From c97d39cc7a6e40d7a8be76227ffce018a86df00f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 27 Jan 2026 11:49:50 +0000 Subject: [PATCH 1/2] pccsadmin: make 'keyring' module optional MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is not available in some distros, and since it is merely a convenience to avoid repeated password entry, it can be made optional. Signed-off-by: Daniel P. Berrangé --- PccsAdminTool/lib/intelsgx/credential.py | 29 ++++++++++++++---------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/PccsAdminTool/lib/intelsgx/credential.py b/PccsAdminTool/lib/intelsgx/credential.py index ca1b23b..d23ec20 100644 --- a/PccsAdminTool/lib/intelsgx/credential.py +++ b/PccsAdminTool/lib/intelsgx/credential.py @@ -1,4 +1,7 @@ -import keyring +try: + import keyring +except: + keyring = None import getpass class Credentials: @@ -7,11 +10,12 @@ class Credentials: def get_admin_token(self): admin_token = "" - try: - print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") - admin_token = keyring.get_password(self.APPNAME, self.KEY_ADMINTOKEN) - except keyring.errors.KeyringError as ke: - admin_token = "" + if keyring is not None: + try: + print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") + admin_token = keyring.get_password(self.APPNAME, self.KEY_ADMINTOKEN) + except keyring.errors.KeyringError as ke: + admin_token = "" while admin_token is None or admin_token == '': admin_token = getpass.getpass(prompt="Please input your administrator password for PCCS service:") @@ -24,10 +28,11 @@ def get_admin_token(self): return admin_token def set_admin_token(self, token): - try: - print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") - keyring.set_password(self.APPNAME, self.KEY_ADMINTOKEN, token) - except keyring.errors.PasswordSetError as ke: - print("Failed to store admin token.") - return False + if keyring is not None: + try: + print("Please note: A prompt may appear asking for your keyring password to access stored credentials.") + keyring.set_password(self.APPNAME, self.KEY_ADMINTOKEN, token) + except keyring.errors.PasswordSetError as ke: + print("Failed to store admin token.") + return False return True From e3641795caa38180a66995877a23f9aa588bc86a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= Date: Tue, 27 Jan 2026 11:51:25 +0000 Subject: [PATCH 2/2] pccsadmin: ignore errors trying to clear the keyring MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On authentication errors with PCS, an attempt is made to clear the keyring. This may fail if the user's login environment has no keyring configured. The user would have declined to store the key when first prompted, so there would be nothing to clear either in this case. Signed-off-by: Daniel P. Berrangé --- PccsAdminTool/pccsadmin.py | 32 ++++++++++++++++++++++++++++---- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/PccsAdminTool/pccsadmin.py b/PccsAdminTool/pccsadmin.py index 01dc9b8..c4cf3e7 100755 --- a/PccsAdminTool/pccsadmin.py +++ b/PccsAdminTool/pccsadmin.py @@ -120,7 +120,13 @@ def get_platforms(self): if response.status_code == 200: self._write_output_file(output_file, response) elif response.status_code == 401: # Authentication error - self.credentials.set_admin_token('') + try: + self.credentials.set_admin_token('') + except: + # If keyring is unavailable, we don't want to trigger + # traceback, as the user may have declined to save + # the key in the keyring earlier + pass print("Authentication failed.") else: self._handle_error(response) @@ -150,7 +156,13 @@ def upload_collaterals(self): if response.status_code == 200: print("Collaterals uploaded successfully.") elif response.status_code == 401: # Authentication error - self.credentials.set_admin_token('') + try: + self.credentials.set_admin_token('') + except: + # If keyring is unavailable, we don't want to trigger + # traceback, as the user may have declined to save + # the key in the keyring earlier + pass print("Authentication failed.") else: self._handle_error(response) @@ -166,7 +178,13 @@ def upload_collaterals(self): if response.status_code == 200: print("Policy uploaded successfully with policy ID :" + response.text) elif response.status_code == 401: # Authentication error - self.credentials.set_admin_token('') + try: + self.credentials.set_admin_token('') + except: + # If keyring is unavailable, we don't want to trigger + # traceback, as the user may have declined to save + # the key in the keyring earlier + pass print("Authentication failed.") else: self._handle_error(response) @@ -199,7 +217,13 @@ def refresh_cache_database(self): if response.status_code == 200: print("The cache database was refreshed successfully.") elif response.status_code == 401: # Authentication error - self.credentials.set_admin_token('') + try: + self.credentials.set_admin_token('') + except: + # If keyring is unavailable, we don't want to trigger + # traceback, as the user may have declined to save + # the key in the keyring earlier + pass print("Authentication failed.") else: self._handle_error(response)