From 60b57639295ab94949986ec59de3c8e6c92bee7d Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Wed, 22 Mar 2017 17:26:51 +0100
Subject: [PATCH] Don't allow setting pkinit-related options on DL0

pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti
---
 install/tools/man/ipa-replica-install.1 | 2 +-
 install/tools/man/ipa-server-install.1 | 2 +-
 ipaserver/install/server/__init__.py | 21 +++++++++++++++++++++
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c7018bd09a8567688a1f8d4db0c698ac3f..7d241324818dd3a5294da5e84b67a19d0d9a31b6 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae7485a34d72381188191d6423ca2d16044..d5d28df8e72295296a9ac321623ead49fe4692a3 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c4ebfaeba51d3c85625cda0d0eee305696..096cb0142fc7fe70fdc3d2ad1e5caedf0f65b643 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -332,9 +332,24 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
 if not os.path.exists(value):
 raise ValueError("File %s does not exist." % value)
 
+ def _is_promote(self):
+ """
+ :returns: True if domain level options correspond to domain level > 0
+ """
+ raise NotImplementedError()
+
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
 
+ # pkinit is not supported on DL0, don't allow related options
+ if not self._is_promote():
+ if (self.no_pkinit or self.pkinit_cert_files is not None or
+ self.pkinit_pin is not None):
+ raise RuntimeError(
+ "pkinit on domain level 0 is not supported. Please "
+ "don't use any pkinit-related options.")
+ self.no_pkinit = True
+
 # If any of the key file options are selected, all are required.
 cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
 cert_file_opt = (self.pkinit_cert_files,)
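Review bot: The new condition `if (self.no_pkinit or self.pkinit_cert_files is not None or self.pkinit_pin is not None)` makes an explicit `--no-pkinit` fatal on domain level 0, yet the two man-page hunks in this same commit describe `--no-pkinit` as "the default and only allowed behavior on domain level 0", so a user following the documentation hits the RuntimeError. Either reword the man pages or drop `self.no_pkinit or` from the condition so that only `pkinit_cert_files` and `pkinit_pin` are refused while `self.no_pkinit = True` is still forced afterwards. The error is raised as `RuntimeError`, whereas the option validation two lines above in the hunk (`raise ValueError("File %s does not exist." % value)`) uses `ValueError`; raising `ValueError` here keeps bad-option handling uniform for callers. `_is_promote()` is called from this `__init__` and the overrides in the later hunks read `self.domain_level` / `self.replica_file`, so this presumably relies on `super(ServerInstallInterface, self).__init__(**kwargs)` having already bound those knobs, which is worth confirming; note also that any other subclass of this interface that does not override `_is_promote` will now fail at construction with `NotImplementedError`.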
@@ -557,6 +572,9 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 add_sids = True
 add_agents = False
 
+ def _is_promote(self):
+ return self.domain_level > constants.DOMAIN_LEVEL_0
+
 def __init__(self, **kwargs):
 super(ServerMasterInstall, self).__init__(**kwargs)
 master_init(self)
@@ -590,6 +608,9 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
 description="Kerberos password for the specified admin principal",
 )
 
+ def _is_promote(self):
+ return self.replica_file is None
+
 def __init__(self, **kwargs):
 super(ServerReplicaInstall, self).__init__(**kwargs)
 replica_init(self)
--
2.12.2
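Review bot: Neither `_is_promote` override carries a docstring, although the base declaration in the first `__init__.py` hunk documents its `:returns:` contract, and the replica rule in particular is not self-explanatory; a one-liner such as `"""True when the requested domain level is above DL0 (see base class)."""` on `ServerMasterInstall._is_promote` and `"""True when no replica file is given; the base class treats this as domain level > 0."""` on `ServerReplicaInstall._is_promote` would do. Both methods are invoked from `ServerInstallInterface.__init__`, i.e. before `master_init(self)` / `replica_init(self)` run, so `self.domain_level` and `self.replica_file` must already be populated by the time `super(..., self).__init__(**kwargs)` returns; the hunks do not show where those attributes are bound, so this is worth confirming. The master variant also assumes `constants` is already imported in this module, which is not visible here. The same documentation point applies to the `ServerReplicaInstall` hunk that follows.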