URL: https://github.com/freeipa/freeipa/pull/892
Author: simo5
 Title: #892: Always check peer has keys before connecting
Action: opened

PR body:
"""
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/892/head:pr892
git checkout pr892
From 923d928fa0aa1b9a1b0ee096e0a7063755a1c4ab Mon Sep 17 00:00:00 2001
From: Simo Sorce <s...@redhat.com>
Date: Fri, 23 Jun 2017 04:48:41 -0400
Subject: [PATCH] Always check peer has keys before connecting

When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.

Ticket #6838

Signed-off-by: Simo Sorce <s...@redhat.com>
---
 ipaserver/install/custodiainstance.py | 20 ++++++++------------
 1 file changed, 8 insertions(+), 12 deletions(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 390576bc0c..bc3cea7063 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -13,7 +13,6 @@
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
-import functools
 import shutil
 import os
 import stat
@@ -31,13 +30,6 @@ def __init__(self, host_name=None, realm=None):
         self.ldap_uri = None
         self.fqdn = host_name
         self.realm = realm
-        self.__CustodiaClient = functools.partial(
-            CustodiaClient,
-            client_service='host@%s' % self.fqdn,
-            keyfile=self.server_keys,
-            keytab=paths.KRB5_KEYTAB,
-            realm=realm,
-        )
 
     def __config_file(self):
         template_file = os.path.basename(self.config_file) + '.template'
@@ -144,6 +136,14 @@ def __wait_keys(self, host, timeout=300):
                     raise RuntimeError("Timed out trying to obtain keys.")
                 time.sleep(1)
 
+    def __CustodiaClient(self, server):
+        # Before we attempt to fetch keys from this host, make sure our public
+        # keys have been replicated there.
+        self.__wait_keys(server)
+
+        return CustodiaClient('host@%s' % self.fqdn, self.server_keys,
+                              paths.KRB5_KEYTAB, server, realm=self.realm)
+
     def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
         # Fecth all needed certs one by one, then combine them in a single
         # p12 file
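Review bot: The new `__CustodiaClient` passes `client_service`, `keyfile`, `keytab` and `server` to `CustodiaClient` positionally, whereas the removed `functools.partial` bound them by keyword, so the call now silently depends on the constructor's parameter order, which is not visible in this diff; keeping the keywords avoids that: `return CustodiaClient(client_service='host@%s' % self.fqdn, keyfile=self.server_keys, keytab=paths.KRB5_KEYTAB, server=server, realm=self.realm)`. The comment above the `__wait_keys` call still talks only about fetching keys, but the method is now the single entry point for every client operation; a short docstring stating that it blocks until the peer holds this host's public keys and propagates the RuntimeError that `__wait_keys` raises on timeout (visible in the hunk's leading context) would record the contract callers rely on. A lowercase name such as `__custodia_client` would also match the file's other methods, though that rename would touch callers outside this hunk.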
@@ -151,10 +151,6 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
         prefix = data['prefix']
         certlist = data['list']
 
-        # Before we attempt to fetch keys from this host, make sure our public
-        # keys have been replicated there.
-        self.__wait_keys(ca_host)
-
         cli = self.__CustodiaClient(server=ca_host)
 
         # Temporary nssdb