Merge pull request #4947 from lindig/private/christianlin/CP-41796

CP-41796 enable HTTPS migration by default

ocaml/xapi-consts/api_errors.ml

@@ -1288,3 +1288,6 @@ let vtpm_max_amount_reached = "VTPM_MAX_AMOUNT_REACHED"
 
 (* Telemetry *)
 let telemetry_next_collection_too_late = "TELEMETRY_NEXT_COLLECTION_TOO_LATE"
+
+(* FIPS/CC_PREPARATIONS *)
+let illegal_in_fips_mode = "ILLEGAL_IN_FIPS_MODE"

ocaml/xapi/xapi_globs.ml

@@ -817,7 +817,7 @@ let web_dir = ref "/opt/xensource/www"
 
 let website_https_only = ref true
 
-let migration_https_only = ref false
+let migration_https_only = ref true
 
 let cluster_stack_root = ref "/usr/libexec/xapi/cluster-stack"
 

ocaml/xapi/xapi_host.ml

@@ -2994,8 +2994,30 @@ let apply_updates ~__context ~self ~hash =
    *)
   warnings
 
+let cc_prep () =
+  let cc = "CC_PREPARATIONS" in
+  Xapi_inventory.lookup ~default:"false" cc |> String.lowercase_ascii
+  |> function
+  | "true" ->
+      true
+  | "false" ->
+      false
+  | other ->
+      D.warn "%s: %s=%s (assuming true)" __MODULE__ cc other ;
+      true
+
 let set_https_only ~__context ~self ~value =
   let state = match value with true -> "close" | false -> "open" in
-  ignore
-  @@ Helpers.call_script !Xapi_globs.firewall_port_config_script [state; "80"] ;
-  Db.Host.set_https_only ~__context ~self ~value
+  match cc_prep () with
+  | false ->
+      ignore
+      @@ Helpers.call_script
+           !Xapi_globs.firewall_port_config_script
+           [state; "80"] ;
+      Db.Host.set_https_only ~__context ~self ~value
+  | true when value = Db.Host.get_https_only ~__context ~self ->
+      (* the new value is the same as the old value *)
+      ()
+  | true ->
+      (* it is illegal changing the firewall/https config in CC/FIPS mode *)
+      raise (Api_errors.Server_error (Api_errors.illegal_in_fips_mode, []))