From a0ea8706fddb0459982c2ae276679cea6b0a812e Mon Sep 17 00:00:00 2001

From: Florence Blanc-Renaud <flo@redhat.com>

Date: Thu, 27 Apr 2017 18:20:06 +0200

Subject: [PATCH] vault: piped input for ipa vault-add fails

An exception is raised when using echo "Secret123\n" | ipa vault-add myvault

This happens because the code is using (string).decode(sys.stdin.encoding)

and sys.stdin.encoding is None when the input is read from a pipe.

The fix is using the prompt_password method defined by Backend.textui,

which gracefully handles this issue.

https://pagure.io/freeipa/issue/6907

Reviewed-By: Christian Heimes <cheimes@redhat.com>

Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

---

 ipaclient/plugins/vault.py | 37 ++++++++-----------------------------

 1 file changed, 8 insertions(+), 29 deletions(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py

index 3fb4900d9cf90e6902c40e1c3d8cfdafec2e28b8..f21dc4dbb6579c0f92ae9ab94d76a6396b26b233 100644

--- a/ipaclient/plugins/vault.py

+++ b/ipaclient/plugins/vault.py

@@ -21,11 +21,9 @@ from __future__ import print_function

 import base64

 import errno

-import getpass

 import io

 import json

 import os

-import sys

 import tempfile

 from cryptography.fernet import Fernet, InvalidToken

@@ -84,29 +82,6 @@ register = Registry()

 MAX_VAULT_DATA_SIZE = 2**20  # = 1 MB

-def get_new_password():

-    """

-    Gets new password from user and verify it.

-    """

-    while True:

-        password = getpass.getpass('New password: ').decode(

-            sys.stdin.encoding)

-        password2 = getpass.getpass('Verify password: ').decode(

-            sys.stdin.encoding)

-

-        if password == password2:

-            return password

-

-        print('  ** Passwords do not match! **')

-

-

-def get_existing_password():

-    """

-    Gets existing password from user.

-    """

-    return getpass.getpass('Password: ').decode(sys.stdin.encoding)

-

-

 def generate_symmetric_key(password, salt):

     """

     Generates symmetric key from password and salt.

@@ -304,7 +279,8 @@ class vault_add(Local):

                 password = password.rstrip('\n')

             else:

-                password = get_new_password()

+                password = self.api.Backend.textui.prompt_password(

+                    'New password')

             # generate vault salt

             options['ipavaultsalt'] = os.urandom(16)

@@ -887,9 +863,11 @@ class vault_archive(ModVaultData):

             else:

                 if override_password:

-                    password = get_new_password()

+                    password = self.api.Backend.textui.prompt_password(

+                        'New password')

                 else:

-                    password = get_existing_password()

+                    password = self.api.Backend.textui.prompt_password(

+                        'Password', confirm=False)

             if not override_password:

                 # verify password by retrieving existing data

@@ -1112,7 +1090,8 @@ class vault_retrieve(ModVaultData):

                 password = password.rstrip('\n')

             else:

-                password = get_existing_password()

+                password = self.api.Backend.textui.prompt_password(

+                    'Password', confirm=False)

             # generate encryption key from password

             encryption_key = generate_symmetric_key(password, salt)

-- 

2.12.2