Prevent replica install from overwriting cert profiles

An earlier change that unconditionally triggers import of file-based profiles to LDAP during server or replica install results in replicas overwriting FreeIPA-managed profiles with profiles of the same name shipped with Dogtag. ('caIPAserviceCert' is the affected profile). Avoid this situation by never overwriting existing profiles during the LDAP import. Fixes: https://fedorahosted.org/freeipa/ticket/5881 Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2024-12-26 00:41:25 -06:00 · 2016-05-11 16:13:51 +10:00 · 2016-05-11 16:13:51 +10:00 · 5dad49688c
commit 5dad49688c
parent 144a367d35
1 changed files with 12 additions and 6 deletions
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@ -1664,7 +1664,9 @@ def import_included_profiles():
            conn.add_entry(entry)
            profile_data = ipautil.template_file(
                '/usr/share/ipa/profiles/{}.cfg'.format(profile_id), sub_dict)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Create the profile, replacing any existing profile of same name
+            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
            root_logger.info("Imported profile '%s'", profile_id)

    api.Backend.ra_certprofile.override_port = None
@ -1716,12 +1718,17 @@ def migrate_profiles_to_ldap():
                profile_data += '\n'
            profile_data += 'profileId={}\n'.format(profile_id)
            profile_data += 'classId={}\n'.format(class_id)
-            _create_dogtag_profile(profile_id, profile_data)
+
+            # Import the profile, but do not replace it if it already exists.
+            # This prevents replicas from replacing IPA-managed profiles with
+            # Dogtag default profiles of same name.
+            #
+            _create_dogtag_profile(profile_id, profile_data, overwrite=False)

    api.Backend.ra_certprofile.override_port = None


-def _create_dogtag_profile(profile_id, profile_data):
+def _create_dogtag_profile(profile_id, profile_data, overwrite):
    with api.Backend.ra_certprofile as profile_api:
        # import the profile
        try:
@ -1732,9 +1739,8 @@ def _create_dogtag_profile(profile_id, profile_data):
            root_logger.debug("Error migrating '{}': {}".format(
                profile_id, e))

-            # conflicting profile; replace it if we are
-            # installing IPA, but keep it for upgrades
-            if api.env.context == 'installer':
+            # profile already exists
+            if overwrite:
                try:
                    profile_api.disable_profile(profile_id)
                except errors.RemoteRetrieveError: