From 3883f1d05046b033a16a31058d929af69d287c01 Mon Sep 17 00:00:00 2001
From: Rei Oliveira
Date: Mon, 30 Jan 2023 14:38:30 -0300
Subject: [PATCH] Support secure LDAP upgrade for AIO-DX (n+2)
This commit adds two upgrade scripts for different stages:
start: backs up data to /opt/platform/config/21.12/ldap/ldap.db
activate: imports data from /opt/platform/config/21.12/ldap/ldap.db
From centos to debian there are many changes to the directory structure and configuration for slapd. The above steps are necessary to ensure data is properly restored in the new version.
Story: 2009303
Task: 47241
Test Plan:
PASS: Run AIO-DX upgrade from a Centos system to a Debian system and verify ldap commands such as ldapfinger and ldapsearch are returning proper data
PASS: Create new openldap user in Centos system, do the upgrade to Debian system and verify that such user is kept and usable after the upgrade.
PASS: After upgrade do ldapfinger and 'getent passwd ' for the default ldap users of operator and admin and verify proper data is returned
Change-Id: Ibb12d6f639115d4a31d6f4c49399525d5148481a
Signed-off-by: Rei Oliveira
---
 .../upgrade-scripts/11-ldap-users-backup.sh | 59 +++++++++++++++++++
 .../67-update-openldap-users.sh | 11 +++-
 2 files changed, 68 insertions(+), 2 deletions(-)
 create mode 100644 controllerconfig/controllerconfig/upgrade-scripts/11-ldap-users-backup.sh
diff --git a/controllerconfig/controllerconfig/upgrade-scripts/11-ldap-users-backup.sh b/controllerconfig/controllerconfig/upgrade-scripts/11-ldap-users-backup.sh
new file mode 100644
index 0000000000..1d1ece316c
--- /dev/null
+++ b/controllerconfig/controllerconfig/upgrade-scripts/11-ldap-users-backup.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+#
+# Copyright (c) 2023 Wind River Systems, Inc.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+#
+# This start script is used to back up ldap data from 21.12
+# so that it can be used later for importing after a platform upgrade.
+
+# The scripts are passed these parameters:
+NAME=$(basename $0)
+FROM_RELEASE=$1
+TO_RELEASE=$2
+ACTION=$3
+
+# This will log to /var/log/platform.log
+function log {
+ logger -p local1.info $1
+}
+
+# Logs using the 'log' function and exits with error
+function exit_with_error {
+ log "$NAME: $1 (RETURNED: $?)"
+ exit 1
+}
+
+# Script start
+log "$NAME: Saving backup of openldap schema files from release $FROM_RELEASE to $TO_RELEASE with action $ACTION"
+
+if [[ "${ACTION}" == "start" ]] && [[ "${FROM_RELEASE}" == "21.12" ]] && [[ "${TO_RELEASE}" == "22.12" ]]; then
+
+ BACKUP_DIR="/opt/platform/config/$FROM_RELEASE/ldap"
+
+ rm -rf $BACKUP_DIR \
+ || exit_with_error "ERROR - Failed to remove directory $BACKUP_DIR"
+
+ mkdir $BACKUP_DIR \
+ || exit_with_error "ERROR - Failed to create directory $BACKUP_DIR"
+
+ log "$NAME: Successfully created directory $BACKUP_DIR"
+
+ /usr/sbin/slapcat -F /etc/openldap/schema -l $BACKUP_DIR/ldap.db \
+ || exit_with_error "ERROR - Failed to export ldap data to $BACKUP_DIR/ldap.db"
+
+ log "$NAME: Successfully exported $BACKUP_DIR/ldap.db"
+
+ chmod -R go= $BACKUP_DIR \
+ || exit_with_error "ERROR - Failed to set permissions to $BACKUP_DIR/ldap.db"
+
+ log "$NAME: Successfully set permissions for $BACKUP_DIR/ldap.db"
+
+ log "$NAME: Script finished successfully."
+else
+ log "$NAME: No actions required for from release $FROM_RELEASE to $TO_RELEASE with action $ACTION"
+fi
+
+exit 0
+
diff --git a/controllerconfig/controllerconfig/upgrade-scripts/67-update-openldap-users.sh b/controllerconfig/controllerconfig/upgrade-scripts/67-update-openldap-users.sh
index 1d48a41573..9168da5f65 100644
--- a/controllerconfig/controllerconfig/upgrade-scripts/67-update-openldap-users.sh
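Review bot: `mkdir $BACKUP_DIR` creates the directory with the process umask and `chmod -R go= $BACKUP_DIR` only runs after slapcat has already written ldap.db, so the export — which carries every attribute of the directory, userPassword values included — can be readable by other local users for the duration of the dump. Creating the directory restrictive from the start closes that window: `mkdir -m 0700 -- "$BACKUP_DIR" \`. The `$BACKUP_DIR` and `$1` expansions in this file are unquoted; the release check keeps the path fixed here, but `rm -rf -- "$BACKUP_DIR"` and `logger -p local1.info "$1"` make that robust rather than incidental. The `(RETURNED: $?)` in exit_with_error reports the failed command's status only because it is the first expansion inside the function; a comment such as `# $? is still the status of the command that invoked us` would keep a later edit from breaking it.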
+++ b/controllerconfig/controllerconfig/upgrade-scripts/67-update-openldap-users.sh
@@ -1,12 +1,13 @@
 #!/bin/bash
 #
-# Copyright (c) 2022 Wind River Systems, Inc.
+# Copyright (c) 2022-2023 Wind River Systems, Inc.
 #
 # SPDX-License-Identifier: Apache-2.0
 #
 #
 # This migration script is used for update openldap users during the
 # activate stage of a platform upgrade. It will:
+# - import data from a previous backup
 # - change admin user's primary group from 'root' to 'users'
 # The migration scripts are passed these parameters:
@@ -33,11 +34,17 @@ if [[ "${ACTION}" == "activate" ]] && [[ "${TO_RELEASE}" == "22.12" ]]; then
 exit 0
 fi
+ if [[ "${FROM_RELEASE}" == "21.12" ]]; then
+ BACKUP_DIR="/opt/platform/config/$FROM_RELEASE/ldap"
+ /usr/sbin/slapadd -F /etc/ldap/schema -l $BACKUP_DIR/ldap.db
+ log "$NAME: Successfully imported ldap data from $BACKUP_DIR/ldap.db"
+ fi
+
 /usr/sbin/ldapsetprimarygroup admin users
 RC=$?
 if [ ${RC} -eq 0 ]; then
- log "$NAME: Successfully updated openldap users."
+ log "$NAME: Successfully updated openldap users. Script finished successfully."
 else
 log "$NAME: ERROR - failed to update openldap users. (RETURNED: $RC)"
 exit 1
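Review bot: The exit status of `/usr/sbin/slapadd -F /etc/ldap/schema -l $BACKUP_DIR/ldap.db` is not checked anywhere in the hunk, so the next line logs "Successfully imported" and the script proceeds to the ldapsetprimarygroup step as if the import had worked, even when the backup file is missing or slapadd rejected it — the upgrade then reports success on a node whose LDAP users were never restored. Handle it the way the ldapsetprimarygroup call below already does: `/usr/sbin/slapadd -F /etc/ldap/schema -l "$BACKUP_DIR/ldap.db" || { log "$NAME: ERROR - failed to import ldap data from $BACKUP_DIR/ldap.db (RETURNED: $?)"; exit 1; }`. slapadd(8) documents that slapd should not be running in read-write mode against the database while it imports, and nothing visible here establishes the service state at the activate stage, so a comment recording that expectation (and, if it is not guaranteed, an explicit check) would help the next maintainer. The enclosing `if [[ "${ACTION}" == "activate" ]] ...` block starts and ends outside this hunk.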