Import Upstream version 4.12.4

daemons/dnssec/Makefile.in

@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.16.2 from Makefile.am.
+# Makefile.in generated by automake 1.17 from Makefile.am.
 # @configure_input@
 
-# Copyright (C) 1994-2020 Free Software Foundation, Inc.
+# Copyright (C) 1994-2024 Free Software Foundation, Inc.
 
 # This Makefile.in is free software; the Free Software Foundation
 # gives unlimited permission to copy and/or distribute it,
@@ -71,6 +71,8 @@ am__make_running_with_option = \
   test $$has_opt = yes
 am__make_dryrun = (target_option=n; $(am__make_running_with_option))
 am__make_keepgoing = (target_option=k; $(am__make_running_with_option))
+am__rm_f = rm -f $(am__rm_f_notfound)
+am__rm_rf = rm -rf $(am__rm_f_notfound)
 pkgdatadir = $(datadir)/@PACKAGE@
 pkgincludedir = $(includedir)/@PACKAGE@
 pkglibdir = $(libdir)/@PACKAGE@
@@ -130,10 +132,9 @@ am__base_list = \
   sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
   sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
 am__uninstall_files_from_dir = { \
-  test -z "$$files" \
-    || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
-    || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
-         $(am__cd) "$$dir" && rm -f $$files; }; \
+  { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \
+  || { echo " ( cd '$$dir' && rm -f" $$files ")"; \
+       $(am__cd) "$$dir" && echo $$files | $(am__xargs_n) 40 $(am__rm_f); }; \
   }
 am__installdirs = "$(DESTDIR)$(appdir)" \
 	"$(DESTDIR)$(systemdsystemunitdir)"
@@ -181,6 +182,8 @@ CPP = @CPP@
 CPPFLAGS = @CPPFLAGS@
 CRYPTO_CFLAGS = @CRYPTO_CFLAGS@
 CRYPTO_LIBS = @CRYPTO_LIBS@
+CSCOPE = @CSCOPE@
+CTAGS = @CTAGS@
 CYGPATH_W = @CYGPATH_W@
 DATA_VERSION = @DATA_VERSION@
 DEFS = @DEFS@
@@ -194,8 +197,10 @@ ECHO_C = @ECHO_C@
 ECHO_N = @ECHO_N@
 ECHO_T = @ECHO_T@
 EGREP = @EGREP@
+ETAGS = @ETAGS@
 EXEEXT = @EXEEXT@
 FGREP = @FGREP@
+FILECMD = @FILECMD@
 GETTEXT_DOMAIN = @GETTEXT_DOMAIN@
 GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
 GIT_BRANCH = @GIT_BRANCH@
@@ -203,6 +208,7 @@ GIT_VERSION = @GIT_VERSION@
 GMSGFMT = @GMSGFMT@
 GMSGFMT_015 = @GMSGFMT_015@
 GREP = @GREP@
+HTTPD_GROUP = @HTTPD_GROUP@
 INI_CFLAGS = @INI_CFLAGS@
 INI_LIBS = @INI_LIBS@
 INSTALL = @INSTALL@
@@ -215,9 +221,12 @@ INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@
 IPAPLATFORM = @IPAPLATFORM@
 IPA_DATA_DIR = @IPA_DATA_DIR@
 IPA_SYSCONF_DIR = @IPA_SYSCONF_DIR@
+JANSSON_CFLAGS = @JANSSON_CFLAGS@
+JANSSON_LIBS = @JANSSON_LIBS@
 JSLINT = @JSLINT@
 KRAD_LIBS = @KRAD_LIBS@
 KRB5KDC_SERVICE = @KRB5KDC_SERVICE@
+KRB5_BUILD_VERSION = @KRB5_BUILD_VERSION@
 KRB5_CFLAGS = @KRB5_CFLAGS@
 KRB5_GSSAPI_CFLAGS = @KRB5_GSSAPI_CFLAGS@
 KRB5_GSSAPI_LIBS = @KRB5_GSSAPI_LIBS@
@@ -226,6 +235,8 @@ LD = @LD@
 LDAP_CFLAGS = @LDAP_CFLAGS@
 LDAP_LIBS = @LDAP_LIBS@
 LDFLAGS = @LDFLAGS@
+LIBCURL_CFLAGS = @LIBCURL_CFLAGS@
+LIBCURL_LIBS = @LIBCURL_LIBS@
 LIBICONV = @LIBICONV@
 LIBINTL = @LIBINTL@
 LIBINTL_LIBS = @LIBINTL_LIBS@
@@ -285,6 +296,8 @@ PLATFORM_PYTHON = @PLATFORM_PYTHON@
 POPT_CFLAGS = @POPT_CFLAGS@
 POPT_LIBS = @POPT_LIBS@
 POSUB = @POSUB@
+PWQUALITY_CFLAGS = @PWQUALITY_CFLAGS@
+PWQUALITY_LIBS = @PWQUALITY_LIBS@
 PYLINT = @PYLINT@
 PYTHON = @PYTHON@
 PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@
@@ -293,9 +306,12 @@ PYTHON_PLATFORM = @PYTHON_PLATFORM@
 PYTHON_PREFIX = @PYTHON_PREFIX@
 PYTHON_VERSION = @PYTHON_VERSION@
 RANLIB = @RANLIB@
+RESOLV_LIBS = @RESOLV_LIBS@
+RPMLINT = @RPMLINT@
 SAMBA40EXTRA_LIBPATH = @SAMBA40EXTRA_LIBPATH@
 SAMBAUTIL_CFLAGS = @SAMBAUTIL_CFLAGS@
 SAMBAUTIL_LIBS = @SAMBAUTIL_LIBS@
+SAMBA_SECURITY_LIBS = @SAMBA_SECURITY_LIBS@
 SASL_CFLAGS = @SASL_CFLAGS@
 SASL_LIBS = @SASL_LIBS@
 SED = @SED@
@@ -334,8 +350,10 @@ ac_ct_DUMPBIN = @ac_ct_DUMPBIN@
 am__include = @am__include@
 am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
+am__rm_f_notfound = @am__rm_f_notfound@
 am__tar = @am__tar@
 am__untar = @am__untar@
+am__xargs_n = @am__xargs_n@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -381,6 +399,7 @@ sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
 sysconfdir = @sysconfdir@
 sysconfenvdir = @sysconfenvdir@
+systemdcatalogdir = @systemdcatalogdir@
 systemdsystemunitdir = @systemdsystemunitdir@
 systemdtmpfilesdir = @systemdtmpfilesdir@
 target_alias = @target_alias@
@@ -517,7 +536,6 @@ ctags CTAGS:
 
 cscope cscopelist:
 
-
 distdir: $(BUILT_SOURCES)
 	$(MAKE) $(AM_MAKEFLAGS) distdir-am
 
@@ -580,11 +598,11 @@ install-strip:
 mostlyclean-generic:
 
 clean-generic:
-	-test -z "$(CLEANFILES)" || rm -f $(CLEANFILES)
+	-$(am__rm_f) $(CLEANFILES)
 
 distclean-generic:
-	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
-	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
+	-$(am__rm_f) $(CONFIG_CLEAN_FILES)
+	-test . = "$(srcdir)" || $(am__rm_f) $(CONFIG_CLEAN_VPATH_FILES)
 
 maintainer-clean-generic:
 	@echo "This command is intended for maintainers to use"
@@ -702,3 +720,10 @@ python_scripts_sub: $(PYTHON_SHEBANG)
 # Tell versions [3.59,3.63) of GNU make to not export all variables.
 # Otherwise a system limit (for SysV at least) may be exceeded.
 .NOEXPORT:
+
+# Tell GNU make to disable its built-in pattern rules.
+%:: %,v
+%:: RCS/%,v
+%:: RCS/%
+%:: s.%
+%:: SCCS/s.%

daemons/dnssec/ipa-dnskeysync-replica.in

@@ -19,6 +19,7 @@ from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import standard_logging_setup
+from ipapython.ipautil import get_config_debug
 from ipapython import ipaldap
 from ipaplatform.paths import paths
 from ipaserver.dnssec.abshsm import (sync_pkcs11_metadata,
@@ -145,7 +146,11 @@ def ldap2replica_zone_keys_sync(ldapkeydb, localhsm):
 
 
 # IPA framework initialization
-standard_logging_setup(verbose=True, debug=True)
+debug = get_config_debug('dns')
+standard_logging_setup(debug=debug, verbose=True)
+if not debug:
+    logger.info("To increase debugging set debug=True in dns.conf "
+                "See default.conf(5) for details")
 ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
 ipalib.api.finalize()
 

daemons/dnssec/ipa-dnskeysyncd.in

@@ -16,19 +16,33 @@ from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import standard_logging_setup
 from ipapython import ipaldap
+from ipapython.ipautil import get_config_debug
 from ipaplatform.paths import paths
 from ipaserver.dnssec.keysyncer import KeySyncer
 
 logger = logging.getLogger(os.path.basename(__file__))
 
 
+def fixup_dnssec_utils(self):
+   try:
+       os.stat(self.DNSSEC_KEYFROMLABEL)
+   except FileNotFoundError:
+       try:
+           os.stat(self.DNSSEC_KEYFROMLABEL_9_17)
+       except FileNotFoundError:
+           pass
+       else:
+           self.DNSSEC_KEYFROMLABEL = self.DNSSEC_KEYFROMLABEL_9_17
+
+fixup_dnssec_utils(paths)
 # IPA framework initialization
-standard_logging_setup(verbose=True)
+debug = get_config_debug('dns')
+standard_logging_setup(debug=debug, verbose=True)
+if not debug:
+    logger.info("To increase debugging set debug=True in dns.conf "
+                "See default.conf(5) for details")
 api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
 api.finalize()
-if api.env.debug:
-    root_logger = logging.getLogger()
-    root_logger.setLevel(logging.DEBUG)
 
