ipatests: test_replica_promotion.py: test KRA on Hidden Replica

The Hidden replica tests did not test what happened when KRA was
installed on a hidden replica and then other KRAs instantiated from
this original one. Add a test scenario that covers this.

Related: https://pagure.io/freeipa/issue/8240
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>

ipatests/prci_definitions/nightly_latest.yaml

@@ -884,6 +884,18 @@ jobs:
         timeout: 7200
         topology: *master_2repl_1client
 
+  fedora-latest/test_replica_promotion_TestHiddenReplicaKRA:
+    requires: [fedora-latest/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-latest/build_url}'
+        test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA
+        template: *ci-master-latest
+        timeout: 7200
+        topology: *master_2repl_1client
+
   fedora-latest/test_upgrade:
     requires: [fedora-latest/build]
     priority: 50

ipatests/prci_definitions/nightly_latest_testing.yaml

@@ -940,6 +940,19 @@ jobs:
         timeout: 7200
         topology: *master_2repl_1client
 
+  testing-fedora/test_replica_promotion_TestHiddenReplicaKRA:
+    requires: [testing-fedora/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{testing-fedora/build_url}'
+        update_packages: True
+        test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA
+        template: *testing-master-latest
+        timeout: 7200
+        topology: *master_2repl_1client
+
   testing-fedora/test_upgrade:
     requires: [testing-fedora/build]
     priority: 50

ipatests/prci_definitions/nightly_previous.yaml

@@ -884,6 +884,18 @@ jobs:
         timeout: 7200
         topology: *master_2repl_1client
 
+  fedora-previous/test_replica_promotion_TestHiddenReplicaKRA:
+    requires: [fedora-previous/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-previous/build_url}'
+        test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA
+        template: *ci-master-previous
+        timeout: 7200
+        topology: *master_2repl_1client
+
   fedora-previous/test_upgrade:
     requires: [fedora-previous/build]
     priority: 50

ipatests/prci_definitions/nightly_rawhide.yaml

@@ -953,6 +953,19 @@ jobs:
         timeout: 7200
         topology: *master_2repl_1client
 
+  fedora-rawhide/test_replica_promotion_TestHiddenReplicaKRA:
+    requires: [fedora-rawhide/build]
+    priority: 50
+    job:
+      class: RunPytest
+      args:
+        build_url: '{fedora-rawhide/build_url}'
+        update_packages: True
+        test_suite: test_integration/test_replica_promotion.py::TestHiddenReplicaKRA
+        template: *ci-master-frawhide
+        timeout: 7200
+        topology: *master_2repl_1client
+
   fedora-rawhide/test_upgrade:
     requires: [fedora-rawhide/build]
     priority: 50

ipatests/test_integration/test_replica_promotion.py

@@ -970,3 +970,63 @@ class TestHiddenReplicaPromotion(IntegrationTest):
         result = self.replicas[0].run_command([
             'ipa-crlgen-manage', 'status'])
         assert "CRL generation: enabled" in result.stdout_text
+
+
+class TestHiddenReplicaKRA(IntegrationTest):
+    """Test KRA & hidden replica features.
+    """
+    topology = 'star'
+    num_replicas = 2
+
+    @classmethod
+    def install(cls, mh):
+        tasks.install_master(cls.master, setup_dns=True, setup_kra=False)
+        # hidden replica with CA and DNS
+        tasks.install_replica(
+            cls.master, cls.replicas[0],
+            setup_dns=True, setup_kra=False,
+            extra_args=('--hidden-replica',)
+        )
+        # normal replica with CA and DNS
+        tasks.install_replica(
+            cls.replicas[0], cls.replicas[1],
+            setup_dns=True, setup_kra=False
+        )
+
+    def test_install_kra_on_hidden_replica(self):
+        # manually install KRA on hidden replica.
+        tasks.install_kra(self.replicas[0])
+
+    @pytest.mark.xfail(reason='freeipa ticket 8240', strict=True)
+    def test_kra_hidden_no_preconfig(self):
+        """Test installing KRA on a replica when all KRAs are hidden.
+           https://pagure.io/freeipa/issue/8240
+        """
+
+        result = tasks.install_kra(self.replicas[1], raiseonerr=False)
+
+        if result.returncode == 0:
+            # If KRA installation was successful, the only clean-up possible is
+            # uninstalling the whole replica as hiding the last visible KRA
+            # member is inhibited by design.
+            # This step is necessary so that the next test runs with all KRA
+            # members hidden too.
+            tasks.uninstall_replica(self.master, self.replicas[1])
+
+        assert "Failed to find an active KRA server!" not in result.stderr_text
+        assert result.returncode == 0
+
+    def test_kra_hidden_temp(self):
+        """Test for workaround: temporarily un-hide the hidden replica.
+           https://pagure.io/freeipa/issue/8240
+        """
+        self.replicas[0].run_command([
+            'ipa', 'server-state',
+            self.replicas[0].hostname, '--state=enabled'
+        ])
+        result = tasks.install_kra(self.master, raiseonerr=False)
+        self.replicas[0].run_command([
+            'ipa', 'server-state',
+            self.replicas[0].hostname, '--state=hidden'
+        ])
+        assert result.returncode == 0