Imported Upstream version 4.3.1

Mario Fetka
2021-08-10 02:37:58 +02:00
parent a791de49a2
commit 2f177da8f2
2056 changed files with 421730 additions and 1668138 deletions


@@ -2,9 +2,7 @@
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
#
from __future__ import absolute_import
import logging
import random
import os
import pwd
import grp
@@ -12,21 +10,20 @@ import stat
import shutil
from subprocess import CalledProcessError
from ipalib.install import sysrestore
from ipapython import p11helper as _ipap11helper
from ipaserver.install import service
from ipaserver.install import installutils
from ipapython.ipa_log_manager import *
from ipapython.dn import DN
from ipapython import directivesetter
from ipapython import ipautil
from ipapython import sysrestore, ipautil, ipaldap, p11helper
from ipaplatform import services
from ipaplatform.constants import constants
from ipaplatform.paths import paths
from ipalib import errors, api
from ipaserver import p11helper
from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
logger = logging.getLogger(__name__)
from ipaserver.install import dnskeysyncinstance
KEYMASTER = u'dnssecKeyMaster'
softhsm_slot = 0
def get_dnssec_key_masters(conn):
@@ -62,16 +59,22 @@ def get_dnssec_key_masters(conn):
class OpenDNSSECInstance(service.Service):
def __init__(self, fstore=None):
def __init__(self, fstore=None, dm_password=None, ldapi=False,
start_tls=False, autobind=ipaldap.AUTOBIND_ENABLED):
service.Service.__init__(
self, "ods-enforcerd",
service_desc="OpenDNSSEC enforcer daemon",
dm_password=dm_password,
ldapi=ldapi,
autobind=autobind,
start_tls=start_tls
)
self.dm_password = dm_password
self.ods_uid = None
self.ods_gid = None
self.conf_file_dict = {
'SOFTHSM_LIB': paths.LIBSOFTHSM2_SO,
'TOKEN_LABEL': SOFTHSM_DNSSEC_TOKEN_LABEL,
'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label,
'KASP_DB': paths.OPENDNSSEC_KASP_DB,
'ODS_USER': constants.ODS_USER,
'ODS_GROUP': constants.ODS_GROUP,
@@ -87,7 +90,9 @@ class OpenDNSSECInstance(service.Service):
suffix = ipautil.dn_attribute_property('_suffix')
def get_masters(self):
return get_dnssec_key_masters(api.Backend.ldap2)
if not self.admin_conn:
self.ldap_connect()
return get_dnssec_key_masters(self.admin_conn)
def create_instance(self, fqdn, realm_name, generate_master_key=True,
kasp_db_file=None):
@@ -105,6 +110,9 @@ class OpenDNSSECInstance(service.Service):
except Exception:
pass
# get a connection to the DS
if not self.admin_conn:
self.ldap_connect()
# checking status must be first
self.step("checking status", self.__check_dnssec_status)
self.step("setting up configuration files", self.__setup_conf_files)
@@ -118,6 +126,9 @@ class OpenDNSSECInstance(service.Service):
self.start_creation()
def __check_dnssec_status(self):
named = services.knownservices.named
ods_enforcerd = services.knownservices.ods_enforcerd
try:
self.named_uid = pwd.getpwnam(constants.NAMED_USER).pw_uid
except KeyError:
@@ -140,25 +151,25 @@ class OpenDNSSECInstance(service.Service):
def __enable(self):
try:
self.ldap_configure('DNSSEC', self.fqdn, None,
self.suffix, self.extra_config)
self.ldap_enable('DNSSEC', self.fqdn, self.dm_password,
self.suffix, self.extra_config)
except errors.DuplicateEntry:
logger.error("DNSSEC service already exists")
root_logger.error("DNSSEC service already exists")
# add the KEYMASTER identifier into ipaConfigString
# this is needed for the re-enabled DNSSEC master
dn = DN(('cn', 'DNSSEC'), ('cn', self.fqdn), api.env.container_masters,
api.env.basedn)
try:
entry = api.Backend.ldap2.get_entry(dn, ['ipaConfigString'])
entry = self.admin_conn.get_entry(dn, ['ipaConfigString'])
except errors.NotFound as e:
logger.error(
root_logger.error(
"DNSSEC service entry not found in the LDAP (%s)", e)
else:
config = entry.setdefault('ipaConfigString', [])
if KEYMASTER not in config:
config.append(KEYMASTER)
api.Backend.ldap2.update_entry(entry)
self.admin_conn.update_entry(entry)
def __setup_conf_files(self):
if not self.fstore.has_file(paths.OPENDNSSEC_CONF_FILE):
@@ -179,8 +190,7 @@ class OpenDNSSECInstance(service.Service):
sub_conf_dict['PIN'] = pin
ods_conf_txt = ipautil.template_file(
os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),
sub_conf_dict)
ipautil.SHARE_DIR + "opendnssec_conf.template", sub_conf_dict)
ods_conf_fd = open(paths.OPENDNSSEC_CONF_FILE, 'w')
ods_conf_fd.seek(0)
ods_conf_fd.truncate(0)
@@ -188,8 +198,7 @@ class OpenDNSSECInstance(service.Service):
ods_conf_fd.close()
ods_kasp_txt = ipautil.template_file(
os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_kasp.template"),
self.kasp_file_dict)
ipautil.SHARE_DIR + "opendnssec_kasp.template", self.kasp_file_dict)
ods_kasp_fd = open(paths.OPENDNSSEC_KASP_FILE, 'w')
ods_kasp_fd.seek(0)
ods_kasp_fd.truncate(0)
@@ -199,10 +208,10 @@ class OpenDNSSECInstance(service.Service):
if not self.fstore.has_file(paths.SYSCONFIG_ODS):
self.fstore.backup_file(paths.SYSCONFIG_ODS)
directivesetter.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,
quotes=False, separator='=')
installutils.set_directive(paths.SYSCONFIG_ODS,
'SOFTHSM2_CONF',
paths.DNSSEC_SOFTHSM2_CONF,
quotes=False, separator='=')
def __setup_ownership_file_modes(self):
assert self.ods_uid is not None
@@ -240,15 +249,14 @@ class OpenDNSSECInstance(service.Service):
pin = f.read()
os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
p11 = p11helper.P11_Helper(
SOFTHSM_DNSSEC_TOKEN_LABEL, pin, paths.LIBSOFTHSM2_SO)
p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
try:
# generate master key
logger.debug("Creating master key")
root_logger.debug("Creating master key")
p11helper.generate_master_key(p11)
# change tokens mod/owner
logger.debug("Changing ownership of token files")
root_logger.debug("Changing ownership of token files")
for (root, dirs, files) in os.walk(paths.DNSSEC_TOKENS_DIR):
for directory in dirs:
dir_path = os.path.join(root, directory)
@@ -265,7 +273,7 @@ class OpenDNSSECInstance(service.Service):
def __setup_dnssec(self):
# run once only
if self.get_state("kasp_db_configured") and not self.kasp_db_file:
logger.debug("Already configured, skipping step")
root_logger.debug("Already configured, skipping step")
return
self.backup_state("kasp_db_configured", True)
@@ -281,6 +289,7 @@ class OpenDNSSECInstance(service.Service):
os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
# regenerate zonelist.xml
ods_enforcerd = services.knownservices.ods_enforcerd
cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
result = ipautil.run(cmd,
runas=constants.ODS_USER,
@@ -298,14 +307,15 @@ class OpenDNSSECInstance(service.Service):
'setup'
]
ods_enforcerd = services.knownservices.ods_enforcerd
ipautil.run(command, stdin="y", runas=constants.ODS_USER)
def __setup_dnskeysyncd(self):
# set up dnskeysyncd this is DNSSEC master
directivesetter.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
'ISMASTER',
'1',
quotes=False, separator='=')
installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
'ISMASTER',
'1',
quotes=False, separator='=')
def __start(self):
self.restart() # needed to reload conf files
@@ -325,7 +335,7 @@ class OpenDNSSECInstance(service.Service):
except Exception:
pass
ods_exporter = services.service('ipa-ods-exporter', api)
ods_exporter = services.service('ipa-ods-exporter')
try:
ods_exporter.stop()
except Exception:
@@ -333,33 +343,34 @@ class OpenDNSSECInstance(service.Service):
# remove directive from ipa-dnskeysyncd, this server is not DNSSEC
# master anymore
directivesetter.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
'ISMASTER', None,
quotes=False, separator='=')
installutils.set_directive(paths.SYSCONFIG_IPA_DNSKEYSYNCD,
'ISMASTER', None,
quotes=False, separator='=')
restore_list = [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE]
if os.path.isfile(paths.OPENDNSSEC_KASP_DB):
if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):
# force to export data
ods_enforcerd = services.knownservices.ods_enforcerd
cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
try:
self.print_msg("Exporting DNSSEC data before uninstallation")
ipautil.run(cmd, runas=constants.ODS_USER)
except CalledProcessError:
logger.error("DNSSEC data export failed")
root_logger.error("DNSSEC data export failed")
try:
shutil.copy(paths.OPENDNSSEC_KASP_DB,
paths.IPA_KASP_DB_BACKUP)
except IOError as e:
logger.error(
root_logger.error(
"Unable to backup OpenDNSSEC database %s, "
"restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e)
else:
logger.info("OpenDNSSEC database backed up in %s",
paths.IPA_KASP_DB_BACKUP)
root_logger.info("OpenDNSSEC database backed up in %s",
paths.IPA_KASP_DB_BACKUP)
# restore OpenDNSSEC's KASP DB only if backup succeeded
# removing the file without backup could totally break DNSSEC
restore_list.append(paths.OPENDNSSEC_KASP_DB)
@@ -368,11 +379,12 @@ class OpenDNSSECInstance(service.Service):
try:
self.fstore.restore_file(f)
except ValueError as error:
logger.debug("%s", error)
root_logger.debug(error)
pass
self.restore_state("kasp_db_configured") # just eat state
# disabled by default, by ldap_configure()
# disabled by default, by ldap_enable()
if enabled:
self.enable()
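Review bot: In the hunk at `@@ -240,15 +249,14 @@` the master key is generated through a token opened by the module-level `softhsm_slot = 0` (`p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)`), while the OpenDNSSEC configuration built in `__init__` selects the token by label (`'TOKEN_LABEL': dnskeysyncinstance.softhsm_token_label`), so the two code paths can end up pointing at different tokens. To my knowledge SoftHSM2 does not keep slot numbers stable once a token has been initialized, which would mean the DNSSEC master key could be created in a token other than the one the enforcer is later configured to use, or the PIN login could be attempted against the wrong token. Resolving the slot from `dnskeysyncinstance.softhsm_token_label` before constructing the helper, and raising when no token carries that label, would make both selectors agree; at minimum a comment on `softhsm_slot = 0` such as `# slot index used for key generation; must refer to the token labelled softhsm_token_label` should document the assumption. The method containing this code begins outside the hunk, so I cannot see whether the slot is validated earlier in it.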