mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 08:21:05 -06:00
e7ac57e139
Use state in LDAP rather than local state to check if KRA is installed. Use correct log file names. https://fedorahosted.org/freeipa/ticket/3872 Reviewed-By: David Kupka <dkupka@redhat.com>
836 lines
23 KiB
Python
836 lines
23 KiB
Python
# Authors:
|
|
# Endi S. Dewata <edewata@redhat.com>
|
|
#
|
|
# Copyright (C) 2015 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import base64
|
|
import json
|
|
import os
|
|
import sys
|
|
import tempfile
|
|
|
|
import nss.nss as nss
|
|
import krbV
|
|
|
|
from ipalib.frontend import Command, Object, Local
|
|
from ipalib import api, errors
|
|
from ipalib import Bytes, Str, Flag
|
|
from ipalib import output
|
|
from ipalib.crud import PKQuery, Retrieve, Update
|
|
from ipalib.plugable import Registry
|
|
from ipalib.plugins.baseldap import LDAPObject, LDAPCreate, LDAPDelete,\
|
|
LDAPSearch, LDAPUpdate, LDAPRetrieve, pkey_to_value
|
|
from ipalib.request import context
|
|
from ipalib.plugins.user import split_principal
|
|
from ipalib import _, ngettext
|
|
from ipaplatform.paths import paths
|
|
from ipapython.dn import DN
|
|
from ipapython.nsslib import current_dbdir
|
|
|
|
if api.env.in_server:
|
|
import pki.account
|
|
import pki.key
|
|
|
|
__doc__ = _("""
|
|
Vaults
|
|
""") + _("""
|
|
Manage vaults.
|
|
""") + _("""
|
|
EXAMPLES:
|
|
""") + _("""
|
|
List private vaults:
|
|
ipa vault-find
|
|
""") + _("""
|
|
List service vaults:
|
|
ipa vault-find --service <service name>
|
|
""") + _("""
|
|
List shared vaults:
|
|
ipa vault-find --shared
|
|
""") + _("""
|
|
List user vaults:
|
|
ipa vault-find --user <username>
|
|
""") + _("""
|
|
Add a private vault:
|
|
ipa vault-add <name>
|
|
""") + _("""
|
|
Add a service vault:
|
|
ipa vault-add <name> --service <service name>
|
|
""") + _("""
|
|
Add a shared vault:
|
|
ipa vault-add <ame> --shared
|
|
""") + _("""
|
|
Add a user vault:
|
|
ipa vault-add <name> --user <username>
|
|
""") + _("""
|
|
Show a private vault:
|
|
ipa vault-show <name>
|
|
""") + _("""
|
|
Show a service vault:
|
|
ipa vault-show <name> --service <service name>
|
|
""") + _("""
|
|
Show a shared vault:
|
|
ipa vault-show <name> --shared
|
|
""") + _("""
|
|
Show a user vault:
|
|
ipa vault-show <name> --user <username>
|
|
""") + _("""
|
|
Modify a private vault:
|
|
ipa vault-mod <name> --desc <description>
|
|
""") + _("""
|
|
Modify a service vault:
|
|
ipa vault-mod <name> --service <service name> --desc <description>
|
|
""") + _("""
|
|
Modify a shared vault:
|
|
ipa vault-mod <name> --shared --desc <description>
|
|
""") + _("""
|
|
Modify a user vault:
|
|
ipa vault-mod <name> --user <username> --desc <description>
|
|
""") + _("""
|
|
Delete a private vault:
|
|
ipa vault-del <name>
|
|
""") + _("""
|
|
Delete a service vault:
|
|
ipa vault-del <name> --service <service name>
|
|
""") + _("""
|
|
Delete a shared vault:
|
|
ipa vault-del <name> --shared
|
|
""") + _("""
|
|
Delete a user vault:
|
|
ipa vault-del <name> --user <username>
|
|
""") + _("""
|
|
Display vault configuration:
|
|
ipa vault-config
|
|
""") + _("""
|
|
Archive data into private vault:
|
|
ipa vault-archive <name> --in <input file>
|
|
""") + _("""
|
|
Archive data into service vault:
|
|
ipa vault-archive <name> --service <service name> --in <input file>
|
|
""") + _("""
|
|
Archive data into shared vault:
|
|
ipa vault-archive <name> --shared --in <input file>
|
|
""") + _("""
|
|
Archive data into user vault:
|
|
ipa vault-archive <name> --user <username> --in <input file>
|
|
""") + _("""
|
|
Retrieve data from private vault:
|
|
ipa vault-retrieve <name> --out <output file>
|
|
""") + _("""
|
|
Retrieve data from service vault:
|
|
ipa vault-retrieve <name> --service <service name> --out <output file>
|
|
""") + _("""
|
|
Retrieve data from shared vault:
|
|
ipa vault-retrieve <name> --shared --out <output file>
|
|
""") + _("""
|
|
Retrieve data from user vault:
|
|
ipa vault-retrieve <name> --user <user name> --out <output file>
|
|
""")
|
|
|
|
register = Registry()
|
|
|
|
|
|
vault_options = (
|
|
Str(
|
|
'service?',
|
|
doc=_('Service name'),
|
|
),
|
|
Flag(
|
|
'shared?',
|
|
doc=_('Shared vault'),
|
|
),
|
|
Str(
|
|
'user?',
|
|
doc=_('Username'),
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class vault(LDAPObject):
|
|
__doc__ = _("""
|
|
Vault object.
