Always check peer has keys before connecting

When pulling the DM password we may have the same issues reported in ticket #6838 for CA keys. This commit makes sure we always check the peer has keys before any client operation. Ticket #6838 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> Reviewed-By: Michal Reznik <mreznik@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-06-23 04:48:41 -04:00 · 2017-06-23 04:48:41 -04:00 · c565fa1781
commit c565fa1781
parent be2fba08ce
1 changed files with 8 additions and 12 deletions
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@ -13,7 +13,6 @@ from ipaserver.install import ldapupdate
 from ipaserver.install import sysupgrade
 from base64 import b64decode
 from jwcrypto.common import json_decode
-import functools
 import shutil
 import os
 import stat
@ -31,13 +30,6 @@ class CustodiaInstance(SimpleServiceInstance):
        self.ldap_uri = None
        self.fqdn = host_name
        self.realm = realm
-        self.__CustodiaClient = functools.partial(
-            CustodiaClient,
-            client_service='host@%s' % self.fqdn,
-            keyfile=self.server_keys,
-            keytab=paths.KRB5_KEYTAB,
-            realm=realm,
-        )

    def __config_file(self):
        template_file = os.path.basename(self.config_file) + '.template'
@ -144,6 +136,14 @@ class CustodiaInstance(SimpleServiceInstance):
                    raise RuntimeError("Timed out trying to obtain keys.")
                time.sleep(1)

+    def __CustodiaClient(self, server):
+        # Before we attempt to fetch keys from this host, make sure our public
+        # keys have been replicated there.
+        self.__wait_keys(server)
+
+        return CustodiaClient('host@%s' % self.fqdn, self.server_keys,
+                              paths.KRB5_KEYTAB, server, realm=self.realm)
+
    def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
        # Fecth all needed certs one by one, then combine them in a single
        # p12 file
@ -151,10 +151,6 @@ class CustodiaInstance(SimpleServiceInstance):
        prefix = data['prefix']
        certlist = data['list']

-        # Before we attempt to fetch keys from this host, make sure our public
-        # keys have been replicated there.
-        self.__wait_keys(ca_host)
-
        cli = self.__CustodiaClient(server=ca_host)

        # Temporary nssdb