Synchronize hidden state from IPA master role

ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.

Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>

install/tools/ipa-adtrust-install.in

@@ -213,7 +213,7 @@ def main():
     adtrust.install(True, options, fstore, api)
 
     # Enable configured services and update DNS SRV records
-    service.enable_services(api.env.host)
+    service.sync_services_state(api.env.host)
     api.Command.dns_update_system_records()
 
     print("""

install/tools/ipa-ca-install.in

@@ -306,7 +306,7 @@ def main():
     api.Backend.ldap2.connect()
 
     # Enable configured services and update DNS SRV records
-    service.enable_services(api.env.host)
+    service.sync_services_state(api.env.host)
     api.Command.dns_update_system_records()
     api.Backend.ldap2.disconnect()
 

ipaserver/install/ipa_kra_install.py

@@ -220,6 +220,6 @@ class KRAInstaller(KRAInstall):
         api.Backend.ldap2.connect()
 
         # Enable configured services and update DNS SRV records
-        service.enable_services(api.env.host)
+        service.sync_services_state(api.env.host)
         api.Command.dns_update_system_records()
         api.Backend.ldap2.disconnect()

ipaserver/install/service.py

@@ -41,6 +41,7 @@ from ipaplatform.paths import paths
 from ipaserver.masters import (
     CONFIGURED_SERVICE, ENABLED_SERVICE, HIDDEN_SERVICE, SERVICE_LIST
 )
+from ipaserver.servroles import HIDDEN
 
 logger = logging.getLogger(__name__)
 
@@ -202,6 +203,27 @@ def hide_services(fqdn):
     _set_services_state(fqdn, HIDDEN_SERVICE)
 
 
+def sync_services_state(fqdn):
+    """Synchronize services state from IPA master role state
+
+    Hide all services if the IPA master role state is in hidden state.
+    Otherwise enable all services.
+
+    :param fqdn: hostname of server
+    """
+    result = api.Command.server_role_find(
+        server_server=fqdn,
+        role_servrole='IPA master',
+        status=HIDDEN
+    )
+    if result['count']:
+        # one hidden server role
+        hide_services(fqdn)
+    else:
+        # IPA master is either enabled or configured, enable all
+        enable_services(fqdn)
+
+
 def _set_services_state(fqdn, dest_state):
     """Change all services of a host
 

ipatests/test_integration/test_replica_promotion.py

@@ -740,9 +740,11 @@ class TestHiddenReplicaPromotion(IntegrationTest):
         # hidden replica with CA and DNS
         tasks.install_replica(
             cls.master, cls.replicas[0],
-            setup_dns=True, setup_kra=True,
+            setup_dns=True, setup_kra=False,
             extra_args=('--hidden-replica',)
         )
+        # manually install KRA to verify that hidden state is synced
+        tasks.install_kra(cls.replicas[0])
 
     def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()):
         domain = DNSName(self.master.domain.name).make_absolute()