Merge pull request #4451 from tpurschke/develop

Hotfix - missing disposed userConfig ExtRequest module

Author: tpurschke

roles/api/handlers/main.yml

@@ -21,7 +21,7 @@
   listen: "api handler"
 
 - name: restore from backup
-  include_tasks: hasura-install.yml
+  include_tasks: ../tasks/rollback-restore.yml
   listen: "api handler"
 
 - name: fail message

roles/api/tasks/hasura-install.yml

@@ -52,15 +52,21 @@
   when:
     - installation_mode == "upgrade"
     - hasura_admin_secret_file.stat.exists
-    - api_use_existing_hasura_on_upgrade | default(false) | bool
 
-- name: set hasura admin secret from existing file
+- name: cache existing hasura admin secret during upgrade
   set_fact:
-    api_hasura_admin_secret: "{{ existing_hasura_admin_secret['content'] | b64decode | trim }}"
+    api_existing_hasura_admin_secret: "{{ existing_hasura_admin_secret['content'] | b64decode | trim }}"
   when:
     - installation_mode == "upgrade"
     - hasura_admin_secret_file.stat.exists
+
+- name: set hasura admin secret from existing file
+  set_fact:
+    api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
+  when:
+    - installation_mode == "upgrade"
     - api_use_existing_hasura_on_upgrade | default(false) | bool
+    - api_existing_hasura_admin_secret is defined
 
 - name: set static hasura admin pwd for test purposes only
   set_fact:
@@ -76,22 +82,30 @@
   when:
     - api_hasura_admin_secret is not defined
 
-- name: write hasura admin password to secrets directory
-  copy:
-    content: "{{ api_hasura_admin_secret }}\n"
-    dest: "{{ fworch_secrets_dir }}/hasura_admin_pwd"
-    mode: "0600"
-    owner: "{{ fworch_user }}"
-    group: "{{ fworch_group }}"
-  become: true
-  when:
-    - installation_mode != "upgrade" or not (api_use_existing_hasura_on_upgrade | default(false) | bool) or not hasura_admin_secret_file.stat.exists
-
 - name: check for existing hasura cli file
   stat:
     path: "{{ api_hasura_cli_bin }}"
   register: api_cli_check
 
