Imported Debian patch 4.8.10-2

2020-11-23 20:48:56 +02:00
parent 8bc559c5a1
commit 358acdd85f
917 changed files with 1185414 additions and 1069733 deletions
--- a/ipaserver/dnssec/odsmgr.py
+++ b/ipaserver/dnssec/odsmgr.py
@@ -5,12 +5,14 @@
 import logging

 import dns.name
+import re
 try:
    from xml.etree import cElementTree as etree
 except ImportError:
    from xml.etree import ElementTree as etree

 from ipapython import ipa_log_manager, ipautil
+from ipaserver.dnssec.opendnssec import tasks

 logger = logging.getLogger(__name__)

@@ -19,7 +21,7 @@ ENTRYUUID_PREFIX = "/var/lib/ipa/dns/zone/entryUUID/"
 ENTRYUUID_PREFIX_LEN = len(ENTRYUUID_PREFIX)


-class ZoneListReader(object):
+class ZoneListReader:
    def __init__(self):
        self.names = set()  # dns.name
        self.uuids = set()  # UUID strings
@@ -119,7 +121,7 @@ class LDAPZoneListReader(ZoneListReader):
            self._del_zone(zone_ldap['idnsname'][0], uuid)


-class ODSMgr(object):
+class ODSMgr:
    """OpenDNSSEC zone manager. It does LDAP->ODS synchronization.

    Zones with idnsSecInlineSigning attribute = TRUE in LDAP are added
@@ -130,42 +132,75 @@ class ODSMgr(object):
        self.zl_ldap = LDAPZoneListReader()

    def ksmutil(self, params):
-        """Call ods-ksmutil with given parameters and return stdout.
+        """Call ods-ksmutil / ods-enforcer with parameters and return stdout.

        Raises CalledProcessError if returncode != 0.
        """
-        cmd = ['ods-ksmutil'] + params
-        result = ipautil.run(cmd, capture_output=True)
+        result = tasks.run_ods_manager(params, capture_output=True)
        return result.output

    def get_ods_zonelist(self):
        stdout = self.ksmutil(['zonelist', 'export'])
-        reader = ODSZoneListReader(stdout)
+        try:
+            reader = ODSZoneListReader(stdout)
+        except etree.ParseError:
+            # With OpenDNSSEC 2, the above command returns a message
+            # containing the zonelist filename instead of the XML text:
+            # "Exported zonelist to /etc/opendnssec/zonelist.xml successfully"
+            # extract the filename and read its content
+            pattern = re.compile(r'.* (/.*) .*')
+            matches = re.findall(pattern, stdout)
+            if matches:
+                with open(matches[0]) as f:
+                    content = f.read()
+                reader = ODSZoneListReader(content)
+
        return reader

    def add_ods_zone(self, uuid, name):
        zone_path = '%s%s' % (ENTRYUUID_PREFIX, uuid)
+        if name != dns.name.root:
+            name = name.relativize(dns.name.root)
        cmd = ['zone', 'add', '--zone', str(name), '--input', zone_path]
-        output = self.ksmutil(cmd)
-        logger.info('%s', output)
-        self.notify_enforcer()
+        output = None
+        try:
+            output = self.ksmutil(cmd)
+        except ipautil.CalledProcessError as e:
+            # Zone already exists in HSM
+            if e.returncode == 1 \
+                    and str(e.output).endswith(str(name) + ' already exists!'):
+                # Just return
+                return
+        if output is not None:
+            logger.info('%s', output)
+            self.notify_enforcer()

    def del_ods_zone(self, name):
        # ods-ksmutil blows up if zone name has period at the end
-        name = name.relativize(dns.name.root)
+        if name != dns.name.root:
+            name = name.relativize(dns.name.root)
        # detect if name is root zone
        if name == dns.name.empty:
            name = dns.name.root
        cmd = ['zone', 'delete', '--zone', str(name)]
-        output = self.ksmutil(cmd)
-        logger.info('%s', output)
-        self.notify_enforcer()
-        self.cleanup_signer(name)
+        output = None
+        try:
+            output = self.ksmutil(cmd)
+        except ipautil.CalledProcessError as e:
+            # Zone already doesn't exist in HSM
+            if e.returncode == 1 \
+                    and str(e.output).endswith(str(name) + ' not found!'):
+                # Just cleanup signer, no need to notify enforcer
+                self.cleanup_signer(name)
+                return
+        if output is not None:
+            logger.info('%s', output)
+            self.notify_enforcer()
+            self.cleanup_signer(name)

    def notify_enforcer(self):
-        cmd = ['notify']
-        output = self.ksmutil(cmd)
-        logger.info('%s', output)
+        result = tasks.run_ods_notify(capture_output=True)
+        logger.info('%s', result.output)

    def cleanup_signer(self, zone_name):
        cmd = ['ods-signer', 'ldap-cleanup', str(zone_name)]