server upgrade: always upgrade KRA agent PEM file

Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/6675

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

2 files changed, 5 insertions, 3 deletions

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61f5..5d5fb993f 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -39,6 +39,7 @@ class BasePathNamespace(object):
     HOSTS = "/etc/hosts"
     ETC_HTTPD_DIR = "/etc/httpd"
     HTTPD_ALIAS_DIR = "/etc/httpd/alias"
+    OLD_KRA_AGENT_PEM = "/etc/httpd/alias/kra-agent.pem"
     IPA_RADB_DIR = "/var/lib/ipa/radb"
     HTTPD_CONF_D_DIR = "/etc/httpd/conf.d/"
     HTTPD_IPA_KDCPROXY_CONF = "/etc/ipa/kdcproxy/ipa-kdc-proxy.conf"
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e65592c19..1acad5556 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1386,7 +1386,9 @@ def fix_trust_flags():
 def export_kra_agent_pem():
     root_logger.info('[Exporting KRA agent PEM file]')
 
-    if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'):
+    sysupgrade.remove_upgrade_state('http', 'export_kra_agent_pem')
+
+    if os.path.exists(paths.KRA_AGENT_PEM):
         root_logger.info("KRA agent PEM file already exported")
         return
 
@@ -1395,8 +1397,7 @@ def export_kra_agent_pem():
         return
 
     krainstance.export_kra_agent_pem()
-
-    sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True)
+    installutils.remove_file(paths.OLD_KRA_AGENT_PEM)
 
 
 def update_mod_nss_protocol(http):