From 379b560c75bbd5ba9d73a65b5ddfcf086dab3c48 Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Jun 10 2020 14:07:07 +0000
Subject: Fix named.conf update bug NAMED_DNSSEC_VALIDATION
Commit a5cbdb57e50cfc62f61affda19ce878b2abd33de introduced a bug when updating IPA from 4.8.6 to 4.8.7. NAMED_DNSSEC_VALIDATION template variable was not declared.
Fixes: https://pagure.io/freeipa/issue/8363
Signed-off-by: Christian Heimes
Reviewed-By: Alexander Bokovoy
---
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index ac4d369..2adf1a8 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -594,6 +594,15 @@ def named_add_ipa_ext_conf_file():
 logger.info('DNS is not configured.')
 return False
+ # migrate value from named.conf
+ dnssec_validation = bindinstance.named_conf_get_directive(
+ "dnssec-validation",
+ bindinstance.NAMED_SECTION_OPTIONS,
+ str_val=False
+ )
+ if dnssec_validation is None:
+ dnssec_validation = "yes"
+
 tasks = [
 bindinstance.named_add_ext_conf_file(
 paths.NAMED_CUSTOM_CFG_SRC,
@@ -601,7 +610,10 @@ def named_add_ipa_ext_conf_file():
 ),
 bindinstance.named_add_ext_conf_file(
 paths.NAMED_CUSTOM_OPTIONS_CFG_SRC,
- paths.NAMED_CUSTOM_OPTIONS_CONFIG
+ paths.NAMED_CUSTOM_OPTIONS_CONFIG,
+ dict(
+ NAMED_DNSSEC_VALIDATION=dnssec_validation
+ )
 )
 ]
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
index 49878c1..95726ca 100644
--- a/ipatests/prci_definitions/gating.yaml
+++ b/ipatests/prci_definitions/gating.yaml
@@ -286,3 +286,15 @@ jobs:
 template: *ci-master-latest
 timeout: 3600
 topology: *master_1repl_1client
+
+ fedora-latest/test_upgrade:
+ requires: [fedora-latest/build]
+ priority: 100
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest/build_url}'
+ test_suite: test_integration/test_upgrade.py
+ template: *ci-master-latest
+ timeout: 3600
+ topology: *master_1repl
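Review bot: In the first hunk of ipaserver/install/server/upgrade.py, the `dnssec_validation` value read from named.conf is handed to the options template without being checked or logged. An existing `dnssec-validation no;` is carried forward silently, so DNSSEC validation would stay disabled after the upgrade with no trace in the upgrade log, and a value outside BIND's `yes`/`no`/`auto` would presumably be written into the new options file unchanged. Logging the migrated value, for example `logger.info("Migrating dnssec-validation '%s' from named.conf", dnssec_validation)`, and warning when it is `no` would make the outcome auditable. named_add_ipa_ext_conf_file starts and ends outside the hunk, so any logging further down is not visible here.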
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
index cd7341d..4995d69 100644
--- a/ipatests/test_integration/test_upgrade.py
+++ b/ipatests/test_integration/test_upgrade.py
@@ -8,6 +8,8 @@ Module provides tests to verify that the upgrade script works.
 import base64
 from cryptography.hazmat.primitives import serialization
+
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
@@ -65,3 +67,20 @@ class TestUpgrade(IntegrationTest):
 except ValueError:
 raise AssertionError('%s contains a double-encoded cert'
 % entry.dn)
+
+ def test_update_named_conf(self):
+ tasks.install_dns(self.master)
+ # remove files to force a migration
+ self.master.run_command(
+ [
+ "rm",
+ "-f",
+ paths.NAMED_CUSTOM_CONFIG,
+ paths.NAMED_CUSTOM_OPTIONS_CONFIG,
+ ]
+ )
+ self.master.run_command(['ipa-server-upgrade'])
+ txt = self.master.get_file_contents(
+ paths.NAMED_CUSTOM_OPTIONS_CONFIG, encoding="utf-8"
+ )
+ assert "dnssec-validation yes;" in txt
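Review bot: `test_update_named_conf` appears to exercise only the fallback branch of the upgrade code, because after both custom files are removed the assertion `"dnssec-validation yes;" in txt` checks the default rather than a value migrated from named.conf. The path that reads an existing directive, such as an administrator-set `dnssec-validation no;` in the options section of named.conf, stays untested. A second case that sets the directive before running `ipa-server-upgrade` and asserts that the same value lands in `paths.NAMED_CUSTOM_OPTIONS_CONFIG` would cover it. A one-line docstring such as `"""Upgrade must recreate the named custom config files."""` would also document the intent. The TestUpgrade class body starts outside the hunk.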