diff options
author | Jan Cholasta <jcholast@redhat.com> | 2011-09-26 08:27:01 +0200 |
---|---|---|
committer | Rob Crittenden <rcritten@redhat.com> | 2011-10-04 20:13:11 -0400 |
commit | 428d8c4a2d4e45cd78a185f7824a76daacce8e16 (patch) | |
tree | a87ba3a37e67e3409152889c53ada9a2dbb4da29 /ipaserver/install | |
parent | 5bc83239640aa111e83720d8f5d4eec911a79451 (diff) | |
download | freeipa-428d8c4a2d4e45cd78a185f7824a76daacce8e16.tar.gz freeipa-428d8c4a2d4e45cd78a185f7824a76daacce8e16.tar.xz freeipa-428d8c4a2d4e45cd78a185f7824a76daacce8e16.zip |
Work around pkisilent bugs.
Check directory manager password and certificate subject base for
invalid characters.
(https://bugzilla.redhat.com/show_bug.cgi?id=658641)
Shell-escape pkisilent command-line arguments.
(https://bugzilla.redhat.com/show_bug.cgi?id=741180)
ticket 1636
Diffstat (limited to 'ipaserver/install')
-rw-r--r-- | ipaserver/install/cainstance.py | 29 | ||||
-rw-r--r-- | ipaserver/install/installutils.py | 17 |
2 files changed, 28 insertions, 18 deletions
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index d244097d8..c819957a6 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py @@ -593,34 +593,34 @@ class CAInstance(service.Service): "-cs_hostname", self.fqdn, "-cs_port", str(ADMIN_SECURE_PORT), "-client_certdb_dir", self.ca_agent_db, - "-client_certdb_pwd", "'%s'" % self.admin_password, + "-client_certdb_pwd", self.admin_password, "-preop_pin" , preop_pin, "-domain_name", self.domain_name, "-admin_user", "admin", "-admin_email", "root@localhost", - "-admin_password", "'%s'" % self.admin_password, + "-admin_password", self.admin_password, "-agent_name", "ipa-ca-agent", "-agent_key_size", "2048", "-agent_key_type", "rsa", - "-agent_cert_subject", "\"CN=ipa-ca-agent,%s\"" % self.subject_base, + "-agent_cert_subject", "CN=ipa-ca-agent,%s" % self.subject_base, "-ldap_host", self.fqdn, "-ldap_port", str(self.ds_port), - "-bind_dn", "\"cn=Directory Manager\"", - "-bind_password", "'%s'" % self.dm_password, + "-bind_dn", "cn=Directory Manager", + "-bind_password", self.dm_password, "-base_dn", self.basedn, "-db_name", "ipaca", "-key_size", "2048", "-key_type", "rsa", "-key_algorithm", "SHA256withRSA", "-save_p12", "true", - "-backup_pwd", "'%s'" % self.admin_password, + "-backup_pwd", self.admin_password, "-subsystem_name", self.service_name, "-token_name", "internal", - "-ca_subsystem_cert_subject_name", "\"CN=CA Subsystem,%s\"" % self.subject_base, - "-ca_ocsp_cert_subject_name", "\"CN=OCSP Subsystem,%s\"" % self.subject_base, - "-ca_server_cert_subject_name", "\"CN=%s,%s\"" % (self.fqdn, self.subject_base), - "-ca_audit_signing_cert_subject_name", "\"CN=CA Audit,%s\"" % self.subject_base, - "-ca_sign_cert_subject_name", "\"CN=Certificate Authority,%s\"" % self.subject_base ] + "-ca_subsystem_cert_subject_name", "CN=CA Subsystem,%s" % self.subject_base, + "-ca_ocsp_cert_subject_name", "CN=OCSP Subsystem,%s" % self.subject_base, + "-ca_server_cert_subject_name", "CN=%s,%s" % (self.fqdn, self.subject_base), + "-ca_audit_signing_cert_subject_name", "CN=CA Audit,%s" % self.subject_base, + "-ca_sign_cert_subject_name", "CN=Certificate Authority,%s" % self.subject_base ] if self.external == 1: args.append("-external") args.append("true") @@ -651,7 +651,7 @@ class CAInstance(service.Service): args.append("-clone_p12_file") args.append("ca.p12") args.append("-clone_p12_password") - args.append("'%s'" % self.dm_password) + args.append(self.dm_password) args.append("-sd_hostname") args.append(self.master_host) args.append("-sd_admin_port") @@ -659,7 +659,7 @@ class CAInstance(service.Service): args.append("-sd_admin_name") args.append("admin") args.append("-sd_admin_password") - args.append("'%s'" % self.admin_password) + args.append(self.admin_password) args.append("-clone_start_tls") args.append("true") args.append("-clone_uri") @@ -668,6 +668,9 @@ class CAInstance(service.Service): args.append("-clone") args.append("false") + # pkisilent does not escape the arguments before passing them to shell + args[2:] = [ipautil.shell_quote(i) for i in args[2:]] + # Define the things we don't want logged nolog = (self.admin_password, self.dm_password,) diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index 44292fd4c..ac1e3f4d1 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -313,7 +313,11 @@ def get_password(prompt): else: return sys.stdin.readline().rstrip() -def read_password(user, confirm=True, validate=True, retry=True): +def _read_password_default_validator(password): + if len(password) < 8: + raise ValueError("Password must be at least 8 characters long") + +def read_password(user, confirm=True, validate=True, retry=True, validator=_read_password_default_validator): correct = False pwd = "" while not correct: @@ -322,10 +326,13 @@ def read_password(user, confirm=True, validate=True, retry=True): pwd = get_password(user + " password: ") if not pwd: continue - if validate and len(pwd) < 8: - print "Password must be at least 8 characters long" - pwd = "" - continue + if validate: + try: + validator(pwd) + except ValueError, e: + print str(e) + pwd = "" + continue if not confirm: correct = True continue |