ca, kra install: validate DM password #757
Conversation
install/tools/ipa-ca-install
Outdated
| "Directory Manager (existing master)", confirm=False, | ||
| validate=False) | ||
| except KeyboardInterrupt: | ||
| sys.exit(0) |
There was a problem hiding this comment.
keyboard interrupt should not result in exit code 0. A common exit code is 130 (128 + SIGINT).
There was a problem hiding this comment.
I'm afraid that this is inconsistent with other parts of code. The rest will return error code 1 in case of SIGINT.
If you want to keep new error code, then manpage should be updated as well.
There was a problem hiding this comment.
Or even better, don't catch that exception and let installutils.run_script() to handle it in the same way for every script.
nicki-krizek
force-pushed
the
validate-dm-password
branch
from
23c0ca9
to
03e8494
Compare
| try: | ||
| client.simple_bind(DIRMAN_DN, password) | ||
| except errors.ACIError: | ||
| raise ValueError("Invalid Directory Manager password") |
There was a problem hiding this comment.
I'm sorry but I think you may miss following code there:
else:
client.unbind()
There was a problem hiding this comment.
Also I would rather use verbs to name functions/methods, like validate_dm_password (but I have a suspicion that one is already taken).
install/tools/ipa-ca-install
Outdated
| try: | ||
| installutils.dm_password_validator(password) | ||
| except ValueError: | ||
| sys.exit("Directory Manager password is invalid") |
There was a problem hiding this comment.
Please don't use sys.exit() explicitly here, either let the exception propagate up the stack to the caller or re-raise RuntimeError as you do in ipa-kra-install
|
There will be no more sys.exits. This patchset shall not be ACKed until all have been removed. |
Extract copy-pasted code to a single function. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Add a validator that checks whether provided Directory Manager is valid by attempting to connect to LDAP. Related https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
nicki-krizek
force-pushed
the
validate-dm-password
branch
from
03e8494
to
6f3e293
Compare
|
Thanks for the feedback, hopefully I addressed all the issues. |
install/tools/ipa-ca-install
Outdated
| def _get_dirman_password(password=None, unattended=False): | ||
| if not password: | ||
| if unattended: | ||
| raise RuntimeError('Directory Manager password required') |
There was a problem hiding this comment.
Please use script error to be consistent
ipaserver/install/server/install.py: raise ScriptError("Directory Manager password required")
install/tools/ipa-ca-install
Outdated
| try: | ||
| installutils.validate_dm_password_ldap(password) | ||
| except ValueError: | ||
| raise RuntimeError("Directory Manager password is invalid") |
There was a problem hiding this comment.
Please use ScriptError here as well.
ipaserver/install/ipa_kra_install.py
Outdated
| try: | ||
| installutils.validate_dm_password_ldap(self.options.password) | ||
| except ValueError: | ||
| raise RuntimeError("Directory Manager password is invalid") |
nicki-krizek
force-pushed
the
validate-dm-password
branch
2 times, most recently
from
4677428
to
8d13f2a
Compare
|
Implementing the tests shouldn't block us from pushing this fix. I opened a ticket for it: https://pagure.io/freeipa/issue/6941 |
|
We have to use We don't want to uninstall server due typo in password |
nicki-krizek
force-pushed
the
validate-dm-password
branch
2 times, most recently
from
6eef190
to
fa43013
Compare
|
You forgot an import in ipa-ca-install: |
Before proceeding with installation, validate DM password. If the provided DM password is invalid, abort the installation. Fixes https://pagure.io/freeipa/issue/6892 Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
nicki-krizek
force-pushed
the
validate-dm-password
branch
from
fa43013
to
630829e
Compare
MartinBasti
added
ack
Prevent CA and KRA installation from proceeding if provided DM password is invalid to avoid broken installations with no possibility to uninstall CA or KRA.
https://pagure.io/freeipa/issue/6892