Imported Debian patch 4.0.5-6~numeezy

daemons/dnssec/ipa-dnskeysync-replica

@@ -1,173 +0,0 @@
-#!/usr/bin/python2
-#
-# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
-#
-"""
-Download keys from LDAP to local HSM.
-
-This program should be run only on replicas, not on DNSSEC masters.
-"""
-
-from binascii import hexlify
-from datetime import datetime
-import dns.dnssec
-import fcntl
-from gssapi.exceptions import GSSError
-import logging
-import os
-from pprint import pprint
-import subprocess
-import socket
-import sys
-import systemd.daemon
-import systemd.journal
-import time
-
-import ipalib
-from ipapython.dn import DN
-from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipapython import ipaldap
-from ipapython import ipautil
-from ipaplatform.paths import paths
-
-from ipapython.dnssec.abshsm import sync_pkcs11_metadata, ldap2p11helper_api_params, wrappingmech_name2id
-from ipapython.dnssec.ldapkeydb import LdapKeyDB
-from ipapython.dnssec.localhsm import LocalHSM
-
-DAEMONNAME = 'ipa-dnskeysyncd'
-PRINCIPAL = None  # not initialized yet
-WORKDIR = '/tmp'
-
-def hex_set(s):
-    out = set()
-    for i in s:
-        out.add("0x%s" % hexlify(i))
-    return out
-
-def update_metadata_set(log, source_set, target_set):
-    """sync metadata from source key set to target key set
-
-    Keys not present in both sets are left intact."""
-    log = log.getChild('sync_metadata')
-    matching_keys = set(source_set.keys()).intersection(set(target_set.keys()))
-    log.info("keys in local HSM & LDAP: %s", hex_set(matching_keys))
-    for key_id in matching_keys:
-        sync_pkcs11_metadata(log, source_set[key_id], target_set[key_id])
-
-
-def find_unwrapping_key(log, localhsm, wrapping_key_uri):
-    wrap_keys = localhsm.find_keys(uri=wrapping_key_uri)
-    # find usable unwrapping key with matching ID
-    for key_id, key in wrap_keys.items():
-        unwrap_keys = localhsm.find_keys(id=key_id, cka_unwrap=True)
-        if len(unwrap_keys) > 0:
-            return unwrap_keys.popitem()[1]
-
-def ldap2replica_master_keys_sync(log, ldapkeydb, localhsm):
-    ## LDAP -> replica master key synchronization
-    # import new master keys from LDAP
-    new_keys = set(ldapkeydb.master_keys.keys()) \
-            - set(localhsm.master_keys.keys())
-    log.debug("master keys in local HSM: %s", hex_set(localhsm.master_keys.keys()))
-    log.debug("master keys in LDAP HSM: %s", hex_set(ldapkeydb.master_keys.keys()))
-    log.debug("new master keys in LDAP HSM: %s", hex_set(new_keys))
-    for mkey_id in new_keys:
-        mkey_ldap = ldapkeydb.master_keys[mkey_id]
-        assert mkey_ldap.wrapped_entries, "Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute" % hexlify(mkey_id)
-        for wrapped_ldap in mkey_ldap.wrapped_entries:
-            unwrapping_key = find_unwrapping_key(log, localhsm,
-                    wrapped_ldap.single_value['ipaWrappingKey'])
-            if unwrapping_key:
-                break
-
-        # TODO: Could it happen in normal cases?
-        assert unwrapping_key is not None, "Local HSM does not contain suitable unwrapping key for master key 0x%s" % hexlify(mkey_id)
-
-        params = ldap2p11helper_api_params(mkey_ldap)
-        params['data'] = wrapped_ldap.single_value['ipaSecretKey']
-        params['unwrapping_key'] = unwrapping_key.handle
-        params['wrapping_mech'] = wrappingmech_name2id[wrapped_ldap.single_value['ipaWrappingMech']]
-        log.debug('Importing new master key: 0x%s %s', hexlify(mkey_id), params)
-        localhsm.p11.import_wrapped_secret_key(**params)
-
-    # synchronize metadata about master keys in LDAP
-    update_metadata_set(log, ldapkeydb.master_keys, localhsm.master_keys)
-
-def ldap2replica_zone_keys_sync(log, ldapkeydb, localhsm):
-    ## LDAP -> replica zone key synchronization
-    # import new zone keys from LDAP
-    new_keys = set(ldapkeydb.zone_keypairs.keys()) \
-            - set(localhsm.zone_privkeys.keys())
-
-    log.debug("zone keys in local HSM: %s", hex_set(localhsm.master_keys.keys()))
-    log.debug("zone keys in LDAP HSM: %s", hex_set(ldapkeydb.master_keys.keys()))
-    log.debug("new zone keys in LDAP HSM: %s", hex_set(new_keys))
-    for zkey_id in new_keys:
-        zkey_ldap = ldapkeydb.zone_keypairs[zkey_id]
-        log.debug('Looking for unwrapping key "%s" for zone key 0x%s',
-                zkey_ldap['ipaWrappingKey'], hexlify(zkey_id))
-        unwrapping_key = find_unwrapping_key(log, localhsm,
-                zkey_ldap['ipaWrappingKey'])
-        assert unwrapping_key is not None, \
-                "Local HSM does not contain suitable unwrapping key for ' \
-                'zone key 0x%s" % hexlify(zkey_id)
-
