From 750a60a989d7c1fe0872af292191889e7e23382d Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 29 Apr 2019 11:12:30 +0200
Subject: [PATCH] Consider configured servers as valid

Under some conditions, ipa config-show and several other commands were
failing with error message:

  ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.

A new test verifies that config-show works with hidden and configured HTTP
service.

Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.

Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
 ipaserver/servroles.py                     |  9 ++-
 ipatests/test_integration/test_commands.py | 72 ++++++++++++----------
 2 files changed, 45 insertions(+), 36 deletions(-)

diff --git a/ipaserver/servroles.py b/ipaserver/servroles.py
index 0988cbdd7eac599ef26c89a015523b2d92e9502f..984d4bc269fffb4c667e9b8a432b1caf8d3b4f18 100644
--- a/ipaserver/servroles.py
+++ b/ipaserver/servroles.py
@@ -346,11 +346,14 @@ class ServerAttribute(LDAPBasedProperty):
     def _get_assoc_role_providers(self, api_instance):
         """get list of all servers on which the associated role is enabled
 
-        Consider a hidden server as a valid provider for a role.
+        Consider a hidden and configured server as a valid provider for a
+        role, as all services are started.
         """
         return [
-            r[u'server_server'] for r in self.associated_role.status(
-                api_instance) if r[u'status'] in {ENABLED, HIDDEN}]
+            r[u'server_server']
+            for r in self.associated_role.status(api_instance)
+            if r[u'status'] in {ENABLED, HIDDEN, CONFIGURED}
+        ]
 
     def _remove(self, api_instance, masters):
         """
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index b172a6dd036b5cba4d117f9160ee1ada8712c949..c20213d4b6f0b9d004a8b44afa161a60c538916f 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -24,10 +24,15 @@ from ipalib.constants import IPAAPI_USER
 
 from ipaplatform.paths import paths
 
+from ipapython.dn import DN
+
+from ipaserver.masters import (
+    CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE
+)
+
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
 from ipatests.pytest_ipa.integration.create_external_ca import ExternalCA
-from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
 
 logger = logging.getLogger(__name__)
 
@@ -499,36 +504,37 @@ class TestIPACommand(IntegrationTest):
         assert result.returncode != 0
         assert 'HBAC rule not found' in result.stderr_text
 
-    def test_ipa_cacert_manage_install(self):
-        # Re-install the IPA CA
-        self.master.run_command([
-            paths.IPA_CACERT_MANAGE,
-            'install',
-            paths.IPA_CA_CRT])
-
-        # Test a non-existent file
-        result = self.master.run_command([
-            paths.IPA_CACERT_MANAGE,
-            'install',
-            '/var/run/cert_not_found'], raiseonerr=False)
-        assert result.returncode == 1
+    def test_config_show_configured_services(self):
+        # https://pagure.io/freeipa/issue/7929
+        states = {CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE}
+        dn = DN(
+            ('cn', 'HTTP'), ('cn', self.master.hostname), ('cn', 'masters'),
+            ('cn', 'ipa'), ('cn', 'etc'),
+            self.master.domain.basedn  # pylint: disable=no-member
+        )
 
-        cmd = self.master.run_command(['mktemp'])
-        filename = cmd.stdout_text.strip()
-
-        for contents in (good_pkcs7,):
-            self.master.put_file_contents(filename, contents)
-            result = self.master.run_command([
-                paths.IPA_CACERT_MANAGE,
-                'install',
-                filename])
-
-        for contents in (badcert,):
-            self.master.put_file_contents(filename, contents)
-            result = self.master.run_command([
-                paths.IPA_CACERT_MANAGE,
-                'install',
-                filename], raiseonerr=False)
-            assert result.returncode == 1
-
-        self.master.run_command(['rm', '-f', filename])
+        conn = self.master.ldap_connect()
+        entry = conn.get_entry(dn)  # pylint: disable=no-member
+
+        # original setting and all settings without state
+        orig_cfg = list(entry['ipaConfigString'])
+        other_cfg = [item for item in orig_cfg if item not in states]
+
+        try:
+            # test with hidden
+            cfg = [HIDDEN_SERVICE]
+            cfg.extend(other_cfg)
+            entry['ipaConfigString'] = cfg
+            conn.update_entry(entry)  # pylint: disable=no-member
+            self.master.run_command(['ipa', 'config-show'])
+
+            # test with configured
+            cfg = [CONFIGURED_SERVICE]
+            cfg.extend(other_cfg)
+            entry['ipaConfigString'] = cfg
+            conn.update_entry(entry)  # pylint: disable=no-member
+            self.master.run_command(['ipa', 'config-show'])
+        finally:
+            # reset
+            entry['ipaConfigString'] = orig_cfg
+            conn.update_entry(entry)  # pylint: disable=no-member
-- 
2.20.1