Imported Debian patch 4.7.2-3

daemons/dnssec/Makefile.am

@@ -29,9 +29,7 @@ CLEANFILES = $(systemdsystemunit_DATA) $(nodist_app_SCRIPTS)
 		-e 's|@libexecdir[@]|$(libexecdir)|g' \
 		-e 's|@localstatedir[@]|$(localstatedir)|g' \
 		-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
-		-e 's|@runstatedir[@]|$(runstatedir)|g' \
 		-e 's|@ODS_USER[@]|$(ODS_USER)|g' \
-		-e 's|@ODS_GROUP[@]|$(ODS_GROUP)|g' \
 		-e 's|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
 		'$(srcdir)/$@.in' >$@
 

daemons/dnssec/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.16.1 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2018 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -219,8 +219,6 @@ JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
 KRB5_CFLAGS = @KRB5_CFLAGS@
-KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
-KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
 KRB5_LIBS = @KRB5_LIBS@
 LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
@@ -263,10 +261,11 @@ NM = @NM@
 NMEDIT = @NMEDIT@
 NSPR_CFLAGS = @NSPR_CFLAGS@
 NSPR_LIBS = @NSPR_LIBS@
+NSS_CFLAGS = @NSS_CFLAGS@
+NSS_LIBS = @NSS_LIBS@
 NUM_VERSION = @NUM_VERSION@
 OBJDUMP = @OBJDUMP@
 OBJEXT = @OBJEXT@
-ODS_GROUP = @ODS_GROUP@
 ODS_USER = @ODS_USER@
 OTOOL = @OTOOL@
 OTOOL64 = @OTOOL64@
@@ -287,6 +286,8 @@ POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
+PYTHON2 = @PYTHON2@
+PYTHON3 = @PYTHON3@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
 PYTHON_INSTALL_EXTRA_OPTIONS = @PYTHON_INSTALL_EXTRA_OPTIONS@
 PYTHON_PLATFORM = @PYTHON_PLATFORM@
@@ -374,9 +375,7 @@ program_transform_name = @program_transform_name@
 psdir = @psdir@
 pyexecdir = @pyexecdir@
 pythondir = @pythondir@
-runstatedir = @runstatedir@
 sbindir = @sbindir@
-selinux_makefile = @selinux_makefile@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
@@ -683,9 +682,7 @@ uninstall-am: uninstall-nodist_appSCRIPTS \
 		-e 's|@libexecdir[@]|$(libexecdir)|g' \
 		-e 's|@localstatedir[@]|$(localstatedir)|g' \
 		-e 's|@sysconfenvdir[@]|$(sysconfenvdir)|g' \
-		-e 's|@runstatedir[@]|$(runstatedir)|g' \
 		-e 's|@ODS_USER[@]|$(ODS_USER)|g' \
-		-e 's|@ODS_GROUP[@]|$(ODS_GROUP)|g' \
 		-e 's|@NAMED_GROUP[@]|$(NAMED_GROUP)|g' \
 		'$(srcdir)/$@.in' >$@
 install-data-hook:
@@ -693,12 +690,9 @@ install-data-hook:
 
 # special handling of Python scripts with auto-generated shebang line
 $(PYTHON_SHEBANG):%: %.in Makefile
-	$(AM_V_GEN)sed -e 's|^#!/usr/bin/python3.*|#!$(PYTHON) -I|g' $< > $@
+	$(AM_V_GEN)sed -e 's|@PYTHONSHEBANG[@]|#!$(PYTHON) -E|g' $< > $@
 	$(AM_V_GEN)chmod +x $@
 
-.PHONY: python_scripts_sub
-python_scripts_sub: $(PYTHON_SHEBANG)
-
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:

daemons/dnssec/ipa-dnskeysync-replica.in

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+@PYTHONSHEBANG@
 #
 # Copyright (C) 2014  FreeIPA Contributors see COPYING for license
 #
@@ -14,7 +14,6 @@ import os
 import sys
 
 import ipalib
-from ipalib import errors
 from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
@@ -58,7 +57,6 @@ def find_unwrapping_key(localhsm, wrapping_key_uri):
         unwrap_keys = localhsm.find_keys(id=key_id, cka_unwrap=True)
         if len(unwrap_keys) > 0:
             return unwrap_keys.popitem()[1]
-    return None
 
 def ldap2replica_master_keys_sync(ldapkeydb, localhsm):
     ## LDAP -> replica master key synchronization
@@ -164,33 +162,23 @@ except GSSError as e:
 os.environ['KRB5CCNAME'] = ccache_filename
 logger.debug('Got TGT')
 
