From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Wed, 29 Jul 2020 13:35:49 +0200

Subject: [PATCH] ipa-client-install: use the authselect backup during

 uninstall

When ipa-client-install is run on a system with no existing

authselect configuration (for instance a fedora 31 new install),

uninstallation is picking sssd profile but this may lead to

a configuration with differences compared to the pre-ipa-client

state.

Now that authselect provides an option to backup the existing

configuration prior to setting a profile, the client install

can save the backup name and uninstall is able to apply the

backup in order to go back to the pre-ipa-client state.

Fixes: https://pagure.io/freeipa/issue/8189

Reviewed-By: Francois Cami <fcami@redhat.com>

Reviewed-By: Michal Polovka <mpolovka@redhat.com>

---

 ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------

 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py

index 758376f2b..89f452d66 100644

--- a/ipaplatform/redhat/authconfig.py

+++ b/ipaplatform/redhat/authconfig.py

@@ -27,6 +27,7 @@ from ipaplatform.paths import paths

 from ipapython import ipautil

 from ipapython.admintool import ScriptError

 import os

+import time

 FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']

@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase):

     def configure(self, sssd, mkhomedir, statestore, sudo=True):

         # In the statestore, the following keys are used for the

         # 'authselect' module:

+        # Old method:

         # profile: name of the profile configured pre-installation

         # features_list: list of features configured pre-installation

         # mkhomedir: True if installation was called with --mkhomedir

         # profile and features_list are used when reverting to the

         # pre-install state

-        cfg = self._parse_authselect_output()

-        if cfg:

-            statestore.backup_state('authselect', 'profile', cfg[0])

-            statestore.backup_state(

-                    'authselect', 'features_list', " ".join(cfg[1]))

-        else:

-            # cfg = None means that the current conf is not managed by

-            # authselect but by authconfig.

-            # As we are using authselect to configure the host,

-            # it will not be possible to revert to a custom authconfig

-            # configuration later (during uninstall)

-            # Best thing to do will be to use sssd profile at this time

-            logger.warning(

-                "WARNING: The configuration pre-client installation is not "

-                "managed by authselect and cannot be backed up. "

-                "Uninstallation may not be able to revert to the original "

-                "state.")

+        # New method:

+        # backup: name of the authselect backup

+        backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S"))

+        statestore.backup_state('authselect', 'backup', backup_name)

         cmd = [paths.AUTHSELECT, "select", "sssd"]

         if mkhomedir:

@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase):

         if sudo:

             cmd.append("with-sudo")

         cmd.append("--force")

+        cmd.append("--backup={}".format(backup_name))

         ipautil.run(cmd)

@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase):

             else:

                 features = []

-        cmd = [paths.AUTHSELECT, "select", profile]

-        cmd.extend(features)

-        cmd.append("--force")

-        ipautil.run(cmd)

+        backup = statestore.restore_state('authselect', 'backup')

+        if backup:

+            cmd = [paths.AUTHSELECT, "backup-restore", backup]

+            ipautil.run(cmd)

+        else:

+            cmd = [paths.AUTHSELECT, "select", profile]

+            cmd.extend(features)

+            cmd.append("--force")

+            ipautil.run(cmd)

     def backup(self, path):

         current = self._get_authselect_current_output()

-- 

2.26.2

# Not needed for 4.7.8 release

#

#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001

#From: Florence Blanc-Renaud <flo@redhat.com>

#Date: Wed, 29 Jul 2020 13:40:26 +0200

#Subject: [PATCH] ipatests: remove the xfail for test_nfs.py

#

#Related: https://pagure.io/freeipa/issue/8189

#Reviewed-By: Francois Cami <fcami@redhat.com>

#Reviewed-By: Michal Polovka <mpolovka@redhat.com>

#---

# ipatests/test_integration/test_nfs.py | 4 ----

# 1 file changed, 4 deletions(-)

#

#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py

#index 7272b0d44..832c56cca 100644

#--- a/ipatests/test_integration/test_nfs.py

#+++ b/ipatests/test_integration/test_nfs.py

#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):

#         cmd = self.clients[0].run_command(sha256nsswitch_cmd)

#         assert cmd.stdout_text == orig_sha256

# 

#-    @pytest.mark.xfail(

#-        reason="https://pagure.io/freeipa/issue/8189",

#-        strict=True

#-    )

#     def test_nsswitch_backup_restore_sssd(self):

#         self.nsswitch_backup_restore()

# 

#-- 

#2.26.2

From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Wed, 29 Jul 2020 17:57:53 +0200

Subject: [PATCH] ipatests: fix test_authselect

Before the code fix, install/uninstall on a config without

any authselect profile was not able to restore the exact

state but configured sssd profile instead.

Now that the code is doing a pre-install backup, uninstall

restores the exact state and the test needs to be updated

accordingly.

Related: https://pagure.io/freeipa/issue/8189

Reviewed-By: Francois Cami <fcami@redhat.com>

Reviewed-By: Michal Polovka <mpolovka@redhat.com>

---

 ipatests/test_integration/test_authselect.py | 13 ++++++++-----

 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py

index bdf7d9f77..cba23e707 100644

--- a/ipatests/test_integration/test_authselect.py

+++ b/ipatests/test_integration/test_authselect.py

@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest):

             ['rm', '-f', '/etc/authselect/authselect.conf'])

         result = self._install_client()

         assert result.returncode == 0

-        assert self.msg_warn_install in result.stderr_text

+        # With the fix for 8189, there is no warning any more

+        # because install is performing a pre-install backup

+        assert self.msg_warn_install not in result.stderr_text

         # Client installation must configure the 'sssd' profile

         # with sudo

         check_authselect_profile(self.client, default_profile, ('with-sudo',))

@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest):

         """

         Test client un-installation when there was no authselect profile

         """

-        # As the client did not have any authselect profile before install,

-        # uninstall must print a warning about restoring 'sssd' profile

-        # by default

+        # The client did not have any authselect profile before install,

+        # but uninstall must be able to restore the backup

+        # Check that no profile is configured after uninstall

         result = self._uninstall_client()

         assert result.returncode == 0

-        check_authselect_profile(self.client, default_profile)

+        assert not self.client.transport.file_exists(

+            '/etc/authselect/authselect.conf')

     def test_install_client_preconfigured_profile(self):

         """

-- 

2.26.2