Fix pwquality configuration and silent scriptlets

Resolves:
- Scriptlets should no produce any error messages (RHBZ #1622272)
- Provide fix for pwquality configuration (RHBZ #1618865)

0001-lib-fix-profile-origin-debug-message.patch

@@ -0,0 +1,29 @@
+From 607235797f0503178f81b5a2074803fdddd84071 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 4 Sep 2018 12:33:21 +0200
+Subject: [PATCH 1/7] lib: fix profile origin debug message
+
+Previously, we failed to match the location and always print that
+the selected profile is a default profile.
+---
+ src/lib/profiles/read.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/lib/profiles/read.c b/src/lib/profiles/read.c
+index 002329090cec29eee7969a5f04634ba1bb214a4c..a3a3e62788a3b3ae493a22a8b8e10170d572fc6f 100644
+--- a/src/lib/profiles/read.c
++++ b/src/lib/profiles/read.c
+@@ -125,9 +125,9 @@ authselect_profile_open(const char *id,
+             return ret;
+         }
+
+-        if (strcmp(location, DIR_CUSTOM_PROFILES) == 0) {
++        if (strcmp(locations[i], DIR_CUSTOM_PROFILES) == 0) {
+             INFO("Profile [%s] is a custom profile", id);
+-        } else if (strcmp(location, DIR_VENDOR_PROFILES) == 0) {
++        } else if (strcmp(locations[i], DIR_VENDOR_PROFILES) == 0) {
+             INFO("Profile [%s] is a vendor profile", id);
+         } else {
+             INFO("Profile [%s] is a default profile", id);
+--
+2.17.1

0002-man-remove-duplicate-of-with-pamaccess.patch

@@ -0,0 +1,23 @@
+From 3b6ba3c895dfc7a3c6b3fa43d2c76070e45b0d94 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 4 Sep 2018 12:39:16 +0200
+Subject: [PATCH 2/7] man: remove duplicate of with-pamaccess
+
+---
+ src/man/authselect-migration.7.adoc | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/man/authselect-migration.7.adoc b/src/man/authselect-migration.7.adoc
+index 47544a53efd70b55a75d68d5bcbf3c89f875d7e7..35ba484d576ab8a3d923a124f6b1577085deedd4 100644
+--- a/src/man/authselect-migration.7.adoc
++++ b/src/man/authselect-migration.7.adoc
+@@ -85,7 +85,6 @@ configuration file for required services.
+ |--enablefaillock     |with-faillock
+ |--enablepamaccess    |with-pamaccess
+ |--enablewinbindkrb5  |with-krb5
+-|--enablepamaccess    |with-pamaccess
+ |==================================================
+
+ .Examples
+--
+2.17.1

0003-spec-do-not-print-any-output-when-enabling-with-sudo.patch

@@ -0,0 +1,27 @@
+From dd0b2a5b4293ac5a46c1ecf64b2716d210ade1ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 4 Sep 2018 14:13:49 +0200
+Subject: [PATCH 3/7] spec: do not print any output when enabling with-sudo
+
+---
+ rpm/authselect.spec.in | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index c1de3107b099bab05284f65a4f6712fac41297da..70af91e16c72478e5e5bba0b4f59df86b66fb99f 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -210,9 +210,9 @@ if [ $? -eq 0 ]; then
+
+     if [ $PROFILE == "sssd" ] ; then
+         if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
+-            %{_bindir}/authselect enable-feature with-sudo
++            %{_bindir}/authselect enable-feature with-sudo &> /dev/null
+         elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
+-            %{_bindir}/authselect enable-feature with-sudo
++            %{_bindir}/authselect enable-feature with-sudo &> /dev/null
+         fi
+     fi
+ fi
+--
+2.17.1

0004-Don-t-write-options-without-value-to-pwquality-conf-.patch

@@ -1,7 +1,7 @@
-From 9e17c60b267f4c0a5e5f2fb33c409cd50c96ad10 Mon Sep 17 00:00:00 2001
+From 748e7672134545c5c66fab180c983edbd8d7a106 Mon Sep 17 00:00:00 2001
 From: Adam Williamson <awilliam@redhat.com>
 Date: Tue, 28 Aug 2018 11:49:35 -0700
-Subject: [PATCH] Don't write options without value to pwquality conf
+Subject: [PATCH 4/7] Don't write options without value to pwquality conf
  (#1618865)
 
 Per https://bugzilla.redhat.com/show_bug.cgi?id=1618865 , it is
@@ -23,7 +23,7 @@ Signed-off-by: Adam Williamson <awilliam@redhat.com>
  1 file changed, 7 insertions(+), 4 deletions(-)
 
 diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
-index abe1e58..1b4f531 100755
+index abe1e585954ccd5ac555339f23c175e941c76ea3..1b4f531b021c1e2e8fd99bd081094da365c0c64e 100755
 --- a/src/compat/authcompat.py.in.in
 +++ b/src/compat/authcompat.py.in.in
 @@ -319,10 +319,13 @@ class Configuration:

