From fcd40cd3f47b15dae8c2e964e890b69906045f32 Mon Sep 17 00:00:00 2001

From: David Kupka <dkupka@redhat.com>

Date: Wed, 19 Aug 2015 08:10:03 +0200

Subject: [PATCH] Backup/resore authentication control configuration

https://fedorahosted.org/freeipa/ticket/5071

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 ipaplatform/base/tasks.py        | 15 +++++++++++++++

 ipaplatform/redhat/authconfig.py |  6 ++++++

 ipaplatform/redhat/tasks.py      |  8 ++++++++

 ipaserver/install/ipa_backup.py  |  4 ++++

 ipaserver/install/ipa_restore.py |  4 ++++

 5 files changed, 37 insertions(+)

diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py

index 08fdb494a3bfc6c59bebf4af2f72f54a26724700..65715145af533c90038b3e8667da07fd28b7ec56 100644

--- a/ipaplatform/base/tasks.py

+++ b/ipaplatform/base/tasks.py

@@ -150,6 +150,21 @@ class BaseTaskNamespace(object):

         return

+    def backup_auth_configuration(self, path):

+        """

+        Create backup of access control configuration.

+        :param path: store the backup here. This will be passed to

+        restore_auth_configuration as well.

+        """

+        return

+

+    def restore_auth_configuration(self, path):

+        """

+        Restore backup of access control configuration.

+        :param path: restore the backup from here.

+        """

+        return

+

     def set_selinux_booleans(self, required_settings, backup_func=None):

         """Set the specified SELinux booleans

diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py

index 901eb51637d193d80bc3927929d7d436065ec262..edefee8b2b4922ad67cdbac158615ef32c776bb4 100644

--- a/ipaplatform/redhat/authconfig.py

+++ b/ipaplatform/redhat/authconfig.py

@@ -84,3 +84,9 @@ class RedHatAuthConfig(object):

         args = self.build_args()

         ipautil.run(["/usr/sbin/authconfig"] + args)

+

+    def backup(self, path):

+        ipautil.run(["/usr/sbin/authconfig", "--savebackup", path])

+

+    def restore(self, path):

+        ipautil.run(["/usr/sbin/authconfig", "--restorebackup", path])

diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py

index b26604aa736eb472c88bc0dcbc3a4b515712ce9d..1af99d318c6745b1e5285c7829c2b292f86c8390 100644

--- a/ipaplatform/redhat/tasks.py

+++ b/ipaplatform/redhat/tasks.py

@@ -161,6 +161,14 @@ class RedHatTaskNamespace(BaseTaskNamespace):

         auth_config.add_option("nostart")

         auth_config.execute()

+    def backup_auth_configuration(self, path):

+        auth_config = RedHatAuthConfig()

+        auth_config.backup(path)

+

+    def restore_auth_configuration(self, path):

+        auth_config = RedHatAuthConfig()

+        auth_config.restore(path)

+

     def reload_systemwide_ca_store(self):

         try:

             ipautil.run([paths.UPDATE_CA_TRUST])

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py

index d7afb3654b09e88321f1ce9f279749b19c2f6414..0ba44b280dfb7c9d9cbbe2470392c3c98ef35bcc 100644

--- a/ipaserver/install/ipa_backup.py

+++ b/ipaserver/install/ipa_backup.py

@@ -41,6 +41,7 @@ from ipapython import ipaldap

 from ipalib.session import ISO8601_DATETIME_FMT

 from ipalib.constants import CACERT

 from ConfigParser import SafeConfigParser

+from ipaplatform.tasks import tasks

 """

 A test gpg can be generated like this:

@@ -302,6 +303,9 @@ class Backup(admintool.AdminTool):

                     self.db2ldif(instance, 'userRoot', online=options.online)

                     self.db2bak(instance, online=options.online)

             if not options.data_only:

+                # create backup of auth configuration

+                auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')

+                tasks.backup_auth_configuration(auth_backup_path)

                 self.file_backup(options)

             self.finalize_backup(options.data_only, options.gpg, options.gpg_keyring)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py

index 528a6daf0d4b6d3dfc69b6bbf8e8b05ad91ce02d..8960626d0f0e438ef198e2d92803983e520051a8 100644

--- a/ipaserver/install/ipa_restore.py

+++ b/ipaserver/install/ipa_restore.py

@@ -386,6 +386,10 @@ class Restore(admintool.AdminTool):

                     self.log.info('Starting Directory Server')

                     dirsrv.start(capture_output=False)

             else:

+                # restore access controll configuration

+                auth_backup_path = os.path.join(paths.VAR_LIB_IPA, 'auth_backup')

+                if os.path.exists(auth_backup_path):

+                    tasks.restore_auth_configuration(auth_backup_path)

                 # explicitly enable then disable the pki tomcatd service to

                 # re-register its instance. FIXME, this is really wierd.

                 services.knownservices.pki_tomcatd.enable()

-- 

2.4.3