Imported Debian patch 4.8.10-2

ipaclient/plugins/ca.py

@@ -33,13 +33,24 @@ class WithCertOutArgs(MethodOverride):
                                              error=str(e))
 
         result = super(WithCertOutArgs, self).forward(*keys, **options)
+
         if filename:
+            # if result certificate / certificate_chain not present in result,
+            # it means Dogtag did not provide it (probably due to LWCA key
+            # replication lag or failure.  The server transmits a warning
+            # message in this case, which the client automatically prints.
+            # So in this section we just ignore it and move on.
+            certs = None
             if options.get('chain', False):
-                certs = result['result']['certificate_chain']
+                if 'certificate_chain' in result['result']:
+                    certs = result['result']['certificate_chain']
             else:
-                certs = [base64.b64decode(result['result']['certificate'])]
-            certs = (x509.load_der_x509_certificate(cert) for cert in certs)
-            x509.write_certificate_list(certs, filename)
+                if 'certificate' in result['result']:
+                    certs = [base64.b64decode(result['result']['certificate'])]
+            if certs:
+                x509.write_certificate_list(
+                    (x509.load_der_x509_certificate(cert) for cert in certs),
+                    filename)
 
         return result
 

ipaclient/plugins/otptoken.py

@@ -26,15 +26,15 @@ from ipalib.messages import add_message, ResultFormattingError
 from ipalib.plugable import Registry
 from ipalib.frontend import Local
 from ipalib.util import create_https_connection
-from ipapython.dn import DN
 from ipapython.version import API_VERSION
 
 import locale
 import qrcode
 
 import six
-from six import StringIO
-from six.moves import urllib
+from io import StringIO
+import urllib.parse
+import urllib.request
 
 if six.PY3:
     unicode = str
@@ -161,13 +161,13 @@ class otptoken_sync(Local):
         sync_uri = urllib.parse.urlunparse(segments)
 
         # Prepare the query.
-        query = {k: v for k, v in kwargs.items()
-                    if k in {x.name for x in self.takes_options}}
+        options = {x.name for x in self.takes_options}
+        query = {k: v for k, v in kwargs.items() if k in options}
         if args and args[0] is not None:
-            obj = self.api.Object.otptoken
-            query['token'] = DN((obj.primary_key.name, args[0]),
-                                obj.container_dn, self.api.env.basedn)
+            # sync_token converts token name to token DN
+            query['token'] = args[0]
         query = urllib.parse.urlencode(query)
+        query = query.encode('utf-8')
 
         # Sync the token.
         # pylint: disable=E1101

ipaclient/plugins/vault.py

@@ -546,7 +546,7 @@ class vault_mod(Local):
         return response
 
 
-class _TransportCertCache(object):
+class _TransportCertCache:
     def __init__(self):
         self._dirname = os.path.join(
                 USER_CACHE_PATH, 'ipa', 'kra-transport-certs'