server-del: harden check for last roles

The current implementation of check for last CA/DNS server and DNSSec key master in `server-del` is quite fragile and wroks with quite a few assumptions which may not be always true (CA and DNS is always configured etc.). This patch hardens the check so that it does not break when the above assuptions do not hold. https://fedorahosted.org/freeipa/ticket/5960 Reviewed-By: Martin Basti <mbasti@redhat.com>
2025-01-11 00:31:56 -06:00 · 2016-06-22 15:08:43 +02:00 · 2016-06-22 15:08:43 +02:00 · be3ad1ed7a
commit be3ad1ed7a
parent 5ffd7ef7c4
1 changed files with 34 additions and 28 deletions
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@ -469,7 +469,6 @@ class server_del(LDAPDelete):
                raise errors.ServerRemovalError(reason=_(msg))

        ipa_config = self.api.Command.config_show()['result']
-        dns_config = self.api.Command.dnsconfig_show()['result']

        ipa_masters = ipa_config['ipa_master_server']

@ -477,15 +476,11 @@ class server_del(LDAPDelete):
        if ipa_masters == [hostname]:
            return

-        ca_servers = ipa_config['ca_server_server']
-        ca_renewal_master = ipa_config['ca_renewal_master_server']
-        dns_servers = dns_config['dns_server_server']
-        dnssec_keymaster = dns_config['dnssec_key_master_server']
+        if self.api.Command.dns_is_enabled()['result']:
+            dns_config = self.api.Command.dnsconfig_show()['result']

-        if ca_servers == [hostname]:
-            raise errors.ServerRemovalError(
-                reason=_("Deleting this server is not allowed as it would "
-                         "leave your installation without a CA."))
+            dns_servers = dns_config.get('dns_server_server', [])
+            dnssec_keymaster = dns_config.get('dnssec_key_master_server', [])

            if dnssec_keymaster == hostname:
                handler(
@ -498,22 +493,33 @@ class server_del(LDAPDelete):
                    _("Deleting this server will leave your installation "
                      "without a DNS."), ignore_last_of_role)

+        if self.api.Command.ca_is_enabled()['result']:
+            ca_servers = ipa_config.get('ca_server_server', [])
+            ca_renewal_master = ipa_config.get(
+                'ca_renewal_master_server', [])
+
+            if ca_servers == [hostname]:
+                raise errors.ServerRemovalError(
+                    reason=_("Deleting this server is not allowed as it would "
+                             "leave your installation without a CA."))
+
+            if ca_renewal_master == hostname:
+                other_cas = [ca for ca in ca_servers if ca != hostname]
+
+                # if this is the last CA there is no other server to become
+                # renewal master
+                if not other_cas:
+                    return
+
+                self.api.Command.config_mod(
+                    ca_renewal_master_server=other_cas[0])
+
        if ignore_last_of_role:
            self.add_message(
                messages.ServerRemovalWarning(
                    message=_("Ignoring these warnings and proceeding with "
                              "removal")))

-        if ca_renewal_master == hostname:
-            other_cas = [ca for ca in ca_servers if ca != hostname]
-
-            # if this is the last CA there is no other server to become renewal
-            # master
-            if not other_cas:
-                return
-
-            self.api.Command.config_mod(ca_renewal_master_server=other_cas[0])
-
    def _check_topology_connectivity(self, topology_connectivity, master_cn):
        try:
            topology_connectivity.check_current_state()