#!/usr/bin/python3 from __future__ import print_function import argparse import os from ipalib import constants from ipalib.config import Env from ipaplatform.paths import paths from ipaserver.secrets.client import CustodiaClient def main(): env = Env() env._finalize() parser = argparse.ArgumentParser("ipa-pki-retrieve-key") parser.add_argument("keyname", type=str) parser.add_argument("servername", type=str) args = parser.parse_args() keyname = "ca_wrapped/{}".format(args.keyname) service = constants.PKI_GSSAPI_SERVICE_NAME client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') for filename in [client_keyfile, client_keytab]: if not os.access(filename, os.R_OK): parser.error( "File '{}' missing or not readable.\n".format(filename) ) # pylint: disable=no-member client = CustodiaClient( client_service="{}@{}".format(service, env.host), server=args.servername, realm=env.realm, ldap_uri="ldaps://" + env.host, keyfile=client_keyfile, keytab=client_keytab, ) # Print the response JSON to stdout; it is already in the format # that Dogtag's ExternalProcessKeyRetriever expects print(client.fetch_key(keyname, store=False)) if __name__ == '__main__': main()