Ask for PKCS#12 password interactively in ipa-replica-prepare.

https://fedorahosted.org/freeipa/ticket/3717
2025-02-25 18:55:28 -06:00 · 2013-07-09 10:24:14 +00:00 · 2013-07-09 10:24:14 +00:00 · ab2debd1ea
commit ab2debd1ea
parent ea544bee4c
1 changed files with 34 additions and 15 deletions
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@ -103,17 +103,12 @@ class ReplicaPrepare(admintool.AdminTool):
        options.setup_pkinit = False

        # If any of the PKCS#12 options are selected, all are required.
-        pkcs12_opts = [options.dirsrv_pkcs12, options.dirsrv_pin,
-                    options.http_pkcs12, options.http_pin]
-        if options.setup_pkinit:
-            pkcs12_opts.extend([options.pkinit_pkcs12, options.pkinit_pin])
-        if pkcs12_opts[0]:
-            pkcs12_okay = all(opt for opt in pkcs12_opts)
-        else:
-            pkcs12_okay = all(opt is None for opt in pkcs12_opts)
-        if not pkcs12_okay:
+        pkcs12_req = (options.dirsrv_pkcs12, options.http_pkcs12)
+        pkcs12_opt = (options.pkinit_pkcs12,)
+        if any(pkcs12_req + pkcs12_opt) and not all(pkcs12_req):
            self.option_parser.error(
-                "All PKCS#12 options are required if any are used.")
+                "--dirsrv_pkcs12 and --http_pkcs12 are required if any "
+                "PKCS#12 options are used.")

        if len(self.args) < 1:
            self.option_parser.error(
@ -136,11 +131,6 @@ class ReplicaPrepare(admintool.AdminTool):
                "--http_pkcs12, --dirsrv_pkcs12 options to provide custom "
                "certificates.")

-        if options.http_pkcs12:
-            # Check the given PKCS#12 files
-            self.check_pkcs12(options.http_pkcs12, options.http_pin)
-            self.check_pkcs12(options.dirsrv_pkcs12, options.dirsrv_pin)
-
        config_dir = dsinstance.config_dirname(
            dsinstance.realm_to_serverid(api.env.realm))
        if not ipautil.dir_exists(config_dir):
@ -220,6 +210,35 @@ class ReplicaPrepare(admintool.AdminTool):
                    options.reverse_zone, options.ip_address):
                raise admintool.ScriptError("Invalid reverse zone")

+        if options.http_pkcs12:
+            if not options.http_pin:
+                options.http_pin = installutils.read_password(
+                    "Enter %s unlock" % options.http_pkcs12,
+                    confirm=False, validate=False)
+                if options.http_pin is None:
+                    raise admintool.ScriptError(
+                        "%s unlock password required" % options.http_pkcs12)
+            self.check_pkcs12(options.http_pkcs12, options.http_pin)
+
+        if options.dirsrv_pkcs12:
+            if not options.dirsrv_pin:
+                options.dirsrv_pin = installutils.read_password(
+                    "Enter %s unlock" % options.dirsrv_pkcs12,
+                    confirm=False, validate=False)
+                if options.dirsrv_pin is None:
+                    raise admintool.ScriptError(
+                        "%s unlock password required" % options.dirsrv_pkcs12)
+            self.check_pkcs12(options.dirsrv_pkcs12, options.dirsrv_pin)
+
+        if options.pkinit_pkcs12:
+            if not options.pkinit_pin:
+                options.pkinit_pin = installutils.read_password(
+                    "Enter %s unlock" % options.pkinit_pkcs12,
+                    confirm=False, validate=False)
+                if options.pkinit_pin is None:
+                    raise admintool.ScriptError(
+                        "%s unlock password required" % options.pkinit_pkcs12)
+
        if (not ipautil.file_exists(
                    dogtag.configured_constants().CS_CFG_PATH) and
                not options.dirsrv_pin):