From 6119dbb9a915283434f718b38a70017e3ad00840 Mon Sep 17 00:00:00 2001
From: Martin Basti
Date: Nov 02 2015 12:31:27 +0000
Subject: ipa-csreplica-manage: disable connect/disconnect/del with domain level > 0
* ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa topologysegment-*' commands
* ipa-csreplica-manage del - a user should use ipa-replica-manage del
https://fedorahosted.org/freeipa/ticket/5405
Reviewed-By: Martin Babinsky
---
diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 202a3cc..88ca629 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -30,6 +30,7 @@ from ipaserver.install import (replication, installutils, bindinstance, cainstance, certs)
 from ipalib import api, errors
 from ipalib.constants import CACERT
+from ipalib.util import has_managed_topology
 from ipapython import ipautil, ipaldap, version, dogtag
 from ipapython.dn import DN
@@ -392,6 +393,19 @@ def set_renewal_master(realm, replica):
 print("%s is now the renewal master" % replica)
+
+def exit_on_managed_topology(what, hint="topologysegment"):
+ if hint == "topologysegment":
+ hinttext = ("Please use `ipa topologysegment-*` commands to manage "
+ "the topology.")
+ elif hint == "ipa-replica-manage-del":
+ hinttext = ("Please use the `ipa-replica-manage del` command.")
+ else:
+ assert False, "Unexpected value"
+ sys.exit("{0} is deprecated with managed IPA replication topology. {1}"
+ .format(what, hinttext))
+
+
 def main():
 options, args = parse_options()
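Review bot: In the new `exit_on_managed_topology` in install/tools/ipa-csreplica-manage, the `else:` branch relies on `assert False, "Unexpected value"`, which is compiled out when Python runs with -O. In that case `hinttext` is never bound and the following `sys.exit(...)` fails with an UnboundLocalError instead of printing the deprecation message. Raising explicitly keeps the failure deterministic: `raise ValueError("Unexpected hint: {0!r}".format(hint))`. A one-line docstring naming the two accepted `hint` values would also help, because ipa-replica-manage keeps its own one-argument `exit_on_managed_topology(what)` and the two helpers now differ in signature.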
@@ -427,12 +441,19 @@ def main():
 options.dirman_passwd = dirman_passwd
+ api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+ bind_pw=options.dirman_passwd)
+
 if args[0] == "list":
 replica = None
 if len(args) == 2:
 replica = args[1]
 list_replicas(realm, host, replica, dirman_passwd, options.verbose)
 elif args[0] == "del":
+ if has_managed_topology(api):
+ exit_on_managed_topology(
+ "Removal of IPA CS replication agreement and replication data",
+ hint="ipa-replica-manage-del")
 del_master(realm, args[1], options)
 elif args[0] == "re-initialize":
 re_initialize(realm, options)
@@ -441,6 +462,8 @@ def main():
 sys.exit("force-sync requires the option --from ")
 force_sync(realm, host, options.fromhost, options.dirman_passwd)
 elif args[0] == "connect":
+ if has_managed_topology(api):
+ exit_on_managed_topology("Creation of IPA CS replication agreement")
 if len(args) == 3:
 replica1 = args[1]
 replica2 = args[2]
@@ -449,6 +472,8 @@ def main():
 replica2 = args[1]
 add_link(realm, replica1, replica2, dirman_passwd, options)
 elif args[0] == "disconnect":
+ if has_managed_topology(api):
+ exit_on_managed_topology("Removal of IPA CS replication agreement")
 if len(args) == 3:
 replica1 = args[1]
 replica2 = args[2]
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 1350590..b9998da 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
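Review bot: The `api.Backend.ldap2.connect(...)` call added ahead of the command dispatch in `main()` of install/tools/ipa-csreplica-manage binds as `cn=Directory Manager` for every subcommand, although only `del`, `connect` and `disconnect` (this hunk and the two after it) call `has_managed_topology(api)`. Nothing in the visible lines handles a failed bind or closes the connection, so a wrong password may surface here as an unhandled exception rather than a clean `sys.exit` message. `main()` starts and ends outside the hunks, so a handler may exist elsewhere. Consider connecting only in the three guarded branches, or wrapping the dispatch in `try:` / `finally:` with `api.Backend.ldap2.disconnect()` in the `finally:` block.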
@@ -37,8 +37,9 @@ from ipaserver.install import bindinstance, cainstance, certs
 from ipaserver.install import opendnssecinstance, dnskeysyncinstance
 from ipapython import version, ipaldap
 from ipalib import api, errors, util
-from ipalib.constants import CACERT, DOMAIN_LEVEL_0
-from ipalib.util import create_topology_graph, get_topology_connection_errors
+from ipalib.constants import CACERT
+from ipalib.util import (create_topology_graph,
+ get_topology_connection_errors, has_managed_topology)
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
@@ -247,7 +248,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
 repl2 = None
 what = "Removal of IPA replication agreement"
- managed_topology = has_managed_topology()
+ managed_topology = has_managed_topology(api)
 try:
 repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
@@ -698,7 +699,7 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options):
 def del_master(realm, hostname, options):
- if has_managed_topology():
+ if has_managed_topology(api):
 del_master_managed(realm, hostname, options)
 else:
 del_master_direct(realm, hostname, options)
@@ -957,7 +958,7 @@ def add_link(realm, replica1, replica2, dirman_passwd, options):
 if os.getegid() != 0:
 root_logger.error("winsync agreements need to be created as root")
 sys.exit(1)
- elif has_managed_topology():
+ elif has_managed_topology(api):
 exit_on_managed_topology("Creation of IPA replication agreement")
 try:
@@ -1349,9 +1350,6 @@ def set_DNA_range(hostname, range, realm, dirman_passwd, next_range=False,
 except Exception as e:
 sys.exit("Updating range failed: %s" % e)
-def has_managed_topology():
- domainlevel = api.Command['domainlevel_get']().get('result', DOMAIN_LEVEL_0)
- return domainlevel > DOMAIN_LEVEL_0
 def exit_on_managed_topology(what):
 sys.exit("{0} is deprecated with managed IPA replication topology. "
diff --git a/ipalib/util.py b/ipalib/util.py
index 29b4ca1..89d67e6 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -39,6 +39,7 @@ from netaddr.core import AddrFormatError
 import six
 from ipalib import errors, messages
+from ipalib.constants import DOMAIN_LEVEL_0
 from ipalib.text import _
 from ipapython.ssh import SSHPublicKey
 from ipapython.dn import DN, RDN
@@ -856,3 +857,7 @@ def detect_dns_zone_realm_type(api, domain):
 # If we could not detect type with certainity, return unknown
 return 'unknown'
+
+def has_managed_topology(api):
+ domainlevel = api.Command['domainlevel_get']().get('result', DOMAIN_LEVEL_0)
+ return domainlevel > DOMAIN_LEVEL_0
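Review bot: `has_managed_topology(api)` in ipalib/util.py fails open: `.get('result', DOMAIN_LEVEL_0)` reads a reply without a `result` key as domain level 0, so the legacy direct-agreement path stays available in that case. That matters now that this helper is the gate for `del`, `connect` and `disconnect` in both management tools. If a missing result is not an expected reply, index it directly so the error surfaces instead of silently selecting the unmanaged path: `domainlevel = api.Command['domainlevel_get']()['result']`. The function also lacks a docstring; `"""Return True when the domain level is above DOMAIN_LEVEL_0, i.e. the replication topology is managed."""` would do, ideally with a note that the caller must supply an `api` able to run `domainlevel_get`, which is presumably why the commit adds the `connect` call in ipa-csreplica-manage.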