|
|
""")
|
|
|
|
container_dn = api.env.container_vault
|
|
|
|
object_name = _('vault')
|
|
object_name_plural = _('vaults')
|
|
|
|
object_class = ['ipaVault']
|
|
default_attributes = [
|
|
'cn',
|
|
'description',
|
|
]
|
|
|
|
label = _('Vaults')
|
|
label_singular = _('Vault')
|
|
|
|
takes_params = (
|
|
Str(
|
|
'cn',
|
|
cli_name='name',
|
|
label=_('Vault name'),
|
|
primary_key=True,
|
|
pattern='^[a-zA-Z0-9_.-]+$',
|
|
pattern_errmsg='may only include letters, numbers, _, ., and -',
|
|
maxlength=255,
|
|
),
|
|
Str(
|
|
'description?',
|
|
cli_name='desc',
|
|
label=_('Description'),
|
|
doc=_('Vault description'),
|
|
),
|
|
)
|
|
|
|
def get_dn(self, *keys, **options):
|
|
"""
|
|
Generates vault DN from parameters.
|
|
"""
|
|
|
|
service = options.get('service')
|
|
shared = options.get('shared')
|
|
user = options.get('user')
|
|
|
|
count = 0
|
|
if service:
|
|
count += 1
|
|
|
|
if shared:
|
|
count += 1
|
|
|
|
if user:
|
|
count += 1
|
|
|
|
if count > 1:
|
|
raise errors.MutuallyExclusiveError(
|
|
reason=_('Service, shared, and user options ' +
|
|
'cannot be specified simultaneously'))
|
|
|
|
# TODO: create container_dn after object initialization then reuse it
|
|
container_dn = DN(self.container_dn, self.api.env.basedn)
|
|
|
|
dn = super(vault, self).get_dn(*keys, **options)
|
|
assert dn.endswith(container_dn)
|
|
rdns = DN(*dn[:-len(container_dn)])
|
|
|
|
if not count:
|
|
principal = getattr(context, 'principal')
|
|
|
|
if principal.startswith('host/'):
|
|
raise errors.NotImplementedError(
|
|
reason=_('Host is not supported'))
|
|
|
|
(name, realm) = split_principal(principal)
|
|
if '/' in name:
|
|
service = name
|
|
else:
|
|
user = name
|
|
|
|
if service:
|
|
parent_dn = DN(('cn', service), ('cn', 'services'), container_dn)
|
|
elif shared:
|
|
parent_dn = DN(('cn', 'shared'), container_dn)
|
|
else:
|
|
parent_dn = DN(('cn', user), ('cn', 'users'), container_dn)
|
|
|
|
return DN(rdns, parent_dn)
|
|
|
|
def create_container(self, dn):
|
|
"""
|
|
Creates vault container and its parents.
|
|
"""
|
|
|
|
# TODO: create container_dn after object initialization then reuse it
|
|
container_dn = DN(self.container_dn, self.api.env.basedn)
|
|
|
|
entries = []
|
|
|
|
while dn:
|
|
assert dn.endswith(container_dn)
|
|
|
|
rdn = dn[0]
|
|
entry = self.backend.make_entry(
|
|
dn,
|
|
{
|
|
'objectclass': ['nsContainer'],
|
|
'cn': rdn['cn'],
|
|
})
|
|
|
|
# if entry can be added, return
|
|
try:
|
|
self.backend.add_entry(entry)
|
|
break
|
|
|
|
except errors.NotFound:
|
|
pass
|
|
|
|
# otherwise, create parent entry first
|
|
dn = DN(*dn[1:])
|
|
entries.insert(0, entry)
|
|
|
|
# then create the entries again
|
|
for entry in entries:
|
|
self.backend.add_entry(entry)
|
|
|
|
def get_key_id(self, dn):
|
|
"""
|
|
Generates a client key ID to archive/retrieve data in KRA.