-        log.debug('Importing zone key pair 0x%s', hexlify(zkey_id))
-        localhsm.import_private_key(zkey_ldap, zkey_ldap['ipaPrivateKey'],
-                unwrapping_key)
-        localhsm.import_public_key(zkey_ldap, zkey_ldap['ipaPublicKey'])
-
-    # synchronize metadata about zone keys in LDAP & local HSM
-    update_metadata_set(log, ldapkeydb.master_keys, localhsm.master_keys)
-
-    # delete keys removed from LDAP
-    deleted_keys = set(localhsm.zone_privkeys.keys()) \
-                - set(ldapkeydb.zone_keypairs.keys())
-
-    for zkey_id in deleted_keys:
-        localhsm.p11.delete_key(localhsm.zone_pubkeys[zkey_id].handle)
-        localhsm.p11.delete_key(localhsm.zone_privkeys[zkey_id].handle)
-
-
-# IPA framework initialization
-ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
-ipalib.api.finalize()
-standard_logging_setup(verbose=True, debug = True)  # debug=ipalib.api.env.debug)
-log = root_logger
-log.setLevel(level=logging.DEBUG)
-
-# Kerberos initialization
-PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
-log.debug('Kerberos principal: %s', PRINCIPAL)
-ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysync-replica.ccache')
-
-try:
-    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_DNSKEYSYNCD_KEYTAB,
-                         ccache_filename, attempts=5)
-except GSSError as e:
-    log.critical('Kerberos authentication failed: %s', e)
-    sys.exit(1)
-
-os.environ['KRB5CCNAME'] = ccache_filename
-log.debug('Got TGT')
-
-# LDAP initialization
-ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
-log.debug('Connecting to LDAP')
-ldap.gssapi_bind()
-log.debug('Connected')
-
-
-### DNSSEC master: key synchronization
-ldapkeydb = LdapKeyDB(log, ldap,
-        DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns,
-           ipalib.api.env.basedn))
-
-# TODO: slot number could be configurable
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
-        open(paths.DNSSEC_SOFTHSM_PIN).read())
-
-ldap2replica_master_keys_sync(log, ldapkeydb, localhsm)
-ldap2replica_zone_keys_sync(log, ldapkeydb, localhsm)
-
-sys.exit(0)

daemons/dnssec/ipa-dnskeysyncd

@@ -1,116 +0,0 @@
-#!/usr/bin/python2
-#
-# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
-#
-
-import sys
-import ldap
-import ldapurl
-import logging
-import os
-import signal
-import systemd.journal
-import time
-
-from ipalib import api
-from ipapython.dn import DN
-from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipapython import ipaldap
-from ipapython import ipautil
-from ipaplatform.paths import paths
-
-from ipapython.dnssec.keysyncer import KeySyncer
-
-# IPA framework initialization
-api.bootstrap(in_server=True, log=None)  # no logging to file
-api.finalize()
-standard_logging_setup(verbose=True, debug=api.env.debug)
-log = root_logger
-#log.addHandler(systemd.journal.JournalHandler())
-
-# Global state
-watcher_running = True
-ldap_connection = False
-
-DAEMONNAME = 'ipa-dnskeysyncd'
-PRINCIPAL = None  # not initialized yet
-WORKDIR = '/tmp' # private temp
-KEYTAB_FB = paths.IPA_DNSKEYSYNCD_KEYTAB
-
-# Shutdown handler
-def commenceShutdown(signum, stack):
-    # Declare the needed global variables
-    global watcher_running, ldap_connection, log
-    log.info('Signal %s received: Shutting down!', signum)
-
-    # We are no longer running
-    watcher_running = False
-
-    # Tear down the server connection
-    if ldap_connection:
-        ldap_connection.close_db()
-        del ldap_connection
-
-    # Shutdown
-    sys.exit(0)
-
-
-os.umask(0o07)
-
-# Signal handlers
-signal.signal(signal.SIGTERM, commenceShutdown)
-signal.signal(signal.SIGINT, commenceShutdown)
-
-# Kerberos initialization
-PRINCIPAL = str('%s/%s' % (DAEMONNAME, api.env.host))
-log.debug('Kerberos principal: %s', PRINCIPAL)
-ccache_filename = os.path.join(WORKDIR, 'ipa-dnskeysyncd.ccache')
-try:
-    ipautil.kinit_keytab(PRINCIPAL, KEYTAB_FB, ccache_filename, attempts=5)
-except Exception as ex:
-    log.critical("Kerberos authentication failed: %s", ex)
-    # signal failure and let init system to restart the daemon
-    sys.exit(1)
-os.environ['KRB5CCNAME'] = ccache_filename
-
-# LDAP initialization
-basedn = DN(api.env.container_dns, api.env.basedn)
-ldap_url = ldapurl.LDAPUrl(api.env.ldap_uri)
-ldap_url.dn = str(basedn)
-ldap_url.scope = ldapurl.LDAP_SCOPE_SUBTREE
-ldap_url.filterstr = '(|(objectClass=idnsZone)(objectClass=idnsSecKey)(objectClass=ipk11PublicKey))'
-log.debug('LDAP URL: %s', ldap_url.unparse())
-
-# Real work
-while watcher_running:
-    # Prepare the LDAP server connection (triggers the connection as well)
-    ldap_connection = KeySyncer(ldap_url.initializeUrl(), ipa_api=api)
-
-    # Now we login to the LDAP server
-    try:
-        log.info('LDAP bind...')
