From 4fd1ae18e326ab69d9e22886784ea6b1057ef2a6 Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Wed, 25 Nov 2020 09:53:54 +0100

Subject: [PATCH] Improve PKI subsystem detection

The dogtaginstance.is_installed() method currently relies on

the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},

even if it is empty.

An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA

is installed and crashing when trying to upgrade a not-installed

component.

The fix relies on the command "pki-server subsystem-show {ca|kra}" to

detect if a subsystem is installed. The command does not require PKI

to be running (hence can be called anytime) and is delivered by

the pki-server package which is already required by ipa server pkg.

Fixes: https://pagure.io/freeipa/issue/8596

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-By: Rob Crittenden <rcritten@redhat.com>

Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>

---

 ipaserver/install/dogtaginstance.py | 10 ++++++++--

 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py

index a84368344f5d03fdaab401d35af6156b628cf485..7f26696850c85d35c06f6690dc83bb9073844eb1 100644

--- a/ipaserver/install/dogtaginstance.py

+++ b/ipaserver/install/dogtaginstance.py

@@ -148,8 +148,14 @@ class DogtagInstance(service.Service):

         Returns True/False

         """

-        return os.path.exists(os.path.join(

-            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))

+        try:

+            result = ipautil.run(

+                ['pki-server', 'subsystem-show', self.subsystem.lower()],

+                capture_output=True)

+            # parse the command output

+            return 'Enabled: True' in result.output

+        except ipautil.CalledProcessError:

+            return False

     def spawn_instance(self, cfg_file, nolog_list=()):

         """

-- 

2.26.2