|
|
"""
|
|
|
|
# TODO: create container_dn after object initialization then reuse it
|
|
container_dn = DN(self.container_dn, self.api.env.basedn)
|
|
|
|
# make sure the DN is a vault DN
|
|
if not dn.endswith(container_dn, 1):
|
|
raise ValueError('Invalid vault DN: %s' % dn)
|
|
|
|
# construct the vault ID from the bottom up
|
|
id = u''
|
|
for rdn in dn[:-len(container_dn)]:
|
|
name = rdn['cn']
|
|
id = u'/' + name + id
|
|
|
|
return 'ipa:' + id
|
|
|
|
|
|
@register()
|
|
class vault_add(LDAPCreate):
|
|
__doc__ = _('Create a new vault.')
|
|
|
|
takes_options = LDAPCreate.takes_options + vault_options
|
|
|
|
msg_summary = _('Added vault "%(value)s"')
|
|
|
|
def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys,
|
|
**options):
|
|
assert isinstance(dn, DN)
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
try:
|
|
parent_dn = DN(*dn[1:])
|
|
self.obj.create_container(parent_dn)
|
|
except errors.DuplicateEntry, e:
|
|
pass
|
|
|
|
return dn
|
|
|
|
|
|
@register()
|
|
class vault_del(LDAPDelete):
|
|
__doc__ = _('Delete a vault.')
|
|
|
|
takes_options = LDAPDelete.takes_options + vault_options
|
|
|
|
msg_summary = _('Deleted vault "%(value)s"')
|
|
|
|
def pre_callback(self, ldap, dn, *keys, **options):
|
|
assert isinstance(dn, DN)
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
return dn
|
|
|
|
def post_callback(self, ldap, dn, *args, **options):
|
|
assert isinstance(dn, DN)
|
|
|
|
kra_client = self.api.Backend.kra.get_client()
|
|
|
|
kra_account = pki.account.AccountClient(kra_client.connection)
|
|
kra_account.login()
|
|
|
|
client_key_id = self.obj.get_key_id(dn)
|
|
|
|
# deactivate vault record in KRA
|
|
response = kra_client.keys.list_keys(
|
|
client_key_id, pki.key.KeyClient.KEY_STATUS_ACTIVE)
|
|
|
|
for key_info in response.key_infos:
|
|
kra_client.keys.modify_key_status(
|
|
key_info.get_key_id(),
|
|
pki.key.KeyClient.KEY_STATUS_INACTIVE)
|
|
|
|
kra_account.logout()
|
|
|
|
return True
|
|
|
|
|
|
@register()
|
|
class vault_find(LDAPSearch):
|
|
__doc__ = _('Search for vaults.')
|
|
|
|
takes_options = LDAPSearch.takes_options + vault_options
|
|
|
|
msg_summary = ngettext(
|
|
'%(count)d vault matched',
|
|
'%(count)d vaults matched',
|
|
0,
|
|
)
|
|
|
|
def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args,
|
|
**options):
|
|
assert isinstance(base_dn, DN)
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
base_dn = self.obj.get_dn(*args, **options)
|
|
|
|
return (filter, base_dn, scope)
|
|
|
|
def exc_callback(self, args, options, exc, call_func, *call_args,
|
|
**call_kwargs):
|
|
if call_func.__name__ == 'find_entries':
|
|
if isinstance(exc, errors.NotFound):
|
|
# ignore missing containers since they will be created
|
|
# automatically on vault creation.
|
|
raise errors.EmptyResult(reason=str(exc))
|
|
|
|
raise exc
|
|
|
|
|
|
@register()
|
|
class vault_mod(LDAPUpdate):
|
|
__doc__ = _('Modify a vault.')
|
|
|
|
takes_options = LDAPUpdate.takes_options + vault_options
|
|
|
|
msg_summary = _('Modified vault "%(value)s"')
|
|
|
|
def pre_callback(self, ldap, dn, entry_attrs, attrs_list,
|
|
*keys, **options):
|
|
|
|
assert isinstance(dn, DN)
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
return dn
|
|
|
|
|
|
@register()
|
|
class vault_show(LDAPRetrieve):