-keys_dn = DN(
-    ('cn', 'keys'), ('cn', 'sec'),
-    ipalib.api.env.container_dns,
-    ipalib.api.env.basedn
-)
+# LDAP initialization
+ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
+logger.debug('Connecting to LDAP')
+ldap.gssapi_bind()
+logger.debug('Connected')
 
-with open(paths.DNSSEC_SOFTHSM_PIN) as f:
-    localhsm = LocalHSM(
-        paths.LIBSOFTHSM2_SO,
-        SOFTHSM_DNSSEC_TOKEN_LABEL,
-        f.read()
-    )
 
-try:
-    # LDAP initialization
-    ldap = ipaldap.LDAPClient(ipalib.api.env.ldap_uri)
-    logger.debug('Connecting to LDAP')
-    ldap.gssapi_bind()
-    logger.debug('Connected')
+### DNSSEC master: key synchronization
+ldapkeydb = LdapKeyDB(ldap, DN(('cn', 'keys'),
+                               ('cn', 'sec'),
+                               ipalib.api.env.container_dns,
+                               ipalib.api.env.basedn))
 
-    ### DNSSEC master: key synchronization
-    ldapkeydb = LdapKeyDB(ldap, keys_dn)
-    ldap2replica_master_keys_sync(ldapkeydb, localhsm)
-    ldap2replica_zone_keys_sync(ldapkeydb, localhsm)
-except (errors.NetworkError, errors.DatabaseError) as e:
-    # SERVER_DOWN, CONNECT_ERROR
-    logger.error("LDAP server is down: %s", e)
-    sys.exit(1)
-else:
-    sys.exit(0)
+localhsm = LocalHSM(paths.LIBSOFTHSM2_SO, SOFTHSM_DNSSEC_TOKEN_LABEL,
+        open(paths.DNSSEC_SOFTHSM_PIN).read())
+
+ldap2replica_master_keys_sync(ldapkeydb, localhsm)
+ldap2replica_zone_keys_sync(ldapkeydb, localhsm)
+
+sys.exit(0)

daemons/dnssec/ipa-dnskeysyncd.in

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+@PYTHONSHEBANG@
 #
 # Copyright (C) 2014  FreeIPA Contributors see COPYING for license
 #
@@ -97,7 +97,7 @@ while watcher_running:
     except ldap.INVALID_CREDENTIALS as e:
         logger.exception('Login to LDAP server failed: %s', e)
         sys.exit(1)
-    except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
+    except ldap.SERVER_DOWN as e:
         logger.exception('LDAP server is down, going to retry: %s', e)
         time.sleep(5)
         continue
@@ -116,5 +116,5 @@ while watcher_running:
         while ldap_connection.syncrepl_poll(all=1, msgid=ldap_search):
             pass
     except (ldap.SERVER_DOWN, ldap.CONNECT_ERROR) as e:
-        logger.error('syncrepl_poll: LDAP error (%s)', e)
+        logger.exception('syncrepl_poll: LDAP error (%s)', e)
         sys.exit(1)

daemons/dnssec/ipa-ods-exporter.in

@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+@PYTHONSHEBANG@
 #
 # Copyright (C) 2014  FreeIPA Contributors see COPYING for license
 #
@@ -22,6 +22,7 @@ import os
 import socket
 import select
 import sys
+import sqlite3
 import traceback
 
 import dateutil.tz
@@ -41,8 +42,6 @@ from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
 from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
 from ipaserver.dnssec.localhsm import LocalHSM
 
-from ipaserver.dnssec import opendnssec
-
 logger = logging.getLogger(os.path.basename(__file__))
 
 DAEMONNAME = 'ipa-ods-exporter'
@@ -234,19 +233,26 @@ def get_ldap_keys(ldap, zone_dn):
 
 def get_ods_keys(zone_name):
     # get zone ID
-    rows = db.get_zone_id(zone_name)
+    cur = db.execute("SELECT id FROM zones WHERE LOWER(name)=LOWER(?)",
+                     (zone_name,))
+    rows = cur.fetchall()
     if len(rows) != 1:
         raise ValueError("exactly one DNS zone should exist in ODS DB")
-    zone_id = rows[0]
+    zone_id = rows[0][0]
 
