From e2e380e83be8bafd8cf23e0a395edf065b1ae961 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 27 Jun 2017 16:03:16 +0200 Subject: [PATCH] Do not remove the old masters when setting the attribute fails If the setting of server attribute fails (e.g. due to master not having the associated role enabled) the error would pop up *after* the old values were cleared from LDAP. Fix this behavior so that all checks are performed before manipulating any data. https://pagure.io/freeipa/issue/7029 Reviewed-By: Martin Basti --- ipaserver/servroles.py | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py index f6e79338b..bf33923de 100644 --- a/ipaserver/servroles.py +++ b/ipaserver/servroles.py @@ -371,11 +371,18 @@ class ServerAttribute(LDAPBasedProperty): on the master """ + ldap = api_instance.Backend.ldap2 + + master_dns = self._get_master_dns(api_instance, masters) + service_entries = self._get_masters_service_entries(ldap, master_dns) + for service_entry in service_entries: + self._add_attribute_to_svc_entry(ldap, service_entry) + + def _check_receiving_masters_having_associated_role(self, api_instance, + masters): assoc_role_providers = set( self._get_assoc_role_providers(api_instance)) masters_set = set(masters) - ldap = api_instance.Backend.ldap2 - masters_without_role = masters_set - assoc_role_providers if masters_without_role: @@ -385,11 +392,6 @@ class ServerAttribute(LDAPBasedProperty): {'role': self.associated_role.name}) ) - master_dns = self._get_master_dns(api_instance, masters) - service_entries = self._get_masters_service_entries(ldap, master_dns) - for service_entry in service_entries: - self._add_attribute_to_svc_entry(ldap, service_entry) - def set(self, api_instance, masters): """ set the attribute on masters 
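Review bot: In the first hunk `_add` now goes straight from `ldap = api_instance.Backend.ldap2` to the `_add_attribute_to_svc_entry` writes, so the associated-role check is enforced only if a caller runs `_check_receiving_masters_having_associated_role` first; the only caller visible in this patch that does so is `set`. The new method also has no docstring, and the `on the master` docstring tail kept as context in `_add` may belong to a raises clause that no longer applies (the start of that docstring is outside the hunk, so this is inferred). I would give the new method a docstring such as `"""Raise if any of masters lacks the associated role; call before _remove/_add."""` and put `# precondition: caller has verified the associated role on all masters` at the top of `_add`.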
@@ -407,6 +409,9 @@ class ServerAttribute(LDAPBasedProperty):
 if sorted(old_masters) == sorted(masters):
 raise errors.EmptyModlist
+ self._check_receiving_masters_having_associated_role(
+ api_instance, masters)
+
 if old_masters:
 self._remove(api_instance, old_masters)
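Review bot: Moving the role check ahead of `self._remove(api_instance, old_masters)` closes only the validation failure path; the removal and the later write are still separate LDAP operations. An error raised while the attribute is being added (that call sits below this hunk and is not visible here) would presumably still leave the attribute cleared on the old masters, and role membership can change between the check and the write. If a rollback or a single combined modification is out of scope, the limitation deserves a comment above the removal, e.g. `# NOTE: not atomic - an LDAP failure after _remove leaves the attribute unset on old_masters`. `set`'s body begins and ends outside the hunk.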