|
|
__doc__ = _('Display information about a vault.')
|
|
|
|
takes_options = LDAPRetrieve.takes_options + vault_options
|
|
|
|
def pre_callback(self, ldap, dn, attrs_list, *keys, **options):
|
|
assert isinstance(dn, DN)
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
return dn
|
|
|
|
|
|
@register()
|
|
class vaultconfig(Object):
|
|
__doc__ = _('Vault configuration')
|
|
|
|
takes_params = (
|
|
Bytes(
|
|
'transport_cert',
|
|
label=_('Transport Certificate'),
|
|
),
|
|
)
|
|
|
|
|
|
@register()
|
|
class vaultconfig_show(Retrieve):
|
|
__doc__ = _('Show vault configuration.')
|
|
|
|
takes_options = (
|
|
Str(
|
|
'transport_out?',
|
|
doc=_('Output file to store the transport certificate'),
|
|
),
|
|
)
|
|
|
|
def forward(self, *args, **options):
|
|
|
|
file = options.get('transport_out')
|
|
|
|
# don't send these parameters to server
|
|
if 'transport_out' in options:
|
|
del options['transport_out']
|
|
|
|
response = super(vaultconfig_show, self).forward(*args, **options)
|
|
|
|
if file:
|
|
with open(file, 'w') as f:
|
|
f.write(response['result']['transport_cert'])
|
|
|
|
return response
|
|
|
|
def execute(self, *args, **options):
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
kra_client = self.api.Backend.kra.get_client()
|
|
transport_cert = kra_client.system_certs.get_transport_cert()
|
|
return {
|
|
'result': {
|
|
'transport_cert': transport_cert.binary
|
|
},
|
|
'value': None,
|
|
}
|
|
|
|
|
|
@register()
|
|
class vault_archive(PKQuery, Local):
|
|
__doc__ = _('Archive data into a vault.')
|
|
|
|
takes_options = vault_options + (
|
|
Bytes(
|
|
'data?',
|
|
doc=_('Binary data to archive'),
|
|
),
|
|
Str( # TODO: use File parameter
|
|
'in?',
|
|
doc=_('File containing data to archive'),
|
|
),
|
|
)
|
|
|
|
has_output = output.standard_entry
|
|
|
|
msg_summary = _('Archived data into vault "%(value)s"')
|
|
|
|
def forward(self, *args, **options):
|
|
|
|
data = options.get('data')
|
|
input_file = options.get('in')
|
|
|
|
# don't send these parameters to server
|
|
if 'data' in options:
|
|
del options['data']
|
|
if 'in' in options:
|
|
del options['in']
|
|
|
|
# get data
|
|
if data and input_file:
|
|
raise errors.MutuallyExclusiveError(
|
|
reason=_('Input data specified multiple times'))
|
|
|
|
if input_file:
|
|
with open(input_file, 'rb') as f:
|
|
data = f.read()
|
|
|
|
elif not data:
|
|
data = ''
|
|
|
|
if self.api.env.in_server:
|
|
backend = self.api.Backend.ldap2
|
|
else:
|
|
backend = self.api.Backend.rpcclient
|
|
if not backend.isconnected():
|
|
backend.connect(ccache=krbV.default_context().default_ccache())
|
|
|
|
# initialize NSS database
|
|
current_dbdir = paths.IPA_NSSDB_DIR
|
|
nss.nss_init(current_dbdir)
|
|
|
|
# retrieve transport certificate
|
|
config = self.api.Command.vaultconfig_show()
|
|
transport_cert_der = config['result']['transport_cert']
|
|
nss_transport_cert = nss.Certificate(transport_cert_der)