+- name: detect whether upgrade can reuse installed Hasura
+  set_fact:
+    api_hasura_upgrade_reuse_possible: >-
+      {{
+        installation_mode == "upgrade"
+        and (api_existing_service_name | default('') | length > 0)
+        and hasura_admin_secret_file.stat.exists
+      }}
+
+- name: fail when Hasura upgrade reuse was requested without reusable state
+  fail:
+    msg: >-
+      Hasura upgrade fallback requires both an installed Hasura service unit and the existing
+      {{ fworch_secrets_dir }}/hasura_admin_pwd secret file.
+  when:
+    - installation_mode == "upgrade"
+    - api_use_existing_hasura_on_upgrade | default(false) | bool
+    - not api_hasura_upgrade_reuse_possible | bool
+
 - name: build GitHub auth header
   set_fact:
     api_github_auth_header: "{{ {'Authorization': 'Bearer ' ~ api_github_token} if api_github_token is defined else {} }}"
@@ -149,6 +163,50 @@
       when: hasura_cli_asset_id is defined
   rescue:
     - name: download {{ api_hasura_version }} hasura cli binary via direct GitHub download after asset API failure
+      block:
+        - name: download {{ api_hasura_version }} hasura cli binary via direct GitHub download after asset API failure
+          get_url:
+            url: "https://github.com/hasura/graphql-engine/releases/download/{{ api_hasura_version }}/cli-hasura-linux-{{ linux_architecture }}"
+            dest: "{{ api_hasura_cli_bin }}"
+            force: true
+            timeout: "{{ github_download_timeout }}"
+            mode: "0755"
+            owner: "{{ fworch_user }}"
+            group: "{{ fworch_group }}"
+          environment: "{{ proxy_env }}"
+          register: api_hasura_cli_download_fallback
+          retries: 3
+          delay: 5
+          until: api_hasura_cli_download_fallback is succeeded
+          become: true
+      rescue:
+        - name: fall back to existing Hasura after CLI download failure during upgrade
+          set_fact:
+            api_use_existing_hasura_on_upgrade: true
+            api_service_name: "{{ api_existing_service_name }}"
+            api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
+          when: api_hasura_upgrade_reuse_possible | bool
+
+        - name: show Hasura CLI upgrade fallback decision
+          debug:
+            msg: >-
+              Hasura CLI download failed during upgrade, reusing the installed Hasura service/container
+              and continuing with metadata-only upgrade steps. Docker-to-Podman migration is deferred
+              until a later run can download the required artifacts.
+          when: api_hasura_upgrade_reuse_possible | bool
+
+        - name: fail when Hasura CLI download fails without upgrade fallback
+          fail:
+            msg: >-
+              Failed to download Hasura CLI and no existing Hasura service is available for upgrade fallback.
+          when: not api_hasura_upgrade_reuse_possible | bool
+  when:
+    - not api_cli_check.stat.exists
+    - not api_use_existing_hasura_on_upgrade | default(false) | bool
+
+- name: download {{ api_hasura_version }} hasura cli binary via direct GitHub download when no asset id was found
+  block:
+    - name: download {{ api_hasura_version }} hasura cli binary via direct GitHub download when no asset id was found
       get_url:
         url: "https://github.com/hasura/graphql-engine/releases/download/{{ api_hasura_version }}/cli-hasura-linux-{{ linux_architecture }}"
         dest: "{{ api_hasura_cli_bin }}"
@@ -163,25 +221,28 @@
       delay: 5
       until: api_hasura_cli_download_fallback is succeeded
       become: true
-  when:
-    - not api_cli_check.stat.exists
-    - not api_use_existing_hasura_on_upgrade | default(false) | bool
-
-- name: download {{ api_hasura_version }} hasura cli binary via direct GitHub download when no asset id was found
-  get_url:
-    url: "https://github.com/hasura/graphql-engine/releases/download/{{ api_hasura_version }}/cli-hasura-linux-{{ linux_architecture }}"
-    dest: "{{ api_hasura_cli_bin }}"
-    force: true
-    timeout: "{{ github_download_timeout }}"
-    mode: "0755"
-    owner: "{{ fworch_user }}"
-    group: "{{ fworch_group }}"
-  environment: "{{ proxy_env }}"
-  register: api_hasura_cli_download_fallback
-  retries: 3
-  delay: 5
-  until: api_hasura_cli_download_fallback is succeeded
-  become: true
+  rescue:
+    - name: fall back to existing Hasura after direct CLI download failure during upgrade
+      set_fact:
+        api_use_existing_hasura_on_upgrade: true
+        api_service_name: "{{ api_existing_service_name }}"
+        api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
+      when: api_hasura_upgrade_reuse_possible | bool
+
+    - name: show Hasura direct CLI upgrade fallback decision
+      debug:
+        msg: >-
+          Direct Hasura CLI download failed during upgrade, reusing the installed Hasura service/container
+          and continuing with metadata-only upgrade steps. Docker-to-Podman migration is deferred
+          until a later run can download the required artifacts.
+      when: api_hasura_upgrade_reuse_possible | bool
+
+    - name: fail when direct Hasura CLI download fails without upgrade fallback
+      fail:
+        msg: >-
+          Failed to download Hasura CLI from the release URL and no existing Hasura service is available
+          for upgrade fallback.
+      when: not api_hasura_upgrade_reuse_possible | bool
   when:
     - not api_cli_check.stat.exists
     - not api_use_existing_hasura_on_upgrade | default(false) | bool
@@ -198,6 +259,69 @@
     - not api_cli_check.stat.exists
     - not api_use_existing_hasura_on_upgrade | default(false) | bool
 
