#8596 improve IPA PKI subsystem detection by other means than a directory presence, use pki-server subsystem-find
Closed: fixed 3 years ago by abbra. Opened 3 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1895197

Description of problem:

improve the way IPA detects PKI services, do not rely on files or directories,
try to rely on the Dogtag tools or interfaces, example:

use
pki-server subsystem-find
from
base/server/python/pki/server/cli/subsystem.py
class SubsystemFindCLI(pki.cli.CLI):

pki-server subsystem-find
-----------------
2 entries matched
-----------------
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True


instead of

/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py

    def is_installed(self):
        """
        Determine if subsystem instance has been installed.
        Returns True/False
        """
        return os.path.exists(os.path.join(
            paths.VAR_LIB_PKI_TOMCAT_DIR, self.subsystem.lower()))


this directory path testing returns an incorrect true status because, for
example, there is no "ipa-kra-install --uninstall" (removed in 2018 / bz 1454444):
ipa-kra-install --uninstall
ERROR: Standalone KRA uninstallation was removed in IPA 4.5 as it had never
worked properly and only caused issues.


real world scenario example:

there is a RHEL-7 IPA replica deployed
that system is updated from RHEL-7.8 to RHEL-7.9
the update fails in IPA, leading to failing "ipactl restart", then to some
serious other problems:


in this case, there was no PKI KRA subsystem configured listed from
ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b "ou=Security Domain,o=ipaca"
nor from a
ipa config-show --all

and no ipara listed from
ldapsearch -o ldif-wrap=no -LLLxD cn=directory\ manager -W -b o=ipaca '(|(uid=ipara)(uid=ipakra))'

but we still had a directory
/var/lib/pki/pki-tomcat/kra/

so the test in
/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py

incorrectly returned a true status in is_installed(self)

that all led to an LDAP error on no ipakra user entry, then to a failed IPA
update, then to a failed ipactl start, and a bad situation.


Version-Release number of selected component (if applicable):
RHEL-7
RHEL-8

How reproducible:


Steps to Reproduce:
1. IPA with CA, NO KRA
2. add a /var/lib/pki/pki-tomcat/kra/ directory
3. try to run the ipa console for
api.Updater[fix_kra_people_entry]()


Actual results:

2020-11-03T17:27:14Z DEBUG Executing upgrade plugin: fix_kra_people_entry
...
2020-11-03T17:27:14Z ERROR Upgrade failed with no such entry
2020-11-03T17:27:14Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/upgradeinstance.py", line 274, in __upgrade
    self.modified = (ld.update(self.files) or self.modified)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ldapupdate.py", line 966, in update
    self._run_updates(all_updates)
...
  File "/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py", line 35, in execute
    entry = self.api.Backend.ldap2.get_entry(krainstance.KRA_AGENT_DN)

then I realized there is no KRA agent LDAP entry
uid=ipakra,ou=people,o=kra,o=ipaca
because that RHEL IPA system has no KRA installed (but has a CA)

so why the failure in fix_kra_people_entry.py if there is no KRA?

the IPA update uses "plug-ins" to update various elements, listed from
/usr/share/ipa/updates/90-post_upgrade_plugins.update

and one of them is
/usr/lib/python2.7/site-packages/ipaserver/install/plugins/fix_kra_people_entry.py

which calls
/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py

which calls a function is_installed()

the problem is that is_installed() simply checks for a directory path to decide that a PKI
subsystem is installed and configured, which is not a sufficient way to detect
the availability of a service.


Expected results:
yes


Additional info:
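As an added illustration (not FreeIPA's code and not the fix in PR 5290), the block below puts the directory check quoted from dogtaginstance.py next to a check that parses the `pki-server subsystem-find` output shown in the ticket. The sample outputs are constructed in that format, and a temporary directory stands in for /var/lib/pki/pki-tomcat when replaying step 2 of the reproducer (a stray kra/ directory on a CA-only system).

```python
import os
import tempfile

# Constructed sample in the format `pki-server subsystem-find` prints in the
# ticket: a CA and a KRA registered in the pki-tomcat instance.
CA_AND_KRA = """\
-----------------
2 entries matched
-----------------
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: True
"""
# Same format for the ticket's reproducer, a CA-only instance (constructed).
CA_ONLY = CA_AND_KRA.replace("2 entries", "1 entries").split("\n\n")[0] + "\n"


def parse_subsystem_find(output: str) -> dict:
    """Map each subsystem id that Dogtag reports to its Enabled flag."""
    found, current = {}, None
    for line in output.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # dashed rules, the entry count and blank lines
        key, value = key.strip(), value.strip()
        if key == "Subsystem ID":
            current = value.lower()
            found[current] = False
        elif key == "Enabled" and current is not None:
            found[current] = value.lower() == "true"
    return found


def directory_check(subsystem: str, pki_tomcat_dir: str) -> bool:
    """The check the ticket objects to: any leftover directory means installed."""
    return os.path.isdir(os.path.join(pki_tomcat_dir, subsystem.lower()))


def registry_check(subsystem: str, output: str) -> bool:
    """Installed only if Dogtag itself lists the subsystem as enabled."""
    return parse_subsystem_find(output).get(subsystem.lower(), False)


def reproduce_stale_kra_dir() -> tuple:
    """Ticket step 2: an empty kra/ directory on a CA-only system (temp root)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "kra"))
    return directory_check("KRA", root), registry_check("KRA", CA_ONLY)
```

On a real server the text passed to `registry_check` would be the stdout of `pki-server subsystem-find`; the two checks disagree exactly in the stale-directory case the ticket describes.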

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1895197

3 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

3 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5290

3 years ago

master:

  • 930453b Improve PKI subsystem detection
  • 526686e ipatests: add test for PKI subsystem detection

ipa-4-8:

  • af830c0 Improve PKI subsystem detection
  • 7d47e37 ipatests: add test for PKI subsystem detection

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

ipa-4-9:

  • cf30cc3 Improve PKI subsystem detection
  • 24f6a36 ipatests: add test for PKI subsystem detection

ipa-4-6:

  • 137c456 Improve PKI subsystem detection
  • 8367ede ipatests: add test for PKI subsystem detection

master:

  • 6e0634b ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

ipa-4-8:

  • 35be925 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

ipa-4-9:

  • 0db2896 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection

ipa-4-6:

  • 46a4e93 ipatest: fix test_upgrade.py::TestUpgrade::()::test_kra_detection
