URL: https://github.com/freeipa/freeipa/pull/679 Author: simo5 Title: #679: Make sure remote hosts have our keys Action: opened
PR body: """ In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce <s...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/679/head:pr679 git checkout pr679
From f51e478fb79cda153a6d0483369f0159088423fb Mon Sep 17 00:00:00 2001 From: Simo Sorce <s...@redhat.com> Date: Fri, 31 Mar 2017 11:22:45 -0400 Subject: [PATCH] Make sure remote hosts have our keys In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6688 Signed-off-by: Simo Sorce <s...@redhat.com> --- ipaserver/install/custodiainstance.py | 27 +++++++++++++++++++++++++-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index 6a61392..4d6e7ba 100644 --- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -1,15 +1,17 @@ # Copyright (C) 2015 FreeIPa Project Contributors, see 'COPYING' for license. -from ipaserver.secrets.kem import IPAKEMKeys +from custodia.message.kem import KEY_USAGE_ENC +from ipaserver.secrets.kem import IPAKEMKeys, KEMLdap from ipaserver.secrets.client import CustodiaClient from ipaplatform.paths import paths from ipaplatform.constants import constants from ipaserver.install.service import SimpleServiceInstance -from ipapython import ipautil +from ipapython import ipautil, ipaldap from ipapython.ipa_log_manager import root_logger from ipapython.certdb import NSSDatabase from ipaserver.install import installutils from ipaserver.install import ldapupdate +from ipaserver.install import replication from ipaserver.install import sysupgrade from base64 import b64decode from jwcrypto.common import json_decode @@ -18,6 +20,7 @@ import os import stat import tempfile +import time import pwd @@ -122,6 +125,22 @@ def import_dm_password(self, master_host_name): cli = self.__CustodiaClient(server=master_host_name) cli.fetch_key('dm/DMHash') + def __wait_keys(self, host, timeout=300): + ldap_uri = 'ldap://%s' % host + principal = 'host/%s@%s' % (self.fqdn, self.realm) + deadline = int(time.time()) + timeout + + result = None + konn = KEMLdap(ldap_uri) + while True: + try: + konn.get_key(KEY_USAGE_ENC, principal) + return + except Exception as e: + if int(time.time()) > deadline: + raise e + time.sleep(1) + def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): # Fecth all needed certs one by one, then combine them in a single # p12 file @@ -129,6 +148,10 @@ def __get_keys(self, ca_host, cacerts_file, cacerts_pwd, data): prefix = data['prefix'] certlist = data['list'] + # Before we attempt to fetch keys from this host, make sure our public + # keys have been replicated there. + sel.__wait_keys(ca_host) + cli = self.__CustodiaClient(server=ca_host) # Temporary nssdb
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
