From 31fda79a0e3f34dcf71a9e2687faa958ecb91ab8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: May 16 2024 12:46:32 +0000
Subject: Prompt for token password if not provided in replica/ipa-ca-install
If the password wasn't provided by --token-password then an empty value would be passed into the CA installer which promptly failed.
Related: https://pagure.io/freeipa/issue/9273
Signed-off-by: Rob Crittenden
Reviewed-By: Florence Blanc-Renaud
---
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 8484e1e..73f5624 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -351,7 +351,7 @@ def install_check(standalone, replica_config, options):
 (token_name, token_library_path) = lookup_hsm_configuration(_api)
 # IPA version and dependency checking should prevent this but
 # better to be safe and avoid a failed install.
- if token_name:
+ if replica_config.setup_ca and token_name:
 try:
 hsm_validator(
 True,
@@ -364,6 +364,19 @@ def install_check(standalone, replica_config, options):
 raise ScriptError(str(e))
 if not options.token_library_path:
 options.token_library_path = token_library_path
+ if (
+ not options.token_password_file
+ and not options.token_password
+ ):
+ if options.unattended:
+ raise ScriptError("HSM token password required")
+ token_password = installutils.read_password(
+ f"{token_name}", confirm=False
+ )
+ if token_password is None:
+ raise ScriptError("HSM token password required")
+ else:
+ options.token_password = token_password
 if replica_config is not None and not replica_config.setup_ca:
 return
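Review bot: The added prompt in the second hunk calls `installutils.read_password(f"{token_name}", confirm=False)` and so inherits every other default of read_password; if those defaults include a validator written for IPA account passwords (not visible in this hunk, worth confirming), a valid but shorter HSM PIN would be refused at the prompt, and passing `validate=False` would leave the token as the only judge of the PIN. The f-string is redundant, since `token_name` alone gives the same prompt, and the `else:` after the second `raise` can be dropped. Both failure paths raise the same `"HSM token password required"`; in the unattended branch I would name the way out, e.g. `raise ScriptError("HSM token password required, use --token-password-file")`, which also steers automation away from putting the secret on the command line. install_check starts and ends outside the hunk.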