4.6.3-3: fix KRA upgrade issue, remove mod_wsgi confict

- Don't fail on upgrades if KRA is not installed
- Remove Conflicts between mod_wsgi and python3-mod_wsgi

0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch

@@ -0,0 +1,71 @@
+From 8821f7ae8e666b4ae42e232c672d616bf7fbffeb Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Sun, 4 Feb 2018 11:40:24 -0500
+Subject: [PATCH] Fix detection of KRA installation so upgrades can succeed
+
+Use is_installed() instead of is_configured() because
+is_installed() does a config file check to see if the service
+is in use.
+
+https://pagure.io/freeipa/issue/7389
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/install/server/upgrade.py       |  4 ++--
+ ipatests/test_integration/test_upgrade.py | 21 +++++++++++++++++++++
+ 2 files changed, 23 insertions(+), 2 deletions(-)
+ create mode 100644 ipatests/test_integration/test_upgrade.py
+
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 07cc18a78..23173c0ca 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1710,7 +1710,7 @@ def upgrade_configuration():
+             )
+         upgrade_pki(ca, fstore)
+ 
+-        if kra.is_configured():
++        if kra.is_installed():
+             logger.info('[Ensuring ephemeralRequest is enabled in KRA]')
+             kra.backup_config()
+             value = installutils.get_directive(
+@@ -1728,7 +1728,7 @@ def upgrade_configuration():
+     # by checking status using http
+     if ca.is_configured():
+         ca.start('pki-tomcat')
+-    if kra.is_configured() and not kra.is_running():
++    if kra.is_installed() and not kra.is_running():
+         # This is for future-proofing in case the KRA is ever standalone.
+         kra.start('pki-tomcat')
+ 
+diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
+new file mode 100644
+index 000000000..951747b0b
+--- /dev/null
++++ b/ipatests/test_integration/test_upgrade.py
+@@ -0,0 +1,21 @@
++#
++# Copyright (C) 2018  FreeIPA Contributors see COPYING for license
++#
++
++"""
++Module provides tests to verify that the upgrade script works.
++"""
++
++from ipatests.test_integration.base import IntegrationTest
++from ipatests.pytest_plugins.integration import tasks
++
++
++class TestUpgrade(IntegrationTest):
++    @classmethod
++    def install(cls, mh):
++        tasks.install_master(cls.master, setup_dns=False)
++
++    def test_invoke_upgrader(self):
++        cmd = self.master.run_command(['ipa-server-upgrade'],
++                                      raiseonerr=False)
++        assert cmd.returncode == 0
+-- 
+2.14.3
+

