ca, kra install: validate DM password #757
install/tools/ipa-ca-install
Outdated
"Directory Manager (existing master)", confirm=False, | ||
validate=False) | ||
except KeyboardInterrupt: | ||
sys.exit(0) |
keyboard interrupt should not result in exit code 0. A common exit code is 130 (128 + SIGINT).
I'm afraid that this is inconsistent with other parts of code. The rest will return error code 1 in case of SIGINT.
If you want to keep new error code, then manpage should be updated as well.
Or even better, don't catch that exception and let installutils.run_script() handle it in the same way for every script.
23c0ca9 to 03e8494
try: | ||
client.simple_bind(DIRMAN_DN, password) | ||
except errors.ACIError: | ||
raise ValueError("Invalid Directory Manager password") |
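Review bot: the except clause handles only errors.ACIError from client.simple_bind(DIRMAN_DN, password), and nothing in the visible lines closes the connection after a successful bind. Add an else: branch that calls client.unbind() so the check does not leave a Directory Manager session open, and say in the docstring that any other bind failure propagates unchanged instead of becoming ValueError, so callers do not report a connectivity problem as a wrong password.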
I'm sorry but I think you may be missing the following code there:
else:
    client.unbind()
Also I would rather use verbs to name functions/methods, like validate_dm_password (but I have a suspicion that one is already taken).
install/tools/ipa-ca-install
Outdated
try: | ||
installutils.dm_password_validator(password) | ||
except ValueError: | ||
sys.exit("Directory Manager password is invalid") |
Please don't use sys.exit() explicitly here, either let the exception propagate up the stack to the caller or re-raise RuntimeError as you do in ipa-kra-install
There will be no more sys.exits. This patchset shall not be ACKed until all have been removed.
Don't use sys.exits
Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
03e8494 to 6f3e293
Thanks for the feedback, hopefully I addressed all the issues.
Please fix nitpicks, and ehm..ehm maybe add a CI test? Works for me otherwise
install/tools/ipa-ca-install
Outdated
def _get_dirman_password(password=None, unattended=False): | ||
if not password: | ||
if unattended: | ||
raise RuntimeError('Directory Manager password required') |
Please use script error to be consistent
ipaserver/install/server/install.py: raise ScriptError("Directory Manager password required")
install/tools/ipa-ca-install
Outdated
try: | ||
installutils.validate_dm_password_ldap(password) | ||
except ValueError: | ||
raise RuntimeError("Directory Manager password is invalid") |
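Review bot: the except ValueError around installutils.validate_dm_password_ldap(password) turns any ValueError raised inside the validator into "Directory Manager password is invalid", including one unrelated to the bind result. Have the validator raise a dedicated exception type for a rejected bind and catch only that here, so an unrelated failure is not shown to the operator as a wrong password.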
Please use ScriptError here as well.
ipaserver/install/ipa_kra_install.py
Outdated
try: | ||
installutils.validate_dm_password_ldap(self.options.password) | ||
except ValueError: | ||
raise RuntimeError("Directory Manager password is invalid") |
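Review bot: this try/except repeats the wrapper shown for install/tools/ipa-ca-install line for line, with only the argument changed to self.options.password. Put the translation from ValueError to the user-facing error in one shared helper next to validate_dm_password_ldap, so the message and the exception type cannot drift between the CA and KRA installers.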
ScriptError please :)
4677428 to 8d13f2a
Implementing the tests shouldn't block us from pushing this fix. I opened a ticket for it: https://pagure.io/freeipa/issue/6941
We have to use
We don't want to uninstall server due to a typo in password
6eef190 to fa43013
You forgot an import in ipa-ca-install:
Before proceeding with installation, validate DM password. If the provided DM password is invalid, abort the installation. Fixes https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
fa43013 to 630829e
Prevent CA and KRA installation from proceeding if provided DM password is invalid to avoid broken installations with no possibility to uninstall CA or KRA.
https://pagure.io/freeipa/issue/6892