-        ldap_connection.sasl_interactive_bind_s("", ipaldap.SASL_GSSAPI)
-    except ldap.INVALID_CREDENTIALS as e:
-        log.exception('Login to LDAP server failed: %s', e)
-        sys.exit(1)
-    except ldap.SERVER_DOWN as e:
-        log.exception('LDAP server is down, going to retry: %s', e)
-        time.sleep(5)
-        continue
-
-    # Commence the syncing
-    log.info('Commencing sync process')
-    ldap_search = ldap_connection.syncrepl_search(
-        ldap_url.dn,
-        ldap_url.scope,
-        mode='refreshAndPersist',
-        attrlist=ldap_url.attrs,
-        filterstr=ldap_url.filterstr
-    )
-
-    try:
-        while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
-            pass
-    except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
-        log.exception('syncrepl_poll: LDAP error (%s)', e)
-        sys.exit(1)

daemons/dnssec/ipa-dnskeysyncd.service

@@ -1,15 +0,0 @@
-[Unit]
-Description=IPA key daemon
-
-[Service]
-EnvironmentFile=/etc/sysconfig/ipa-dnskeysyncd
-ExecStart=/usr/libexec/ipa/ipa-dnskeysyncd
-User=ods
-Group=named
-SupplementaryGroups=ods
-PrivateTmp=yes
-Restart=on-failure
-RestartSec=60s
-
-[Install]
-WantedBy=multi-user.target

daemons/dnssec/ipa-ods-exporter

@@ -1,747 +0,0 @@
-#!/usr/bin/python2
-#
-# Copyright (C) 2014  FreeIPA Contributors see COPYING for license
-#
-"""
-This is FreeIPA's replacement for signerd from OpenDNSSEC suite version 1.4.x.
-
-This program uses the same socket and protocol as original signerd and should
-be activated via systemd socket activation using "ods-signer" command line
-utility.
-
-Alternativelly, it can be called directly and a command can be supplied as
-first command line argument.
-
-Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP.
-"""
-from __future__ import print_function
-
-from binascii import hexlify
-from datetime import datetime
-import dateutil.tz
-import dns.dnssec
-import fcntl
-from gssapi.exceptions import GSSError
-import logging
-import os
-import subprocess
-import socket
-import select
-import sys
-import systemd.daemon
-import systemd.journal
-import sqlite3
-import time
-import traceback
-
-import ipalib
-from ipapython.dn import DN
-from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipapython import ipaldap
-from ipapython import ipautil
-from ipaplatform.paths import paths
-
-from ipapython.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
-from ipapython.dnssec.ldapkeydb import LdapKeyDB
-from ipapython.dnssec.localhsm import LocalHSM
-
-DAEMONNAME = 'ipa-ods-exporter'
-PRINCIPAL = None  # not initialized yet
-WORKDIR = os.path.join(paths.VAR_OPENDNSSEC_DIR ,'tmp')
-KEYTAB_FB = paths.IPA_ODS_EXPORTER_KEYTAB
-
-ODS_SE_MAXLINE = 1024  # from ODS common/config.h
-ODS_DB_LOCK_PATH = "%s%s" % (paths.OPENDNSSEC_KASP_DB, '.our_lock')
-
-SECRETKEY_WRAPPING_MECH = 'rsaPkcsOaep'
-PRIVKEY_WRAPPING_MECH = 'aesKeyWrapPad'
-
-# Constants from OpenDNSSEC's enforcer/ksm/include/ksm/ksm.h
-KSM_STATE_PUBLISH    = 2
-KSM_STATE_READY      = 3
-KSM_STATE_ACTIVE     = 4
-KSM_STATE_RETIRE     = 5
-KSM_STATE_DEAD       = 6
-KSM_STATE_KEYPUBLISH = 10
-
-# DNSKEY flag constants
-dnskey_flag_by_value = {
-    0x0001: 'SEP',
-    0x0080: 'REVOKE',
-    0x0100: 'ZONE'
-}
-
-def dnskey_flags_to_text_set(flags):
-    """Convert a DNSKEY flags value to set texts
-    @rtype: set([string])"""
-
-    flags_set = set()
-    mask = 0x1
-    while mask <= 0x8000:
-        if flags & mask:
-            text = dnskey_flag_by_value.get(mask)
-            if not text:
-                text = hex(mask)
-            flags_set.add(text)
-        mask <<= 1
-    return flags_set
-
-def datetime2ldap(dt):
-    return dt.strftime(ipalib.constants.LDAP_GENERALIZED_TIME_FORMAT)
-
-def sql2datetime(sql_time):
-    """Convert SQL date format from local time zone into UTC."""
-    localtz = dateutil.tz.tzlocal()
-    localtime = datetime.strptime(sql_time, "%Y-%m-%d %H:%M:%S").replace(
-                                  tzinfo=localtz)
-    utctz = dateutil.tz.gettz('UTC')
-    return localtime.astimezone(utctz)
-
-def sql2datetimes(row):
-    row2key_map = {'generate': 'idnsSecKeyCreated',
-                   'publish': 'idnsSecKeyPublish',
-                   'active': 'idnsSecKeyActivate',
-                   'retire': 'idnsSecKeyInactive',
-                   'dead': 'idnsSecKeyDelete'}
-    times = {}
-    for column, key in row2key_map.items():
-        if row[column] is not None:
-            times[key] = sql2datetime(row[column])
-    return times
-
-def sql2ldap_algorithm(sql_algorithm):
-    return {"idnsSecAlgorithm": dns.dnssec.algorithm_to_text(sql_algorithm)}
-
-def sql2ldap_flags(sql_flags):
-    dns_flags = dnskey_flags_to_text_set(sql_flags)
-    ldap_flags = {}
-    for flag in dns_flags:
-        attr = 'idnsSecKey%s' % flag
-        ldap_flags[attr] = 'TRUE'
-    return ldap_flags
-
-def sql2ldap_keyid(sql_keyid):
-    assert len(sql_keyid) % 2 == 0
-    assert len(sql_keyid) > 0
-    # TODO: this is huge hack. BIND has some problems with % notation in URIs.
-    # Workaround: OpenDNSSEC uses same value for ID also for label (but in hex).
-    uri = "pkcs11:object=%s" % sql_keyid
-    #uri += '%'.join(sql_keyid[i:i+2] for i in range(0, len(sql_keyid), 2))
-    return {"idnsSecKeyRef": uri}
-
-def ods2bind_timestamps(key_state, key_type, ods_times):
-    """Transform (timestamps and key states) from ODS to set of BIND timestamps
-    with equivalent meaning. At the same time, remove timestamps
-    for future/planned state transitions to prevent ODS & BIND
-    from desynchronizing.
