URL: https://github.com/freeipa/freeipa/pull/2366
Author: flo-renaud
 Title: #2366: [Backport][ipa-4-7] authselect: harden uninstallation of ipa 
client
Action: opened

PR body:
"""
This PR was opened automatically because PR #2363 was pushed to master and 
backport to ipa-4-7 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2366/head:pr2366
git checkout pr2366
From fb62f1cb2f0ce87ac7f472dbfca8bc0ac0fd8117 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 14 Sep 2018 18:08:26 +0200
Subject: [PATCH 1/2] authselect: harden uninstallation of ipa client

When ipa client is uninstalled, the content of sysrestore.state
is read to restore the previous authselect profile and features.
The code should properly handle the case where sysrestore.state
contains the header for the authselect section, but the key=value
entries for profile and features are missing.

Fixes https://pagure.io/freeipa/issue/7657
---
 ipaplatform/redhat/authconfig.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipaplatform/redhat/authconfig.py b/ipaplatform/redhat/authconfig.py
index ba85537dc7..ab3775e9e9 100644
--- a/ipaplatform/redhat/authconfig.py
+++ b/ipaplatform/redhat/authconfig.py
@@ -162,8 +162,10 @@ def unconfigure(
             profile = 'sssd'
             features = ''
         else:
-            profile = statestore.restore_state('authselect', 'profile')
-            features = statestore.restore_state('authselect', 'features_list')
+            profile = \
+                statestore.restore_state('authselect', 'profile') or 'sssd'
+            features = \
+                statestore.restore_state('authselect', 'features_list') or ''
             statestore.delete_state('authselect', 'mkhomedir')
 
         cmd = [paths.AUTHSELECT, "select", profile, features, "--force"]
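Review bot: The `or 'sssd'` fallback on the restored profile is silent, so an uninstall that could not restore the pre-enrollment authselect profile leaves the host's PAM/nsswitch configuration on a default the administrator did not choose, with nothing logged to show it. A warning on that path would make it auditable, for example `logger.warning("authselect profile missing from sysrestore.state, falling back to 'sssd'")`, assuming the module has a logger (its imports are outside the hunk). Separately, when `features` falls back to `''`, the context line `cmd = [paths.AUTHSELECT, "select", profile, features, "--force"]` still passes an empty string as its own argv element, and how authselect treats that is not visible here; `cmd = [paths.AUTHSELECT, "select", profile] + features.split() + ["--force"]` would avoid it. The body of `unconfigure` starts and ends outside the hunk.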

From 48653c2e8520f18348b539deae36f7e9dcd51081 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Fri, 14 Sep 2018 18:12:40 +0200
Subject: [PATCH 2/2] tests: add test for uninstall with incomplete
 sysrestore.state

Add a test that performs client uninstallation when sysrestore.state
contains the header for the [authselect] section but does not
contain a value for profile and features.

Related to https://pagure.io/freeipa/issue/7657
---
 ipatests/test_integration/test_authselect.py | 29 ++++++++++++++++++--
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_authselect.py b/ipatests/test_integration/test_authselect.py
index fa9b202654..5dbfce88c9 100644
--- a/ipatests/test_integration/test_authselect.py
+++ b/ipatests/test_integration/test_authselect.py
@@ -8,9 +8,10 @@
 
 from __future__ import absolute_import
 
+import os
 import pytest
 
-import ipaplatform.paths
+from ipaplatform.paths import paths
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.pytest_ipa.integration import tasks
 
@@ -44,7 +45,7 @@ def apply_authselect_profile(host, profile, options=()):
 
 
 @pytest.mark.skipif(
-    ipaplatform.paths.paths.AUTHSELECT is None,
+    paths.AUTHSELECT is None,
     reason="Authselect is only available in fedora-like distributions")
 class TestClientInstallation(IntegrationTest):
     """
@@ -187,6 +188,28 @@ def test_install_client_no_sudo(self):
         # but not with sudo (because of extraargs)
         check_authselect_profile(self.client, default_profile, ())
 
+    def test_uninstall_wrong_sysrestore(self):
+        """
+        Test client uninstallation when sysrestore.state is incomplete
+        Test for issue 7657
+        """
+        # Remove the keys 'profile' and 'features_list' from sysrestore.state
+        def keep(line):
+            if line.startswith('profile') or line.startswith('features_list'):
+                return False
+            return True
+
+        sysrestore_state_file = os.path.join(paths.IPA_CLIENT_SYSRESTORE,
+                                             "sysrestore.state")
+        content = self.client.get_file_contents(sysrestore_state_file,
+                                                encoding='utf-8')
+        lines = [line.rstrip() for line in content.split('\n') if keep(line)]
+        new_content = '\n'.join(lines)
+        self.client.put_file_contents(sysrestore_state_file, new_content)
+
+        result = self._uninstall_client()
+        assert result.returncode == 0
+
     @classmethod
     def uninstall(cls, mh):
         super(TestClientInstallation, cls).uninstall(mh)
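Review bot: `test_uninstall_wrong_sysrestore` asserts only `result.returncode == 0`, so it would still pass if the uninstall exited cleanly but left the client on an unexpected authselect profile. Since the fix under test falls back to `sssd` with no features, the test could also check the resulting state with the helper already used in the context lines above, e.g. `check_authselect_profile(self.client, default_profile, ())`, assuming `default_profile` (defined outside the hunk) is `sssd`. The `keep` filter also drops any line starting with `profile` or `features_list` in every section of sysrestore.state, not only `[authselect]`; a one-line comment stating that this is acceptable for the fixture would make the intent clear.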
@@ -195,7 +218,7 @@ def uninstall(cls, mh):
 
 
 @pytest.mark.skipif(
-    ipaplatform.paths.paths.AUTHSELECT is None,
+    paths.AUTHSELECT is None,
     reason="Authselect is only available in fedora-like distributions")
 class TestServerInstallation(IntegrationTest):
     """