freeipa/install/tools/ipa-pki-retrieve-key.in
Stanislav Levin 5a00882eab pylint: Fix useless-suppression
Cleanup up no longer used Pylint's disables where possible.

Fixes: https://pagure.io/freeipa/issue/9117
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2022-03-11 13:37:08 -05:00

81 lines
2.5 KiB
Python

#!/usr/bin/python3
from __future__ import print_function
import argparse
import os
from requests import HTTPError
from ipalib import constants
from ipalib.config import Env
from ipaplatform.paths import paths
from ipaserver.secrets.client import CustodiaClient
def main():
env = Env()
env._finalize()
parser = argparse.ArgumentParser("ipa-pki-retrieve-key")
parser.add_argument("keyname", type=str)
parser.add_argument("servername", type=str)
args = parser.parse_args()
keyname = "ca_wrapped/{}".format(args.keyname)
service = constants.PKI_GSSAPI_SERVICE_NAME
client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
for filename in [client_keyfile, client_keytab]:
if not os.access(filename, os.R_OK):
parser.error(
"File '{}' missing or not readable.\n".format(filename)
)
client = CustodiaClient(
client_service="{}@{}".format(service, env.host),
server=args.servername,
realm=env.realm,
ldap_uri="ldaps://" + env.host,
keyfile=client_keyfile,
keytab=client_keytab,
)
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
try:
# Initially request a key wrapped using AES128-CBC.
# This uses the recent ability to specify additional
# parameters to a Custodia resource.
path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc
resp = client.fetch_key(path, store=False)
except HTTPError as e:
if e.response.status_code == 404:
# The 404 indicates one of two conditions:
#
# a) The server is an older version that does not support
# extra Custodia parameters. We should retry without
# specifying an algorithm.
#
# b) The key does not exist. At this point we cannot
# distinguish (a) and (b) but if we retry without
# specifying an algorithm, the second attempt will
# also fail with status 404.
#
# So the correct way to handle both scenarios is to
# retry without the algorithm parameter.
#
resp = client.fetch_key(keyname, store=False)
else:
raise # something else went wrong; re-raise
# Print the response JSON to stdout; it is already in the format
# that Dogtag's ExternalProcessKeyRetriever expects
print(resp)
if __name__ == '__main__':
main()