+- name: set Hasura image reuse mode
+  set_fact:
+    api_reuse_existing_hasura_image: >-
+      {{
+        installation_mode == "upgrade"
+        and (api_use_existing_hasura_on_upgrade | default(false) | bool)
+        and api_hasura_keep_existing_container | default(true) | bool
+      }}
+
+- name: set Hasura systemd dependencies
+  set_fact:
+    api_hasura_systemd_after: >-
+      {{
+        ['network.target', 'remote-fs.target', 'nss-lookup.target']
+        + (['postgresql.service'] if 'databaseserver' in group_names else [])
+      }}
+
+- name: ensure Hasura image is present
+  block:
+    - name: ensure Hasura image is present
+      containers.podman.podman_image:
+        name: "{{ api_hasura_image }}"
+        state: present
+      environment: "{{ proxy_env }}"
+      become: true
+  rescue:
+    - name: fall back to existing Hasura image after pull failure during upgrade
+      set_fact:
+        api_use_existing_hasura_on_upgrade: true
+        api_reuse_existing_hasura_image: true
+        api_service_name: "{{ api_existing_service_name }}"
+        api_hasura_admin_secret: "{{ api_existing_hasura_admin_secret }}"
+      when: api_hasura_upgrade_reuse_possible | bool
+
+    - name: show Hasura image upgrade fallback decision
+      debug:
+        msg: >-
+          Hasura image pull failed during upgrade, reusing the installed Hasura service/container
+          and continuing with metadata-only upgrade steps. Docker-to-Podman migration is deferred
+          until a later run can download the required artifacts.
+      when: api_hasura_upgrade_reuse_possible | bool
+
+    - name: fail when Hasura image pull fails without upgrade fallback
+      fail:
+        msg: >-
+          Failed to pull Hasura image {{ api_hasura_image }} and no existing Hasura service is available
+          for upgrade fallback.
+      when: not api_hasura_upgrade_reuse_possible | bool
+  when:
+    - not api_reuse_existing_hasura_image | bool
+    - api_rollback_is_running | default(false) | bool == false
+
+- name: write hasura admin password to secrets directory
+  copy:
+    content: "{{ api_hasura_admin_secret }}\n"
+    dest: "{{ fworch_secrets_dir }}/hasura_admin_pwd"
+    mode: "0600"
+    owner: "{{ fworch_user }}"
+    group: "{{ fworch_group }}"
+  become: true
+  when:
+    - installation_mode != "upgrade" or not (api_use_existing_hasura_on_upgrade | default(false) | bool) or not hasura_admin_secret_file.stat.exists
+
 - name: set hasura env variable
   set_fact:
     hasura_env:
@@ -226,33 +350,6 @@
     var: hasura_env
   when: debug_level > '1'
 
-- name: set Hasura image reuse mode
-  set_fact:
-    api_reuse_existing_hasura_image: >-
-      {{
-        installation_mode == "upgrade"
-        and (api_use_existing_hasura_on_upgrade | default(false) | bool)
-        and api_hasura_keep_existing_container | default(true) | bool
-      }}
-
-- name: set Hasura systemd dependencies
-  set_fact:
-    api_hasura_systemd_after: >-
-      {{
-        ['network.target', 'remote-fs.target', 'nss-lookup.target']
-        + (['postgresql.service'] if 'databaseserver' in group_names else [])
-      }}
-
-- name: ensure Hasura image is present
-  containers.podman.podman_image:
-    name: "{{ api_hasura_image }}"
-    state: present
-  environment: "{{ proxy_env }}"
-  become: true
-  when:
-    - not api_reuse_existing_hasura_image | bool
-    - api_rollback_is_running | default(false) | bool == false
-
 - name: write Hasura env file for Podman
   copy:
     dest: "{{ api_env_file }}"

