From 82e860ae81b9e34fc6a326be4183f37a21ac1564 Mon Sep 17 00:00:00 2001
From: Simo Sorce <simo@redhat.com>
Date: Fri, 23 Jun 2017 04:48:41 -0400
Subject: [PATCH] Always check peer has keys before connecting
|
When pulling the DM password we may have the same issues reported in
ticket #6838 for CA keys.
This commit makes sure we always check the peer has keys before any
client operation.
|
Ticket #6838
|
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Michal Reznik <mreznik@redhat.com>
---
ipaserver/install/custodiainstance.py | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)
|
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
|
|
|
460745 |
index 390576bc0c0edfb7d8f8895eca9df30079526aa8..bc3cea7063dff183c85b4f6e8ced7567f691001d 100644
|
|
|
460745 |
--- a/ipaserver/install/custodiainstance.py
|
|
|
460745 |
+++ b/ipaserver/install/custodiainstance.py
|
|
|
460745 |
@@ -13,7 +13,6 @@ from ipaserver.install import ldapupdate
|
|
|
460745 |
from ipaserver.install import sysupgrade
|
|
|
460745 |
from base64 import b64decode
|
|
|
460745 |
from jwcrypto.common import json_decode
|
|
|
460745 |
-import functools
|
|
|
460745 |
import shutil
|
|
|
460745 |
import os
|
|
|
460745 |
import stat
|
|
|
460745 |
@@ -31,13 +30,6 @@ class CustodiaInstance(SimpleServiceInstance):
|
|
|
460745 |
self.ldap_uri = None
|
|
|
460745 |
self.fqdn = host_name
|
|
|
460745 |
self.realm = realm
|
|
|
460745 |
- self.__CustodiaClient = functools.partial(
|
|
|
460745 |
- CustodiaClient,
|
|
|
460745 |
- client_service='host@%s' % self.fqdn,
|
|
|
460745 |
- keyfile=self.server_keys,
|
|
|
460745 |
- keytab=paths.KRB5_KEYTAB,
|
|
|
460745 |
- realm=realm,
|
|
|
460745 |
- )
|
|
|
460745 |
|
|
|
460745 |
def __config_file(self):
|
|
|
460745 |
template_file = os.path.basename(self.config_file) + '.template'
|
|
|
460745 |
@@ -144,6 +136,14 @@ class CustodiaInstance(SimpleServiceInstance):
|
|
|
460745 |
raise RuntimeError("Timed out trying to obtain keys.")
|
|
|
460745 |
time.sleep(1)
|
|
|
460745 |
|
|
|
460745 |
+ def __CustodiaClient(self, server):
|
|
|
460745 |
+ # Before we attempt to fetch keys from this host, make sure our public
|
|
|
460745 |
+ # keys have been replicated there.
|
|
|
460745 |
+ self.__wait_keys(server)
|
|
|
460745 |
+
|
|
|
460745 |
+ return CustodiaClient('host@%s' % self.fqdn, self.server_keys,
|
|
|
460745 |
+ paths.KRB5_KEYTAB, server, realm=self.realm)
|
|
|
460745 |
+
|
|
|
460745 |
def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data):
|
|
|
460745 |
# Fecth all needed certs one by one, then combine them in a single
|
|
|
460745 |
# p12 file
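Review bot: The new `__CustodiaClient` passes the service name, key file, keytab and server to `CustodiaClient` positionally, whereas the removed `functools.partial` bound `client_service`, `keyfile` and `keytab` by keyword; if `CustodiaClient`'s parameter order ever differs from this call, the keytab path or key file would silently land in the wrong parameter instead of raising. Keeping the keyword form makes the call self-checking: `return CustodiaClient(client_service='host@%s' % self.fqdn, keyfile=self.server_keys, keytab=paths.KRB5_KEYTAB, server=server, realm=self.realm)`. The method also has no docstring even though it now carries the replication precondition that every caller relies on; something like `"""Return a CustodiaClient for *server*, first blocking in __wait_keys until our public keys are visible there (the timeout RuntimeError shown in the preceding context appears to propagate to the caller)."""` would record that contract. The `__wait_keys` body preceding the new method starts outside the hunk, so the exact timeout behaviour should be confirmed there.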
|
|
|
460745 |
@@ -151,10 +151,6 @@ class CustodiaInstance(SimpleServiceInstance):
|
|
|
460745 |
prefix = data['prefix']
|
|
|
460745 |
certlist = data['list']
|
|
|
460745 |
|
|
|
460745 |
- # Before we attempt to fetch keys from this host, make sure our public
|
|
|
460745 |
- # keys have been replicated there.
|
|
|
460745 |
- self.__wait_keys(ca_host)
|
|
|
460745 |
-
|
|
|
460745 |
cli = self.__CustodiaClient(server=ca_host)
|
|
|
460745 |
|
|
|
460745 |
# Temporary nssdb
--
2.13.5