client_key_password accuracy checking #360

Closed
@JiKeidan
  • Nipyapi version: nipyapi==0.20.0
  • NiFi version: 1.26.0
  • NiFi-Registry version: None
  • Python version: 3.11.2
  • Operating System: Windows 10

Description

Leveraging the nipyapi.security.set_service_ssl_context() method, an absent client_key_password will interrupt, asking for a string via the CLI. Some keys may not be encrypted and thus have no need of a string.

As well, if the client_key_password field is fat-fingered, or pasted wrong, we end up with a generic ssl.SSLError.

What I Did

nipyapi.security.set_service_ssl_context(
    service='nifi',
    ca_file="REDACTED",  # REDACTED line is file path of pem formatted file
    client_cert_file="REDACTED",  # REDACTED line is file path of pem formatted file
    client_key_file="REDACTED",  # REDACTED line is file path of pem formatted file
    client_key_password=""  # Was accidentally left blank
)

I then traced the error back to the Python SSL docs' exceptions to discover that SSLError was a subexception under OSError.

I modified security.py beginning at line 739, to include at line 755 a new exception which accounts for SSLError, and then included e.errno in the output - which turned out to be errno: 9.

    # Excerpt from the body of set_service_ssl_context() in security.py,
    # which already imports ssl and the _raise helper.
    assert service in ['nifi', 'registry']
    if client_key_file is None:
        ssl_context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    else:
        ssl_context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        try:
            ssl_context.load_cert_chain(
                certfile=client_cert_file,
                keyfile=client_key_file,
                password=client_key_password
            )
        except FileNotFoundError as e:
            _raise(
                FileNotFoundError(
                    "Unable to read keyfile {0} or certfile {1}"
                    .format(client_key_file, client_cert_file)), e)
        except ssl.SSLError as e:
            if e.errno == 9:
                _raise(
                    ssl.SSLError(
                        "This error probably pertains to a mis-typed or incorrect key password"
                    ), e
                )
            else:
                # Re-raise any other SSLError instead of silently swallowing it
                raise

Within the exception I modified the raised error to include a side note that it may pertain to a malformed client_key_password parameter.

Urgency

Not very urgent at all - It's mostly resolved, just a bit of touch up that I'll go ahead and submit to the repo shortly.
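
An added example, not part of the original issue and not nipyapi's code: one way to avoid both the interactive prompt and the generic ssl.SSLError is to check the PEM key for encryption markers first, and to pass the password to load_cert_chain as a callable so the code can tell whether OpenSSL actually asked for it. The names key_is_encrypted and load_client_cert are hypothetical.

```python
import ssl

# PEM markers of a passphrase-protected private key: PKCS#8 uses a dedicated
# label, the traditional OpenSSL format uses a header line inside the block.
_ENCRYPTED_MARKERS = ("-----BEGIN ENCRYPTED PRIVATE KEY-----",
                      "Proc-Type: 4,ENCRYPTED")


def key_is_encrypted(pem_text):
    """Return True if the PEM text holds a passphrase-protected private key."""
    return any(marker in pem_text for marker in _ENCRYPTED_MARKERS)


def load_client_cert(ssl_context, certfile, keyfile, password=None):
    """Hypothetical wrapper around SSLContext.load_cert_chain.

    Never prompts on the terminal, and separates "password missing" from
    "failed after the password was used" from any other SSL failure.
    Returns True if the key file was encrypted.
    """
    with open(keyfile, "r", encoding="ascii", errors="replace") as handle:
        encrypted = key_is_encrypted(handle.read())
    if encrypted and not password:
        # With password=None, OpenSSL would prompt interactively here.
        raise ValueError(
            "{0} is encrypted but no client_key_password was given"
            .format(keyfile))
    asked = []  # filled only if OpenSSL actually requests the passphrase

    def _supply_password():
        asked.append(True)
        return password or ""

    try:
        ssl_context.load_cert_chain(
            certfile=certfile, keyfile=keyfile, password=_supply_password)
    except ssl.SSLError as err:
        if asked:
            raise ssl.SSLError(
                "Loading {0} failed after the key password was supplied; "
                "client_key_password is probably wrong".format(keyfile)
            ) from err
        raise  # password never requested: malformed PEM, wrong file, ...
    return encrypted
```

Because the callable is only invoked when the key is encrypted, an unencrypted key loads without any password handling at all.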
