CP-41796 prevent changes to https_only in CC_PREPARATIONS=true

R7.3 Attempts to modify the firewall to open or close port 80 must be
rejected in CC mode (P2).

Introduce an error and prevent changing https_only when in FIPS/CC mode.

Signed-off-by: Christian Lindig <[email protected]>

ocaml/xapi-consts/api_errors.ml

@@ -1288,3 +1288,6 @@ let vtpm_max_amount_reached = "VTPM_MAX_AMOUNT_REACHED"
 
 (* Telemetry *)
 let telemetry_next_collection_too_late = "TELEMETRY_NEXT_COLLECTION_TOO_LATE"
+
+(* FIPS/CC_PREPARATIONS *)
+let illegal_in_fips_mode = "ILLEGAL_IN_FIPS_MODE"

ocaml/xapi/xapi_host.ml

@@ -2994,8 +2994,30 @@ let apply_updates ~__context ~self ~hash =
    *)
   warnings
 
+let cc_prep () =
+  let cc = "CC_PREPARATIONS" in
+  Xapi_inventory.lookup ~default:"false" cc |> String.lowercase_ascii
+  |> function
+  | "true" ->
+      true
+  | "false" ->
+      false
+  | other ->
+      D.warn "%s: %s=%s (assuming true)" __MODULE__ cc other ;
+      true
+
 let set_https_only ~__context ~self ~value =
   let state = match value with true -> "close" | false -> "open" in
-  ignore
-  @@ Helpers.call_script !Xapi_globs.firewall_port_config_script [state; "80"] ;
-  Db.Host.set_https_only ~__context ~self ~value
+  match cc_prep () with
+  | false ->
+      ignore
+      @@ Helpers.call_script
+           !Xapi_globs.firewall_port_config_script
+           [state; "80"] ;
+      Db.Host.set_https_only ~__context ~self ~value
+  | true when value = Db.Host.get_https_only ~__context ~self ->
+      (* the new value is the same as the old value *)
+      ()
+  | true ->
+      (* it is illegal changing the firewall/https config in CC/FIPS mode *)
+      raise (Api_errors.Server_error (Api_errors.illegal_in_fips_mode, []))