ca, kra install: validate DM password

Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.

Fixes https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

install/tools/ipa-ca-install

@@ -117,17 +117,19 @@ def parse_options():
 
 
 def _get_dirman_password(password=None, unattended=False):
+    # sys.exit() is used on purpose, because otherwise user is advised to
+    # uninstall the component, even though it is not needed
     if not password:
         if unattended:
             sys.exit('Directory Manager password required')
-        try:
         password = installutils.read_password(
             "Directory Manager (existing master)", confirm=False,
             validate=False)
-        except KeyboardInterrupt:
+    try:
-            sys.exit(0)
+        installutils.validate_dm_password_ldap(password)
-        if password is None:
+    except ValueError:
-            sys.exit("Directory Manager password required")
+        sys.exit("Directory Manager password is invalid")
+
     return password
 
 

ipaserver/install/ipa_kra_install.py

@@ -137,6 +137,14 @@ class KRAInstaller(KRAInstall):
     def run(self):
         super(KRAInstaller, self).run()
 
+        # Verify DM password. This has to be called after ask_for_options(),
+        # so it can't be placed in validate_options().
+        try:
+            installutils.validate_dm_password_ldap(self.options.password)
+        except ValueError:
+            raise admintool.ScriptError(
+                "Directory Manager password is invalid")
+
         if not cainstance.is_ca_installed_locally():
             raise RuntimeError("Dogtag CA is not installed. "
                                "Please install the CA first")