From ceaa1c9a244499534343dc667227e47a923212ee Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Tue, 17 Jun 2025 12:50:36 -0400
Subject: [PATCH] ipa-migrate - only remove repl state attribute options

Improve how we process attributes that might include replication state
data. Previously we only cared about ";binary" but there are other
attribute options that are used in IPA. Now we completely break down the
attribute into each option and rebuild it without any repl state options

Fixes: https://pagure.io/freeipa/issue/9784

Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/ipa_migrate.py           | 17 +++++++++--------
 ipaserver/install/ipa_migrate_constants.py |  2 ++
 2 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index a24a2ab7a5ffd4cf1d59179f14e2f5d348fd57e2..b26fb66853ce91a139c3193753b34bed1ce2f586 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -33,7 +33,7 @@ from ipaserver.install.ipa_migrate_constants import (
     DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
     STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS,
     DNA_REGEN_VAL, DNA_REGEN_ATTRS, NIS_PLUGIN, IGNORE_ATTRS,
-    DB_EXCLUDE_TREES, POLICY_OP_ATTRS
+    DB_EXCLUDE_TREES, POLICY_OP_ATTRS, STATE_OPTIONS
 )
 
 """
@@ -202,14 +202,15 @@ def decode_attr_vals(entry_attrs):
     decoded_attrs = {}
     for attr in entry_attrs:
         vals = ensure_list_str(entry_attrs[attr])
-        # Remove replication state data, but don't remove ";binary"
-        # e.g.  userCertififccate;binary;adcsn=<CSN>
+        # Remove "only" replication state data, but don't remove other attr
+        # options like ";binary"
+        #    e.g.  userCertificate;binary;adcsn=<CSN>
         parts = attr.split(";")
-        if len(parts) > 1 and not attr.endswith(";binary"):
-            if parts[1] == "binary":
-                attr = parts[0] + ";binary"
-            else:
-                attr = parts[0]
+        attr_parts = [
+            parts[0]] + [p for p in parts[1:]
+                         if not any(p.startswith(opt)
+                                    for opt in STATE_OPTIONS)]
+        attr = (';').join(attr_parts)
         decoded_attrs[attr] = vals
     return decoded_attrs
 
diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py
index 4beaa4f42a667ba83008213075b3ded782a83260..19cd5141316d018cf1d81f8db174197f4c5f15ff 100644
--- a/ipaserver/install/ipa_migrate_constants.py
+++ b/ipaserver/install/ipa_migrate_constants.py
@@ -117,6 +117,8 @@ AD_TRUST_ATTRS = [  # ipaNTTrustedDomain objectclass
     'ipantadditionalsuffixes',
 ]
 
+STATE_OPTIONS = ('adcsn-', 'mdcsn-', 'vucsn-', 'vdcsn-')
+
 DNA_REGEN_VAL = "-1"
 
 DNA_REGEN_ATTRS = [
-- 
2.50.0