
Fix - Invalid ipaotp returned if host in cache

Change: Id107000b3a667f5724331e281912560cff6f92f0 implemented
caching in the IPAClient. We need to store the OTP in the cache
and, on a cache hit, return the cached OTP rather than the one
generated for the join request, since we do not update the OTP
in FreeIPA when the host is already in the cache.

Closes-Bug: #1796415
Change-Id: Ic19ee7c2228d275397bc4be04432126fd2f228ec
Harald Jensås 6 months ago
parent
commit
96ab6fd525
2 changed files with 13 additions and 10 deletions
  1. 10
    6
      novajoin/ipa.py
  2. 3
    4
      novajoin/join.py

+ 10
- 6
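--- a/novajoin/ipa.py
+++ b/novajoin/ipa.py
@@ -260,7 +260,7 @@ class IPAClient(IPANovaJoinBase):
 
         if hostname in self.host_cache:
             LOG.debug('Host  ' + hostname + ' found in cache.')
-            return True
+            return self.host_cache[hostname]
 
         params = [hostname]
 
@@ -289,21 +289,25 @@ class IPAClient(IPANovaJoinBase):
 
         try:
             self._call_ipa('host_mod', *params, **modargs)
+            self.host_cache[hostname] = ipaotp.decode('UTF-8')
         except errors.NotFound:
             try:
                 self._call_ipa('host_add', *params, **hostargs)
-                self.host_cache[hostname] = True
+                self.host_cache[hostname] = ipaotp.decode('UTF-8')
             except errors.DuplicateEntry:
-                self.host_cache[hostname] = True
+                # We have no idea what the OTP is for the existing host.
+                return False
             except (errors.ValidationError, errors.DNSNotARecordError):
-                pass
+                # Assumes despite these exceptions the host was created
+                # and the OTP was set.
+                self.host_cache[hostname] = ipaotp.decode('UTF-8')
         except errors.ValidationError:
             # Updating the OTP on an enrolled-host is not allowed
             # in IPA and really a no-op.
-            self.host_cache[hostname] = True
+            # We don't know the OTP of the host, so we cannot update the cache.
             return False
 
-        return True
+        return self.host_cache.get(hostname, False)
 
     def add_subhost(self, hostname):
         """Add a subhost to IPA.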
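Review bot: The `except (errors.ValidationError, errors.DNSNotARecordError)` branch in the second hunk now caches the OTP on the stated assumption that the host was created; if host_add did not in fact create the host, the cache hit at the top of the first hunk answers every later request for that hostname from the cache without contacting FreeIPA, so the add is never retried and the caller is handed an OTP that FreeIPA never stored. Returning the value without caching keeps the previous behaviour of not caching on that path, e.g. replace the assignment with `return ipaotp.decode('UTF-8')`. Separately, `ipaotp.decode('UTF-8')` is evaluated three times; decoding once into a local before the `try` (add_host's signature and the hostargs/modargs setup are outside the hunk) keeps the three branches in step. The cache now holds enrollment secrets in process memory for the lifetime of the client object, so cached values must stay out of log output; the debug line in the first hunk logging only the hostname is the right pattern.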

+ 3
- 4
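--- a/novajoin/join.py
+++ b/novajoin/join.py
@@ -200,15 +200,14 @@ class JoinController(Controller):
 
         ipaotp = uuid.uuid4().hex
 
-        data['ipaotp'] = ipaotp
         data['hostname'] = get_fqdn(hostname_short, project_name)
         _, realm = self.ipaclient.get_host_and_realm()
         data['krb_realm'] = realm
 
         try:
-            res = self.ipaclient.add_host(data['hostname'], ipaotp,
-                                          metadata, image_metadata)
-            if not res:
+            data['ipaotp'] = self.ipaclient.add_host(data['hostname'], ipaotp,
+                                                     metadata, image_metadata)
+            if not data['ipaotp']:
                 # OTP was not added to host, don't return one
                 del data['ipaotp']
         except Exception as e:  # pylint: disable=broad-except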
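Review bot: `data['ipaotp']` is now assigned only inside the `try`, so when add_host raises the key is absent where the previous code had already set it before the call; if the `except Exception` handler at the end of the hunk (its body is outside the hunk) reads or deletes `data['ipaotp']`, that access now raises KeyError and masks the original error. Guard it with `data.pop('ipaotp', None)` or a check such as `if 'ipaotp' in data:`. On a cache hit the value stored is the cached OTP rather than the `ipaotp` generated in this hunk, which is the intent of the change; since the locally generated value then goes unused on that path, a one-line comment above the call, e.g. `# add_host returns the OTP actually stored in IPA (the cached one on a cache hit)`, would spare the next reader the surprise.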