roles/api/tasks/rollback-restore.yml

@@ -0,0 +1,33 @@
+- name: collect installed Hasura service unit candidates for rollback
+  stat:
+    path: "/lib/systemd/system/{{ item }}.service"
+  loop: "{{ [api_service_name] + (api_legacy_service_names | default([])) }}"
+  register: api_restore_service_unit_candidates
+  become: true
+
+- name: pick Hasura service name for rollback restore
+  set_fact:
+    api_restore_service_name: >-
+      {{
+        (
+          api_restore_service_unit_candidates.results
+          | selectattr('stat.exists')
+          | map(attribute='item')
+          | list
+          | first
+        ) | default(api_service_name)
+      }}
+
+- name: clear Hasura service failed state during rollback
+  command: "systemctl reset-failed {{ api_restore_service_name }}"
+  become: true
+  failed_when: false
+
+- name: start Hasura service during rollback
+  ansible.builtin.systemd:
+    name: "{{ api_restore_service_name }}"
+    state: started
+    enabled: true
+    daemon_reload: true
+  become: true
+  failed_when: false

roles/lib/files/FWO.Report/ReportAppRules.cs

@@ -24,7 +24,7 @@ public ReportAppRules(ReportRules reportRules, ModellingFilter modellingFilter)
         {
             this.modellingFilter = modellingFilter;
         }
-        
+
         public override async Task Generate(int elementsPerFetch, ApiConnection apiConnection, Func<ReportData, Task> callback, CancellationToken ct)
         {
             await base.Generate(elementsPerFetch, apiConnection, callback, ct);

roles/middleware/files/FWO.Middleware.Server/Controllers/ExternalRequestController.cs

@@ -40,10 +40,9 @@ public async Task<bool> Post([FromBody] ExternalRequestAddParameters parameters)
         {
             if (parameters.TicketId > 0)
             {
-                GlobalConfig GlobalConfig = await GlobalConfig.ConstructAsync(apiConnection, true);
-                UserConfig userConfig = new(GlobalConfig, apiConnection, new() { Language = GlobalConst.kEnglish });
-
-                ExternalRequestHandler extRequestHandler = new(userConfig, apiConnection);
+                using GlobalConfig GlobalConfig = await GlobalConfig.ConstructAsync(apiConnection, true);
+                using UserConfig userConfig = new(GlobalConfig, apiConnection, new() { Language = GlobalConst.kEnglish });
+                using ExternalRequestHandler extRequestHandler = new(userConfig, apiConnection);
                 return await extRequestHandler.SendFirstRequest(parameters.TicketId);
             }
             else
@@ -70,9 +69,9 @@ public async Task<bool> Change([FromBody] ExternalRequestPatchStateParameters pa
         {
             if (parameters.ExtRequestId > 0)
             {
-                GlobalConfig GlobalConfig = await GlobalConfig.ConstructAsync(apiConnection, true);
-                UserConfig userConfig = new(GlobalConfig, apiConnection, new() { Language = GlobalConst.kEnglish });
-                ExternalRequestHandler extRequestHandler = new(userConfig, apiConnection);
+                using GlobalConfig GlobalConfig = await GlobalConfig.ConstructAsync(apiConnection, true);
+                using UserConfig userConfig = new(GlobalConfig, apiConnection, new() { Language = GlobalConst.kEnglish });
+                using ExternalRequestHandler extRequestHandler = new(userConfig, apiConnection);
                 ExternalRequest extRequest = new()
                 {
                     Id = parameters.ExtRequestId,

roles/middleware/files/FWO.Middleware.Server/Controllers/RuleController.cs

@@ -404,19 +404,19 @@ public bool IsInRange(IPAddress ipAddress, int minPrefix, List<NetworkObject> ob
             {
                 continue;
             }
-            
+
             int rangePrefix = CommonPrefixLength(start, end);
 
             if (rangePrefix < minPrefix)
             {
                 break;
             }
-            
+
             if (IsInRange(ipAddress, start, end))
             {
                 return true;
             }
-            
+
         }
 
         return false;

roles/middleware/files/FWO.Middleware.Server/ExternalRequestHandler.cs

@@ -559,7 +559,8 @@ protected virtual void Dispose(bool disposing)
             {
                 if (disposing)
                 {
-                    UserConfig?.Dispose();
+                    // UserConfig is caller-owned and can be reused across multiple request handling steps.
+                    // Disposing it here breaks subsequent handler instances that receive the same config.
                 }
                 disposed = true;
             }