|
|
|
|
# generate session key
|
|
mechanism = nss.CKM_DES3_CBC_PAD
|
|
slot = nss.get_best_slot(mechanism)
|
|
key_length = slot.get_best_key_length(mechanism)
|
|
session_key = slot.key_gen(mechanism, None, key_length)
|
|
|
|
# wrap session key with transport certificate
|
|
public_key = nss_transport_cert.subject_public_key_info.public_key
|
|
wrapped_session_key = nss.pub_wrap_sym_key(mechanism,
|
|
public_key,
|
|
session_key)
|
|
|
|
options['session_key'] = wrapped_session_key.data
|
|
|
|
nonce_length = nss.get_iv_length(mechanism)
|
|
nonce = nss.generate_random(nonce_length)
|
|
options['nonce'] = nonce
|
|
|
|
vault_data = {}
|
|
vault_data[u'data'] = base64.b64encode(data).decode('utf-8')
|
|
|
|
json_vault_data = json.dumps(vault_data)
|
|
|
|
# wrap vault_data with session key
|
|
iv_si = nss.SecItem(nonce)
|
|
iv_param = nss.param_from_iv(mechanism, iv_si)
|
|
|
|
encoding_ctx = nss.create_context_by_sym_key(mechanism,
|
|
nss.CKA_ENCRYPT,
|
|
session_key,
|
|
iv_param)
|
|
|
|
wrapped_vault_data = encoding_ctx.cipher_op(json_vault_data)\
|
|
+ encoding_ctx.digest_final()
|
|
|
|
options['vault_data'] = wrapped_vault_data
|
|
|
|
response = self.api.Command.vault_archive_encrypted(*args, **options)
|
|
|
|
response['result'] = {}
|
|
del response['summary']
|
|
|
|
return response
|
|
|
|
|
|
@register()
|
|
class vault_archive_encrypted(Update):
|
|
NO_CLI = True
|
|
|
|
takes_options = vault_options + (
|
|
Bytes(
|
|
'session_key',
|
|
doc=_('Session key wrapped with transport certificate'),
|
|
),
|
|
Bytes(
|
|
'vault_data',
|
|
doc=_('Vault data encrypted with session key'),
|
|
),
|
|
Bytes(
|
|
'nonce',
|
|
doc=_('Nonce'),
|
|
),
|
|
)
|
|
|
|
def execute(self, *args, **options):
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
wrapped_vault_data = options.pop('vault_data')
|
|
nonce = options.pop('nonce')
|
|
wrapped_session_key = options.pop('session_key')
|
|
|
|
# retrieve vault info
|
|
result = self.api.Command.vault_show(*args, **options)
|
|
vault = result['result']
|
|
|
|
# connect to KRA
|
|
kra_client = self.api.Backend.kra.get_client()
|
|
|
|
kra_account = pki.account.AccountClient(kra_client.connection)
|
|
kra_account.login()
|
|
|
|
client_key_id = self.obj.get_key_id(vault['dn'])
|
|
|
|
# deactivate existing vault record in KRA
|
|
response = kra_client.keys.list_keys(
|
|
client_key_id,
|
|
pki.key.KeyClient.KEY_STATUS_ACTIVE)
|
|
|
|
for key_info in response.key_infos:
|
|
kra_client.keys.modify_key_status(
|
|
key_info.get_key_id(),
|
|
pki.key.KeyClient.KEY_STATUS_INACTIVE)
|
|
|
|
# forward wrapped data to KRA
|
|
kra_client.keys.archive_encrypted_data(
|
|
client_key_id,
|
|
pki.key.KeyClient.PASS_PHRASE_TYPE,
|
|
wrapped_vault_data,
|
|
wrapped_session_key,
|
|
None,
|
|
nonce,
|
|
)
|
|
|
|
kra_account.logout()
|
|
|
|
return result
|
|
|
|
|
|
@register()
|
|
class vault_retrieve(PKQuery, Local):