     # get relevant keys for given zone ID:
     # ignore keys which were generated but not used yet
     # key state check is using constants from
     # OpenDNSSEC's enforcer/ksm/include/ksm/ksm.h
     # WARNING! OpenDNSSEC version 1 and 2 are using different constants!
-    rows = db.get_keys_for_zone(zone_id)
+    cur = db.execute("SELECT kp.HSMkey_id, kp.generate, kp.algorithm, "
+                     "dnsk.publish, dnsk.active, dnsk.retire, dnsk.dead, "
+                     "dnsk.keytype, dnsk.state "
+                     "FROM keypairs AS kp "
+                     "JOIN dnsseckeys AS dnsk ON kp.id = dnsk.keypair_id "
+                     "WHERE dnsk.zone_id = ?", (zone_id,))
     keys = {}
-    for row in rows:
+    for row in cur:
         key_data = sql2ldap_flags(row['keytype'])
         if key_data.get('idnsSecKeyZONE') != 'TRUE':
             raise ValueError("unexpected key type 0x%x" % row['keytype'])
@@ -477,13 +483,11 @@ def receive_systemd_command():
         sys.exit(1)
 
     logger.debug('accepting new connection')
-    conn_tmp, _addr = sck.accept()
-    conn = opendnssec.ODSSignerConn(conn_tmp)
+    conn, _addr = sck.accept()
     logger.debug('accepted new connection %s', repr(conn))
 
     # this implements cmdhandler_handle_cmd() logic
-    cmd = conn.read_cmd()
-
+    cmd = conn.recv(ODS_SE_MAXLINE).strip()
     # ODS uses an ASCII protocol, the rest of the code expects str
     if six.PY3:
         cmd = cmd.decode('ascii')
@@ -544,7 +548,9 @@ def send_systemd_reply(conn, reply):
         # This is necessary to let Enforcer to unlock the ODS DB.
         if six.PY3:
             reply = reply.encode('ascii')
-        conn.send_reply_and_close(reply)
+        conn.send(reply + b'\n')
+        conn.shutdown(socket.SHUT_RDWR)
+        conn.close()
 
 def cmd2ods_zone_name(cmd):
     # ODS stores zone name without trailing period
@@ -560,11 +566,7 @@ def sync_zone(ldap, dns_dn, zone_name):
     Key material has to be synchronized elsewhere.
     Keep in mind that keys could be shared among multiple zones!"""
     logger.debug('%s: synchronizing zone "%s"', zone_name, zone_name)
-    try:
-        ods_keys = get_ods_keys(zone_name)
-    except ValueError as e:
-        logger.error(str(e))
-        return
+    ods_keys = get_ods_keys(zone_name)
     ods_keys_id = set(ods_keys.keys())
 
     ldap_zone = get_ldap_zone(ldap, dns_dn, zone_name)
@@ -722,14 +724,6 @@ except KeyError as e:
     cmd = sys.argv[1]
 
 exitcode, msg, zone_name, cmd = parse_command(cmd)
-if exitcode:
-    logger.debug("parse_command returned exitcode: %d", exitcode)
-if msg:
-    logger.debug("parse_command returned msg: %s", msg)
-if zone_name:
-    logger.debug("parse_command returned zone_name: %s", zone_name)
-if cmd:
-    logger.debug("parse_command returned cmd: %s", cmd)
 
 if exitcode is not None:
     if conn:
@@ -753,7 +747,9 @@ try:
     # Beware: Reply can be sent back only after DB is unlocked and closed
     #         otherwise ods-enforcerd will fail.
 
-    db = opendnssec.ODSDBConnection()
+    db = sqlite3.connect(paths.OPENDNSSEC_KASP_DB)
+    db.row_factory = sqlite3.Row
+    db.execute('BEGIN')
 
     if zone_name is not None:
         # only one zone should be processed
@@ -763,8 +759,8 @@ try:
             cleanup_ldap_zone(ldap, dns_dn, zone_name)
     else:
         # process all zones
-        for zone_name in db.get_zones():
-            sync_zone(ldap, dns_dn, zone_name)
+        for zone_row in db.execute("SELECT name FROM zones"):
+            sync_zone(ldap, dns_dn, zone_row['name'])
 
     ### DNSSEC master: DNSSEC key material purging
     # references to old key material were removed above in sync_zone()

daemons/dnssec/ipa-ods-exporter.service.in

@@ -7,7 +7,6 @@ After=ipa-ods-exporter.socket
 EnvironmentFile=@sysconfenvdir@/ipa-ods-exporter
 ExecStart=@libexecdir@/ipa/ipa-ods-exporter
 User=@ODS_USER@
-Group=@ODS_GROUP@
 PrivateTmp=yes
 Restart=on-failure
 RestartSec=60s

daemons/dnssec/ipa-ods-exporter.socket.in

@@ -1,7 +1,5 @@
 [Socket]
-ListenStream=@runstatedir@/opendnssec/engine.sock
-SocketUser=@ODS_USER@
-SocketGroup=@ODS_GROUP@
+ListenStream=@localstatedir@/run/opendnssec/engine.sock
 
 [Install]
 WantedBy=sockets.target