authorTomas Babej <tbabej@redhat.com>2014-05-27 09:13:59 +0200
committerPetr Viktorin <pviktori@redhat.com>2014-06-16 19:48:18 +0200
commit5f31f2d35f714880230c1a92a322c620e8708eb3 (patch)
tree200f71d434d8403df61d7c08b540e73f34897150 /ipaplatform/fedora
parent6a4cd8a4e33fba68c89d6046a98adb790c401041 (diff)
ipaplatform: Do not require custom Authconfig implementations from platform modules
https://fedorahosted.org/freeipa/ticket/4052 Reviewed-By: Petr Viktorin <pviktori@redhat.com>
Diffstat (limited to 'ipaplatform/fedora')
-rw-r--r--ipaplatform/fedora/authconfig.py56
-rw-r--r--ipaplatform/fedora/tasks.py65
2 files changed, 121 insertions, 0 deletions
diff --git a/ipaplatform/fedora/authconfig.py b/ipaplatform/fedora/authconfig.py
new file mode 100644
index 000000000..166a826f7
--- /dev/null
+++ b/ipaplatform/fedora/authconfig.py
@@ -0,0 +1,56 @@
+# Authors: Simo Sorce <ssorce@redhat.com>
+# Alexander Bokovoy <abokovoy@redhat.com>
+# Tomas Babej <tbabej@redhat.com>
+#
+# Copyright (C) 2007-2014 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+from ipapython import ipautil
+from ipaplatform.base.authconfig import AuthConfig
+
+
+class FedoraAuthConfig(AuthConfig):
+ """
+ AuthConfig class implements system-independent interface to configure
+ system authentication resources. In Red Hat-produced systems this is done
+ with authconfig(8) utility.
+ """
+
+ def build_args(self):
+ args = []
+
+ for (option, value) in self.parameters.items():
+ if type(value) is bool:
+ if value:
+ args.append("--enable%s" % (option))
+ else:
+ args.append("--disable%s" % (option))
+ elif type(value) in (tuple, list):
+ args.append("--%s" % (option))
+ args.append("%s" % (value[0]))
+ elif value is None:
+ args.append("--%s" % (option))
+ else:
+ args.append("--%s%s" % (option, value))
+
+ return args
+
+ def execute(self, update=True):
+ if update:
+ self.add_option("update")
+
+ args = self.build_args()
+ ipautil.run(["/usr/sbin/authconfig"] + args)
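Review bot: The final `else` branch of build_args formats the flag as `"--%s%s" % (option, value)`, so any value that is not a bool, a tuple/list or None is glued onto the option name with no separator and reaches authconfig as a single token. How `self.parameters` gets filled is defined in the base class, outside this diff, so the branch may be unreachable today, but it would be safer to emit two argv elements, `args.extend(["--%s" % option, "%s" % value])`, or to raise on an unexpected type. The tuple/list branch also reads only `value[0]`, which silently drops any further elements and raises IndexError on an empty sequence; a short docstring on build_args stating the accepted value types would make that contract explicit. Passing the arguments to `ipautil.run` as a list, with the absolute `/usr/sbin/authconfig` path, is the right shape and should be kept.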
diff --git a/ipaplatform/fedora/tasks.py b/ipaplatform/fedora/tasks.py
index 841b3d4e0..46fc08d70 100644
--- a/ipaplatform/fedora/tasks.py
+++ b/ipaplatform/fedora/tasks.py
@@ -25,6 +25,7 @@ This module contains default Fedora-specific implementations of system tasks.
import os
import ipautil
+from ipaplatform.fedora.authconfig import FedoraAuthConfig
from ipaplatform.base.tasks import *
@@ -76,3 +77,67 @@ def check_selinux_status(restorecon='/sbin/restorecon'):
raise RuntimeError('SELinux is enabled but %s does not exist.\n'
'Install the policycoreutils package and start the '
'installation again.' % restorecon)
+
+
+def restore_pre_ipa_client_configuration(fstore, statestore,
+ was_sssd_installed,
+ was_sssd_configured):
+
+ auth_config = FedoraAuthConfig()
+ if statestore.has_state('authconfig'):
+ # disable only those configurations that we enabled during install
+ for conf in ('ldap', 'krb5', 'sssd', 'sssdauth', 'mkhomedir'):
+ cnf = statestore.restore_state('authconfig', conf)
+ # Do not disable sssd, as this can cause issues with its later
+ # uses. Remove it from statestore however, so that it becomes
+ # empty at the end of uninstall process.
+ if cnf and conf != 'sssd':
+ auth_config.disable(conf)
+ else:
+ # There was no authconfig status store
+ # It means the code was upgraded after original install
+ # Fall back to old logic
+ auth_config.disable("ldap")
+ auth_config.disable("krb5")
+ if not(was_sssd_installed and was_sssd_configured):
+ # Only disable sssdauth. Disabling sssd would cause issues
+ # with its later uses.
+ auth_config.disable("sssdauth")
+ auth_config.disable("mkhomedir")
+
+ auth_config.execute()
+
+
+def set_nisdomain(nisdomain):
+ # Let authconfig setup the permanent configuration
+ auth_config = FedoraAuthConfig()
+ auth_config.add_parameter("nisdomain", nisdomain)
+ auth_config.execute()
+
+
+def modify_nsswitch_pam_stack(sssd, mkhomedir, statestore):
+ auth_config = FedoraAuthConfig()
+
+ if sssd:
+ statestore.backup_state('authconfig', 'sssd', True)
+ statestore.backup_state('authconfig', 'sssdauth', True)
+ auth_config.enable("sssd")
+ auth_config.enable("sssdauth")
+ else:
+ statestore.backup_state('authconfig', 'ldap', True)
+ auth_config.enable("ldap")
+ auth_config.enable("forcelegacy")
+
+ if mkhomedir:
+ statestore.backup_state('authconfig', 'mkhomedir', True)
+ auth_config.enable("mkhomedir")
+
+ auth_config.execute()
+
+
+def modify_pam_to_use_krb5(statestore):
+ auth_config = FedoraAuthConfig()
+ statestore.backup_state('authconfig', 'krb5', True)
+ auth_config.enable("krb5")
+ auth_config.add_option("nostart")
+ auth_config.execute()
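Review bot: In modify_nsswitch_pam_stack and modify_pam_to_use_krb5 every `statestore.backup_state('authconfig', ..., True)` call happens before `auth_config.execute()`, so if the authconfig run fails the state store already records the feature as enabled by the installer. restore_pre_ipa_client_configuration then trusts that record and calls `auth_config.disable(conf)` for it, which could switch off ldap, krb5 or mkhomedir settings the host had before enrollment. Consider recording state only after execute() returns, or recording the previous setting instead of a constant `True`; whether backup_state persists immediately is not visible in this hunk. Separately, `fstore` is accepted by restore_pre_ipa_client_configuration but never used in it, and the four new functions have no docstrings; a one-line docstring each, e.g. `"""Undo the authconfig changes recorded in statestore during client install."""`, would help.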