Fixes for MII domain using domainInfo.ServerStartMode: secure (#3642)

jshum2479 · anpanigr · web-flow · commit 493c7f801c14 · 2022-11-10T15:10:55.000-05:00
* Fixes for MII domain using domainInfo.ServerStartMode: secure

Co-authored-by: Antaryami Panigrahi &lt;antaryami.panigrahi@oracle.com&gt;
diff --git a/operator/src/main/resources/scripts/introspectDomain.py b/operator/src/main/resources/scripts/introspectDomain.py
@@ -2004,11 +2004,23 @@ def getRealListenPort(template):
 
 # Derive the default value for SecureMode of a domain
 def isSecureModeEnabledForDomain(domain):
-  secureModeEnabled = false
-  if domain.getSecurityConfiguration().getSecureMode() != None:
-    secureModeEnabled = domain.getSecurityConfiguration().getSecureMode().isSecureModeEnabled()
+  secureModeEnabled = False
+
+  # Do not use domain.getSecurityConfiguration().getSecureMode()
+  # it will result in cie error in MII domain created by ServerStartMode: secure
+  # switched to use lsa() to avoid cie not exposing the function
+
+  cd('/SecurityConfiguration/' + domain.getName())
+  childs = ls(returnType='c', returnMap='true')
+  if 'SecureMode' in childs:
+    cd('SecureMode/NO_NAME_0')
+    attributes = ls(returnType='a', returnMap='true')
+    if attributes['SecureModeEnabled']:
+      secureModeEnabled = True
   else:
     secureModeEnabled = domain.isProductionModeEnabled() and not LegalHelper.versionEarlierThan(domain.getDomainVersion(), "14.1.2.0")
+
+
   return secureModeEnabled
 
 def isAdministrationPortEnabledForDomain(domain):
diff --git a/operator/src/main/resources/scripts/model_wdt_mii_filter.py b/operator/src/main/resources/scripts/model_wdt_mii_filter.py
@@ -376,32 +376,36 @@ def getAdministrationPort(server, topology):
   return port
 
 
-def isAdministrationPortEnabledForServer(server, topology):
+def isAdministrationPortEnabledForServer(server, model):
   administrationPortEnabled = False
   if 'AdministrationPortEnabled' in server:
     administrationPortEnabled = server['AdministrationPortEnabled']
   else:
-    administrationPortEnabled = isAdministrationPortEnabledForDomain(topology)
+    administrationPortEnabled = isAdministrationPortEnabledForDomain(model)
   return administrationPortEnabled
 
 
-def isAdministrationPortEnabledForDomain(topology):
+def isAdministrationPortEnabledForDomain(model):
   administrationPortEnabled = False
-
+  topology = model['topology']
   if 'AdministrationPortEnabled' in topology:
     administrationPortEnabled = topology['AdministrationPortEnabled']
   else:
     # AdministrationPortEnabled is not explicitly set so going with the default
     # Starting with 14.1.2.0, the domain's AdministrationPortEnabled default is derived from the domain's SecureMode
-    administrationPortEnabled = isSecureModeEnabledForDomain(topology)
+    administrationPortEnabled = isSecureModeEnabledForDomain(model)
   return administrationPortEnabled
 
 
 # Derive the default value for SecureMode of a domain
-def isSecureModeEnabledForDomain(topology):
+def isSecureModeEnabledForDomain(model):
   secureModeEnabled = False
+  topology = model['topology']
+  domain_info = model['domainInfo']
   if 'SecurityConfiguration' in topology and 'SecureMode' in topology['SecurityConfiguration'] and 'SecureModeEnabled' in topology['SecurityConfiguration']['SecureMode']:
     secureModeEnabled = topology['SecurityConfiguration']['SecureMode']['SecureModeEnabled']
+  elif 'ServerStartMode' in domain_info and domain_info['ServerStartMode'] == 'secure':
+    secureModeEnabled = True
   else:
     is_production_mode_enabled = False
     if 'ProductionModeEnabled' in topology:
@@ -449,7 +453,7 @@ def _get_ssl_listen_port(server):
     ssl_listen_port = ssl['ListenPort']
     if ssl_listen_port is None:
       ssl_listen_port = "7002"
-  elif ssl is None and isSecureModeEnabledForDomain(model['topology']):
+  elif ssl is None and isSecureModeEnabledForDomain(model):
     ssl_listen_port = "7002"
   return ssl_listen_port
 
@@ -480,8 +484,7 @@ def addAdminChannelPortForwardNetworkAccessPoints(server):
       customAdminChannelPort = nap['ListenPort']
       _writeAdminChannelPortForwardNAP(name='internal-admin' + str(index), server=server,
                                        listen_port=customAdminChannelPort, protocol='admin')
-
-  if isAdministrationPortEnabledForServer(server, model['topology']):
+  if isAdministrationPortEnabledForServer(server, model):
     _writeAdminChannelPortForwardNAP(name='internal-admin', server=server,
                                      listen_port=getAdministrationPort(server, model['topology']), protocol='admin')
   elif index == 0:
@@ -493,7 +496,7 @@ def addAdminChannelPortForwardNetworkAccessPoints(server):
       ssl_listen_port = ssl['ListenPort']
       if ssl_listen_port is None:
         ssl_listen_port = "7002"
-    elif ssl is None and isSecureModeEnabledForDomain(model['topology']):
+    elif ssl is None and isSecureModeEnabledForDomain(model):
       ssl_listen_port = "7002"
 
     if ssl_listen_port is not None:
diff --git a/operator/src/test/python/test_wdt_mii_filter.py b/operator/src/test/python/test_wdt_mii_filter.py
@@ -296,7 +296,7 @@ def test_readDomainNameFromTopologyYaml(self):
 
   def test_isAdministrationPortEnabledForDomain(self):
     model = self.getModel()
-    self.assertTrue(model_wdt_mii_filter.isAdministrationPortEnabledForDomain(model['topology']))
+    self.assertTrue(model_wdt_mii_filter.isAdministrationPortEnabledForDomain(model))
 
   def test_isAdministrationPortEnabledForServer(self):
     model = self.getModel()
@@ -307,7 +307,15 @@ def test_isAdministrationPortEnabledForServer(self):
     # enable Administration port for server
     model['topology']['Server']['admin-server']['AdministrationPortEnabled'] = True
 
-    self.assertTrue(model_wdt_mii_filter.isAdministrationPortEnabledForServer(model['topology']['Server']['admin-server'], model['topology']))
+    self.assertTrue(model_wdt_mii_filter.isAdministrationPortEnabledForServer(model['topology']['Server']['admin-server'], model))
+
+  def test_isAdministrationPortEnabledForServerFromDomainInfo(self):
+    model = self.getModel()
+
+    # disable Administration port for domain
+    model['domainInfo']['ServerStartMode'] = 'secure'
+
+    self.assertTrue(model_wdt_mii_filter.isAdministrationPortEnabledForServer(model['topology']['Server']['admin-server'], model))
 
   def test_isSecureModeEnabledForDomain(self):
     model = self.getModel()
@@ -317,7 +325,7 @@ def test_isSecureModeEnabledForDomain(self):
     model['topology']['SecurityConfiguration']['SecureMode'] = {}
     model['topology']['SecurityConfiguration']['SecureMode']['SecureModeEnabled'] = True
 
-    self.assertTrue(model_wdt_mii_filter.isSecureModeEnabledForDomain(model['topology']))
+    self.assertTrue(model_wdt_mii_filter.isSecureModeEnabledForDomain(model))
 
 
   def test_istioVersionRequiresLocalHostBindings(self):
