[Freeipa-devel] [PATCH] 352 Fixed KRA backend.

Petr Viktorin pviktori at redhat.com
Wed Oct 29 12:58:26 UTC 2014


On 10/28/2014 10:51 PM, Endi Sukma Dewata wrote:
> Thanks for the review. New patch attached.
>
> On 10/23/2014 3:59 AM, Petr Viktorin wrote:
>> In IPA we usually include the full ticket URL, not just the number.
>
> Fixed.
>
>> The build fails with a lint message:
>> ************* Module ipaserver.plugins.dogtag
>> ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg),
>> kra.get_client] Unexpected keyword argument 'password_file' in
>> constructor call)
>> ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter),
>> kra.get_client] No value for argument 'certdb_password' in constructor
>> call)
>>
>> I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed
>> takes password and not password_file. If a newer version is required you
>> should put it in the spec.
>
> Fixed. Dependency is bumped to 10.2.1-0.1 which is available from my
> COPR repo:
>
>    dnf copr enable edewata/pki

OK. We should get that to an IPA COPR before merging this.

>> ipaserver.install.certs.CertDB.install_pem_from_p12:
>> If p12_passwd is missing and pwd_fname is None, this will crash.
>> Please document how the method should be called. And assert that exactly
>> one of p12_passwd and pwd_fname is given.
>
> I reverted this change because the KRA backend actually no longer uses
> install_pem_from_p12(). The KRA backend is now using the CLI from the
> new Dogtag which generates the proper PEM format for client
> authentication, so I'll leave install_pem_from_p12() unmodified because
> it's still used by KrbInstance.
>
>> ipaserver.plugins.dogtag.kra.get_client:
>> Should every caller check if this returns None?
>> If not, raise an exception instead.
>> If yes, at least mention it in a docstring.
>
> Fixed. It's now raising a generic exception.
>
> Is there an existing exception that is more appropriate for backend
> issues like this?

I'd go for RuntimeError.
Don't use translatable strings (the _ function) if you're not using 
ipalib.PublicError subclasses.

>
>> Typo in commit message: "modified to use Dogtag's CLI *go* create"
>
> Fixed.
>


How can I do some basic smoke check on this? Is there something I still 
need to do besides ipa-kra-install? Any other patches?
I tried:

from ipalib import api
from pki.key import KeyClient

# Bootstrap the IPA API in server context so the Backend plugins are loaded
api.bootstrap(context='server')
api.finalize()

# Obtain a Dogtag KeyClient through the new kra backend
keyclient = api.Backend.kra.get_client()
# Archive a passphrase under client key id 'test3'
keyclient.keys.archive_key('test3', KeyClient.PASS_PHRASE_TYPE, 'tkey')

which gives me:

Traceback (most recent call last):
   File "<stdin>", line 1, in <module>
   File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 295, in handler
     return fn_call(inst, *args, **kwargs)
   File "/usr/lib/python2.7/site-packages/pki/key.py", line 687, in archive_key
     nonce_iv = self.crypto.generate_nonce_iv()
   File "/usr/lib/python2.7/site-packages/pki/crypto.py", line 176, in generate_nonce_iv
     iv_data = nss.generate_random(iv_length)
nss.error.NSPRError: (SEC_ERROR_NO_TOKEN) The security card or token does not exist, needs to be initialized, or has been removed.


-- 
Petr³
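The review point above (get_client() should raise instead of returning None, and internal errors should use a plain RuntimeError rather than translatable _() strings, which belong to ipalib.PublicError subclasses), shown as an added illustration. This is not code from the thread or from FreeIPA: KRABackend, FakeKeyClient, PublicError and KRAUnavailable are hypothetical stand-ins, and the 'passPhrase' constant is an assumed value, used only so the example runs offline.

```python
"""Illustration (not ipalib code) of fail-fast backend accessors.

A backend accessor that returns None pushes the failure to whichever caller
forgets to check; raising a plain RuntimeError surfaces the real cause at
the point where it is known, and a user-facing layer can translate it.
"""
import os


class PublicError(Exception):
    """Stand-in (hypothetical) for a user-facing, translatable error class."""


class KRAUnavailable(PublicError):
    """User-facing error raised by the command layer when the KRA is unusable."""


class FakeKeyClient:
    """Stand-in for pki.key.KeyClient; records archived keys in memory."""
    PASS_PHRASE_TYPE = 'passPhrase'  # assumed value, illustrative only

    def __init__(self, host):
        self.host = host
        self.archived = []

    def archive_key(self, client_key_id, data_type, passphrase):
        self.archived.append((client_key_id, data_type))
        return client_key_id


class KRABackend:
    """Hypothetical backend built from a config dict and a client certdb dir."""

    def __init__(self, config, certdb_dir):
        self.config = config
        self.certdb_dir = certdb_dir

    def get_client_or_none(self):
        # The pattern the review rejects: every caller must remember to check.
        if not self.config.get('kra_host') or not os.path.isdir(self.certdb_dir):
            return None
        return FakeKeyClient(self.config['kra_host'])

    def get_client(self):
        # Fail fast with a plain RuntimeError. No _() here: this is an
        # internal/configuration failure, not a message for end users.
        host = self.config.get('kra_host')
        if not host:
            raise RuntimeError('KRA backend: kra_host is not configured')
        if not os.path.isdir(self.certdb_dir):
            raise RuntimeError('KRA backend: client certdb %r does not exist'
                               % self.certdb_dir)
        return FakeKeyClient(host)


def archive_passphrase(backend, key_id, passphrase):
    """Command-layer caller: maps the internal failure to a user-facing error."""
    try:
        client = backend.get_client()
    except RuntimeError as e:
        raise KRAUnavailable('KRA is not available: %s' % e)
    return client.archive_key(key_id, FakeKeyClient.PASS_PHRASE_TYPE, passphrase)


def caller_without_check(backend, key_id, passphrase):
    """Why None is worse: the failure surfaces as an AttributeError far from its cause."""
    client = backend.get_client_or_none()
    return client.archive_key(key_id, FakeKeyClient.PASS_PHRASE_TYPE, passphrase)
```

With a configured host and an existing certdb directory, archive_passphrase returns the key id; with kra_host missing it raises KRAUnavailable carrying the backend's message, whereas caller_without_check dies with an AttributeError that says nothing about the KRA configuration.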