From a0ea8706fddb0459982c2ae276679cea6b0a812e Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 27 Apr 2017 18:20:06 +0200
Subject: [PATCH] vault: piped input for ipa vault-add fails
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault
This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.
https://pagure.io/freeipa/issue/6907
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
---
ipaclient/plugins/vault.py | 37 ++++++++-----------------------------
1 file changed, 8 insertions(+), 29 deletions(-)
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 3fb4900d9cf90e6902c40e1c3d8cfdafec2e28b8..f21dc4dbb6579c0f92ae9ab94d76a6396b26b233 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -21,11 +21,9 @@ from __future__ import print_function
import base64
import errno
-import getpass
import io
import json
import os
-import sys
import tempfile
from cryptography.fernet import Fernet, InvalidToken
@@ -84,29 +82,6 @@ register = Registry()
MAX_VAULT_DATA_SIZE = 2**20 # = 1 MB
-def get_new_password():
- """
- Gets new password from user and verify it.
- """
- while True:
- password = getpass.getpass('New password: ').decode(
- sys.stdin.encoding)
- password2 = getpass.getpass('Verify password: ').decode(
- sys.stdin.encoding)
-
- if password == password2:
- return password
-
- print(' ** Passwords do not match! **')
-
-
-def get_existing_password():
- """
- Gets existing password from user.
- """
- return getpass.getpass('Password: ').decode(sys.stdin.encoding)
-
-
def generate_symmetric_key(password, salt):
"""
Generates symmetric key from password and salt.
@@ -304,7 +279,8 @@ class vault_add(Local):
password = password.rstrip('\n')
else:
- password = get_new_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'New password')
# generate vault salt
options['ipavaultsalt'] = os.urandom(16)
@@ -887,9 +863,11 @@ class vault_archive(ModVaultData):
else:
if override_password:
- password = get_new_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'New password')
else:
- password = get_existing_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'Password', confirm=False)
if not override_password:
# verify password by retrieving existing data
@@ -1112,7 +1090,8 @@ class vault_retrieve(ModVaultData):
password = password.rstrip('\n')
else:
- password = get_existing_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'Password', confirm=False)
# generate encryption key from password
encryption_key = generate_symmetric_key(password, salt)
--
2.12.2