From 81d5888a2dc512cd0295b860cf8f408dea2e46a0 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale
Date: Wed, 11 May 2016 16:13:51 +1000
Subject: [PATCH] Prevent replica install from overwriting cert profiles

An earlier change that unconditionally triggers import of file-based profiles to LDAP during server or replica install results in replicas overwriting FreeIPA-managed profiles with profiles of the same name shipped with Dogtag. ('caIPAserviceCert' is the affected profile). Avoid this situation by never overwriting existing profiles during the LDAP import.

Fixes: https://fedorahosted.org/freeipa/ticket/5881
Reviewed-By: Jan Cholasta
---
 ipaserver/install/cainstance.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b06760308865aa42afac79d6750f4a422a5c8f95..50ca5d3aeb9be24d8e1e80ad408191fca76a459c 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1763,7 +1763,9 @@ def import_included_profiles():
 conn.add_entry(entry)
 profile_data = ipautil.template_file(
 '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
- _create_dogtag_profile(profile_id, profile_data)
+
+ # Create the profile, replacing any existing profile of same name
+ _create_dogtag_profile(profile_id, profile_data, overwrite=True)
 root_logger.info("Imported profile '%s'", profile_id)
 api.Backend.ra_certprofile.override_port = None
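Review bot: The hard-coded `overwrite=True` on the new `_create_dogtag_profile` call drops the `api.env.context == 'installer'` distinction the old helper made, so if `import_included_profiles` is also reached on upgrade (its callers are not visible here) an existing IPA-managed profile would now be replaced where it was previously kept. If upgrades do go through this path, carry the context explicitly, `_create_dogtag_profile(profile_id, profile_data, overwrite=(api.env.context == 'installer'))`, or extend the added comment to say why unconditional replacement is intended for included profiles. The enclosing loop and the function itself begin outside the hunk.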
@@ -1815,12 +1817,17 @@ def migrate_profiles_to_ldap(dogtag_constants):
 profile_data += '\n'
 profile_data += 'profileId={}\n'.format(profile_id)
 profile_data += 'classId={}\n'.format(class_id)
- _create_dogtag_profile(profile_id, profile_data)
+
+ # Import the profile, but do not replace it if it already exists.
+ # This prevents replicas from replacing IPA-managed profiles with
+ # Dogtag default profiles of same name.
+ #
+ _create_dogtag_profile(profile_id, profile_data, overwrite=False)
 api.Backend.ra_certprofile.override_port = None
-def _create_dogtag_profile(profile_id, profile_data):
+def _create_dogtag_profile(profile_id, profile_data, overwrite):
 with api.Backend.ra_certprofile as profile_api:
 # import the profile
 try:
@@ -1831,9 +1838,8 @@ def _create_dogtag_profile(profile_id, profile_data):
 root_logger.debug("Error migrating '{}': {}".format(
 profile_id, e))
- # conflicting profile; replace it if we are
- # installing IPA, but keep it for upgrades
- if api.env.context == 'installer':
+ # profile already exists
+ if overwrite:
 try:
 profile_api.disable_profile(profile_id)
 except errors.RemoteRetrieveError:
-- 
2.5.5
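Review bot: `_create_dogtag_profile` gains an `overwrite` parameter on the new `def` line but still has no docstring, so nothing at the definition states what happens to an existing profile of the same id in either case, even though both call sites in this patch depend on exactly that distinction. Add a docstring such as `"""Import a profile into Dogtag. If a profile with the same id already exists, replace it when overwrite is true; otherwise leave the existing profile untouched."""`. Both callers pass the flag by keyword, which is worth keeping, since a stray positional truthy argument here would silently replace a profile. The function body continues outside the hunk.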
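Review bot: The new `if overwrite:` decides whether a replica keeps the profile already in LDAP, but the branch taken when the flag is false lies outside the hunk, and nothing visible records that a pre-existing profile was deliberately left in place; if that path does not already log it, a line such as `root_logger.debug("Profile '%s' already exists; not overwriting", profile_id)` would make the decision visible in the install log. The body of the `except errors.RemoteRetrieveError:` handler is also beyond the hunk, so whether a failed disable still proceeds to the replacement steps cannot be judged here. `_create_dogtag_profile` starts in the previous hunk and ends outside this one.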