From c6e09b40cb1be865b3b62a1246f6916368018d34 Mon Sep 17 00:00:00 2001
From: Nils Philippsen
Date: Tue, 2 Feb 2021 18:19:21 +0100
Subject: [PATCH] ipa/client: clean up old 2FA sudo configuration

The old, TOTPCGI-enabled sudo configuration breaks when it should be verifying password and OTP token against what's stored in IPA. If found, or /etc/pam.d/sudo or the sudo package are missing, reinstall the sudo package to fix.

Signed-off-by: Nils Philippsen
---
 roles/ipa/client/tasks/cleanup.yml | 39 ++++++++++++++++++++++++++++++
 roles/ipa/client/tasks/main.yml | 8 ++++++
 2 files changed, 47 insertions(+)
 create mode 100644 roles/ipa/client/tasks/cleanup.yml

diff --git a/roles/ipa/client/tasks/cleanup.yml b/roles/ipa/client/tasks/cleanup.yml
new file mode 100644
index 0000000000..984f05a65b
--- /dev/null
+++ b/roles/ipa/client/tasks/cleanup.yml
@@ -0,0 +1,39 @@
+# REMOVEME: As soon as all (affected) hosts have been migrated over from fas_client, 2fa_client to
+# ipa/client, this can go away.
+#
+# Restore pristine sudo configuration, TOTPCGI configuration messes with IPA integration
+
+- name: Check if /etc/pam.d/sudo exists
+ stat:
+ path: /etc/pam.d/sudo
+ register: pam_sudo_stat
+
+- name: Check if /etc/pam.d/sudo needs to be restored
+ lineinfile:
+ name: /etc/pam.d/sudo
+ regexp: 'pam_url\.so'
+ state: absent
+ check_mode: yes
+ changed_when: false
+ register: pam_sudo_pam_url_so
+ when: pam_sudo_stat.stat.exists and not pam_sudo_stat.stat.islnk
+
+- name: Remove butchered sudo pam.d file
+ file:
+ name: /etc/pam.d/sudo
+ state: absent
+ when: pam_sudo_stat.stat.exists and pam_sudo_pam_url_so.found
+
+- name: Uninstall sudo package, but not any dependencies
+ command:
+ cmd: rpm -e --nodeps sudo
+ # We really don't want to use yum/dnf here
+ warn: no
+ failed_when: false
+ when: not pam_sudo_stat.stat.exists or pam_sudo_pam_url_so.found
+
+- name: (Re)install sudo package
+ package:
+ name: sudo
+ state: present
+ when: not pam_sudo_stat.stat.exists or pam_sudo_pam_url_so.found
diff --git a/roles/ipa/client/tasks/main.yml b/roles/ipa/client/tasks/main.yml
index 2822168dca..e0d591b4d1 100644
--- a/roles/ipa/client/tasks/main.yml
+++ b/roles/ipa/client/tasks/main.yml
@@ -21,6 +21,14 @@
 - ipa/client
 - config
+- name: Clean up annoying remnants of previous FAS client installations
+ import_tasks: cleanup.yml
+ # don't muck with prod for now
+ when: env == 'staging'
+ tags:
+ - ipa/client
+ - fas-client-cleanup
+
 - name: Basic configuration for client on IPA cluster
 delegate_to: "{{ ipa_server }}"
 import_tasks: common.yml
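Review bot: The `rpm -e --nodeps sudo` followed by `package: state: present` leaves the host with no sudo between the two tasks, and if the install step fails (repository unreachable, for instance) the play stops with sudo still missing; as far as I can tell rpm also moves modified %config files such as /etc/sudoers aside as .rpmsave on erase, so local sudoers rules would come back as the stock file after the reinstall. Since the preceding task already deletes the tainted /etc/pam.d/sudo, a `command: cmd: dnf -y reinstall sudo` in place of the erase step should restore the missing file without an uninstall window — worth confirming on one staging host before relying on it. Separately, when /etc/pam.d/sudo exists but is a symlink the lineinfile task is skipped by its own `when:`, so `pam_sudo_pam_url_so.found` is undefined and the three later conditions that read it will error rather than skip; `pam_sudo_pam_url_so.found | default(0)` in each of them avoids that. `check_mode: yes` and `warn: no` should be written `true`/`false` (yamllint truthy).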
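Review bot: The `when: env == 'staging'` gate means every non-staging host keeps the sudo PAM stack the commit message says fails to verify password and OTP against IPA, and nothing in the hunk records when or how the gate is to be lifted. Replace `# don't muck with prod for now` with a comment stating the exit condition, e.g. `# TODO: drop the env gate once cleanup.yml has been verified on staging; see the REMOVEME note there`. Presumably the conditional also errors on any host where `env` is undefined rather than skipping; `when: env | default('') == 'staging'` would make the gate fail closed.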