domain level options correspond to domain level > 0
+        """
+        raise NotImplementedError()
+
     def __init__(self, **kwargs):
         super(ServerInstallInterface, self).__init__(**kwargs)
 
+        # pkinit is not supported on DL0, don't allow related options
+        if not self._is_promote():
+            if (self.no_pkinit or self.pkinit_cert_files is not None or
+                    self.pkinit_pin is not None):
+                raise RuntimeError(
+                    "pkinit on domain level 0 is not supported. Please "
+                    "don't use any pkinit-related options.")
+            self.no_pkinit = True
+
         # If any of the key file options are selected, all are required.
         cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
         cert_file_opt = (self.pkinit_cert_files,)
@@ -557,6 +572,9 @@ class ServerMasterInstall(ServerMasterInstallInterface):
     add_sids = True
     add_agents = False
 
+    def _is_promote(self):
+        return self.domain_level > constants.DOMAIN_LEVEL_0
+
     def __init__(self, **kwargs):
         super(ServerMasterInstall, self).__init__(**kwargs)
         master_init(self)
@@ -590,6 +608,9 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
         description="Kerberos password for the specified admin principal",
     )
 
+    def _is_promote(self):
+        return self.replica_file is None
+
     def __init__(self, **kwargs):
         super(ServerReplicaInstall, self).__init__(**kwargs)
         replica_init(self)