From d584eb700111bb57f6d10018f4b56d6f10a96d21 Mon Sep 17 00:00:00 2001
From: Tomas Babej
Date: Jul 02 2015 11:23:21 +0000
Subject: winsync-migrate: Require explicit specification of the target server and validate existing agreement
https://fedorahosted.org/freeipa/ticket/4524
Reviewed-By: Martin Babinsky
---
diff --git a/ipaserver/winsync_migrate/base.py b/ipaserver/winsync_migrate/base.py
index 936a7ee..afdbda2 100644
--- a/ipaserver/winsync_migrate/base.py
+++ b/ipaserver/winsync_migrate/base.py
@@ -26,6 +26,7 @@ from ipapython import admintool
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import log_mgr
 from ipaserver.plugins.ldap2 import ldap2
+from ipaserver.install import replication
 DEFAULT_TRUST_VIEW_NAME = u'Default Trust View'
@@ -58,6 +59,10 @@ class MigrateWinsync(admintool.AdminTool):
 dest="realm",
 help="The AD realm the winsynced users belong to")
 parser.add_option(
+ "--server",
+ dest="server",
+ help="The AD DC the winsync agreement is established with")
+ parser.add_option(
 "-U", "--unattended",
 dest="interactive",
 action="store_false",
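Review bot: In the second hunk (`@@ -58,6 +59,10 @@`), the help text for `--server` does not say the option is mandatory, although the validation added later in this commit raises `ScriptError` when it is missing. `help="The AD DC the winsync agreement is established with (required)"` would make that visible in `--help`. It may also be worth stating the expected form, presumably the DC's fully qualified host name, since the value is looked up against an existing replication agreement. The enclosing option-setup method starts and ends outside the hunk.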
@@ -91,6 +96,34 @@ class MigrateWinsync(admintool.AdminTool):
 "An error occured during detection of the established "
 "trust with %s: %s" % (self.options.realm, str(e)))
+ if self.options.server is None:
+ raise admintool.ScriptError(
+ "The AD DC the winsync agreement is established with "
+ "needs to be specified.")
+ else:
+ # Validate the replication agreement between given host and localhost
+ try:
+ manager = replication.ReplicationManager(
+ api.env.realm,
+ api.env.host,
+ None) # Use GSSAPI instead of raw directory manager access
+
+ replica_type = manager.get_agreement_type(self.options.server)
+ except errors.ACIError as e:
+ raise admintool.ScriptError(
+ "Used Kerberos account does not have privileges to access "
+ "the replication agreement info: %s" % str(e))
+ except errors.NotFound as e:
+ raise admintool.ScriptError(
+ "The replication agreement between %s and %s could not "
+ "be detected" % (api.env.host, self.options.server))
+
+ # Check that the replication agreement is indeed WINSYNC
+ if replica_type != replication.WINSYNC:
+ raise admintool.ScriptError(
+ "Replication agreement between %s and %s is not winsync."
+ % (api.env.host, self.options.server))
+
 def create_id_user_override(self, entry):
 """
 Creates ID override corresponding to this user entry.
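Review bot: The `is None` test at the top of the added block lets an empty `--server ""` through to `get_agreement_type()`, where it would presumably end in the "could not be detected" message rather than the "needs to be specified" one; `if not self.options.server:` covers both cases. The `try` handles only `errors.ACIError` and `errors.NotFound`. Because the manager binds over GSSAPI, a missing or expired ticket or an unreachable directory would presumably raise something else and escape as a traceback instead of a `ScriptError`, so it is worth confirming what `ReplicationManager(...)` and `get_agreement_type()` can raise and catching that here. On style, the `else:` after the unconditional `raise` can be dropped to save an indent level, and `as e` is unused in the `NotFound` handler. The enclosing method begins outside the hunk.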