0002-Replace-wsgi-package-conflict-with-config-file.patch

@@ -0,0 +1,252 @@
+From 748ca34eae43f50b2c9e3ff3295b6ad490633df2 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Tue, 6 Feb 2018 10:05:49 +0100
+Subject: [PATCH] Replace wsgi package conflict with config file
+
+Instead of a package conflict, freeIPA now uses an Apache config file to
+enforce the correct wsgi module. The workaround only applies to Fedora
+since it is the only platform that permits parallel installation of
+Python 2 and Python 3 mod_wsgi modules. RHEL 7 has only Python 2 and
+Debian doesn't permit installation of both variants.
+
+See: https://pagure.io/freeipa/issue/7161
+Fixes: https://pagure.io/freeipa/issue/7394
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+---
+ install/share/Makefile.am                  |  1 +
+ install/share/ipa-httpd-wsgi.conf.template |  7 +++++++
+ ipaplatform/base/constants.py              |  4 ++++
+ ipaplatform/base/paths.py                  |  2 ++
+ ipaplatform/base/tasks.py                  |  4 ++++
+ ipaplatform/debian/tasks.py                |  5 +++++
+ ipaplatform/fedora/constants.py            |  6 +++++-
+ ipaplatform/fedora/paths.py                |  4 +++-
+ ipaplatform/redhat/tasks.py                | 31 ++++++++++++++++++++++++++++++
+ ipaserver/install/httpinstance.py          |  7 ++++++-
+ ipaserver/install/server/upgrade.py        |  7 +++++++
+ 11 files changed, 75 insertions(+), 3 deletions(-)
+ create mode 100644 install/share/ipa-httpd-wsgi.conf.template
+
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index b1285854ea..abdf3ac648 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -85,6 +85,7 @@ dist_app_DATA =				\
+ 	kdcproxy-enable.uldif		\
+ 	kdcproxy-disable.uldif		\
+ 	ipa-httpd.conf.template		\
++	ipa-httpd-wsgi.conf.template	\
+ 	gssapi.login			\
+ 	gssproxy.conf.template		\
+ 	kdcproxy.wsgi			\
+diff --git a/install/share/ipa-httpd-wsgi.conf.template b/install/share/ipa-httpd-wsgi.conf.template
+new file mode 100644
+index 0000000000..89d424665a
+--- /dev/null
++++ b/install/share/ipa-httpd-wsgi.conf.template
+@@ -0,0 +1,7 @@
++# Do not edit. Created by IPA installer.
++
++# Some platforms allow parallel installation of Python 2 and 3 mod_wsgi
++# modules, but the modules can't coexist. Enforce loading of correct
++# WSGI module before the package's default config.
++
++LoadModule wsgi_module $WSGI_MODULE
+diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
+index 94bd0f8a10..ca4a12ec01 100644
+--- a/ipaplatform/base/constants.py
++++ b/ipaplatform/base/constants.py
+@@ -39,5 +39,9 @@ class BaseConstantsNamespace(object):
+     SSSD_USER = "sssd"
+     # sql (new format), dbm (old format)
+     NSS_DEFAULT_DBTYPE = 'dbm'
++    # WSGI module override, only used on Fedora
++    MOD_WSGI_PYTHON2 = None
++    MOD_WSGI_PYTHON3 = None
++
+ 
+ constants = BaseConstantsNamespace()
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 3bb32416d6..753e8e80e7 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -48,6 +48,8 @@ class BasePathNamespace(object):
+     HTTPD_IPA_CONF = "/etc/httpd/conf.d/ipa.conf"
+     HTTPD_NSS_CONF = "/etc/httpd/conf.d/nss.conf"
+     HTTPD_SSL_CONF = "/etc/httpd/conf.d/ssl.conf"
++    # only used on Fedora
++    HTTPD_IPA_WSGI_MODULES_CONF = None
+     OLD_IPA_KEYTAB = "/etc/httpd/conf/ipa.keytab"
+     HTTP_KEYTAB = "/var/lib/ipa/gssproxy/http.keytab"
+     HTTPD_PASSWORD_CONF = "/etc/httpd/conf/password.conf"
+diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
+index 8f73eaddc2..d4b56318e3 100644
+--- a/ipaplatform/base/tasks.py
++++ b/ipaplatform/base/tasks.py
+@@ -211,6 +211,10 @@ def remove_httpd_service_ipa_conf(self):
+         """Remove configuration of httpd service of IPA"""
+         raise NotImplementedError()
+ 
++    def configure_httpd_wsgi_conf(self):
++        """Configure WSGI for correct Python version"""
++        raise NotImplementedError()
++
+     def is_fips_enabled(self):
+         return False
+ 
+diff --git a/ipaplatform/debian/tasks.py b/ipaplatform/debian/tasks.py
+index 6c41a35e77..4537260146 100644
+--- a/ipaplatform/debian/tasks.py
++++ b/ipaplatform/debian/tasks.py
+@@ -47,4 +47,9 @@ def restore_auth_configuration(path):
+     def parse_ipa_version(version):
+         return BaseTaskNamespace.parse_ipa_version(version)
+ 
++    def configure_httpd_wsgi_conf(self):
++        # Debian doesn't require special mod_wsgi configuration
++        pass
++
++
+ tasks = DebianTaskNamespace()
+diff --git a/ipaplatform/fedora/constants.py b/ipaplatform/fedora/constants.py
+index ce03f58cf9..79e7bd9a5e 100644
+--- a/ipaplatform/fedora/constants.py
++++ b/ipaplatform/fedora/constants.py
+@@ -11,6 +11,10 @@
+ 
+ 
+ class FedoraConstantsNamespace(RedHatConstantsNamespace):
+-    pass
++    # Fedora allows installation of Python 2 and 3 mod_wsgi, but the modules
++    # can't coexist. For Apache to load correct module.
++    MOD_WSGI_PYTHON2 = "modules/mod_wsgi.so"
++    MOD_WSGI_PYTHON3 = "modules/mod_wsgi_python3.so"
++
+ 
+ constants = FedoraConstantsNamespace()
+diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
+index 49a904f2f2..5238cdb4f4 100644
+--- a/ipaplatform/fedora/paths.py
++++ b/ipaplatform/fedora/paths.py
+@@ -27,7 +27,9 @@
+ 
+ 
+ class FedoraPathNamespace(RedHatPathNamespace):
+-    pass
++    HTTPD_IPA_WSGI_MODULES_CONF = (
++        "/etc/httpd/conf.modules.d/02-ipa-wsgi.conf"
++    )
+ 
+ 
+ paths = FedoraPathNamespace()
+diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
+index 79bd5335ea..701c280ec0 100644
+--- a/ipaplatform/redhat/tasks.py
++++ b/ipaplatform/redhat/tasks.py
+@@ -30,6 +30,7 @@
+ import socket
+ import traceback
+ import errno
++import sys
+ 
+ from ctypes.util import find_library
+ from functools import total_ordering
+@@ -484,6 +485,36 @@ def configure_http_gssproxy_conf(self, ipaapi_user):
+         os.chmod(paths.GSSPROXY_CONF, 0o600)
+         self.restore_context(paths.GSSPROXY_CONF)
+ 
++    def configure_httpd_wsgi_conf(self):
++        """Configure WSGI for correct Python version (Fedora)
++
++        See https://pagure.io/freeipa/issue/7394
++        """
++        conf = paths.HTTPD_IPA_WSGI_MODULES_CONF
++        if sys.version_info.major == 2:
++            wsgi_module = constants.MOD_WSGI_PYTHON2
++        else:
++            wsgi_module = constants.MOD_WSGI_PYTHON3
++
++        if conf is None or wsgi_module is None:
++            logger.info("Nothing to do for configure_httpd_wsgi_conf")
++            return
++
++        confdir = os.path.dirname(conf)
++        if not os.path.isdir(confdir):
++            os.makedirs(confdir)
++
++        ipautil.copy_template_file(
++            os.path.join(
++                paths.USR_SHARE_IPA_DIR, 'ipa-httpd-wsgi.conf.template'
++            ),
++            conf,
++            dict(WSGI_MODULE=wsgi_module)
++        )
++
++        os.chmod(conf, 0o644)
++        self.restore_context(conf)
++
+     def remove_httpd_service_ipa_conf(self):
+         """Remove systemd config for httpd service of IPA"""
+         try:
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 8f3b5937fd..46764e6aa7 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -213,6 +213,7 @@ def remove_httpd_ccaches(self):
+ 
+     def __configure_http(self):
+         self.update_httpd_service_ipa_conf()
++        self.update_httpd_wsgi_conf()
+ 
+         target_fname = paths.HTTPD_IPA_CONF
+         http_txt = ipautil.template_file(
+@@ -508,6 +509,9 @@ def enable_and_start_oddjobd(self):
+     def update_httpd_service_ipa_conf(self):
+         tasks.configure_httpd_service_ipa_conf()
+ 
++    def update_httpd_wsgi_conf(self):
++        tasks.configure_httpd_wsgi_conf()
++
+     def uninstall(self):
+         if self.is_configured():
+             self.print_msg("Unconfiguring web server")
+@@ -564,7 +568,8 @@ def uninstall(self):
+         installutils.remove_file(paths.HTTPD_IPA_PKI_PROXY_CONF)
+         installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK)
+         installutils.remove_file(paths.HTTPD_IPA_KDCPROXY_CONF)
+-        tasks.remove_httpd_service_ipa_conf()
++        if paths.HTTPD_IPA_WSGI_MODULES_CONF is not None:
++            installutils.remove_file(paths.HTTPD_IPA_WSGI_MODULES_CONF)
+ 
+         # Restore SELinux boolean states
+         boolean_states = {name: self.restore_state(name)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index 07cc18a78c..b12d80f105 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -1458,11 +1458,17 @@ def update_mod_nss_cipher_suite(http):
+         'cipher_suite_updated',
+         httpinstance.NSS_CIPHER_REVISION)
+ 
++
+ def update_ipa_httpd_service_conf(http):
+     logger.info('[Updating HTTPD service IPA configuration]')
+     http.update_httpd_service_ipa_conf()
+ 
+ 
++def update_ipa_http_wsgi_conf(http):
++    logger.info('[Updating HTTPD service IPA WSGI configuration]')
++    http.update_httpd_wsgi_conf()
++
++
+ def update_http_keytab(http):
+     logger.info('[Moving HTTPD service keytab to gssproxy]')
+     if os.path.exists(paths.OLD_IPA_KEYTAB):
+@@ -1782,6 +1788,7 @@ def upgrade_configuration():
+     http.stop()
+     disable_httpd_system_trust(http)
+     update_ipa_httpd_service_conf(http)
++    update_ipa_http_wsgi_conf(http)
+     update_mod_nss_protocol(http)
+     update_mod_nss_cipher_suite(http)
+     disable_mod_nss_ocsp(http)

