pylxd/models/certificate: re-add password arg for backward compat (#603)

Fixes canonical/charm-lxd#168 where charm-lxd is calling certificates.create(): ```python config: Dict[str, Union[str, bytes, List[str], bool]] = { "name": name, "password": "", "cert_data": cert.encode(), } client.certificates.create(**config) ``` causing: ``` File "./src/charm.py", line 1139, in _on_https_relation_changed if self.lxd_trust_add(cert=cert, name=cert_name, projects=projects): File "./src/charm.py", line 2294, in lxd_trust_add client.certificates.create(**config) TypeError: create() got an unexpected keyword argument 'password' ``` This should fix an unexpected regression introduced in commit ec1b3ee.
canonical · Sep 10, 2024 · 0f102cb · 0f102cb
2 parents fb96065 + d131c01
commit 0f102cb
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 6 deletions.
diff --git a/pylxd/client.py b/pylxd/client.py
@@ -478,11 +478,15 @@ def assert_has_api_extension(self, name):
         if not self.has_api_extension(name):
             raise exceptions.LXDAPIExtensionNotAvailable(name)
 
-    def authenticate(self, secret):
+    def authenticate(self, secret, use_token_auth=True):
         if self.trusted:
             return
         cert = open(self.api.session.cert[0]).read().encode("utf-8")
-        self.certificates.create(secret, cert)
+
+        if self.has_api_extension("explicit_trust_token") and use_token_auth:
+            self.certificates.create(password="", cert_data=cert, secret=secret)
+        else:
+            self.certificates.create(password=secret, cert_data=cert)
 
         # Refresh the host info
         response = self.api.get()

diff --git a/pylxd/models/certificate.py b/pylxd/models/certificate.py
@@ -53,12 +53,13 @@ def all(cls, client):
     def create(
         cls,
         client,
-        secret,
+        password,
         cert_data,
         cert_type="client",
         name="",
         projects=None,
         restricted=False,
+        secret="",
     ):
         """Create a new certificate."""
         cert = x509.load_pem_x509_certificate(cert_data, default_backend())
@@ -68,14 +69,18 @@ def create(
         data = {
             "type": cert_type,
             "certificate": base64_cert,
+            "password": password,
             "name": name,
             "restricted": restricted,
             "projects": projects,
         }
-        if client.has_api_extension("explicit_trust_token"):
+
+        # secret/trust_token are safer than password but support for password is kept for
+        # backward compatibility
+        if client.has_api_extension("explicit_trust_token") and secret:
             data["trust_token"] = secret
-        else:
-            data["password"] = secret
+            del data["password"]
+
         response = client.api.certificates.post(json=data)
         location = response.headers["Location"]
         fingerprint = location.split("/")[-1]