URL: https://github.com/freeipa/freeipa/pull/766 Author: flo-renaud Title: #766: ipa-kra-install: fix check_host_keys Action: opened
PR body: """ ipa-kra-install on a replica checks that the keys are available before going further, to avoid a race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exists (not exactly one key). https://pagure.io/freeipa/issue/6934 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/766/head:pr766 git checkout pr766
From 3acd6f06396bf7596f3af53724b3f345bdf562b5 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud <f...@redhat.com> Date: Fri, 5 May 2017 17:06:09 +0200 Subject: [PATCH] ipa-kra-install: fix check_host_keys ipa-kra-install on a replica checks that the keys are available before going further to avoid race condition due to replication. The issue is that the check_host_keys method expects to find exactly one key for cn=env/host but 2 may exist: one below cn=custodia and one below cn=dogtag,cn=custodia. The fix is to check that at least one key exist (not exactly one key). https://pagure.io/freeipa/issue/6934 --- ipaserver/secrets/kem.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py index c1991c6..f876b9e 100644 --- a/ipaserver/secrets/kem.py +++ b/ipaserver/secrets/kem.py @@ -72,7 +72,7 @@ def get_key(self, usage, principal): 'princ': principal}) r = conn.search_s(self.keysbase, scope, ldap_filter) if len(r) != 1: - raise ValueError("Incorrect number of results (%d) searching for" + raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), principal)) ipa_public_key = r[0][1]['ipaPublicKey'][0] jwk = self._parse_public_key(ipa_public_key) @@ -85,8 +85,8 @@ def check_host_keys(self, host): ldap_filter = self.build_filter(IPA_CHECK_QUERY, {'host': host}) r = conn.search_s(self.keysbase, scope, ldap_filter) - if len(r) != 1: - raise ValueError("Incorrect number of results (%d) searching for" + if len(r) < 1: + raise ValueError("Incorrect number of results (%d) searching for " "public key for %s" % (len(r), host)) return True
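Review bot: In check_host_keys the ValueError can now only be raised when len(r) is 0, so "Incorrect number of results (%d)" no longer describes the failure; `raise ValueError("No public keys found for %s" % host)` under `if not r:` would say what actually went wrong. The relaxed test also succeeds as soon as any one matching entry has replicated, and the description names two possible locations (cn=custodia and cn=dogtag,cn=custodia); if the KRA install depends on a specific one of them, its presence is not proven here, which is worth confirming since self.keysbase and IPA_CHECK_QUERY are defined outside the hunk. A short comment above the check, e.g. `# several entries may match (cn=custodia and cn=dogtag,cn=custodia); only presence is checked`, would record why this differs from get_key, which keeps `!= 1` because it selects the key that is actually used. The body of check_host_keys begins outside the hunk.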