From ca880cfb117fc870a6e2710b9e31b2f67d5651e1 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 29 Jul 2020 13:35:49 +0200
Subject: [PATCH] ipa-client-install: use the authselect backup during
 uninstall

When ipa-client-install is run on a system with no existing
authselect configuration (for instance a fedora 31 new install),
uninstallation is picking sssd profile but this may lead to
a configuration with differences compared to the pre-ipa-client
state.

Now that authselect provides an option to backup the existing
configuration prior to setting a profile, the client install
can save the backup name and uninstall is able to apply the
backup in order to go back to the pre-ipa-client state.

Fixes: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
 ipaplatform/redhat/authconfig.py | 37 ++++++++++++++------------------
 1 file changed, 16 insertions(+), 21 deletions(-)

diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index 758376f2b..89f452d66 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -27,6 +27,7 @@ from ipaplatform.paths import paths
 from ipapython import ipautil
 from ipapython.admintool import ScriptError
 import os
+import time
 
 FILES_TO_NOT_BACKUP = ['passwd', 'group', 'shadow', 'gshadow']
 
@@ -103,28 +104,16 @@ class RedHatAuthSelect(RedHatAuthToolBase):
     def configure(self, sssd, mkhomedir, statestore, sudo=True):
         # In the statestore, the following keys are used for the
         # 'authselect' module:
+        # Old method:
         # profile: name of the profile configured pre-installation
         # features_list: list of features configured pre-installation
         # mkhomedir: True if installation was called with --mkhomedir
         # profile and features_list are used when reverting to the
         # pre-install state
-        cfg = self._parse_authselect_output()
-        if cfg:
-            statestore.backup_state('authselect', 'profile', cfg[0])
-            statestore.backup_state(
-                    'authselect', 'features_list', " ".join(cfg[1]))
-        else:
-            # cfg = None means that the current conf is not managed by
-            # authselect but by authconfig.
-            # As we are using authselect to configure the host,
-            # it will not be possible to revert to a custom authconfig
-            # configuration later (during uninstall)
-            # Best thing to do will be to use sssd profile at this time
-            logger.warning(
-                "WARNING: The configuration pre-client installation is not "
-                "managed by authselect and cannot be backed up. "
-                "Uninstallation may not be able to revert to the original "
-                "state.")
+        # New method:
+        # backup: name of the authselect backup
+        backup_name = "pre_ipaclient_{}".format(time.strftime("%Y%m%d%H%M%S"))
+        statestore.backup_state('authselect', 'backup', backup_name)
 
         cmd = [paths.AUTHSELECT, "select", "sssd"]
         if mkhomedir:
@@ -133,6 +122,7 @@ class RedHatAuthSelect(RedHatAuthToolBase):
         if sudo:
             cmd.append("with-sudo")
         cmd.append("--force")
+        cmd.append("--backup={}".format(backup_name))
 
         ipautil.run(cmd)
 
@@ -179,10 +169,15 @@ class RedHatAuthSelect(RedHatAuthToolBase):
             else:
                 features = []
 
-        cmd = [paths.AUTHSELECT, "select", profile]
-        cmd.extend(features)
-        cmd.append("--force")
-        ipautil.run(cmd)
+        backup = statestore.restore_state('authselect', 'backup')
+        if backup:
+            cmd = [paths.AUTHSELECT, "backup-restore", backup]
+            ipautil.run(cmd)
+        else:
+            cmd = [paths.AUTHSELECT, "select", profile]
+            cmd.extend(features)
+            cmd.append("--force")
+            ipautil.run(cmd)
 
     def backup(self, path):
         current = self._get_authselect_current_output()
-- 
2.26.2

# Not needed for 4.7.8 release
#
#From 3eaab97e317584bc47d4a27a607267ed90df7ff7 Mon Sep 17 00:00:00 2001
#From: Florence Blanc-Renaud <flo@redhat.com>
#Date: Wed, 29 Jul 2020 13:40:26 +0200
#Subject: [PATCH] ipatests: remove the xfail for test_nfs.py
#
#Related: https://pagure.io/freeipa/issue/8189
#Reviewed-By: Francois Cami <fcami@redhat.com>
#Reviewed-By: Michal Polovka <mpolovka@redhat.com>
#---
# ipatests/test_integration/test_nfs.py | 4 ----
# 1 file changed, 4 deletions(-)
#
#diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
#index 7272b0d44..832c56cca 100644
#--- a/ipatests/test_integration/test_nfs.py
#+++ b/ipatests/test_integration/test_nfs.py
#@@ -363,10 +363,6 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
#         cmd = self.clients[0].run_command(sha256nsswitch_cmd)
#         assert cmd.stdout_text == orig_sha256
# 
#-    @pytest.mark.xfail(
#-        reason="https://pagure.io/freeipa/issue/8189",
#-        strict=True
#-    )
#     def test_nsswitch_backup_restore_sssd(self):
#         self.nsswitch_backup_restore()
# 
#-- 
#2.26.2

From 4baf6b292f28481ece483bb8ecbd6a0807d9d45a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 29 Jul 2020 17:57:53 +0200
Subject: [PATCH] ipatests: fix test_authselect

Before the code fix, install/uninstall on a config without
any authselect profile was not able to restore the exact
state but configured sssd profile instead.

Now that the code is doing a pre-install backup, uninstall
restores the exact state and the test needs to be updated
accordingly.

Related: https://pagure.io/freeipa/issue/8189
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
 ipatests/test_integration/test_authselect.py | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py
index bdf7d9f77..cba23e707 100644
--- a/ipatests/test_integration/test_authselect.py
+++ b/ipatests/test_integration/test_authselect.py
@@ -100,7 +100,9 @@ class TestClientInstallation(IntegrationTest):
             ['rm', '-f', '/etc/authselect/authselect.conf'])
         result = self._install_client()
         assert result.returncode == 0
-        assert self.msg_warn_install in result.stderr_text
+        # With the fix for 8189, there is no warning any more
+        # because install is performing a pre-install backup
+        assert self.msg_warn_install not in result.stderr_text
         # Client installation must configure the 'sssd' profile
         # with sudo
         check_authselect_profile(self.client, default_profile, ('with-sudo',))
@@ -109,12 +111,13 @@ class TestClientInstallation(IntegrationTest):
         """
         Test client un-installation when there was no authselect profile
         """
-        # As the client did not have any authselect profile before install,
-        # uninstall must print a warning about restoring 'sssd' profile
-        # by default
+        # The client did not have any authselect profile before install,
+        # but uninstall must be able to restore the backup
+        # Check that no profile is configured after uninstall
         result = self._uninstall_client()
         assert result.returncode == 0
-        check_authselect_profile(self.client, default_profile)
+        assert not self.client.transport.file_exists(
+            '/etc/authselect/authselect.conf')
 
     def test_install_client_preconfigured_profile(self):
         """
-- 
2.26.2