-
-    OpenDNSSEC database may contain timestamps for state transitions planned
-    in the future, but timestamp itself is not sufficient information because
-    there could be some additional condition which is guaded by OpenDNSSEC
-    itself.
-
-    BIND works directly with timestamps without any additional conditions.
-    This difference causes problem when state transition planned in OpenDNSSEC
-    does not happen as originally planned for some reason.
-
-    At the same time, this difference causes problem when OpenDNSSEC on DNSSEC
-    key master and BIND instances on replicas are not synchronized. This
-    happens when DNSSEC key master is down, or a replication is down. Even
-    a temporary desynchronization could cause DNSSEC validation failures
-    which could have huge impact.
-
-    To prevent this problem, this function removes all timestamps corresponding
-    to future state transitions. As a result, BIND will not do state transition
-    until it happens in OpenDNSSEC first and until the change is replicated.
-
-    Also, timestamp mapping depends on key type and is not 1:1.
-    For detailed description of the mapping please see
-    https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC/OpenDNSSEC2BINDKeyStates
-    """
-    bind_times = {}
-    # idnsSecKeyCreated is equivalent to SQL column 'created'
-    bind_times['idnsSecKeyCreated'] = ods_times['idnsSecKeyCreated']
-
-    # set of key states where publishing in DNS zone is desired is taken from
-    # opendnssec/enforcer/ksm/ksm_request.c:KsmRequestIssueKeys()
-    # TODO: support for RFC 5011, requires OpenDNSSEC v1.4.8+
-    if ('idnsSecKeyPublish' in ods_times and
-        key_state in {KSM_STATE_PUBLISH, KSM_STATE_READY, KSM_STATE_ACTIVE,
-                      KSM_STATE_RETIRE, KSM_STATE_KEYPUBLISH}):
-        bind_times['idnsSecKeyPublish'] = ods_times['idnsSecKeyPublish']
-
-    # ZSK and KSK handling differs in enforcerd, see
-    # opendnssec/enforcer/enforcerd/enforcer.c:commKeyConfig()
-    if key_type == 'ZSK':
-        # idnsSecKeyActivate cannot be set before the key reaches ACTIVE state
-        if ('idnsSecKeyActivate' in ods_times and
-            key_state in {KSM_STATE_ACTIVE, KSM_STATE_RETIRE, KSM_STATE_DEAD}):
-                bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyActivate']
-
-        # idnsSecKeyInactive cannot be set before the key reaches RETIRE state
-        if ('idnsSecKeyInactive' in ods_times and
-            key_state in {KSM_STATE_RETIRE, KSM_STATE_DEAD}):
-                bind_times['idnsSecKeyInactive'] = ods_times['idnsSecKeyInactive']
-
-    elif key_type == 'KSK':
-        # KSK is special: it is used for signing as long as it is in zone
-        if ('idnsSecKeyPublish' in ods_times and
-            key_state in {KSM_STATE_PUBLISH, KSM_STATE_READY, KSM_STATE_ACTIVE,
-                          KSM_STATE_RETIRE, KSM_STATE_KEYPUBLISH}):
-            bind_times['idnsSecKeyActivate'] = ods_times['idnsSecKeyPublish']
-        # idnsSecKeyInactive is ignored for KSK on purpose
-
-    else:
-        assert False, "unsupported key type %s" % key_type
-
-    # idnsSecKeyDelete is relevant only in DEAD state
-    if 'idnsSecKeyDelete' in ods_times and key_state == KSM_STATE_DEAD:
-        bind_times['idnsSecKeyDelete'] = ods_times['idnsSecKeyDelete']
-
-    return bind_times
-
-class ods_db_lock(object):
-    def __enter__(self):
-        self.f = open(ODS_DB_LOCK_PATH, 'w')
-        log.debug('waiting for lock %r', self.f)
-        fcntl.lockf(self.f, fcntl.LOCK_EX)
-        log.debug('acquired lock %r', self.f)
-
-    def __exit__(self, *args):
-        fcntl.lockf(self.f, fcntl.LOCK_UN)
-        log.debug('released lock %r', self.f)
-        self.f.close()
-
-def get_ldap_zone(ldap, dns_base, name):
-    zone_names = ["%s." % name, name]
-
-    # find zone object: name can optionally end with period
-    ldap_zone = None
-    for zone_name in zone_names:
-        zone_base = DN("idnsname=%s" % zone_name, dns_base)
-        try:
-            ldap_zone = ldap.get_entry(dn=zone_base,
-                                       attrs_list=["idnsname"])
-            break
-        except ipalib.errors.NotFound:
-            continue
-
-    if ldap_zone is None:
-        raise ipalib.errors.NotFound(
-            reason='DNS zone "%s" not found in LDAP' % name)
-
-    return ldap_zone
-
-def get_ldap_keys_dn(zone_dn):
-    """Container DN"""
-    return DN("cn=keys", zone_dn)
-
-def get_ldap_keys(ldap, zone_dn):
-    """Keys objects"""
-    keys_dn = get_ldap_keys_dn(zone_dn)
-    ldap_filter = ldap.make_filter_from_attr('objectClass', 'idnsSecKey')
-    ldap_keys = ldap.get_entries(base_dn=keys_dn, filter=ldap_filter)
-
-    return ldap_keys
-
-def get_ods_keys(zone_name):
-    # get zone ID
-    cur = db.execute("SELECT id FROM zones WHERE LOWER(name)=LOWER(?)",
-                     (zone_name,))
-    rows = cur.fetchall()
-    assert len(rows) == 1, "exactly one DNS zone should exist in ODS DB"
-    zone_id = rows[0][0]
-
-    # get relevant keys for given zone ID:
-    # ignore keys which were generated but not used yet
-    # key state check is using constants from
-    # OpenDNSSEC's enforcer/ksm/include/ksm/ksm.h
-    # WARNING! OpenDNSSEC version 1 and 2 are using different constants!