0005-compat-write-only-options-set-on-command-line-to-pwq.patch

@@ -0,0 +1,71 @@
+From 65c081520d2192602ecffb31a06f96e577ed3998 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 4 Sep 2018 11:36:43 +0200
+Subject: [PATCH 5/7] compat: write only options set on command line to
+ pwquality.conf
+
+This will not overwrite pwquality.conf if for exapmle "authconfig --update"
+is called. Without this patch the values would get overriden with empty
+values.
+---
+ src/compat/authcompat.py.in.in | 36 ++++++++++++++++++++++------------
+ 1 file changed, 24 insertions(+), 12 deletions(-)
+
+diff --git a/src/compat/authcompat.py.in.in b/src/compat/authcompat.py.in.in
+index 1b4f531b021c1e2e8fd99bd081094da365c0c64e..4fa9a6afc1d62aa9dde41b525d473168e6dc2901 100755
+--- a/src/compat/authcompat.py.in.in
++++ b/src/compat/authcompat.py.in.in
+@@ -166,7 +166,10 @@ class Configuration:
+         def getBool(self, name):
+             return self.options.getBool(name)
+
+-        def getBoolAsValue(self, name, if_true, if_false):
++        def getBoolAsValue(self, name, if_true, if_false, AllowNone=False):
++            if AllowNone and not self.isset(name):
++                return None
++
+             value = self.getBool(name)
+             if value:
+                 return if_true
+@@ -318,19 +321,28 @@ class Configuration:
+
+         def write(self):
+             config = EnvironmentFile(Path.System('pwquality.conf'))
++            value_set = False
+
+-            # for each if these options, we want to write a line to the config
+-            # *only if* it is set to an actual value, see
+-            # https://bugzilla.redhat.com/show_bug.cgi?id=1618865
+-            for pwval in ["minlen", "minclass", "maxrepeat", "maxclassrepeat"]:
+-                if self.isset("pass{0}".format(pwval)):
+-                    config.set(pwval, self.get("pass{0}".format(pwval)))
++            pwopts = {
++                "minlen" : self.get("passminlen"),
++                "minclass" : self.get("passminclass"),
++                "maxrepeat" : self.get("passmaxrepeat"),
++                "maxclassrepeat" : self.get("passmaxclassrepeat"),
++                "lcredit" : self.getBoolAsValue("reqlower", -1, 0, AllowNone=True),
++                "ucredit" : self.getBoolAsValue("requpper", -1, 0, AllowNone=True),
++                "dcredit" : self.getBoolAsValue("reqdigit", -1, 0, AllowNone=True),
++                "ocredit" : self.getBoolAsValue("reqother", -1, 0, AllowNone=True)
++            }
+
+-            config.set("lcredit", self.getBoolAsValue("reqlower", -1, 0))
+-            config.set("ucredit", self.getBoolAsValue("requpper", -1, 0))
+-            config.set("dcredit", self.getBoolAsValue("reqdigit", -1, 0))
+-            config.set("ocredit", self.getBoolAsValue("reqother", -1, 0))
+-            config.write()
++            # Write options only if their are actually set
++            for opt, value in pwopts.items():
++                if value is not None:
++                    print(opt + "=" + str(value))
++                    config.set(opt, value)
++                    value_set = True
++
++            if value_set:
++                config.write()
+
+     class MakeHomedir(Base):
+         def __init__(self, options):
+--
+2.17.1

0006-compat-fix-regular-expression-for-environment-files.patch

@@ -0,0 +1,30 @@
+From 7c37960dbf378dc1041c1d635629d509c48bae20 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 4 Sep 2018 11:38:38 +0200
+Subject: [PATCH 6/7] compat: fix regular expression for environment files
+
+Any word character (\w) was not enough as it does not accept e.g. '-'.
+Therefore line like 'ocredit=-1' was incorrectly parse returning only
+'1' as value instead of '-1'.
+---
+ src/compat/authcompat_EnvironmentFile.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/compat/authcompat_EnvironmentFile.py b/src/compat/authcompat_EnvironmentFile.py
+index 529497e61903b3fb89f560b8e0ac0bb38111b46a..5738c6cafaf75109a5c1dbb9d3f040686a4945e1 100644
+--- a/src/compat/authcompat_EnvironmentFile.py
++++ b/src/compat/authcompat_EnvironmentFile.py
+@@ -34,9 +34,9 @@ class EnvironmentFile:
+         self.environment = []
+
+         delimiter_re = delimiter_re if delimiter_re is not None else delimiter
+-        self.pattern = re.compile('^(\s*)(\S*)([^\n\w]*)(' +
++        self.pattern = re.compile('^(\s*)(\S*)([^\n\S]*)(' +
+                                   delimiter_re +
+-                                  ')([^\n\w]*)(.*)$',
++                                  ')([^\n\S]*)(.*)$',
+                                   re.MULTILINE)
+
+         self.read()
+--
+2.17.1

