From a497288b3eafe00ab9c819dd4a51d0b421824b36 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Wed, 2 Dec 2015 12:22:45 +0100
Subject: [PATCH] replica install: improvements in the handling of CA-related IPA config entries

When a CA-less replica is installed, its IPA config file should be updated so that ca_host points to nearest CA master and all certificate requests are forwarded to it. A subsequent installation of CA subsystem on the replica should clear this entry from the config so that all certificate requests are handled by freshly installed local CA.

https://fedorahosted.org/freeipa/ticket/5506

Reviewed-By: Martin Basti
---
 ipaserver/install/ca.py | 16 ----------------
 ipaserver/install/cainstance.py | 19 ++++++++++++++++++-
 ipaserver/install/server/replicainstall.py | 7 +++++++
 3 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index fcead1891..1a51ebc8c 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -7,8 +7,6 @@ from __future__ import print_function
 import sys
 import os.path
-from six.moves.configparser import RawConfigParser
-
 from ipaserver.install import cainstance, dsinstance, bindinstance
 from ipapython import ipautil, certdb
 from ipaplatform import services
@@ -236,20 +234,6 @@ def install_step_1(standalone, replica_config, options):
     if standalone:
         ca.start('pki-tomcat')
-    # Update config file
-    try:
-        parser = RawConfigParser()
-        parser.read(paths.IPA_DEFAULT_CONF)
-        parser.set('global', 'enable_ra', 'True')
-        parser.set('global', 'ra_plugin', 'dogtag')
-        parser.set('global', 'dogtag_version', '10')
-        with open(paths.IPA_DEFAULT_CONF, 'w') as f:
-            parser.write(f)
-    except IOError as e:
-        print("Failed to update /etc/ipa/default.conf")
-        root_logger.error(str(e))
-        sys.exit(1)
-
     # We need to restart apache as we drop a new config file in there
     services.knownservices.httpd.restart(capture_output=True)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 65f9e463d..2ca718a7b 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -41,7 +41,7 @@ import shlex
 import pipes
 from six.moves import urllib
-from six.moves.configparser import ConfigParser
+from six.moves.configparser import ConfigParser, RawConfigParser
 from ipalib import api
 from ipalib import pkcs10, x509
@@ -429,6 +429,7 @@ class CAInstance(DogtagInstance):
         self.step("importing IPA certificate profiles", import_included_profiles)
         self.step("adding default CA ACL", ensure_default_caacl)
+        self.step("updating IPA configuration", update_ipa_conf)
         self.start_creation(runtime=210)
@@ -1343,6 +1344,7 @@ class CAInstance(DogtagInstance):
                   self.track_servercert)
         self.step("Configure HTTP to proxy connections", self.http_proxy)
+        self.step("updating IPA configuration", update_ipa_conf)
         self.step("Restart HTTP server to pick up changes", self.__restart_http_instance)
@@ -1768,6 +1770,21 @@ def ensure_default_caacl():
         api.Backend.ldap2.disconnect()
 
 
+def update_ipa_conf():
+    """
+    Update IPA configuration file to ensure that RA plugins are enabled and
+    that CA host points to localhost
+    """
+    parser = RawConfigParser()
+    parser.read(paths.IPA_DEFAULT_CONF)
+    parser.set('global', 'enable_ra', 'True')
+    parser.set('global', 'ra_plugin', 'dogtag')
+    parser.set('global', 'dogtag_version', '10')
+    parser.remove_option('global', 'ca_host')
+    with open(paths.IPA_DEFAULT_CONF, 'w') as f:
+        parser.write(f)
+
+
 if __name__ == "__main__":
     standard_logging_setup("install.log")
     ds = dsinstance.DsInstance()
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index ec77ab21b..d2b03431e 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
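Review bot: The new step label `"updating IPA configuration"` in the `@@ -1343` hunk is lower-case while its neighbours in that step list ("Configure HTTP to proxy connections", "Restart HTTP server to pick up changes") are capitalised, so the installer's progress output will mix styles in one run; `self.step("Updating IPA configuration", update_ipa_conf)` would match them. The same string in the `@@ -429` hunk sits among lower-case labels ("importing IPA certificate profiles", "adding default CA ACL") and can stay as written. Both enclosing methods start outside their hunks, so there may be other labels I cannot see.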
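Review bot: `update_ipa_conf` in the `@@ -1768` hunk opens `paths.IPA_DEFAULT_CONF` with mode `'w'`, which truncates the live default.conf before `parser.write` runs, so an exception between the open and the write leaves the server with an empty configuration; the block this replaces in ca.py at least caught `IOError`, logged it and exited, whereas here any error propagates out of the step with nothing naming the file. Writing to a temporary file in the same directory and renaming it over the original keeps the old file intact until the new one is complete; the rewritten tail is below (it needs `os`, `stat` and `tempfile` in scope, and copying the mode matters because the parser write produces a fresh file rather than editing in place). The docstring also says the CA host "points to localhost", but the code removes the `ca_host` option, so the text should say what the code does, e.g. `drop any ca_host override so certificate requests go to the local CA`. Note that `RawConfigParser.write` discards comments and reformats the whole file; presumably default.conf is fully generated by the installer, but that is not visible here.
```python
def update_ipa_conf():
    """
    Update IPA configuration file to ensure that RA plugins are enabled and
    drop any ca_host override so certificate requests go to the local CA
    """
    parser = RawConfigParser()
    parser.read(paths.IPA_DEFAULT_CONF)
    # … unchanged: parser.set(...) calls and remove_option …
    # write to a sibling temp file and rename it into place so a failure
    # mid-write never leaves a truncated default.conf behind
    conf_dir = os.path.dirname(paths.IPA_DEFAULT_CONF)
    fd, tmp_path = tempfile.mkstemp(dir=conf_dir)
    try:
        with os.fdopen(fd, 'w') as f:
            parser.write(f)
        mode = stat.S_IMODE(os.stat(paths.IPA_DEFAULT_CONF).st_mode)
        os.chmod(tmp_path, mode)
        os.rename(tmp_path, paths.IPA_DEFAULT_CONF)
    except Exception:
        os.remove(tmp_path)
        raise
```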
@@ -483,6 +483,9 @@ def install_check(installer):
             fd.write("enable_ra=True\n")
             fd.write("ra_plugin=dogtag\n")
             fd.write("dogtag_version=10\n")
+
+            if not config.setup_ca:
+                fd.write("ca_host={0}\n".format(config.master_host_name))
         else:
             fd.write("enable_ra=False\n")
             fd.write("ra_plugin=none\n")
@@ -1174,6 +1177,10 @@ def promote(installer):
                  ipaconf.setOption('enable_ra', 'True'),
                  ipaconf.setOption('ra_plugin', 'dogtag'),
                  ipaconf.setOption('dogtag_version', '10')]
+
+        if not options.setup_ca:
+            gopts.append(ipaconf.setOption('ca_host', config.ca_host_name))
+
         opts = [ipaconf.setSection('global', gopts)]
         ipaconf.changeConf(target_fname, opts)
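Review bot: The `@@ -483` hunk writes `ca_host` as `config.master_host_name`, while the `@@ -1174` hunk in `promote` writes `config.ca_host_name`; the commit message says ca_host should point at the nearest CA master, and the master named in a replica file is not necessarily a CA, so a CA-less replica installed through `install_check` may forward every certificate request to a host that cannot serve them. If the CA-host value `promote` uses is available in this path, write the same thing here, `fd.write("ca_host={0}\n".format(config.ca_host_name))`; otherwise a comment stating why the replica-file master is assumed to run a CA would stop the next reader from "fixing" it either way. Both enclosing functions start and continue outside their hunks. The guard is `config.setup_ca` here and `options.setup_ca` in `promote`; presumably both carry the same flag, but that is not visible in this diff.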