Convert ipa-httpd-pwdreader into Python script

and use paths from ipaplatform. Fixes: https://pagure.io/freeipa/issue/8401 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com>
2025-02-25 18:55:28 -06:00 · 2020-07-28 14:04:34 +02:00 · 2020-07-28 14:04:34 +02:00 · 8f6502db03
commit 8f6502db03
parent 664007e031
6 changed files with 50 additions and 29 deletions
--- a/.gitignore
+++ b/.gitignore
@ -133,6 +133,7 @@ makeaci
 makeapi
 client/ipa-certupdate
 client/ipa-client-automount
+client/certbot-dns-ipa
 client/ipa-client-install
 client/ipa-client-samba
 client/ipa-epn
@ -156,6 +157,7 @@ install/restart_scripts/renew_ra_cert_pre
 install/restart_scripts/restart_dirsrv
 install/restart_scripts/restart_httpd
 install/restart_scripts/stop_pkicad
+install/tools/ipa-acme-manage
 install/tools/ipa-adtrust-install
 install/tools/ipa-advise
 install/tools/ipa-backup
@ -170,6 +172,7 @@ install/tools/ipa-custodia
 install/tools/ipa-custodia-check
 install/tools/ipa-dns-install
 install/tools/ipa-httpd-kdcproxy
+install/tools/ipa-httpd-pwdreader
 install/tools/ipa-kra-install
 install/tools/ipa-ldap-updater
 install/tools/ipa-managed-entries
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@ -33,6 +33,7 @@ dist_noinst_DATA =		\
 	ipa-custodia.in		\
 	ipa-custodia-check.in	\
 	ipa-httpd-kdcproxy.in	\
+	ipa-httpd-pwdreader.in	\
 	ipa-pki-retrieve-key.in	\
 	ipa-pki-wait-running.in	\
 	ipa-acme-manage.in	\
@ -72,14 +73,11 @@ nodist_app_SCRIPTS =		\
 	ipa-custodia		\
 	ipa-custodia-check	\
 	ipa-httpd-kdcproxy	\
+	ipa-httpd-pwdreader	\
 	ipa-pki-retrieve-key	\
 	ipa-pki-wait-running	\
 	$(NULL)

-dist_app_SCRIPTS =		\
-	ipa-httpd-pwdreader	\
-	$(NULL)
-
 PYTHON_SHEBANG = 					\
 	$(nodist_sbin_SCRIPTS)	\
 	$(nodist_app_SCRIPTS)	\
--- a/install/tools/ipa-httpd-pwdreader
+++ b/install/tools/ipa-httpd-pwdreader
@ -1,25 +0,0 @@
-#!/bin/bash
-# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
-#
-# If you'd like to write your custom binary providing passwords to mod_ssl,
-# see the documentation of the aforementioned directive of the mod_ssl module.
-
-USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"
-
-if [ "$#" -ne 2 ]; then
-    echo "Wrong number of arguments!" 1>&2
-    echo "$USAGE" 1>&2
-    exit 1
-fi
-
-fname=${1/:/-}-$2
-pwdpath=/var/lib/ipa/passwds/$fname
-
-# Make sure the values passed in do not contain path information
-checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)
-
-if [ $pwdpath == "${checkpath}" ]; then
-    cat $pwdpath
-else
-    echo "Invalid path ${pwdpath}" 1>&2
-fi
--- a/install/tools/ipa-httpd-pwdreader.in
+++ b/install/tools/ipa-httpd-pwdreader.in
@ -0,0 +1,43 @@
+#!/usr/bin/python3
+"""mod_ssl password reader
+This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
+
+If you'd like to write your custom binary providing passwords to mod_ssl,
+see the documentation of the aforementioned directive of the mod_ssl module.
+"""
+import argparse
+import os
+
+from ipaplatform.paths import paths
+
+HTTPD_PASSWD_DIR = os.path.realpath(
+    os.path.dirname(paths.HTTPD_PASSWD_FILE_FMT)
+)
+
+parser = argparse.ArgumentParser(description="mod_ssl password reader")
+parser.add_argument(
+    "host_port", help="host:port",
+)
+parser.add_argument(
+    "keytype", help="RSA|DSA|ECC|number",
+)
+
+
+def main():
+    args = parser.parse_args()
+    host_port = args.host_port.replace(":", "-")
+    keytype = args.keytype
+    pwdpath = os.path.realpath(
+        os.path.join(HTTPD_PASSWD_DIR, f"{host_port}-{keytype}")
+    )
+    if not pwdpath.startswith(HTTPD_PASSWD_DIR):
+        parser.error(f"Invalid path {pwdpath}\n")
+    try:
+        with open(pwdpath) as f:
+            print(f.read(), end="")
+    except OSError as e:
+        parser.error(str(e))
+
+
+if __name__ == "__main__":
+    main()
--- a/ipaplatform/fedora_container/paths.py
+++ b/ipaplatform/fedora_container/paths.py
@ -24,6 +24,7 @@ class FedoraContainerPathNamespace(FedoraPathNamespace):
    PKI_CONFIGURATION = data(FedoraPathNamespace.PKI_CONFIGURATION)
    SAMBA_DIR = data(FedoraPathNamespace.SAMBA_DIR)
    HTTPD_IPA_WSGI_MODULES_CONF = None
+    HTTPD_PASSWD_FILE_FMT = data(FedoraPathNamespace.HTTPD_PASSWD_FILE_FMT)


 paths = FedoraContainerPathNamespace()
--- a/ipaplatform/rhel_container/paths.py
+++ b/ipaplatform/rhel_container/paths.py
@ -24,6 +24,7 @@ class RHELContainerPathNamespace(RHELPathNamespace):
    PKI_CONFIGURATION = data(RHELPathNamespace.PKI_CONFIGURATION)
    SAMBA_DIR = data(RHELPathNamespace.SAMBA_DIR)
    HTTPD_IPA_WSGI_MODULES_CONF = None
+    HTTPD_PASSWD_FILE_FMT = data(RHELPathNamespace.HTTPD_PASSWD_FILE_FMT)


 paths = RHELContainerPathNamespace()