0007-spec-fix-invalid-options-in-pwquality.conf-generated.patch

@@ -0,0 +1,31 @@
+From 81de5acd2ce27592b724ab564ed3ade6ed3d68eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
+Date: Tue, 4 Sep 2018 11:51:20 +0200
+Subject: [PATCH 7/7] spec: fix invalid options in pwquality.conf generated by
+ compat tool
+
+---
+ rpm/authselect.spec.in | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/rpm/authselect.spec.in b/rpm/authselect.spec.in
+index 70af91e16c72478e5e5bba0b4f59df86b66fb99f..6887d1d16724412de8abfd5b872e5ecfc93e5ba5 100644
+--- a/rpm/authselect.spec.in
++++ b/rpm/authselect.spec.in
+@@ -219,6 +219,14 @@ fi
+
+ exit 0
+
++%posttrans compat
++# Fix for RHBZ#1618865
++# Remove invalid lines from pwquality.conf generated by authconfig compat tool
++# - previous version could write some options without value, which is invalid
++# - we delete all options without value from existing file
++sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
++exit 0
++
+ %changelog
+ * Thu Feb 22 2018 Pavel Březina <pbrezina@redhat.com> - @PACKAGE_VERSION@-@RELEASE_NUMBER@
+ - Do not use change log for rpm generated from source
+--
+2.17.1

authselect.spec

@@ -1,14 +1,19 @@
 Name:           authselect
 Version:        1.0
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        Configures authentication and identity sources from supported profiles
 URL:            https://github.com/pbrezina/authselect
 
 License:        GPLv3+
 Source0:        %{url}/archive/%{version}/%{name}-%{version}.tar.gz
-# Backport https://github.com/pbrezina/authselect/pull/78 to fix
-# https://bugzilla.redhat.com/show_bug.cgi?id=1618865
-Patch0:         0001-Don-t-write-options-without-value-to-pwquality-conf-.patch
+
+Patch0001: 0001-lib-fix-profile-origin-debug-message.patch
+Patch0002: 0002-man-remove-duplicate-of-with-pamaccess.patch
+Patch0003: 0003-spec-do-not-print-any-output-when-enabling-with-sudo.patch
+Patch0004: 0004-Don-t-write-options-without-value-to-pwquality-conf-.patch
+Patch0005: 0005-compat-write-only-options-set-on-command-line-to-pwq.patch
+Patch0006: 0006-compat-fix-regular-expression-for-environment-files.patch
+Patch0007: 0007-spec-fix-invalid-options-in-pwquality.conf-generated.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -75,8 +80,10 @@ you develop a front-end for the authselect library.
 
 %prep
 %setup -q
-%patch0 -p1
 
+for p in %patches ; do
+    %__patch -p1 -i $p
+done
 
 %build
 autoreconf -if
@@ -214,16 +221,28 @@ if [ $? -eq 0 ]; then
 
     if [ $PROFILE == "sssd" ] ; then
         if grep -E "services[[:blank:]]*=[[:blank:]]*.*sudo" /etc/sssd/sssd.conf &> /dev/null ; then
-            %{_bindir}/authselect enable-feature with-sudo
+            %{_bindir}/authselect enable-feature with-sudo &> /dev/null
         elif systemctl is-active sssd-sudo.service sssd-sudo.socket --quiet || systemctl is-enabled sssd-sudo.socket --quiet ; then
-            %{_bindir}/authselect enable-feature with-sudo
+            %{_bindir}/authselect enable-feature with-sudo &> /dev/null
         fi
     fi
 fi
 
 exit 0
 
+%posttrans compat
+# Fix for RHBZ#1618865
+# Remove invalid lines from pwquality.conf generated by authconfig compat tool
+# - previous version could write some options without value, which is invalid
+# - we delete all options without value from existing file
+sed -i -E '/^\w+=$/d' %{_sysconfdir}/security/pwquality.conf.d/10-authconfig-pwquality.conf &> /dev/null
+exit 0
+
 %changelog
+* Fri Sep 14 2018 Pavel Březina <pbrezina@redhat.com> - 1.0-3
+- Scriptlets should no produce any error messages (RHBZ #1622272)
+- Provide fix for pwquality configuration (RHBZ #1618865)
+
 * Thu Aug 30 2018 Adam Williamson <awilliam@redhat.com> - 1.0-2
 - Backport PR #78 to fix broken pwquality config (RHBZ #1618865)