Synchronize hidden state from IPA master role

ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the new service as hidden service. Fixes: https://pagure.io/freeipa/issue/7892 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2024-12-23 07:33:27 -06:00 · 2019-03-26 13:27:35 +01:00 · 2019-03-26 13:27:35 +01:00 · 8b1bb211c4
commit 8b1bb211c4
parent e7e0f190bb
5 changed files with 28 additions and 4 deletions
--- a/install/tools/ipa-adtrust-install.in
+++ b/install/tools/ipa-adtrust-install.in
@ -213,7 +213,7 @@ def main():
    adtrust.install(True, options, fstore, api)

    # Enable configured services and update DNS SRV records
-    service.enable_services(api.env.host)
+    service.sync_services_state(api.env.host)
    api.Command.dns_update_system_records()

    print("""
--- a/install/tools/ipa-ca-install.in
+++ b/install/tools/ipa-ca-install.in
@ -306,7 +306,7 @@ def main():
    api.Backend.ldap2.connect()

    # Enable configured services and update DNS SRV records
-    service.enable_services(api.env.host)
+    service.sync_services_state(api.env.host)
    api.Command.dns_update_system_records()
    api.Backend.ldap2.disconnect()

--- a/ipaserver/install/ipa_kra_install.py
+++ b/ipaserver/install/ipa_kra_install.py
@ -220,6 +220,6 @@ class KRAInstaller(KRAInstall):
        api.Backend.ldap2.connect()

        # Enable configured services and update DNS SRV records
-        service.enable_services(api.env.host)
+        service.sync_services_state(api.env.host)
        api.Command.dns_update_system_records()
        api.Backend.ldap2.disconnect()
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@ -41,6 +41,7 @@ from ipaplatform.paths import paths
 from ipaserver.masters import (
    CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE, SERVICE_LIST
 )
+from ipaserver.servroles import HIDDEN

 logger = logging.getLogger(__name__)

@ -202,6 +203,27 @@ def hide_services(fqdn):
    _set_services_state(fqdn, HIDDEN_SERVICE)


+def sync_services_state(fqdn):
+    """Synchronize services state from IPA master role state
+
+    Hide all services if the IPA master role state is in hidden state.
+    Otherwise enable all services.
+
+    :param fqdn: hostname of server
+    """
+    result = api.Command.server_role_find(
+        server_server=fqdn,
+        role_servrole='IPA master',
+        status=HIDDEN
+    )
+    if result['count']:
+        # one hidden server role
+        hide_services(fqdn)
+    else:
+        # IPA master is either enabled or configured, enable all
+        enable_services(fqdn)
+
+
 def _set_services_state(fqdn, dest_state):
    """Change all services of a host

--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@ -740,9 +740,11 @@ class TestHiddenReplicaPromotion(IntegrationTest):
        # hidden replica with CA and DNS
        tasks.install_replica(
            cls.master, cls.replicas[0],
-            setup_dns=True, setup_kra=True,
+            setup_dns=True, setup_kra=False,
            extra_args=('--hidden-replica',)
        )
+        # manually install KRA to verify that hidden state is synced
+        tasks.install_kra(cls.replicas[0])

    def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()):
        domain = DNSName(self.master.domain.name).make_absolute()