-    cur = db.execute("SELECT kp.HSMkey_id, kp.generate, kp.algorithm, "
-                     "dnsk.publish, dnsk.active, dnsk.retire, dnsk.dead, "
-                     "dnsk.keytype, dnsk.state "
-                     "FROM keypairs AS kp "
-                     "JOIN dnsseckeys AS dnsk ON kp.id = dnsk.keypair_id "
-                     "WHERE dnsk.zone_id = ?", (zone_id,))
-    keys = {}
-    for row in cur:
-        key_data = sql2ldap_flags(row['keytype'])
-        assert key_data.get('idnsSecKeyZONE', None) == 'TRUE', \
-                'unexpected key type 0x%x' % row['keytype']
-        if key_data.get('idnsSecKeySEP', 'FALSE') == 'TRUE':
-            key_type = 'KSK'
-        else:
-            key_type = 'ZSK'
-
-        # transform key state to timestamps for BIND with equivalent semantics
-        ods_times = sql2datetimes(row)
-        key_data.update(ods2bind_timestamps(row['state'], key_type, ods_times))
-
-        key_data.update(sql2ldap_algorithm(row['algorithm']))
-        key_id = "%s-%s-%s" % (key_type,
-                               datetime2ldap(key_data['idnsSecKeyCreated']),
-                               row['HSMkey_id'])
-
-        key_data.update(sql2ldap_keyid(row['HSMkey_id']))
-        keys[key_id] = key_data
-        log.debug("key %s metadata: %s", key_id, key_data)
-
-    return keys
-
-def sync_set_metadata_2ldap(log, source_set, target_set):
-    """sync metadata from source key set to target key set in LDAP
-
-    Keys not present in both sets are left intact."""
-    log = log.getChild('sync_set_metadata_2ldap')
-    matching_keys = set(source_set.keys()).intersection(set(target_set.keys()))
-    log.info("keys in local HSM & LDAP: %s", hex_set(matching_keys))
-    for key_id in matching_keys:
-        sync_pkcs11_metadata(log, source_set[key_id], target_set[key_id])
-
-def ldap2master_replica_keys_sync(log, ldapkeydb, localhsm):
-    """LDAP=>master's local HSM replica key synchronization"""
-    # import new replica keys from LDAP
-    log = log.getChild('ldap2master_replica')
-    log.debug("replica pub keys in LDAP: %s", hex_set(ldapkeydb.replica_pubkeys_wrap))
-    log.debug("replica pub keys in SoftHSM: %s", hex_set(localhsm.replica_pubkeys_wrap))
-    new_replica_keys = set(ldapkeydb.replica_pubkeys_wrap.keys()) \
-            - set(localhsm.replica_pubkeys_wrap.keys())
-    log.info("new replica keys in LDAP: %s", hex_set(new_replica_keys))
-    for key_id in new_replica_keys:
-        new_key_ldap = ldapkeydb.replica_pubkeys_wrap[key_id]
-        log.debug('label=%s, id=%s, data=%s',
-                new_key_ldap['ipk11label'],
-                hexlify(new_key_ldap['ipk11id']),
-                hexlify(new_key_ldap['ipapublickey']))
-        localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
-
-    # set CKA_WRAP = FALSE for all replica keys removed from LDAP
-    removed_replica_keys = set(localhsm.replica_pubkeys_wrap.keys()) \
-            - set(ldapkeydb.replica_pubkeys_wrap.keys())
-    log.info("obsolete replica keys in local HSM: %s",
-            hex_set(removed_replica_keys))
-    for key_id in removed_replica_keys:
-        localhsm.replica_pubkeys_wrap[key_id]['ipk11wrap'] = False
-
-    # synchronize replica key attributes from LDAP to local HSM
-    sync_set_metadata_2ldap(log, localhsm.replica_pubkeys_wrap,
-            ldapkeydb.replica_pubkeys_wrap)
-
-def master2ldap_master_keys_sync(log, ldapkeydb, localhsm):
-    ## master key -> LDAP synchronization
-    # export new master keys to LDAP
-    new_master_keys = set(localhsm.master_keys.keys()) \
-            - set(ldapkeydb.master_keys.keys())
-    log.debug("master keys in local HSM: %s", hex_set(localhsm.master_keys.keys()))
-    log.debug("master keys in LDAP HSM: %s", hex_set(ldapkeydb.master_keys.keys()))
-    log.debug("new master keys in local HSM: %s", hex_set(new_master_keys))
-    for mkey_id in new_master_keys:
-        mkey = localhsm.master_keys[mkey_id]
-        ldapkeydb.import_master_key(mkey)
-
-    # re-fill cache with keys we just added
-    ldapkeydb.flush()
-    log.debug('master keys in LDAP after flush: %s', hex_set(ldapkeydb.master_keys))
-
-    # synchronize master key metadata to LDAP
-    for mkey_id, mkey_local in localhsm.master_keys.items():
-        log.debug('synchronizing master key metadata: 0x%s', hexlify(mkey_id))
-        sync_pkcs11_metadata(log, mkey_local, ldapkeydb.master_keys[mkey_id])
-
-    # re-wrap all master keys in LDAP with new replica keys (as necessary)
-    enabled_replica_key_ids = set(localhsm.replica_pubkeys_wrap.keys())
-    log.debug('enabled replica key ids: %s', hex_set(enabled_replica_key_ids))
-
-    for mkey_id, mkey_ldap in ldapkeydb.master_keys.items():
-        log.debug('processing master key data: 0x%s', hexlify(mkey_id))
-
-        # check that all active replicas have own copy of master key
-        used_replica_keys = set()
-        for wrapped_entry in mkey_ldap.wrapped_entries:
-            matching_keys = localhsm.find_keys(
-                    uri=wrapped_entry.single_value['ipaWrappingKey'])
-            for matching_key in matching_keys.values():
-                assert matching_key['ipk11label'].startswith(u'dnssec-replica:'), \
-                        'Wrapped key "%s" refers to PKCS#11 URI "%s" which is ' \
-                        'not a know DNSSEC replica key: label "%s" does not start ' \
-                        'with "dnssec-replica:" prefix' % (wrapped_entry.dn,
-                                wrapped_entry['ipaWrappingKey'],
-                                matching_key['ipk11label'])
-                used_replica_keys.add(matching_key['ipk11id'])
-
-        new_replica_keys = enabled_replica_key_ids - used_replica_keys
-        log.debug('master key 0x%s is not wrapped with replica keys %s',
-                hexlify(mkey_id), hex_set(new_replica_keys))
-
-        # wrap master key with new replica keys
-        mkey_local = localhsm.find_keys(id=mkey_id).popitem()[1]
-        for replica_key_id in new_replica_keys:
-            log.info('adding master key 0x%s wrapped with replica key 0x%s' % (
-                hexlify(mkey_id), hexlify(replica_key_id)))
-            replica_key = localhsm.replica_pubkeys_wrap[replica_key_id]
-            keydata = localhsm.p11.export_wrapped_key(mkey_local.handle,
-                    replica_key.handle,
-                    wrappingmech_name2id[SECRETKEY_WRAPPING_MECH])
-            mkey_ldap.add_wrapped_data(keydata, SECRETKEY_WRAPPING_MECH,
-                    replica_key_id)
-
-    ldapkeydb.flush()
-
-def master2ldap_zone_keys_sync(log, ldapkeydb, localhsm):
-    """add and update zone key material from local HSM to LDAP
-
-    No key material will be removed, only new keys will be added or updated.
-    Key removal is hanled by master2ldap_zone_keys_purge()."""
-    log = log.getChild('master2ldap_zone_keys')
-    keypairs_ldap = ldapkeydb.zone_keypairs
-    log.debug("zone keys in LDAP: %s", hex_set(keypairs_ldap))
-
-    pubkeys_local = localhsm.zone_pubkeys
-    privkeys_local = localhsm.zone_privkeys
-    log.debug("zone keys in local HSM: %s", hex_set(privkeys_local))
-
-    assert set(pubkeys_local) == set(privkeys_local), (
-            "IDs of private and public keys for DNS zones in local HSM does "
-            "not match to key pairs: %s vs. %s" %
-            (hex_set(pubkeys_local), hex_set(privkeys_local)))
-
-    new_keys = set(pubkeys_local) - set(keypairs_ldap)
-    log.debug("new zone keys in local HSM: %s", hex_set(new_keys))
-    mkey = localhsm.active_master_key
-    # wrap each new zone key pair with selected master key
-    for zkey_id in new_keys:
-        pubkey = pubkeys_local[zkey_id]
-        pubkey_data = localhsm.p11.export_public_key(pubkey.handle)
-
-        privkey = privkeys_local[zkey_id]
-        privkey_data = localhsm.p11.export_wrapped_key(privkey.handle,
-                wrapping_key=mkey.handle,
-                wrapping_mech=wrappingmech_name2id[PRIVKEY_WRAPPING_MECH])
-        ldapkeydb.import_zone_key(pubkey, pubkey_data, privkey, privkey_data,
-                PRIVKEY_WRAPPING_MECH, mkey['ipk11id'])
-
-    sync_set_metadata_2ldap(log, pubkeys_local, keypairs_ldap)
-    sync_set_metadata_2ldap(log, privkeys_local, keypairs_ldap)
-    ldapkeydb.flush()
-
-def master2ldap_zone_keys_purge(log, ldapkeydb, localhsm):
-    """purge removed key material from LDAP (but not metadata)
-
-    Keys which are present in LDAP but not in local HSM will be removed.
-    Key metadata must be removed first so references to removed key material
-    are removed before actually removing the keys."""
-    keypairs_ldap = ldapkeydb.zone_keypairs
-    log.debug("zone keys in LDAP: %s", hex_set(keypairs_ldap))
-
-    pubkeys_local = localhsm.zone_pubkeys
-    privkeys_local = localhsm.zone_privkeys
-    log.debug("zone keys in local HSM: %s", hex_set(privkeys_local))
-    assert set(pubkeys_local) == set(privkeys_local), \
-            "IDs of private and public keys for DNS zones in local HSM does " \
-            "not match to key pairs: %s vs. %s" % \
-            (hex_set(pubkeys_local), hex_set(privkeys_local))
-
-    deleted_key_ids = set(keypairs_ldap) - set(pubkeys_local)
-    log.debug("zone keys deleted from local HSM but present in LDAP: %s",
-            hex_set(deleted_key_ids))
-    for zkey_id in deleted_key_ids:
-        keypairs_ldap[zkey_id].schedule_deletion()
-    ldapkeydb.flush()
-
-def hex_set(s):
-    out = set()
-    for i in s:
-        out.add("0x%s" % hexlify(i))
-    return out
-
-def receive_systemd_command(log):
-    fds = systemd.daemon.listen_fds()
-    if len(fds) != 1:
-        raise KeyError('Exactly one socket is expected.')
-
-    sck = socket.fromfd(fds[0], socket.AF_UNIX, socket.SOCK_STREAM)
-    rlist, wlist, xlist = select.select([sck], [], [], 0)
-    if not rlist:
-        log.critical('socket activation did not return socket with a command')
-        sys.exit(0)
-
-    log.debug('accepting new connection')
-    conn, addr = sck.accept()
-    log.debug('accepted new connection %s', repr(conn))
-
-    # this implements cmdhandler_handle_cmd() logic
-    cmd = conn.recv(ODS_SE_MAXLINE).strip()
-    log.debug('received command "%s" from systemd socket', cmd)
-    return (cmd, conn)
-
-def parse_command(cmd):
-    """Parse command to (exit code, message, zone_name) tuple.
-
-    Exit code None means that execution should continue.
-    """
-    if cmd == 'ipa-hsm-update':
-        return (0,
-                'HSM synchronization finished, skipping zone synchronization.',
-                None,
-                cmd)
-
-    elif cmd == 'ipa-full-update':
-        return (None,
-                'Synchronization of all zones was finished.',
-                None,
-                cmd)
-
-    elif cmd.startswith('ldap-cleanup '):
-        zone_name = cmd2ods_zone_name(cmd)
-        return (None,
-                'Zone "%s" metadata will be removed from LDAP.\n' % zone_name,
-                zone_name,
-                'ldap-cleanup')
-
-    elif cmd.startswith('update '):
-        zone_name = cmd2ods_zone_name(cmd)
-        return (None,
-                'Zone "%s" metadata will be updated in LDAP.\n' % zone_name,
-                zone_name,
-                'update')
-
-    else:
-        return (0,
-                'Command "%s" is not supported by IPA; '
-                'HSM synchronization was finished and the command '
-                'will be ignored.' % cmd,
-                None,
-                None)
-
-
-def send_systemd_reply(conn, reply):
-        # Reply & close connection early.
-        # This is necessary to let Enforcer to unlock the ODS DB.
-        conn.send(reply + '\n')
-        conn.shutdown(socket.SHUT_RDWR)
-        conn.close()
-
-def cmd2ods_zone_name(cmd):
-    # ODS stores zone name without trailing period
-    zone_name = cmd.split(' ', 1)[1].strip()
-    if len(zone_name) > 1 and zone_name[-1] == '.':
-        zone_name = zone_name[:-1]
-
-    return zone_name
-
-def sync_zone(log, ldap, dns_dn, zone_name):
-    """synchronize metadata about zone keys for single DNS zone
-
-    Key material has to be synchronized elsewhere.
-    Keep in mind that keys could be shared among multiple zones!"""
-    log.getChild("%s.%s" % (__name__, zone_name))
-    log.debug('synchronizing zone "%s"', zone_name)
-    ods_keys = get_ods_keys(zone_name)
-    ods_keys_id = set(ods_keys.keys())
-
-    ldap_zone = get_ldap_zone(ldap, dns_dn, zone_name)
-    zone_dn = ldap_zone.dn
-
-    keys_dn = get_ldap_keys_dn(zone_dn)
-    try:
-        ldap_keys = get_ldap_keys(ldap, zone_dn)
-    except ipalib.errors.NotFound:
-        # cn=keys container does not exist, create it
-        ldap_keys = []
-        ldap_keys_container = ldap.make_entry(keys_dn,
-                                              objectClass=['nsContainer'])
-        try:
-            ldap.add_entry(ldap_keys_container)
-        except ipalib.errors.DuplicateEntry:
-            # ldap.get_entries() does not distinguish non-existent base DN
-            # from empty result set so addition can fail because container
-            # itself exists already
-            pass
-
-    ldap_keys_dict = {}
-    for ldap_key in ldap_keys:
-        cn = ldap_key['cn'][0]
-        ldap_keys_dict[cn] = ldap_key
-
-    ldap_keys = ldap_keys_dict  # shorthand
-    ldap_keys_id = set(ldap_keys.keys())
-
-    new_keys_id = ods_keys_id - ldap_keys_id
-    log.info('new key metadata from ODS: %s', new_keys_id)
-    for key_id in new_keys_id:
-        cn = "cn=%s" % key_id
-        key_dn = DN(cn, keys_dn)
-        log.debug('adding key metadata "%s" to LDAP', key_dn)
-        ldap_key = ldap.make_entry(key_dn,
-                                   objectClass=['idnsSecKey'],
-                                   **ods_keys[key_id])
-        ldap.add_entry(ldap_key)
-
-    deleted_keys_id = ldap_keys_id - ods_keys_id
-    log.info('deleted key metadata in LDAP: %s', deleted_keys_id)
-    for key_id in deleted_keys_id:
-        cn = "cn=%s" % key_id
-        key_dn = DN(cn, keys_dn)
-        log.debug('deleting key metadata "%s" from LDAP', key_dn)
-        ldap.delete_entry(key_dn)
-
-    update_keys_id = ldap_keys_id.intersection(ods_keys_id)
-    log.info('key metadata in LDAP & ODS: %s', update_keys_id)
-    for key_id in update_keys_id:
-        ldap_key = ldap_keys[key_id]
-        ods_key = ods_keys[key_id]
-        log.debug('updating key metadata "%s" in LDAP', ldap_key.dn)
-        ldap_key.update(ods_key)
-        try:
-            ldap.update_entry(ldap_key)
-        except ipalib.errors.EmptyModlist:
-            continue
-
-def cleanup_ldap_zone(log, ldap, dns_dn, zone_name):
-    """delete all key metadata about zone keys for single DNS zone
-
-    Key material has to be synchronized elsewhere.
-    Keep in mind that keys could be shared among multiple zones!"""
