URL: https://github.com/freeipa/freeipa/pull/679
Author: simo5
 Title: #679: Make sure remote hosts have our keys
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/679/head:pr679
git checkout pr679
From cefe3dfb81d0a78072fa03c14e6265c261bae162 Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 31 Mar 2017 11:22:45 -0400
Subject: [PATCH] Make sure remote hosts have our keys

In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6688

Signed-off-by: Simo Sorce <s...@redhat.com>
 ipaserver/install/custodiainstance.py | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 6a61392..38035b4 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -1,15 +1,17 @@
 # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license.
-from ipaserver.secrets.kem import IPAKEMKeys
+from custodia.message.kem import KEY_USAGE_ENC
+from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap
 from ipaserver.secrets.client import CustodiaClient
 from ipaplatform.paths import paths
 from ipaplatform.constants import constants
 from ipaserver.install.service import SimpleServiceInstance
-from ipapython import ipautil
+from ipapython import ipautil, ipaldap
 from ipapython.ipa_log_manager import root_logger
 from ipapython.certdb import NSSDatabase
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
+from ipaserver.install import replication
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
@@ -18,6 +20,7 @@
 import os
 import stat
 import tempfile
+import time
 import pwd
@@ -122,6 +125,23 @@ def import_dm_password(self, master_host_name):
         cli = self.__CustodiaClient(server=master_host_name)
+    def __wait_keys(self, host, timeout=300):
+        ldap_uri = 'ldap://%s' % host
+        principal = 'host/%s@%s' % (self.fqdn, self.realm)
+        deadline = int(time.time()) + timeout
+        root_logger.info("Waiting to see our keys appear on %s".format(host))
+        result = None
+        konn = KEMLdap(ldap_uri)
+        while True:
+            try:
+                konn.get_key(KEY_USAGE_ENC, principal)
+                return
+            except Exception:
+                if int(time.time()) > deadline:
+                    raise
+                time.sleep(1)
     def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
         # Fecth all needed certs one by one, then combine them in a single
         # p12 file
@@ -129,6 +149,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
         prefix = data['prefix']
         certlist = data['list']
+        # Before we attempt to fetch keys from this host, make sure our public
+        # keys have been replicated there.
+        sel.__wait_keys(ca_host)
         cli = self.__CustodiaClient(server=ca_host)
         # Temporary nssdb
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to