Don't allow to hide last server for a role

DNSSec key master and CA renewal master can't be hidden. There must be at least one enabled server available for each role, too. Fixes: https://pagure.io/freeipa/issue/7892 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2025-02-25 18:55:28 -06:00 · 2019-03-26 13:10:23 +01:00 · 2019-03-26 13:10:23 +01:00 · e7e0f190bb
commit e7e0f190bb
parent f839d3c916
2 changed files with 61 additions and 0 deletions
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@ -972,6 +972,35 @@ class server_state(crud.PKQuery):

    has_output = output.standard_boolean

+    def _check_hide_server(self, fqdn):
+        result = self.api.Command.config_show()['result']
+        err = []
+        # single value entries
+        if result.get("ca_renewal_master_server") == fqdn:
+            err.append(_("Cannot hide CA renewal master."))
+        if result.get("dnssec_key_master_server") == fqdn:
+            err.append(_("Cannot hide DNSSec key master."))
+        # multi value entries, only fail if we are the last one
+        checks = [
+            ("ca_server_server", "CA"),
+            ("dns_server_server", "DNS"),
+            ("ipa_master_server", "IPA"),
+            ("kra_server_server", "KRA"),
+        ]
+        for key, name in checks:
+            values = result.get(key, [])
+            if values == [fqdn]:  # fqdn is the only entry
+                err.append(
+                    _("Cannot hide last enabled %(name)s server.") % {
+                        'name': name
+                    }
+                )
+        if err:
+            raise errors.ValidationError(
+                name=fqdn,
+                error=' '.join(str(e) for e in err)
+            )
+
    def execute(self, *keys, **options):
        fqdn = keys[0]
        if options['state'] == u'enabled':
@ -994,6 +1023,7 @@ class server_state(crud.PKQuery):
        if to_status == ENABLED:
            enable_services(fqdn)
        else:
+            self._check_hide_server(fqdn)
            hide_services(fqdn)

        # update system roles
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@ -729,7 +729,15 @@ class TestHiddenReplicaPromotion(IntegrationTest):

    @classmethod
    def install(cls, mh):
+        # master with DNSSEC master
        tasks.install_master(cls.master, setup_dns=True, setup_kra=True)
+        cls.master.run_command([
+            "ipa-dns-install",
+            "--dnssec-master",
+            "--forwarder", cls.master.config.dns_forwarder,
+            "-U",
+        ])
+        # hidden replica with CA and DNS
        tasks.install_replica(
            cls.master, cls.replicas[0],
            setup_dns=True, setup_kra=True,
@ -796,6 +804,29 @@ class TestHiddenReplicaPromotion(IntegrationTest):
        self._check_dnsrecords([self.master], [self.replicas[0]])
        self._check_config([self.master], [self.replicas[0]])

+    def test_hide_master_fails(self):
+        # verify state
+        self._check_config([self.master], [self.replicas[0]])
+        # nothing to do
+        result = self.master.run_command([
+            'ipa', 'server-state',
+            self.master.hostname, '--state=enabled'
+        ], raiseonerr=False)
+        assert result.returncode == 1
+        assert "no modifications to be performed" in result.stderr_text
+        # hiding the last master fails
+        result = self.master.run_command([
+            'ipa', 'server-state',
+            self.master.hostname, '--state=hidden'
+        ], raiseonerr=False)
+        assert result.returncode == 1
+        keys = [
+            "CA renewal master", "DNSSec key master", "CA server",
+            "KRA server", "DNS server", "IPA server"
+        ]
+        for key in keys:
+            assert key in result.stderr_text
+
    def test_hidden_replica_promote(self):
        self.replicas[0].run_command([
            'ipa', 'server-state',