IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Always check peer has keys before connecting

Browse Source 
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.

Ticket #6838

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
This commit is contained in:
Simo Sorce
2017-06-23 04:48:41 -04:00
committed by Pavel Vomacka
parent be2fba08ce
commit c565fa1781
1 changed files with 8 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
ipaserver/install/custodiainstance.py
View File

@@ -13,7 +13,6 @@ from ipaserver.install import ldapupdate
from ipaserver.install import sysupgrade from ipaserver.install import sysupgrade
from base64 import b64decode from base64 import b64decode
from jwcrypto.common import json_decode from jwcrypto.common import json_decode
import functools
import shutil import shutil
import os import os
import stat import stat
@@ -31,13 +30,6 @@ class CustodiaInstance(SimpleServiceInstance):
self.ldap_uri = None self.ldap_uri = None
self.fqdn = host_name self.fqdn = host_name
self.realm = realm self.realm = realm
self.__CustodiaClient = functools.partial(
CustodiaClient,
client_service='host@%s' % self.fqdn,
keyfile=self.server_keys,
keytab=paths.KRB5_KEYTAB,
realm=realm,
)
def __config_file(self): def __config_file(self):
template_file = os.path.basename(self.config_file) + '.template' template_file = os.path.basename(self.config_file) + '.template'
@@ -144,6 +136,14 @@ class CustodiaInstance(SimpleServiceInstance):
raise RuntimeError("Timed out trying to obtain keys.") raise RuntimeError("Timed out trying to obtain keys.")
time.sleep(1) time.sleep(1)
def __CustodiaClient(self, server):
# Before we attempt to fetch keys from this host, make sure our public
# keys have been replicated there.
self.__wait_keys(server)
return CustodiaClient('host@%s' % self.fqdn, self.server_keys,
paths.KRB5_KEYTAB, server, realm=self.realm)
def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
# Fecth all needed certs one by one, then combine them in a single # Fecth all needed certs one by one, then combine them in a single
# p12 file # p12 file
@@ -151,10 +151,6 @@ class CustodiaInstance(SimpleServiceInstance):
prefix = data['prefix'] prefix = data['prefix']
certlist = data['list'] certlist = data['list']
# Before we attempt to fetch keys from this host, make sure our public
# keys have been replicated there.
self.__wait_keys(ca_host)
cli = self.__CustodiaClient(server=ca_host) cli = self.__CustodiaClient(server=ca_host)
# Temporary nssdb # Temporary nssdb