vault: piped input for ipa vault-add fails

An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue. https://pagure.io/freeipa/issue/6907 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2025-02-25 18:55:28 -06:00 · 2017-04-27 18:20:06 +02:00
parent 960e361f68
commit d5c41ed4ad
1 changed files with 8 additions and 29 deletions
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -21,11 +21,9 @@ from __future__ import print_function

 import base64
 import errno
-import getpass
 import io
 import json
 import os
-import sys
 import tempfile

 from cryptography.fernet import Fernet, InvalidToken
@@ -84,29 +82,6 @@ register = Registry()
 MAX_VAULT_DATA_SIZE = 2**20  # = 1 MB


-def get_new_password():
-    """
-    Gets new password from user and verify it.
-    """
-    while True:
-        password = getpass.getpass('New password: ').decode(
-            sys.stdin.encoding)
-        password2 = getpass.getpass('Verify password: ').decode(
-            sys.stdin.encoding)
-
-        if password == password2:
-            return password
-
-        print('  ** Passwords do not match! **')
-
-
-def get_existing_password():
-    """
-    Gets existing password from user.
-    """
-    return getpass.getpass('Password: ').decode(sys.stdin.encoding)
-
-
 def generate_symmetric_key(password, salt):
    """
    Generates symmetric key from password and salt.
@@ -304,7 +279,8 @@ class vault_add(Local):
                password = password.rstrip('\n')

            else:
-                password = get_new_password()
+                password = self.api.Backend.textui.prompt_password(
+                    'New password')

            # generate vault salt
            options['ipavaultsalt'] = os.urandom(16)
@@ -887,9 +863,11 @@ class vault_archive(ModVaultData):

            else:
                if override_password:
-                    password = get_new_password()
+                    password = self.api.Backend.textui.prompt_password(
+                        'New password')
                else:
-                    password = get_existing_password()
+                    password = self.api.Backend.textui.prompt_password(
+                        'Password', confirm=False)

            if not override_password:
                # verify password by retrieving existing data
@@ -1112,7 +1090,8 @@ class vault_retrieve(ModVaultData):
                password = password.rstrip('\n')

            else:
-                password = get_existing_password()
+                password = self.api.Backend.textui.prompt_password(
+                    'Password', confirm=False)

            # generate encryption key from password
            encryption_key = generate_symmetric_key(password, salt)