freeipa.spec

@@ -88,7 +88,7 @@
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -98,6 +98,10 @@ Source0:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
+# https://pagure.io/freeipa/issue/7389
+Patch0001:		0001-Fix-detection-of-KRA-installation-so-upgrades-can-su.patch
+# https://pagure.io/freeipa/issue/7394
+Patch0002:		0002-Replace-wsgi-package-conflict-with-config-file.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -328,14 +332,12 @@ Requires(postun): python3
 Requires: python3-gssapi >= 1.2.0-5
 Requires: python3-systemd
 Requires: python3-mod_wsgi
-Conflicts: mod_wsgi
 %else
 Requires(preun): python2
 Requires(postun): python2
 Requires: python2-gssapi >= 1.2.0-5
 Requires: python2-systemd
 Requires: mod_wsgi
-Conflicts: python3-mod_wsgi
 %endif
 Requires: mod_auth_gssapi >= 1.5.0
 # 1.0.14-3: https://bugzilla.redhat.com/show_bug.cgi?id=1431206
@@ -1775,6 +1777,10 @@ fi
 %endif # with_ipatests
 
 %changelog
+* Thu Feb  8 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.3-3
+- Don't fail on upgrades if KRA is not installed
+- Remove Conflicts between mod_wsgi and python3-mod_wsgi
+
 * Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 4.6.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild