From 4cc6b9cd1791e1a5fdbcd8e28904a5856e1f0b41 Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Jan 30 2024 15:18:02 +0000
Subject: Vault: improve vault server archival/retrieval calls error handling


If a vault operation fails, the error message just says "InternalError". This commit
improves error handling of key archival and retrieval calls by catching the PKIException
error and raising it as an IPA error.

Related: https://pagure.io/freeipa/issue/9191

Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

---

diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py
index a47cf7b..0bcc2a1 100644
--- a/ipaserver/plugins/vault.py
+++ b/ipaserver/plugins/vault.py
@@ -45,6 +45,7 @@ if api.env.in_server:
     import pki.key
     from pki.crypto import DES_EDE3_CBC_OID
     from pki.crypto import AES_128_CBC_OID
+    from pki import PKIException
 
 if six.PY3:
     unicode = str
@@ -1096,16 +1097,21 @@ class vault_archive_internal(PKQuery):
                     pki.key.KeyClient.KEY_STATUS_INACTIVE)
 
             # forward wrapped data to KRA
-            kra_client.keys.archive_encrypted_data(
-                client_key_id,
-                pki.key.KeyClient.PASS_PHRASE_TYPE,
-                wrapped_vault_data,
-                wrapped_session_key,
-                algorithm_oid=algorithm_oid,
-                nonce_iv=nonce,
-            )
-
-            kra_account.logout()
+            try:
+                kra_client.keys.archive_encrypted_data(
+                    client_key_id,
+                    pki.key.KeyClient.PASS_PHRASE_TYPE,
+                    wrapped_vault_data,
+                    wrapped_session_key,
+                    algorithm_oid=algorithm_oid,
+                    nonce_iv=nonce,
+                )
+            except PKIException as e:
+                kra_account.logout()
+                raise errors.EncodingError(
+                    message=_("Unable to archive key: %s") % e)
+            finally:
+                kra_account.logout()
 
         response = {
             'value': args[-1],
@@ -1176,11 +1182,17 @@ class vault_retrieve_internal(PKQuery):
             kra_client.keys.encrypt_alg_oid = algorithm_oid
 
             # retrieve encrypted data from KRA
-            key = kra_client.keys.retrieve_key(
-                key_info.get_key_id(),
-                wrapped_session_key)
+            try:
 
-            kra_account.logout()
+                key = kra_client.keys.retrieve_key(
+                    key_info.get_key_id(),
+                    wrapped_session_key)
+            except PKIException as e:
+                kra_account.logout()
+                raise errors.EncodingError(
+                    message=_("Unable to retrieve key: %s") % e)
+            finally:
+                kra_account.logout()
 
         response = {
             'value': args[-1],