-    log = log.getChild("%s.%s" % (__name__, zone_name))
-    log.debug('cleaning up key metadata from zone "%s"', zone_name)
-
-    try:
-        ldap_zone = get_ldap_zone(ldap, dns_dn, zone_name)
-        ldap_keys = get_ldap_keys(ldap, ldap_zone.dn)
-    except ipalib.errors.NotFound as ex:
-        # zone or cn=keys container does not exist, we are done
-        log.debug(str(ex))
-        return
-
-    for ldap_key in ldap_keys:
-        log.debug('deleting key metadata "%s"', ldap_key.dn)
-        ldap.delete_entry(ldap_key)
-
-log = logging.getLogger('root')
-# this service is usually socket-activated
-log.addHandler(systemd.journal.JournalHandler())
-log.setLevel(level=logging.DEBUG)
-
-if len(sys.argv) > 2:
-    print(__doc__)
-    sys.exit(1)
-# program was likely invoked from console, log to it
-elif len(sys.argv) == 2:
-    console = logging.StreamHandler()
-    log.addHandler(console)
-
-# IPA framework initialization
-ipalib.api.bootstrap(in_server=True, log=None)  # no logging to file
-ipalib.api.finalize()
-
-# Kerberos initialization
-PRINCIPAL = str('%s/%s' % (DAEMONNAME, ipalib.api.env.host))
-log.debug('Kerberos principal: %s', PRINCIPAL)
-ccache_name = paths.IPA_ODS_EXPORTER_CCACHE
-
-try:
-    ipautil.kinit_keytab(PRINCIPAL, paths.IPA_ODS_EXPORTER_KEYTAB, ccache_name,
-                         attempts=5)
-except GSSError as e:
-    log.critical('Kerberos authentication failed: %s', e)
-    sys.exit(1)
-
-os.environ['KRB5CCNAME'] = ccache_name
-log.debug('Got TGT')
-
-# LDAP initialization
-dns_dn = DN(ipalib.api.env.container_dns, ipalib.api.env.basedn)
-ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
-log.debug('Connecting to LDAP')
-ldap.gssapi_bind()
-log.debug('Connected')
-
-
-### DNSSEC master: key material upload & synchronization (but not deletion)
-ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'),
-                                    ipalib.api.env.container_dns,
-                                    ipalib.api.env.basedn))
-localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, 0,
-        open(paths.DNSSEC_SOFTHSM_PIN).read())
-
-ldap2master_replica_keys_sync(log, ldapkeydb, localhsm)
-master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
-master2ldap_zone_keys_sync(log, ldapkeydb, localhsm)
-
-
-### DNSSEC master: DNSSEC key metadata upload & synchronization & deletion
-# command receive is delayed so the command will stay in socket queue until
-# the problem with LDAP server or HSM is fixed
-try:
-    cmd, conn = receive_systemd_command(log)
-    if len(sys.argv) != 1:
-        log.critical('No additional parameters are accepted when '
-                     'socket activation is used.')
-        sys.exit(1)
-# Handle cases where somebody ran the program without systemd.
-except KeyError as e:
-    if len(sys.argv) != 2:
-        print(__doc__)
-        print('ERROR: Exactly one parameter or socket activation is required.')
-        sys.exit(1)
-    conn = None
-    cmd = sys.argv[1]
-
-exitcode, msg, zone_name, cmd = parse_command(cmd)
-
-if exitcode is not None:
-    if conn:
-        send_systemd_reply(conn, msg)
-    log.info(msg)
-    sys.exit(exitcode)
-else:
-    log.debug(msg)
-
-# Open DB directly and read key timestamps etc.
-db = None
-try:
-    # LOCK WARNING:
-    # ods-enforcerd is holding kasp.db.our_lock when processing all zones and
-    # the lock is unlocked only after all calls to ods-signer are finished,
-    # i.e. when ods-enforcerd receives reply from each ods-signer call.
-    #
-    # Consequently, ipa-ods-exporter (ods-signerd implementation) must not
-    # request kasp.db.our_lock to prevent deadlocks.
-    # SQLite transaction isolation should suffice.
-    # Beware: Reply can be sent back only after DB is unlocked and closed
-    #         otherwise ods-enforcerd will fail.
-
-    db = sqlite3.connect(paths.OPENDNSSEC_KASP_DB)
-    db.row_factory = sqlite3.Row
-    db.execute('BEGIN')
-
-    if zone_name is not None:
-        # only one zone should be processed
-        if cmd == 'update':
-            sync_zone(log, ldap, dns_dn, zone_name)
-        elif cmd == 'ldap-cleanup':
-            cleanup_ldap_zone(log, ldap, dns_dn, zone_name)
-    else:
-        # process all zones
-        for zone_row in db.execute("SELECT name FROM zones"):
-            sync_zone(log, ldap, dns_dn, zone_row['name'])
-
-    ### DNSSEC master: DNSSEC key material purging
-    # references to old key material were removed above in sync_zone()
-    # so now we can purge old key material from LDAP
-    master2ldap_zone_keys_purge(log, ldapkeydb, localhsm)
-
-except Exception as ex:
-    msg = "ipa-ods-exporter exception: %s" % traceback.format_exc(ex)
-    log.exception(ex)
-    raise ex
-
-finally:
-    try:
-        if db:
-            db.close()
-    finally:
-        if conn:
-            send_systemd_reply(conn, msg)
-
-log.debug('Done')

daemons/dnssec/ipa-ods-exporter.service

@@ -1,15 +0,0 @@
-[Unit]
-Description=IPA OpenDNSSEC Signer replacement
-Wants=ipa-ods-exporter.socket
-After=ipa-ods-exporter.socket
-
-[Service]
-EnvironmentFile=/etc/sysconfig/ipa-ods-exporter
-ExecStart=/usr/libexec/ipa/ipa-ods-exporter
-User=ods
-PrivateTmp=yes
-Restart=on-failure
-RestartSec=60s
-
-[Install]
-WantedBy=multi-user.target

daemons/dnssec/ipa-ods-exporter.socket

@@ -1,5 +0,0 @@
-[Socket]
-ListenStream=/var/run/opendnssec/engine.sock
-
-[Install]
-WantedBy=sockets.target