From cf25ea7e300cdada57bd964acb4393cc11ad333e Mon Sep 17 00:00:00 2001
From: Tomas Krizek
Date: Feb 21 2017 16:09:00 +0000
Subject: FIPS: perform replica installation check

Check status of remote server's FIPS mode and proceed with installation only if it matches the current replica's FIPS mode.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti
Reviewed-By: Jan Cholasta
Reviewed-By: Stanislav Laznicka
---

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index d9db50b..c181258 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -529,6 +529,27 @@ def rpc_client(api):
         client.disconnect()
 
 
+def check_remote_fips_mode(client, local_fips_mode):
+    """
+    Verify remote server's fips-mode is the same as this server's fips-mode
+
+    :param client: RPC client
+    :param local_fips_mode: boolean indicating whether FIPS mode is turned on
+    :raises: ScriptError: if the checks fails
+    """
+    env = client.forward(u'env', u'fips_mode')['result']
+    remote_fips_mode = env.get('fips_mode', False)
+    if local_fips_mode != remote_fips_mode:
+        if local_fips_mode:
+            raise ScriptError(
+                "Cannot join FIPS-enabled replica into existing topology: "
+                "FIPS is not enabled on the master server.")
+        else:
+            raise ScriptError(
+                "Cannot join replica into existing FIPS-enabled topology: "
+                "FIPS has to be enabled locally first.")
+
+
 def check_remote_version(client, local_version):
     """
     Verify remote server's version is not higher than this server's version
@@ -1095,6 +1116,7 @@ def promote_check(installer):
 
     with rpc_client(remote_api) as client:
         check_remote_version(client, api.env.version)
+        check_remote_fips_mode(client, api.env.fips_mode)
 
         conn = remote_api.Backend.ldap2
         replman = None
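Review bot: In check_remote_fips_mode, `remote_fips_mode = env.get('fips_mode', False)` conflates "the remote does not report a fips_mode setting" (presumably an older server whose env predates this key) with "the remote has FIPS disabled", so a FIPS-enabled replica is rejected with the message that FIPS is not enabled on the master even when the real cause is that the master cannot report it, and a non-FIPS replica joining such a master is waved through without any signal that the comparison was vacuous. Consider reading the value without a default, `remote_fips_mode = env.get('fips_mode')`, and handling `remote_fips_mode is None` separately by logging that the remote did not report its FIPS mode (or raising with a message naming the missing key) before falling through to the equality check. The docstring line `:raises: ScriptError: if the checks fails` should read `:raises ScriptError: if the check fails`. The second hunk only wires the call into promote_check and needs nothing beyond this.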