From 72e4a584ed19eb9f2bb195a589625f83c90e2741 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sat, 17 Apr 2021 00:58:12 +0200
Subject: [PATCH] Be more robust against re-running the migration
---
 .../0020_ssh_sftp_permissions.py | 34 +++++++++++--------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
index 52d813d32..c3b7a91ec 100644
--- a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
+++ b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
@@ -30,26 +30,32 @@ class MyMigration(Migration): from yunohost.utils.ldap import _get_ldap_interface ldap = _get_ldap_interface() + existing_perms_raw = ldap.search("ou=permission,dc=yunohost,dc=org", "(objectclass=permissionYnh)", ["cn"]) + existing_perms = [perm['cn'][0] for perm in existing_perms_raw] + # Add SSH and SFTP permissions ldap_map = read_yaml('/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml') - ldap.add("cn=ssh.main,ou=permission", ldap_map['depends_children']["cn=ssh.main,ou=permission"]) - ldap.add("cn=sftp.main,ou=permission", ldap_map['depends_children']["cn=sftp.main,ou=permission"]) + if "sftp.main" not in existing_perms: + ldap.add("cn=sftp.main,ou=permission", ldap_map['depends_children']["cn=sftp.main,ou=permission"]) - # Add a bash terminal to each users - users = ldap.search('ou=users,dc=yunohost,dc=org', filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"]) - for user in users: - if user['loginShell'][0] == '/bin/false': - dn = user['dn'][0].replace(',dc=yunohost,dc=org', '') - ldap.update(dn, {'loginShell': ['/bin/bash']}) - else: - user_permission_update("ssh.main", add=user["uid"][0], sync_perm=False) + if "ssh.main" not in existing_perms: + ldap.add("cn=ssh.main,ou=permission", ldap_map['depends_children']["cn=ssh.main,ou=permission"]) - permission_sync_to_user() + # Add a bash terminal to each users + users = ldap.search('ou=users,dc=yunohost,dc=org', filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"]) + for user in users: + if user['loginShell'][0] == '/bin/false': + dn = user['dn'][0].replace(',dc=yunohost,dc=org', '') + ldap.update(dn, {'loginShell': ['/bin/bash']}) + else: + user_permission_update("ssh.main", add=user["uid"][0], sync_perm=False) - # Somehow this is needed otherwise the PAM thing doesn't forget about the - # old loginShell value ? 
- subprocess.call(['nscd', '-i', 'passwd']) + permission_sync_to_user() + + # Somehow this is needed otherwise the PAM thing doesn't forget about the + # old loginShell value ? + subprocess.call(['nscd', '-i', 'passwd']) if '/etc/ssh/sshd_config' in manually_modified_files() \ and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0:
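Review bot: The new `if "ssh.main" not in existing_perms:` guard appears to cover the whole loginShell loop (indentation is lost on this page, so this is inferred from the loop being removed and re-added with identical text), and nothing in the code says why that matters for access control. Once a first pass has rewritten `/bin/false` to `/bin/bash`, a second pass would take the `else` branch and add those users to `ssh.main`, so the guard is what keeps a re-run from granting SSH to accounts that never had a shell; a comment such as `# Run once only: after the first pass, former /bin/false users have /bin/bash and would be granted ssh.main by a second pass` should record that. The guard also keys on the permission entry existing rather than on the loop having finished, so a run that fails after `ldap.add` but before `permission_sync_to_user()` would leave the remaining users unprocessed on retry; that case should be handled or at least documented. The enclosing method starts and ends outside the hunk.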