From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 19 Jul 2021 17:51:44 -0400
Subject: [PATCH] Use new method in check to prevent removal of last KRA
It previously used a vault connection to determine if any
KRA servers were installed. This would fail if the last KRA
was not available.
Use server roles instead to determine if the last KRA server
is to be removed.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipaserver/plugins/server.py | 24 +++++++++++++-----------
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b3dda8469..5fa7a58bd 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
if self.api.Command.ca_is_enabled()['result']:
try:
- vault_config = self.api.Command.vaultconfig_show()['result']
- kra_servers = vault_config.get('kra_server_server', [])
- except errors.InvocationError:
- # KRA is not configured
- pass
- else:
- if kra_servers == [hostname]:
- handler(
- _("Deleting this server is not allowed as it would "
- "leave your installation without a KRA."),
- ignore_last_of_role)
+ roles = self.api.Command.server_role_find(
+ server_server=hostname,
+ role_servrole='KRA server',
+ status='enabled',
+ include_master=True,
+ )['result']
+ except errors.NotFound:
+ roles = ()
+ if len(roles) == 1 and roles[0]['server_server'] == hostname:
+ handler(
+ _("Deleting this server is not allowed as it would "
+ "leave your installation without a KRA."),
+ ignore_last_of_role)
ca_servers = ipa_config.get('ca_server_server', [])
ca_renewal_master = ipa_config.get(
--
2.26.3