If I create a pkispawn deployment config file that has a value with a '%' in it, the interpolation code throws an exception. For example, I created the following deployment file that uses a '%' character in the passwords:
[DEFAULT] pki_admin_password=Secret%12 pki_client_pkcs12_password=Secret%12 pki_ds_password=Secret%12
If I then attempt to run pkispawn, I encounter this exception:
$ sudo pkispawn -s CA -f /home/nkinder/ca.cfg Loading deployment configuration from /home/nkinder/ca.cfg. Traceback (most recent call last): File "/sbin/pkispawn", line 429, in <module> main(sys.argv) File "/sbin/pkispawn", line 320, in main parser.compose_pki_master_dictionary() File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 454, in compose_pki_master_dictionary self.flatten_master_dict() File "/usr/lib/python2.7/site-packages/pki/deployment/pkiparser.py", line 333, in flatten_master_dict default_dict = dict(self.pki_config.items('DEFAULT')) File "/usr/lib64/python2.7/ConfigParser.py", line 655, in items for option in options] File "/usr/lib64/python2.7/ConfigParser.py", line 691, in _interpolate self._interpolate_some(option, L, rawval, section, vars, 1) File "/usr/lib64/python2.7/ConfigParser.py", line 732, in _interpolate_some "'%%' must be followed by '%%' or '(', found: %r" % (rest,)) ConfigParser.InterpolationSyntaxError: '%' must be followed by '%' or '(', found: '%12'
There is an easy solution to using '%' in values in the pkispawn deployment file. The '%' character is used for interpolation in Python's ConfigParser class. To use a '%' character in a config value where you are not trying to do interpolation, you simply need to escape the character with a second '%'. For example, the following pkispawn deployment file works fine:
[DEFAULT] pki_admin_password=Secret%%12 pki_client_pkcs12_password=Secret%%12 pki_ds_password=Secret%%12
The solution might just be to document that escaping is needed for '%' characters in pkispawn deployment files.
I attempted an interactive creation of a CA using pkispawn, and it seems to work fine when the passwords use '%' characters, so it seems that it is already internally escaping values.
In addition to documenting that '%' characters must be escaped in deployment files in the pkispawn manpage, we should also try to print a helpful error message when we encounter an unescaped '%' character. It would be much more helpful if pkispawn said something like:
"Encountered an unescaped '%' character in <deployment file>. You must escape '%' characters in deployment file values (example - 'setting=some%%value')."
attachment 0001-Ticket-755-Detect-unescaped-percent-characters-in-de.patch
Pushed to master. Thanks to Ade for his review!
master - 443159f77e87a70bc85ab85f5ad58b9169def88a
Metadata Update from @nkinder: - Issue set to the milestone: N/A
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/1322
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Subscribe
Thank you for understanding, and we apologize for any inconvenience.
Login to comment on this ticket.