mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 15:40:01 -06:00
854d3053e2
If lightweight CA key replication has not completed, requests for the certificate or chain will return 404**. This can occur in normal operation, and should be a temporary condition. Detect this case and handle it by simply omitting the 'certificate' and/or 'certificate_out' fields in the response, and add a warning message to the response. Also update the client-side plugin that handles the --certificate-out option. Because the CLI will automatically print the warning message, if the expected field is missing from the response, just ignore it and continue processing. ** after the Dogtag NullPointerException gets fixed! Part of: https://pagure.io/freeipa/issue/7964 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
66 lines
2.0 KiB
Python
66 lines
2.0 KiB
Python
#
|
|
# Copyright (C) 2016 FreeIPA Contributors see COPYING for license
|
|
#
|
|
import base64
|
|
|
|
from ipaclient.frontend import MethodOverride
|
|
from ipalib import errors, util, x509, Str
|
|
from ipalib.plugable import Registry
|
|
from ipalib.text import _
|
|
|
|
register = Registry()
|
|
|
|
|
|
class WithCertOutArgs(MethodOverride):
|
|
|
|
takes_options = (
|
|
Str(
|
|
'certificate_out?',
|
|
doc=_('Write certificate (chain if --chain used) to file'),
|
|
include='cli',
|
|
cli_metavar='FILE',
|
|
),
|
|
)
|
|
|
|
def forward(self, *keys, **options):
|
|
filename = None
|
|
if 'certificate_out' in options:
|
|
filename = options.pop('certificate_out')
|
|
try:
|
|
util.check_writable_file(filename)
|
|
except errors.FileError as e:
|
|
raise errors.ValidationError(name='certificate-out',
|
|
error=str(e))
|
|
|
|
result = super(WithCertOutArgs, self).forward(*keys, **options)
|
|
|
|
if filename:
|
|
# if result certificate / certificate_chain not present in result,
|
|
# it means Dogtag did not provide it (probably due to LWCA key
|
|
# replication lag or failure. The server transmits a warning
|
|
# message in this case, which the client automatically prints.
|
|
# So in this section we just ignore it and move on.
|
|
certs = None
|
|
if options.get('chain', False):
|
|
if 'certificate_chain' in result['result']:
|
|
certs = result['result']['certificate_chain']
|
|
else:
|
|
if 'certificate' in result['result']:
|
|
certs = [base64.b64decode(result['result']['certificate'])]
|
|
if certs:
|
|
x509.write_certificate_list(
|
|
(x509.load_der_x509_certificate(cert) for cert in certs),
|
|
filename)
|
|
|
|
return result
|
|
|
|
|
|
@register(override=True, no_fail=True)
|
|
class ca_add(WithCertOutArgs):
|
|
pass
|
|
|
|
|
|
@register(override=True, no_fail=True)
|
|
class ca_show(WithCertOutArgs):
|
|
pass
|