1515VALID_CHARS_MSG = "Valid chars are ASCII printable except SPACE, '#', and ','"
1616TACACS_PASSKEY_MAX_LEN = 65
1717
18+
1819def rotate_tacplus_key (table_info , secret ):
19- #Extract table and nested_key names
20+ # Extract table and nested_key names
2021 table = table_info .split ('|' )[0 ]
2122 nested_key = table_info .split ('|' )[1 ]
2223
2324 # Re-encrypt with updated password
2425 value = secure_cipher .encrypt_passkey ("TACPLUS" , secret )
2526 add_table_kv (table , nested_key , 'passkey' , value )
2627
28+
2729# Security cipher Callback dir
2830# Note: Required for Security Cipher - password rotation feature
29- security_cipher_clbk_lookup = {
30- #TACPLUS
31- "rotate_tacplus_key" : rotate_tacplus_key
31+ security_cipher_clbk_lookup = {
32+ "rotate_tacplus_key" : rotate_tacplus_key #TACPLUS
3233}
3334secure_cipher = master_key_mgr (security_cipher_clbk_lookup )
3435
36+
3537def is_secret (secret ):
3638 return bool (re .match ('^' + '[^ #,]*' + '$' , secret ))
3739
@@ -283,16 +285,16 @@ def passkey(db, ctx, secret, encrypt, rotate):
283285 try :
284286 # Set new passwd if not set already
285287 if secure_cipher .is_key_encrypt_enabled ("TACPLUS" , "global" ) is False :
286- #Register feature with Security Cipher module for the 1st time
288+ # Register feature with Security Cipher module for the 1st time
287289 secure_cipher .register ("TACPLUS" , rotate_tacplus_key )
288290 passwd = getpass .getpass ()
289- #Set new password for encryption
291+ # Set new password for encryption
290292 secure_cipher .set_feature_password ("TACPLUS" , passwd )
291293 else :
292- #Check if password rotation is enabled
294+ # Check if password rotation is enabled
293295 if rotate :
294296 passwd = getpass .getpass ()
295- #Rotate password for TACPLUS feature and re-encrypt the secret
297+ # Rotate password for TACPLUS feature and re-encrypt the secret
296298 secure_cipher .rotate_feature_passwd ("TACPLUS" , "TACPLUS|global" , secret , passwd )
297299 return
298300 b64_encoded = secure_cipher .encrypt_passkey ("TACPLUS" , secret )
@@ -301,18 +303,18 @@ def passkey(db, ctx, secret, encrypt, rotate):
301303 add_table_kv ('TACPLUS' , 'global' , 'key_encrypt' , True )
302304 add_table_kv ('TACPLUS' , 'global' , 'passkey' , b64_encoded )
303305 else :
304- #Deregister feature with Security Cipher module
306+ # Deregister feature with Security Cipher module
305307 secure_cipher .deregister ("TACPLUS" , rotate_tacplus_key )
306- click .echo ('Passkey encryption failed: %s' % errs )
308+ click .echo ('Passkey encryption failed' )
307309 return
308310 except (EOFError , KeyboardInterrupt ):
309- #Deregister feature with Security Cipher module
311+ # Deregister feature with Security Cipher module
310312 secure_cipher .deregister ("TACPLUS" , rotate_tacplus_key )
311313 add_table_kv ('TACPLUS' , 'global' , 'key_encrypt' , False )
312314 click .echo ('Input cancelled' )
313315 return
314316 except Exception as e :
315- #Deregister feature with Security Cipher module
317+ # Deregister feature with Security Cipher module
316318 secure_cipher .deregister ("TACPLUS" , rotate_tacplus_key )
317319 add_table_kv ('TACPLUS' , 'global' , 'key_encrypt' , False )
318320 click .echo ('Unexpected error: %s' % e )
@@ -359,43 +361,43 @@ def add(address, timeout, key, encrypted_key, rotate, auth_type, port, pri, use_
359361 if timeout is not None :
360362 data ['timeout' ] = str (timeout )
361363
362- if key and secret_key :
363- raise click .UsageError ("You must provide either --key or --secret_key " )
364+ if key and encrypted_key :
365+ aise click .UsageError ("You must provide either --key or --encrypted_key " )
364366
365367 if encrypted_key is not None :
366368 try :
367369 # Set new passwd if not set already
368370 if secure_cipher .is_key_encrypt_enabled ("TACPLUS_SERVER" , address ) is False :
369- #Register feature with Security Cipher module for the 1st time
371+ # Register feature with Security Cipher module for the 1st time
370372 secure_cipher .register ("TACPLUS" , rotate_tacplus_key )
371373 passwd = getpass .getpass ()
372- #Set new password for encryption
374+ # Set new password for encryption
373375 secure_cipher .set_feature_password ("TACPLUS" , passwd )
374376 else :
375- #Check if password rotation is enabled
377+ # Check if password rotation is enabled
376378 if rotate :
377379 passwd = getpass .getpass ()
378- #Rotate password for TACPLUS feature and re-encrypt the secret
379- secure_cipher .rotate_feature_passwd ("TACPLUS" , ("TACPLUS_SERVER|" + address ), secret , passwd )
380+ # Rotate password for TACPLUS feature and re-encrypt the secret
381+ secure_cipher .rotate_feature_passwd ("TACPLUS" , ("TACPLUS_SERVER|" + address ), encrypted_key , passwd )
380382 return
381- b64_encoded = secure_cipher .encrypt_passkey ("TACPLUS" , secret )
383+ b64_encoded = secure_cipher .encrypt_passkey ("TACPLUS" , encrypted_key )
382384 if b64_encoded is not None :
383385 # Update key_encrypt flag
384386 add_table_kv ('TACPLUS_SERVER' , address , 'key_encrypt' , True )
385387 add_table_kv ('TACPLUS_SERVER' , address , 'passkey' , b64_encoded )
386388 else :
387- #Deregister feature with Security Cipher module
389+ # Deregister feature with Security Cipher module
388390 secure_cipher .deregister ("TACPLUS" , rotate_tacplus_key )
389- click .echo ('Passkey encryption failed: %s' % errs )
391+ click .echo ('Passkey encryption failed' )
390392 return
391393 except (EOFError , KeyboardInterrupt ):
392- #Deregister feature with Security Cipher module
394+ # Deregister feature with Security Cipher module
393395 secure_cipher .deregister ("TACPLUS" , rotate_tacplus_key )
394396 add_table_kv ('TACPLUS_SERVER' , address , 'key_encrypt' , False )
395397 click .echo ('Input cancelled' )
396398 return
397399 except Exception as e :
398- #Deregister feature with Security Cipher module
400+ # Deregister feature with Security Cipher module
399401 secure_cipher .deregister ("TACPLUS" , rotate_tacplus_key )
400402 add_table_kv ('TACPLUS_SERVER' , address , 'key_encrypt' , False )
401403 click .echo ('Unexpected error: %s' % e )
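Review bot: New line 365 in add() reads `aise click.UsageError(...)` — the leading `r` of `raise` is missing, which is a syntax error rather than a runtime one, so the whole module fails to import and every command in it stops working, not only the --key/--encrypted_key conflict check. The line should be `raise click.UsageError("You must provide either --key or --encrypted_key")`, as on the line it replaced. Since the commit already rewrites this usage error, it is worth covering that conflict path with a CLI test that passes both options, which would have caught the typo at review time. add() begins before this hunk and appears to continue past its last line.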