Prompt for passphrase if it's necessary

brenns10 · brenns10 · commit 18cd8396f213 · 2024-08-29T16:26:46.000-07:00
Signed-off-by: Stephen Brennan &lt;stephen.s.brennan@oracle.com&gt;
diff --git a/doc/install.rst b/doc/install.rst
@@ -55,7 +55,9 @@ contains the code ``NotAuthorizedOrNotFound``, then there's an alternative way
 to setup your OCI credentials:
 
 1. Run ``oci setup keys``. At the prompt, you probably want to type "N/A" to
-   avoid setting a passphrase for the key.
+   avoid setting a passphrase for the key. However, if you really feel it is
+   necessary, you can use a passphrase. Yo will detect that it is necessary and
+   prompt you for it.
 2. Open the OCI web console. Navigate to your profile using the icon at the top
    right (or search your email address in the search bar). On your profile page,
    select the "API keys" link, and then choose "Add API key".
diff --git a/yo/api.py b/yo/api.py
@@ -1033,7 +1033,40 @@ def _setup_oci(self) -> None:
         # a value provided from its own config, to allow users to update the
         # region, VCN ID, and AD configuration, all in one place.
         self._oci_cfg["region"] = self.config.region
-        self._vnet = foo.oci.core.VirtualNetworkClient(self._oci_cfg)
+
+        # First try to load a client without using a passphrase. If that fails,
+        # we need to prompt and retry with a passphrase. If that fails, the
+        # passphrase was likely wrong, so we continue until we succeed in
+        # creating the client, or until we get any other error.
+        #
+        # KNOWN BUG: Some versions of cryptography / OpenSSL (the built-in ones
+        # on OL9, at least) will give a spurious prompt in case you provide the
+        # wrong password. This doesn't happen with recent versions from pip, and
+        # it can't be sanely monkey-patched. As a result, we just need to live
+        # with the double prompt. Try to get the password right on the first try.
+        # See: https://github.com/oracle/oci-python-sdk/issues/697
+        while True:
+            try:
+                self._vnet = foo.oci.core.VirtualNetworkClient(self._oci_cfg)
+            except foo.oci.exceptions.MissingPrivateKeyPassphrase:
+                needs_passphrase = True
+                self._oci_cfg["pass_phrase"] = self.con.input(
+                    prompt="OCI API Key Passphrase: ",
+                    password=True,
+                )
+            except foo.oci.exceptions.InvalidPrivateKey:
+                # The error is vague: either the password is wrong, or it's the
+                # wrong type of key. We can be more specific, since we know
+                # whether a password is required, we already tried without it.
+                if not needs_passphrase:
+                    raise
+                self.con.print("[red]Incorrect passphrase[/red]")
+                self._oci_cfg["pass_phrase"] = self.con.input(
+                    prompt="OCI API Key Passphrase: ",
+                    password=True,
+                )
+            else:
+                break
         self._compute = foo.oci.core.ComputeClient(self._oci_cfg)
         self._block = foo.oci.core.BlockstorageClient(self._oci_cfg)
         self._iam = foo.oci.identity.IdentityClient(self._oci_cfg)
