From a1ad1ffa3540da4b5d5c1963b3818d9c9260e1a2 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka
Date: Mar 30 2017 13:41:35 +0000
Subject: Don't allow setting pkinit-related options on DL0
pkinit is not supported on DL0, remove options that allow to set it from ipa-{server,replica}-install.
https://pagure.io/freeipa/issue/6801
Reviewed-By: Martin Basti
---
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index d63912c..7d24132 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -114,7 +114,7 @@ Install and configure a CA on this replica. If a CA is not configured then
 certificate operations will be forwarded to a master with a CA installed.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=FILE
 File containing the Directory Server SSL certificate and private key
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index c48bdae..d5d28df 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -93,7 +93,7 @@ Type of the external CA. Possible values are "generic", "ms-cs". Default value i
 File containing the IPA CA certificate and the external CA certificate chain. The file is accepted in PEM and DER certificate and PKCS#7 certificate chain formats. This option may be used multiple times.
 .TP
 \fB\-\-no\-pkinit\fR
-Disables pkinit setup steps
+Disables pkinit setup steps. This is the default and only allowed behavior on domain level 0.
 .TP
 \fB\-\-dirsrv\-cert\-file\fR=\fIFILE\fR
 File containing the Directory Server SSL certificate and private key. The files are accepted in PEM and DER certificate, PKCS#7 certificate chain, PKCS#8 and raw private key and PKCS#12 formats. This option may be used multiple times.
diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
index 117f51c..096cb01 100644
--- a/ipaserver/install/server/__init__.py
+++ b/ipaserver/install/server/__init__.py
@@ -332,9 +332,24 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
 if not os.path.exists(value):
 raise ValueError("File %s does not exist." % value)
+ def _is_promote(self):
+ """
+ :returns: True if domain level options correspond to domain level > 0
+ """
+ raise NotImplementedError()
+
 def __init__(self, **kwargs):
 super(ServerInstallInterface, self).__init__(**kwargs)
+ # pkinit is not supported on DL0, don't allow related options
+ if not self._is_promote():
+ if (self.no_pkinit or self.pkinit_cert_files is not None or
+ self.pkinit_pin is not None):
+ raise RuntimeError(
+ "pkinit on domain level 0 is not supported. Please "
+ "don't use any pkinit-related options.")
+ self.no_pkinit = True
+
 # If any of the key file options are selected, all are required.
 cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
 cert_file_opt = (self.pkinit_cert_files,)
@@ -557,6 +572,9 @@ class ServerMasterInstall(ServerMasterInstallInterface):
 add_sids = True
 add_agents = False
+ def _is_promote(self):
+ return self.domain_level > constants.DOMAIN_LEVEL_0
+
 def __init__(self, **kwargs):
 super(ServerMasterInstall, self).__init__(**kwargs)
 master_init(self)
@@ -590,6 +608,9 @@ class ServerReplicaInstall(ServerReplicaInstallInterface):
 description="Kerberos password for the specified admin principal",
 )
+ def _is_promote(self):
+ return self.replica_file is None
+
 def __init__(self, **kwargs):
 super(ServerReplicaInstall, self).__init__(**kwargs)
 replica_init(self)
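Review bot: The new DL0 guard in `ServerInstallInterface.__init__` rejects `--no-pkinit` even though the man-page change in this same commit documents it as the default and only allowed behavior on domain level 0, so an operator who passes the one option the code is about to force anyway gets a RuntimeError telling them not to use pkinit options. Dropping `self.no_pkinit` from the condition, `if (self.pkinit_cert_files is not None or self.pkinit_pin is not None):`, keeps the rejection for the options that genuinely conflict (a PKINIT certificate or PIN) while the unconditional `self.no_pkinit = True` that follows still enforces the DL0 behaviour. The message could also name the offending option(s) rather than "any pkinit-related options", so the failure is actionable from the CLI. Whether RuntimeError is the right exception type for an option conflict depends on the sibling checks in this constructor, whose body continues past the end of the hunk.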
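Review bot: `ServerReplicaInstall._is_promote` decides the domain level from the absence of a replica file, whereas the master variant in the previous hunk compares `self.domain_level` against `constants.DOMAIN_LEVEL_0`, and the base-class docstring (":returns: True if domain level options correspond to domain level > 0") does not explain that indirection. A one-line comment on the return would spare readers the inference: `# a replica file is only used for DL0 installs; DL1 replicas are promoted without one`. The comment's claim is inferred from the two implementations in this diff, so it should be confirmed against the replica-file handling elsewhere in the module before landing.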