[Freeipa-devel] [PATCH] 352 Fixed KRA backend.
Petr Viktorin
pviktori at redhat.com
Wed Oct 29 12:58:26 UTC 2014
On 10/28/2014 10:51 PM, Endi Sukma Dewata wrote:
> Thanks for the review. New patch attached.
>
> On 10/23/2014 3:59 AM, Petr Viktorin wrote:
>> In IPA we usually include the full ticket URL, not just the number.
>
> Fixed.
>
>> The build fails with a lint message:
>> ************* Module ipaserver.plugins.dogtag
>> ipaserver/plugins/dogtag.py:1903: [E1123(unexpected-keyword-arg),
>> kra.get_client] Unexpected keyword argument 'password_file' in
>> constructor call)
>> ipaserver/plugins/dogtag.py:1903: [E1120(no-value-for-parameter),
>> kra.get_client] No value for argument 'certdb_password' in constructor
>> call)
>>
>> I have pki-base-10.2.0-3.fc21.noarch, where NSSCryptoProvider indeed
>> takes password and not password_file. If a newer version is required you
>> should put it in the spec.
>
> Fixed. Dependency is bumped to 10.2.1-0.1 which is available from my
> COPR repo:
>
> dnf copr enable edewata/pki
OK. We should get that to an IPA COPR before merging this.
>> ipaserver.install.certs.CertDB.install_pem_from_p12:
>> If p12_passwd is missing and pwd_fname is None, this will crash.
>> Please document how the method should be called. And assert that exactly
>> one of p12_passwd and pwd_fname is given.
>
> I reverted this change because the KRA backend actually no longer uses
> install_pem_from_p12(). The KRA backend is now using the CLI from the
> new Dogtag which generates the proper PEM format for client
> authentication, so I'll leave install_pem_from_p12() unmodified because
> it's still used by KrbInstance.
>
>> ipaserver.plugins.dogtag.kra.get_client:
>> Should every caller check if this returns None?
>> If not, raise an exception instead.
>> If yes, at least mention it in a docstring.
>
> Fixed. It's now raising a generic exception.
>
> Is there an existing exception that is more appropriate for backend
> issues like this?
I'd go for RuntimeError.
Don't use translatable strings (the _ function) if you're not using
ipalib.PublicError subclasses.
>
>> Typo in commit message: "modified to use Dogtag's CLI *go* create"
>
> Fixed.
>
How can I do some basic smoke check on this? Is there something I still
need to to besides ipa-kra-istall? Any other patches?
I tried:
from ipalib import api
from pki.key import KeyClient
api.bootstrap(context='server')
api.finalize()
keyclient = api.Backend.kra.get_client()
keyclient.keys.archive_key('test3', KeyClient.PASS_PHRASE_TYPE, 'tkey')
which gives me:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python2.7/site-packages/pki/__init__.py", line 295, in
handler
return fn_call(inst, *args, **kwargs)
File "/usr/lib/python2.7/site-packages/pki/key.py", line 687, in
archive_key
nonce_iv = self.crypto.generate_nonce_iv()
File "/usr/lib/python2.7/site-packages/pki/crypto.py", line 176, in
generate_nonce_iv
iv_data = nss.generate_random(iv_length)
nss.error.NSPRError: (SEC_ERROR_NO_TOKEN) The security card or token
does not exist, needs to be initialized, or has been removed.
--
Petr³
More information about the Freeipa-devel
mailing list