From 0b9adf1d8d5efb48e734650e4101e8816b01e1d3 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Mon, 19 Jul 2021 17:51:44 -0400
Subject: [PATCH] Use new method in check to prevent removal of last KRA

It previously used a vault connection to determine if any KRA servers were installed. This would fail if the last KRA was not available. Use server roles instead to determine if the last KRA server is to be removed.
https://pagure.io/freeipa/issue/8397
Signed-off-by: Rob Crittenden
Reviewed-By: Francois Cami
---
 ipaserver/plugins/server.py | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
index b3dda8469..5fa7a58bd 100644
--- a/ipaserver/plugins/server.py
+++ b/ipaserver/plugins/server.py
@@ -508,17 +508,19 @@ class server_del(LDAPDelete):
 if self.api.Command.ca_is_enabled()['result']:
 try:
- vault_config = self.api.Command.vaultconfig_show()['result']
- kra_servers = vault_config.get('kra_server_server', [])
- except errors.InvocationError:
- # KRA is not configured
- pass
- else:
- if kra_servers == [hostname]:
- handler(
- _("Deleting this server is not allowed as it would "
- "leave your installation without a KRA."),
- ignore_last_of_role)
+ roles = self.api.Command.server_role_find(
+ server_server=hostname,
+ role_servrole='KRA server',
+ status='enabled',
+ include_master=True,
+ )['result']
+ except errors.NotFound:
+ roles = ()
+ if len(roles) == 1 and roles[0]['server_server'] == hostname:
+ handler(
+ _("Deleting this server is not allowed as it would "
+ "leave your installation without a KRA."),
+ ignore_last_of_role)
 ca_servers = ipa_config.get('ca_server_server', [])
 ca_renewal_master = ipa_config.get(
-- 
2.26.3
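Review bot: The `server_role_find` call is filtered with `server_server=hostname`, so, assuming that argument restricts the result to the server being deleted, `roles` can only ever hold this host's own KRA entry, and `len(roles) == 1 and roles[0]['server_server'] == hostname` is true for every enabled KRA rather than only the last one. That fails closed (deletion is refused, never wrongly allowed), but the "leave your installation without a KRA" error would then also fire while other KRA servers remain. If the intent is to count all enabled KRA servers, drop the `server_server=hostname,` argument and keep the comparison as written. The enclosing method of `server_del` starts and ends outside this hunk, so how `handler` and `ignore_last_of_role` treat the result cannot be confirmed from here.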