Vault: improve vault server archival/retrieval calls error handling

If a vault operation fails, the error message just says "InternalError". This commit improves error handling of key archival and retrieval calls by catching the PKIException error and raising it as an IPA error. Related: https://pagure.io/freeipa/issue/9191 Signed-off-by: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2025-02-25 18:55:28 -06:00 · 2024-01-19 18:15:28 +01:00 · 2024-01-19 18:15:28 +01:00 · 4cc6b9cd17
commit 4cc6b9cd17
parent 2d0a088f93
1 changed files with 26 additions and 14 deletions
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@ -45,6 +45,7 @@ if api.env.in_server:
    import pki.key
    from pki.crypto import DES_EDE3_CBC_OID
    from pki.crypto import AES_128_CBC_OID
+    from pki import PKIException

 if six.PY3:
    unicode = str
@ -1096,16 +1097,21 @@ class vault_archive_internal(PKQuery):
                    pki.key.KeyClient.KEY_STATUS_INACTIVE)

            # forward wrapped data to KRA
-            kra_client.keys.archive_encrypted_data(
-                client_key_id,
-                pki.key.KeyClient.PASS_PHRASE_TYPE,
-                wrapped_vault_data,
-                wrapped_session_key,
-                algorithm_oid=algorithm_oid,
-                nonce_iv=nonce,
-            )
-
-            kra_account.logout()
+            try:
+                kra_client.keys.archive_encrypted_data(
+                    client_key_id,
+                    pki.key.KeyClient.PASS_PHRASE_TYPE,
+                    wrapped_vault_data,
+                    wrapped_session_key,
+                    algorithm_oid=algorithm_oid,
+                    nonce_iv=nonce,
+                )
+            except PKIException as e:
+                kra_account.logout()
+                raise errors.EncodingError(
+                    message=_("Unable to archive key: %s") % e)
+            finally:
+                kra_account.logout()

        response = {
            'value': args[-1],
@ -1176,11 +1182,17 @@ class vault_retrieve_internal(PKQuery):
            kra_client.keys.encrypt_alg_oid = algorithm_oid

            # retrieve encrypted data from KRA
-            key = kra_client.keys.retrieve_key(
-                key_info.get_key_id(),
-                wrapped_session_key)
+            try:

-            kra_account.logout()
+                key = kra_client.keys.retrieve_key(
+                    key_info.get_key_id(),
+                    wrapped_session_key)
+            except PKIException as e:
+                kra_account.logout()
+                raise errors.EncodingError(
+                    message=_("Unable to retrieve key: %s") % e)
+            finally:
+                kra_account.logout()

        response = {
            'value': args[-1],