def main()

in Templates/kerberosSideCar/krb_side_car.py [0:0]


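def main():
    """
    Entrypoint of the Kerberos sidecar.

    Reads configuration via read_env(), fetches the directory credentials
    with get_secret(), runs a one-off kinit/LDAP sanity check and then loops
    forever: re-fetch the secret, kinit, and (re)create the keytab whenever
    it is missing or the credentials changed.

    :return: Does not return in normal operation. Exits the process with
             status 1 when the secret cannot be obtained at start-up or when
             more than MAX_FAILURES_IN_ABOUT_A_DAY consecutive refreshes fail.
    """
    env_vars = read_env()

    username = None
    password = None
    max_attempts = 5
    for num_retries in range(max_attempts):
        try:
            username, password = get_secret(env_vars[REGION_NAME],
                                            env_vars[SECRET_ARN])
            break
        except Exception:
            # Exiting here on the first failure would make the retry loop
            # meaningless, so a failed attempt is logged and retried. The
            # None check below exits once every attempt has failed.
            print("[%s] ERROR** JSON error while loading secrets from secrets "
                  "manager" % num_retries,
                  flush=True)
            if num_retries + 1 < max_attempts:
                # Short linear back-off so a transient failure can clear.
                time.sleep(num_retries + 1)

    if username is None or password is None:
        # If Secrets Manager is not properly configured, the program will exit
        print("ERROR** Secret not available from Secrets Manager", flush=True)
        sys.exit(1)

    # AD Sanity check, these can be extended later.
    # Best effort: a failure is reported but does not stop the sidecar.
    # "except Exception" (not a bare except) lets SystemExit and
    # KeyboardInterrupt propagate instead of being swallowed.
    try:
        execute_kinit_cmd(username, password, env_vars[DIRECTORY_NAME])
        check_ldap_info(env_vars)
    except Exception:
        print("Warning** LDAP access failed", flush=True)

    # Kerberos ticket refresh every KINIT_DELAY_IN_SECS
    # The grace period for Kerberos even if passwords change, is about an hour
    # KINIT_DELAY_IN_SECS is set to 45 minutes
    # (the loop below sleeps for env_vars[KRB_TICKET_REFRESH_PERIOD]).
    #
    # NOTE(review): the keytab holds long-term key material; confirm that
    # create_keytab writes it with owner-only permissions.
    keytab_filename = env_vars[KRB_DIR] + "/" + KEYTAB_FILE_NAME
    num_failures = 0
    while True:
        if num_failures > MAX_FAILURES_IN_ABOUT_A_DAY:
            print("ERROR** Max failures reached, exiting", flush=True)
            sys.exit(1)
        try:
            username_new, password_new = get_secret(env_vars[REGION_NAME],
                                                    env_vars[SECRET_ARN])

            execute_kinit_cmd(username_new, password_new, env_vars[DIRECTORY_NAME])

            if not os.path.isfile(keytab_filename):
                create_keytab(username_new, password_new, env_vars[DIRECTORY_NAME],
                              env_vars[SERVICE_PRINCIPAL_NAME], keytab_filename)

            if username_new != username or password_new != password:
                # Log only the fact and the time of the change, never the
                # credential values themselves.
                print(
                    "Credentials change detected at " + str(datetime.now()) +
                    " creating a new keytab file", flush=True)
                if os.path.isfile(keytab_filename):
                    os.remove(keytab_filename)
                username = username_new
                password = password_new
                create_keytab(username, password, env_vars[DIRECTORY_NAME],
                              env_vars[SERVICE_PRINCIPAL_NAME], keytab_filename)
            num_failures = 0
        except Exception:
            num_failures = num_failures + 1
            # The message names the secrets lookup, but this handler is also
            # reached when kinit or keytab creation fails; the traceback
            # below shows which step raised.
            print("ERROR** JSON error while loading secrets from secrets manager",
                  flush=True)
            # One traceback is enough; printing it three times only adds
            # duplicate log output.
            # NOTE(review): the exception text goes to stdout. Confirm that
            # get_secret / execute_kinit_cmd / create_keytab never put the
            # password (e.g. a command line) into the exceptions they raise.
            traceback.print_exc(limit=5, file=sys.stdout)

        time.sleep(env_vars[KRB_TICKET_REFRESH_PERIOD])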