|
|
__doc__ = _('Retrieve a data from a vault.')
|
|
|
|
takes_options = vault_options + (
|
|
Str(
|
|
'out?',
|
|
doc=_('File to store retrieved data'),
|
|
),
|
|
)
|
|
|
|
has_output = output.standard_entry
|
|
has_output_params = (
|
|
Bytes(
|
|
'data',
|
|
label=_('Data'),
|
|
),
|
|
)
|
|
|
|
msg_summary = _('Retrieved data from vault "%(value)s"')
|
|
|
|
def forward(self, *args, **options):
|
|
|
|
output_file = options.get('out')
|
|
|
|
# don't send these parameters to server
|
|
if 'out' in options:
|
|
del options['out']
|
|
|
|
if self.api.env.in_server:
|
|
backend = self.api.Backend.ldap2
|
|
else:
|
|
backend = self.api.Backend.rpcclient
|
|
if not backend.isconnected():
|
|
backend.connect(ccache=krbV.default_context().default_ccache())
|
|
|
|
# initialize NSS database
|
|
current_dbdir = paths.IPA_NSSDB_DIR
|
|
nss.nss_init(current_dbdir)
|
|
|
|
# retrieve transport certificate
|
|
config = self.api.Command.vaultconfig_show()
|
|
transport_cert_der = config['result']['transport_cert']
|
|
nss_transport_cert = nss.Certificate(transport_cert_der)
|
|
|
|
# generate session key
|
|
mechanism = nss.CKM_DES3_CBC_PAD
|
|
slot = nss.get_best_slot(mechanism)
|
|
key_length = slot.get_best_key_length(mechanism)
|
|
session_key = slot.key_gen(mechanism, None, key_length)
|
|
|
|
# wrap session key with transport certificate
|
|
public_key = nss_transport_cert.subject_public_key_info.public_key
|
|
wrapped_session_key = nss.pub_wrap_sym_key(mechanism,
|
|
public_key,
|
|
session_key)
|
|
|
|
# send retrieval request to server
|
|
options['session_key'] = wrapped_session_key.data
|
|
|
|
response = self.api.Command.vault_retrieve_encrypted(*args, **options)
|
|
|
|
result = response['result']
|
|
nonce = result['nonce']
|
|
|
|
# unwrap data with session key
|
|
wrapped_vault_data = result['vault_data']
|
|
|
|
iv_si = nss.SecItem(nonce)
|
|
iv_param = nss.param_from_iv(mechanism, iv_si)
|
|
|
|
decoding_ctx = nss.create_context_by_sym_key(mechanism,
|
|
nss.CKA_DECRYPT,
|
|
session_key,
|
|
iv_param)
|
|
|
|
json_vault_data = decoding_ctx.cipher_op(wrapped_vault_data)\
|
|
+ decoding_ctx.digest_final()
|
|
|
|
vault_data = json.loads(json_vault_data)
|
|
data = base64.b64decode(vault_data[u'data'].encode('utf-8'))
|
|
|
|
if output_file:
|
|
with open(output_file, 'w') as f:
|
|
f.write(data)
|
|
|
|
response['result'] = {'data': data}
|
|
del response['summary']
|
|
|
|
return response
|
|
|
|
|
|
@register()
|
|
class vault_retrieve_encrypted(Retrieve):
|
|
NO_CLI = True
|
|
|
|
takes_options = vault_options + (
|
|
Bytes(
|
|
'session_key',
|
|
doc=_('Session key wrapped with transport certificate'),
|
|
),
|
|
)
|
|
|
|
def execute(self, *args, **options):
|
|
|
|
if not self.api.Command.kra_is_enabled()['result']:
|
|
raise errors.InvocationError(
|
|
format=_('KRA service is not enabled'))
|
|
|
|
wrapped_session_key = options.pop('session_key')
|
|
|
|
# retrieve vault info
|
|
result = self.api.Command.vault_show(*args, **options)
|
|
vault = result['result']
|
|
|
|
# connect to KRA
|
|
kra_client = self.api.Backend.kra.get_client()
|
|
|
|
kra_account = pki.account.AccountClient(kra_client.connection)
|
|
kra_account.login()
|
|
|
|
client_key_id = self.obj.get_key_id(vault['dn'])
|
|
|
|
# find vault record in KRA
|
|
response = kra_client.keys.list_keys(
|
|
client_key_id,
|
|
pki.key.KeyClient.KEY_STATUS_ACTIVE)
|
|
|
|
if not len(response.key_infos):
|
|
raise errors.NotFound(reason=_('No archived data.'))
|
|
|
|
key_info = response.key_infos[0]
|
|
|
|
# retrieve encrypted data from KRA
|
|
key = kra_client.keys.retrieve_key(
|
|
key_info.get_key_id(),
|
|
wrapped_session_key)
|
|
|
|
vault['vault_data'] = key.encrypted_data
|
|
vault['nonce'] = key.nonce_data
|
|
|
|
kra_account.logout()
|
|
|
|
return result
|
|
|
|
|
|
@register()
|
|
class kra_is_enabled(Command):
|
|
NO_CLI = True
|
|
|
|
has_output = output.standard_value
|
|
|
|
def execute(self, *args, **options):
|
|
base_dn = DN(('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc'),
|
|
self.api.env.basedn)
|
|
filter = '(&(objectClass=ipaConfigObject)(cn=KRA))'
|
|
try:
|
|
self.api.Backend.ldap2.find_entries(
|
|
base_dn=base_dn, filter=filter, attrs_list=[])
|
|
except errors.NotFound:
|
|
result = False
|
|
else:
|
|
result = True
|
|
return dict(result=result, value=pkey_to_value(None, options))
|