 # Global state
 watcher_running = True
@@ -43,7 +57,7 @@ KEYTAB_FB = paths.IPA_DNSKEYSYNCD_KEYTAB
 def commenceShutdown(signum, stack):
     # Declare the needed global variables
     global watcher_running
-    global ldap_connection  # pylint: disable=global-variable-not-assigned
+    global ldap_connection
 
     logger.info('Signal %s received: Shutting down!', signum)
 

daemons/dnssec/ipa-dnskeysyncd.service.in

@@ -2,6 +2,7 @@
 Description=IPA key daemon
 
 [Service]
+Environment=LC_ALL=C.UTF-8
 EnvironmentFile=@sysconfenvdir@/ipa-dnskeysyncd
 ExecStart=@libexecdir@/ipa/ipa-dnskeysyncd
 User=@ODS_USER@

daemons/dnssec/ipa-ods-exporter.in

@@ -29,14 +29,16 @@ import dns.dnssec
 from gssapi.exceptions import GSSError
 import six
 import systemd.daemon
-import systemd.journal
 
 import ipalib
 from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipalib.install.kinit import kinit_keytab
 from ipapython.dn import DN
+from ipapython.ipa_log_manager import standard_logging_setup
 from ipapython import ipaldap
+from ipapython.ipautil import get_config_debug
 from ipaplatform.paths import paths
+from ipaserver import p11helper
 from ipaserver.dnssec.abshsm import sync_pkcs11_metadata, wrappingmech_name2id
 from ipaserver.dnssec.ldapkeydb import LdapKeyDB, str_hexlify
 from ipaserver.dnssec.localhsm import LocalHSM
@@ -301,7 +303,19 @@ def ldap2master_replica_keys_sync(ldapkeydb, localhsm):
                      new_key_ldap['ipk11label'],
                      str_hexlify(new_key_ldap['ipk11id']),
                      str_hexlify(new_key_ldap['ipapublickey']))
-        localhsm.import_public_key(new_key_ldap, new_key_ldap['ipapublickey'])
+        try:
+            localhsm.import_public_key(
+                new_key_ldap, new_key_ldap['ipapublickey'])
+        except p11helper.DuplicationError:
+            # we may have been called in the middle of operations
+            # disabling dnssec on the current node, while the
+            # replica key has already been disabled in localhsm but
+            # not yet in LDAP.
+            # Ignore the import error (key is already in localhsm but disabled)
+            # and log a warning
+            logger.warning("import of replica key to localhsm %s failed, "
+                           "key already present but disabled",
+                           str_hexlify(new_key_ldap['ipk11id']))
 
     # set CKA_WRAP = FALSE for all replica keys removed from LDAP
     removed_replica_keys = set(localhsm.replica_pubkeys_wrap.keys()) \
@@ -375,7 +389,18 @@ def master2ldap_master_keys_sync(ldapkeydb, localhsm):
                      str_hexlify(mkey_id), hex_set(new_replica_keys))
 
         # wrap master key with new replica keys
-        mkey_local = localhsm.find_keys(id=mkey_id).popitem()[1]
+        try:
+            mkey_local = localhsm.find_keys(id=mkey_id).popitem()[1]
+        except KeyError:
+            # The master key is present in LDAP but could not be found
+            # in the local HSM. Let's hope it's not the active key,
+            # log an error and process the next master key
+            logger.error("master key 0x%s missing in local HSM, "
+                "will not be able to add master key wrapped with "
+                "replica keys",
+                str_hexlify(mkey_id))
+            continue
+
         for replica_key_id in new_replica_keys:
             logger.info('adding master key 0x%s wrapped with replica key 0x%s',
                         str_hexlify(mkey_id), str_hexlify(replica_key_id))
@@ -650,20 +675,12 @@ def cleanup_ldap_zone(ldap, dns_dn, zone_name):
         ldap.delete_entry(ldap_key)
 
 
-# this service is usually socket-activated
-root_logger = logging.getLogger()
-root_logger.addHandler(systemd.journal.JournalHandler())
-root_logger.setLevel(level=logging.DEBUG)
-
-if len(sys.argv) > 2:
-    print(__doc__)
-    sys.exit(1)
-# program was likely invoked from console, log to it
-elif len(sys.argv) == 2:
-    console = logging.StreamHandler()
-    root_logger.addHandler(console)
-
 # IPA framework initialization
+debug = get_config_debug('dns')
+standard_logging_setup(debug=debug, verbose=True)
+if not debug:
+    logger.info("To increase debugging set debug=True in dns.conf "
+                "See default.conf(5) for details")
 ipalib.api.bootstrap(context='dns', confdir=paths.ETC_IPA, in_server=True)
 ipalib.api.finalize()
 

daemons/dnssec/ipa-ods-exporter.service.in

@@ -4,6 +4,7 @@ Wants=ipa-ods-exporter.socket
 After=ipa-ods-exporter.socket
 
 [Service]
+Environment=LC_ALL=C.UTF-8
 EnvironmentFile=@sysconfenvdir@/ipa-ods-exporter
 ExecStart=@libexecdir@/ipa/ipa-ods-exporter
 User=@ODS_USER@