mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-24 08:00:02 -06:00
5a00882eab
Cleanup up no longer used Pylint's disables where possible. Fixes: https://pagure.io/freeipa/issue/9117 Signed-off-by: Stanislav Levin <slev@altlinux.org> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
81 lines
2.5 KiB
Python
81 lines
2.5 KiB
Python
#!/usr/bin/python3
|
|
|
|
from __future__ import print_function
|
|
|
|
import argparse
|
|
import os
|
|
|
|
from requests import HTTPError
|
|
|
|
from ipalib import constants
|
|
from ipalib.config import Env
|
|
from ipaplatform.paths import paths
|
|
from ipaserver.secrets.client import CustodiaClient
|
|
|
|
|
|
def main():
|
|
env = Env()
|
|
env._finalize()
|
|
|
|
parser = argparse.ArgumentParser("ipa-pki-retrieve-key")
|
|
parser.add_argument("keyname", type=str)
|
|
parser.add_argument("servername", type=str)
|
|
|
|
args = parser.parse_args()
|
|
keyname = "ca_wrapped/{}".format(args.keyname)
|
|
|
|
service = constants.PKI_GSSAPI_SERVICE_NAME
|
|
client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys')
|
|
client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab')
|
|
|
|
for filename in [client_keyfile, client_keytab]:
|
|
if not os.access(filename, os.R_OK):
|
|
parser.error(
|
|
"File '{}' missing or not readable.\n".format(filename)
|
|
)
|
|
|
|
client = CustodiaClient(
|
|
client_service="{}@{}".format(service, env.host),
|
|
server=args.servername,
|
|
realm=env.realm,
|
|
ldap_uri="ldaps://" + env.host,
|
|
keyfile=client_keyfile,
|
|
keytab=client_keytab,
|
|
)
|
|
|
|
OID_AES128_CBC = "2.16.840.1.101.3.4.1.2"
|
|
|
|
try:
|
|
# Initially request a key wrapped using AES128-CBC.
|
|
# This uses the recent ability to specify additional
|
|
# parameters to a Custodia resource.
|
|
path = f'{keyname}/{OID_AES128_CBC}' # aes128-cbc
|
|
resp = client.fetch_key(path, store=False)
|
|
except HTTPError as e:
|
|
if e.response.status_code == 404:
|
|
# The 404 indicates one of two conditions:
|
|
#
|
|
# a) The server is an older version that does not support
|
|
# extra Custodia parameters. We should retry without
|
|
# specifying an algorithm.
|
|
#
|
|
# b) The key does not exist. At this point we cannot
|
|
# distinguish (a) and (b) but if we retry without
|
|
# specifying an algorithm, the second attempt will
|
|
# also fail with status 404.
|
|
#
|
|
# So the correct way to handle both scenarios is to
|
|
# retry without the algorithm parameter.
|
|
#
|
|
resp = client.fetch_key(keyname, store=False)
|
|
else:
|
|
raise # something else went wrong; re-raise
|
|
|
|
# Print the response JSON to stdout; it is already in the format
|
|
# that Dogtag's ExternalProcessKeyRetriever expects
|
|
print(resp)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|