Be more robust against re-running the migration

2024-09-03 20:06:10 +02:00 · 2021-04-17 00:58:12 +02:00 · 2021-04-17 00:58:12 +02:00 · 72e4a584ed
commit 72e4a584ed
parent aae7c6e296
1 changed files with 20 additions and 14 deletions
--- a/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
+++ b/src/yunohost/data_migrations/0020_ssh_sftp_permissions.py
@ -30,26 +30,32 @@ class MyMigration(Migration):
        from yunohost.utils.ldap import _get_ldap_interface
        ldap = _get_ldap_interface()

+        existing_perms_raw = ldap.search("ou=permission,dc=yunohost,dc=org", "(objectclass=permissionYnh)", ["cn"])
+        existing_perms = [perm['cn'][0] for perm in existing_perms_raw]
+
        # Add SSH and SFTP permissions
        ldap_map = read_yaml('/usr/share/yunohost/yunohost-config/moulinette/ldap_scheme.yml')

-        ldap.add("cn=ssh.main,ou=permission", ldap_map['depends_children']["cn=ssh.main,ou=permission"])
-        ldap.add("cn=sftp.main,ou=permission", ldap_map['depends_children']["cn=sftp.main,ou=permission"])
+        if "sftp.main" not in existing_perms:
+            ldap.add("cn=sftp.main,ou=permission", ldap_map['depends_children']["cn=sftp.main,ou=permission"])

-        # Add a bash terminal to each users
-        users = ldap.search('ou=users,dc=yunohost,dc=org', filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"])
-        for user in users:
-            if user['loginShell'][0] == '/bin/false':
-                dn = user['dn'][0].replace(',dc=yunohost,dc=org', '')
-                ldap.update(dn, {'loginShell': ['/bin/bash']})
-            else:
-                user_permission_update("ssh.main", add=user["uid"][0], sync_perm=False)
+        if "ssh.main" not in existing_perms:
+            ldap.add("cn=ssh.main,ou=permission", ldap_map['depends_children']["cn=ssh.main,ou=permission"])

-        permission_sync_to_user()
+            # Add a bash terminal to each users
+            users = ldap.search('ou=users,dc=yunohost,dc=org', filter="(loginShell=*)", attrs=["dn", "uid", "loginShell"])
+            for user in users:
+                if user['loginShell'][0] == '/bin/false':
+                    dn = user['dn'][0].replace(',dc=yunohost,dc=org', '')
+                    ldap.update(dn, {'loginShell': ['/bin/bash']})
+                else:
+                    user_permission_update("ssh.main", add=user["uid"][0], sync_perm=False)

-        # Somehow this is needed otherwise the PAM thing doesn't forget about the
-        # old loginShell value ?
-        subprocess.call(['nscd', '-i', 'passwd'])
+            permission_sync_to_user()
+
+            # Somehow this is needed otherwise the PAM thing doesn't forget about the
+            # old loginShell value ?
+            subprocess.call(['nscd', '-i', 'passwd'])

        if '/etc/ssh/sshd_config' in manually_modified_files() \
            and os.system("grep -q '^ *AllowGroups\\|^ *AllowUsers' /etc/ssh/sshd_config") != 0: