Imported Debian patch 4.8.10-2

2020-11-23 20:48:56 +02:00
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions
--- a/install/tools/ipa-pki-retrieve-key.in
+++ b/install/tools/ipa-pki-retrieve-key.in
@@ -1,10 +1,11 @@
-@PYTHONSHEBANG@
+#!/usr/bin/python3

 from __future__ import print_function

+import argparse
 import os
-import sys
-import traceback
+
+from requests import HTTPError

 from ipalib import constants
 from ipalib.config import Env
@@ -16,27 +17,65 @@ def main():
    env = Env()
    env._finalize()

-    keyname = "ca_wrapped/" + sys.argv[1]
-    servername = sys.argv[2]
+    parser = argparse.ArgumentParser("ipa-pki-retrieve-key")
+    parser.add_argument("keyname", type=str)
+    parser.add_argument("servername", type=str)
+
+    args = parser.parse_args()
+    keyname = "ca_wrapped/{}".format(args.keyname)

    service = constants.PKI_GSSAPI_SERVICE_NAME
    client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
    client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')

+    for filename in [client_keyfile, client_keytab]:
+        if not os.access(filename, os.R_OK):
+            parser.error(
+                "File '{}' missing or not readable.\n".format(filename)
+            )
+
    # pylint: disable=no-member
    client = CustodiaClient(
-        client_service='%s@%s' % (service, env.host), server=servername,
-        realm=env.realm, ldap_uri="ldaps://" + env.host,
-        keyfile=client_keyfile, keytab=client_keytab,
-        )
+        client_service="{}@{}".format(service, env.host),
+        server=args.servername,
+        realm=env.realm,
+        ldap_uri="ldaps://" + env.host,
+        keyfile=client_keyfile,
+        keytab=client_keytab,
+    )
+
+    OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
+
+    try:
+        # Initially request a key wrapped using AES128-CBC.
+        # This uses the recent ability to specify additional
+        # parameters to a Custodia resource.
+        path = f'{keyname}/{OID_AES128_CBC}'  # aes128-cbc
+        resp = client.fetch_key(path, store=False)
+    except HTTPError as e:
+        if e.response.status_code == 404:
+            # The 404 indicates one of two conditions:
+            #
+            # a) The server is an older version that does not support
+            #    extra Custodia parameters.  We should retry without
+            #    specifying an algorithm.
+            #
+            # b) The key does not exist.  At this point we cannot
+            #    distinguish (a) and (b) but if we retry without
+            #    specifying an algorithm, the second attempt will
+            #    also fail with status 404.
+            #
+            # So the correct way to handle both scenarios is to
+            # retry without the algorithm parameter.
+            #
+            resp = client.fetch_key(keyname, store=False)
+        else:
+            raise  # something else went wrong; re-raise

    # Print the response JSON to stdout; it is already in the format
    # that Dogtag's ExternalProcessKeyRetriever expects
-    print(client.fetch_key(keyname, store=False))
+    print(resp)


-try:
+if __name__ == '__main__':
    main()
-except BaseException:
-    traceback.print_exc()
-    sys.exit(1)