From c8ca0f89a68b5d57c56344fdeb12fd436976c726 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Apr 28 2017 11:19:51 +0000
Subject: vault: piped input for ipa vault-add fails
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue.
https://pagure.io/freeipa/issue/6907
Reviewed-By: Christian Heimes
Reviewed-By: Abhijeet Kasurde
Reviewed-By: Stanislav Laznicka
---
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 3fb4900..f21dc4d 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -21,11 +21,9 @@ from __future__ import print_function
 import base64
 import errno
-import getpass
 import io
 import json
 import os
-import sys
 import tempfile
 from cryptography.fernet import Fernet, InvalidToken
@@ -84,29 +82,6 @@ register = Registry()
 MAX_VAULT_DATA_SIZE = 2**20 # = 1 MB
-def get_new_password():
- """
- Gets new password from user and verify it.
- """
- while True:
- password = getpass.getpass('New password: ').decode(
- sys.stdin.encoding)
- password2 = getpass.getpass('Verify password: ').decode(
- sys.stdin.encoding)
-
- if password == password2:
- return password
-
- print(' ** Passwords do not match! **')
-
-
-def get_existing_password():
- """
- Gets existing password from user.
- """
- return getpass.getpass('Password: ').decode(sys.stdin.encoding)
-
-
 def generate_symmetric_key(password, salt):
 """
 Generates symmetric key from password and salt.
@@ -304,7 +279,8 @@ class vault_add(Local):
 password = password.rstrip('\n')
 else:
- password = get_new_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'New password')
 # generate vault salt
 options['ipavaultsalt'] = os.urandom(16)
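Review bot: In the vault_add hunk the prompted value now goes straight from `prompt_password('New password')` towards key derivation with no check that it is non-empty, and input arriving on a pipe has no second prompt that would catch an empty or truncated line. A guard right after the call, such as `if not password: raise errors.ValidationError(name='password', error=_('Password cannot be empty'))`, would stop a vault being created under a key derived from an empty string; this assumes `errors` and `_` are in scope in this module, which the diff does not show. It is also worth confirming how the helper trims non-TTY input, because the branch just above the `else:` strips only `'\n'`, and a different trimming rule would make the same secret derive different keys depending on how it was supplied. The same questions apply to the `prompt_password` calls in the vault_archive and vault_retrieve hunks. The enclosing method starts and ends outside the hunk.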
@@ -887,9 +863,11 @@ class vault_archive(ModVaultData):
 else:
 if override_password:
- password = get_new_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'New password')
 else:
- password = get_existing_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'Password', confirm=False)
 if not override_password:
 # verify password by retrieving existing data
@@ -1112,7 +1090,8 @@ class vault_retrieve(ModVaultData):
 password = password.rstrip('\n')
 else:
- password = get_existing_password()
+ password = self.api.Backend.textui.prompt_password(
+ 'Password', confirm=False)
 # generate encryption key from password
 encryption_key = generate_symmetric_key(password, salt)
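Review bot: In the vault_archive hunk the `override_password` branch accepts a new secret that is never checked against the stored data, since the retrieval-based verification below it runs only under `if not override_password:`. Once this prompt can be fed from a pipe, a mistyped or truncated line would re-key the vault with nothing to flag it, assuming the helper skips its confirmation prompt on non-interactive input (its body is not in this diff). I would at least record that next to the call, e.g. `# NOTE(review): new password is not verified against existing data; confirmation may be skipped on non-TTY stdin - confirm`. The enclosing method extends beyond the hunk.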
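Review bot: The `'Password', confirm=False` call in the vault_retrieve hunk is spelled out a second time, identically to the one in vault_archive, now that the module-level helpers are gone. Both classes derive from ModVaultData according to the hunk headers, so a small method there would keep the label and the confirm flag from drifting apart: `def _prompt_existing_password(self): return self.api.Backend.textui.prompt_password('Password', confirm=False)`. The call sites then reduce to `password = self._prompt_existing_password()`. The enclosing method continues outside the hunk.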