From 2ed6fb092eac2397f4d6395307c91a497d747ac0 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 3 Sep 2014 15:04:35 +0200 Subject: Backup CS.cfg before modifying it https://fedorahosted.org/freeipa/ticket/4166 Reviewed-By: Petr Viktorin --- install/tools/ipa-upgradeconfig | 1 + ipaserver/install/cainstance.py | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 9535cedd8..5dbf3087b 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1085,6 +1085,7 @@ def main(): sub_dict['SUBJECT_BASE'] = subject_base ca = cainstance.CAInstance(api.env.realm, certs.NSS_DIR) + ca.backup_config() # migrate CRL publish dir before the location in ipa.conf is updated ca_restart = migrate_crl_publish_dir(ca) diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index ce0561a08..b6342a508 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -404,6 +404,7 @@ class CAInstance(DogtagInstance): self.step("creating pki-ca instance", self.create_instance) self.step("configuring certificate server instance", self.__configure_instance) self.step("stopping certificate server instance to update CS.cfg", self.stop_instance) + self.step("backing up CS.cfg", self.backup_config) self.step("disabling nonces", self.__disable_nonce) self.step("set up CRL publishing", self.__enable_crl_publish) self.step("enable PKIX certificate path discovery and validation", self.enable_pkix) @@ -733,6 +734,12 @@ class CAInstance(DogtagInstance): self.log.debug("completed creating ca instance") + def backup_config(self): + try: + backup_config(self.dogtag_constants) + except Exception, e: + root_logger.warning("Failed to backup CS.cfg: %s", e) + def __disable_nonce(self): # Turn off Nonces update_result = installutils.update_file( 
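Review bot: In the `main()` hunk of install/tools/ipa-upgradeconfig, `ca.backup_config()` runs unconditionally right after the `CAInstance` is constructed, and nothing visible checks that a CA is configured on this host. If the upgrade tool also runs on servers without a CA, the copy will fail and log `Failed to backup CS.cfg` on every run, which teaches operators to ignore a warning that matters on CA hosts. Consider placing the call behind the same configured-CA condition the rest of `main()` uses. `main()` continues outside the hunk, so such a check may exist further down, but it would come after this call.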
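Review bot: `CAInstance.backup_config` (hunk at -733) catches bare `Exception` and only logs a warning, so the following install steps still rewrite CS.cfg with no backup, and a programming error such as an AttributeError on `dogtag_constants` is reported as a backup failure. The same handler shape is repeated in the hunk at -1587, there with `syslog.syslog`. I would narrow both to the errors a file copy can raise, `except EnvironmentError, e:`, and decide explicitly whether a failed backup should abort the "backing up CS.cfg" step instead of letting it appear completed. The method is fully contained in the hunk.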
@@ -1587,6 +1594,11 @@ class CAInstance(DogtagInstance): 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} + try: + backup_config(dogtag_constants) + except Exception, e: + syslog.syslog(syslog.LOG_ERR, "Failed to backup CS.cfg: %s" % e) + DogtagInstance.update_cert_cs_cfg( nickname, cert, directives, dogtag.configured_constants().CS_CFG_PATH, @@ -1715,6 +1727,15 @@ def install_replica_ca(config, postinstall=False): return ca +def backup_config(dogtag_constants=None): + """ + Create a backup copy of CS.cfg + """ + if dogtag_constants is None: + dogtag_constants = dogtag.configured_constants() + + shutil.copy(dogtag_constants.CS_CFG_PATH, + dogtag_constants.CS_CFG_PATH + '.ipabkp') def update_people_entry(dercert): """ -- cgit
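Review bot: In the hunk at -1587 the backup is taken from `dogtag_constants.CS_CFG_PATH`, while the update on the following context lines writes `dogtag.configured_constants().CS_CFG_PATH`. If the `dogtag_constants` in scope ever differs from the configured constants, the file backed up is not the file modified. Use one source for both, for example `backup_config(dogtag.configured_constants())`, or change the update call to pass `dogtag_constants.CS_CFG_PATH`. The enclosing function starts and ends outside the hunk, so where `dogtag_constants` comes from is not visible here.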
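Review bot: `backup_config` (hunk at -1715) writes to a fixed name with `shutil.copy`, which opens `CS_CFG_PATH + '.ipabkp'` by name and writes through whatever already exists there, including a symbolic link. If the CA configuration directory is writable by the CA service account (not visible here) and this runs as root, the destination should be created exclusively and then moved into place. The fixed name also means every call replaces the previous backup, so a CS.cfg damaged by one run can overwrite the last good copy on the next; keeping the first backup or adding a timestamp suffix would avoid that. The docstring could also state the backup path and that copy errors propagate to the caller. The sketch below assumes `os` is already imported in cainstance.py.

```python
def backup_config(dogtag_constants=None):
    # … unchanged: docstring and dogtag_constants default …
    path = dogtag_constants.CS_CFG_PATH
    bak_path = path + '.ipabkp'
    tmp_path = bak_path + '.tmp'
    # O_EXCL refuses any pre-existing file or symlink at the temporary name
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, 'wb') as dst, open(path, 'rb') as src:
            shutil.copyfileobj(src, dst)
        shutil.copystat(path, tmp_path)
        # rename replaces the destination name itself, it does not follow a link
        os.rename(tmp_path, bak_path)
    except Exception:
        os.unlink(tmp_path)
        raise
```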