From 750a60a989d7c1fe0872af292191889e7e23382d Mon Sep 17 00:00:00 2001

From: Christian Heimes <cheimes@redhat.com>

Date: Mon, 29 Apr 2019 11:12:30 +0200

Subject: [PATCH] Consider configured servers as valid

Under some conditions, ipa config-show and several other commands were

failing with error message:

  ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Amongst others the issue can be caused by a broken installation, when

some services are left in state 'configuredServices'. The problem even

block uninstallation or removal of replicas. Now configured servers are

also consider valid providers for associated roles.

A new test verifies that config-show works with hidden and configured HTTP

service.

Remark: The original intent of the sanity check is no longer clear to me. I

think it was used to very that all services can be started by ipactl.

Since ipactl starts hidden, configured, and enabled services, the new

logic reflect the fact, too.

Fixes: https://pagure.io/freeipa/issue/7929

Signed-off-by: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>

---

 ipaserver/servroles.py                     |  9 ++-

 ipatests/test_integration/test_commands.py | 72 ++++++++++++----------

 2 files changed, 45 insertions(+), 36 deletions(-)

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py

index 0988cbdd7eac599ef26c89a015523b2d92e9502f..984d4bc269fffb4c667e9b8a432b1caf8d3b4f18 100644

--- a/ipaserver/servroles.py

+++ b/ipaserver/servroles.py

@@ -346,11 +346,14 @@ class ServerAttribute(LDAPBasedProperty):

     def _get_assoc_role_providers(self, api_instance):

         """get list of all servers on which the associated role is enabled

-        Consider a hidden server as a valid provider for a role.

+        Consider a hidden and configured server as a valid provider for a

+        role, as all services are started.

         """

         return [

-            r[u'server_server'] for r in self.associated_role.status(

-                api_instance) if r[u'status'] in {ENABLED, HIDDEN}]

+            r[u'server_server']

+            for r in self.associated_role.status(api_instance)

+            if r[u'status'] in {ENABLED, HIDDEN, CONFIGURED}

+        ]

     def _remove(self, api_instance, masters):

         """

diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py

index b172a6dd036b5cba4d117f9160ee1ada8712c949..c20213d4b6f0b9d004a8b44afa161a60c538916f 100644

--- a/ipatests/test_integration/test_commands.py

+++ b/ipatests/test_integration/test_commands.py

@@ -24,10 +24,15 @@ from ipalib.constants import IPAAPI_USER

 from ipaplatform.paths import paths

+from ipapython.dn import DN

+

+from ipaserver.masters import (

+    CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE

+)

+

 from ipatests.test_integration.base import IntegrationTest

 from ipatests.pytest_ipa.integration import tasks

 from ipatests.pytest_ipa.integration.create_external_ca import ExternalCA

-from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert

 logger = logging.getLogger(__name__)

@@ -499,36 +504,37 @@ class TestIPACommand(IntegrationTest):

         assert result.returncode != 0

         assert 'HBAC rule not found' in result.stderr_text

-    def test_ipa_cacert_manage_install(self):

-        # Re-install the IPA CA

-        self.master.run_command([

-            paths.IPA_CACERT_MANAGE,

-            'install',

-            paths.IPA_CA_CRT])

-

-        # Test a non-existent file

-        result = self.master.run_command([

-            paths.IPA_CACERT_MANAGE,

-            'install',

-            '/var/run/cert_not_found'], raiseonerr=False)

-        assert result.returncode == 1

+    def test_config_show_configured_services(self):

+        # https://pagure.io/freeipa/issue/7929

+        states = {CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE}

+        dn = DN(

+            ('cn', 'HTTP'), ('cn', self.master.hostname), ('cn', 'masters'),

+            ('cn', 'ipa'), ('cn', 'etc'),

+            self.master.domain.basedn  # pylint: disable=no-member

+        )

-        cmd = self.master.run_command(['mktemp'])

-        filename = cmd.stdout_text.strip()

-

-        for contents in (good_pkcs7,):

-            self.master.put_file_contents(filename, contents)

-            result = self.master.run_command([

-                paths.IPA_CACERT_MANAGE,

-                'install',

-                filename])

-

-        for contents in (badcert,):

-            self.master.put_file_contents(filename, contents)

-            result = self.master.run_command([

-                paths.IPA_CACERT_MANAGE,

-                'install',

-                filename], raiseonerr=False)

-            assert result.returncode == 1

-

-        self.master.run_command(['rm', '-f', filename])

+        conn = self.master.ldap_connect()

+        entry = conn.get_entry(dn)  # pylint: disable=no-member

+

+        # original setting and all settings without state

+        orig_cfg = list(entry['ipaConfigString'])

+        other_cfg = [item for item in orig_cfg if item not in states]

+

+        try:

+            # test with hidden

+            cfg = [HIDDEN_SERVICE]

+            cfg.extend(other_cfg)

+            entry['ipaConfigString'] = cfg

+            conn.update_entry(entry)  # pylint: disable=no-member

+            self.master.run_command(['ipa', 'config-show'])

+

+            # test with configured

+            cfg = [CONFIGURED_SERVICE]

+            cfg.extend(other_cfg)

+            entry['ipaConfigString'] = cfg

+            conn.update_entry(entry)  # pylint: disable=no-member

+            self.master.run_command(['ipa', 'config-show'])

+        finally:

+            # reset

+            entry['ipaConfigString'] = orig_cfg

+            conn.update_entry(entry)  # pylint: disable=no-member

-- 

2.20.1