IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Don't allow to hide last server for a role

Browse Source 
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
This commit is contained in:
Christian Heimes
2019-03-26 13:10:23 +01:00
parent f839d3c916
commit e7e0f190bb
2 changed files with 61 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
ipaserver/plugins/server.py
View File

@@ -972,6 +972,35 @@ class server_state(crud.PKQuery):
has_output = output.standard_boolean
def _check_hide_server(self, fqdn):
result = self.api.Command.config_show()['result']
err = []
# single value entries
if result.get("ca_renewal_master_server") == fqdn:
err.append(_("Cannot hide CA renewal master."))
if result.get("dnssec_key_master_server") == fqdn:
err.append(_("Cannot hide DNSSec key master."))
# multi value entries, only fail if we are the last one
checks = [
("ca_server_server", "CA"),
("dns_server_server", "DNS"),
("ipa_master_server", "IPA"),
("kra_server_server", "KRA"),
]
for key, name in checks:
values = result.get(key, [])
if values == [fqdn]: # fqdn is the only entry
err.append(
_("Cannot hide last enabled %(name)s server.") % {
'name': name
}
)
if err:
raise errors.ValidationError(
name=fqdn,
error=' '.join(str(e) for e in err)
)
def execute(self, *keys, **options):
fqdn = keys[0]
if options['state'] == u'enabled':
@@ -994,6 +1023,7 @@ class server_state(crud.PKQuery):
if to_status == ENABLED:
enable_services(fqdn)
else:
self._check_hide_server(fqdn)
hide_services(fqdn)
# update system roles