Import Upstream version 4.12.4

ipaserver/dnssec/_ods21.py

@@ -2,8 +2,8 @@
 # Copyright (C) 2020  FreeIPA Contributors see COPYING for license
 #
 
-from datetime import datetime
 import os
+import dateutil.tz
 
 from ipaserver.dnssec._odsbase import AbstractODSDBConnection
 from ipaserver.dnssec._odsbase import AbstractODSSignerConn
@@ -32,22 +32,28 @@ class ODSDBConnection(AbstractODSDBConnection):
     def get_keys_for_zone(self, zone_id):
         cur = self._db.execute(
             "SELECT hsmk.locator, hsmk.inception, hsmk.algorithm, "
-            "hsmk.keyType, hsmk.state "
+            "hsmk.role, hsmk.state "
             "FROM hsmKey AS hsmk "
             "JOIN keyData AS kd ON hsmk.id = kd.hsmKeyId "
             "WHERE kd.zoneId = ?", (zone_id,))
         for row in cur:
             key = dict()
             key['HSMkey_id'] = row['locator']
-            key['generate'] = str(datetime.fromtimestamp(row['inception']))
+            # The date is stored in UTC format but OpenDNSSEC 1.4 was
+            # returning a local tz format
+            tz = dateutil.tz.tzlocal()
+            key['generate'] = ipautil.datetime_from_utctimestamp(
+                row['inception'],
+                units=1).astimezone(tz).replace(tzinfo=None).isoformat(
+                    sep=' ', timespec='seconds')
             key['algorithm'] = row['algorithm']
             key['publish'] = key['generate']
             key['active'] = None
             key['retire'] = None
             key['dead'] = None
-            if row['keyType'] == 2:
+            if row['role'] == 2:
                 key['keytype'] = 256
-            elif row['keyType'] == 1:
+            elif row['role'] == 1:
                 key['keytype'] = 257
             key['state'] = row['state']
             yield key

ipaserver/dnssec/bindmgr.py

@@ -16,11 +16,14 @@ import stat
 import six
 
 import ipalib.constants
+
 from ipapython.dn import DN
 from ipapython import ipautil
+from ipaplatform.constants import constants as platformconstants
 from ipaplatform.paths import paths
 
 from ipaserver.dnssec.temp import TemporaryDirectory
+from ipaserver.install import installutils
 
 logger = logging.getLogger(__name__)
 
@@ -124,6 +127,7 @@ class BINDMgr:
         )
         cmd = [
             paths.DNSSEC_KEYFROMLABEL,
+            '-E', 'pkcs11',
             '-K', workdir,
             '-a', attrs['idnsSecAlgorithm'][0],
             '-l', uri
@@ -133,8 +137,11 @@ class BINDMgr:
             cmd.extend(['-f', 'KSK'])
         if attrs.get('idnsSecKeyRevoke', [b'FALSE'])[0].upper() == b'TRUE':
             cmd.extend(['-R', datetime.now().strftime(time_bindfmt)])
+        if platformconstants.NAMED_OPENSSL_ENGINE is not None:
+            cmd.extend(['-E', platformconstants.NAMED_OPENSSL_ENGINE])
         cmd.append(zone.to_text())
 
+        installutils.check_entropy()
         # keys has to be readable by ODS & named
         result = ipautil.run(cmd, capture_output=True)
         basename = result.output.strip()
@@ -176,10 +183,9 @@ class BINDMgr:
         zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
                 self.get_zone_dir_name(zone))
         try:
-            os.makedirs(zone_path)
-        except OSError as e:
-            if e.errno != errno.EEXIST:
-                raise e
+            os.mkdir(zone_path, 0o770)
+        except FileExistsError:
+            pass
 
         # fix HSM permissions
         # TODO: move out

ipaserver/dnssec/keysyncer.py

@@ -76,46 +76,46 @@ class KeySyncer(SyncReplConsumer):
             return False
         return vals[0].startswith(b'dnssec-replica:')
 
-    def application_add(self, uuid, dn, newattrs):
-        objclass = self._get_objclass(newattrs)
+    def application_add(self, uuid, dn, attributes):
+        objclass = self._get_objclass(attributes)
         if objclass == b'idnszone':
-            self.zone_add(uuid, dn, newattrs)
+            self.zone_add(uuid, dn, attributes)
         elif objclass == b'idnsseckey':
-            self.key_meta_add(uuid, dn, newattrs)
+            self.key_meta_add(uuid, dn, attributes)
         elif objclass == b'ipk11publickey' and \
-                self.__is_replica_pubkey(newattrs):
+                self.__is_replica_pubkey(attributes):
             self.hsm_master_sync()
 
-    def application_del(self, uuid, dn, oldattrs):
-        objclass = self._get_objclass(oldattrs)
+    def application_del(self, uuid, dn, previous_attributes):
+        objclass = self._get_objclass(previous_attributes)
         if objclass == b'idnszone':
-            self.zone_del(uuid, dn, oldattrs)
+            self.zone_del(uuid, dn, previous_attributes)
         elif objclass == b'idnsseckey':
-            self.key_meta_del(uuid, dn, oldattrs)
+            self.key_meta_del(uuid, dn, previous_attributes)
         elif objclass == b'ipk11publickey' and \
-                self.__is_replica_pubkey(oldattrs):
+                self.__is_replica_pubkey(previous_attributes):
             self.hsm_master_sync()
 
-    def application_sync(self, uuid, dn, newattrs, oldattrs):
-        objclass = self._get_objclass(oldattrs)
+    def application_sync(self, uuid, dn, attributes, previous_attributes):
+        objclass = self._get_objclass(previous_attributes)
         if objclass == b'idnszone':
-            olddn = ldap.dn.str2dn(oldattrs['dn'])
-            newdn = ldap.dn.str2dn(newattrs['dn'])
+            olddn = ldap.dn.str2dn(previous_attributes['dn'])
+            newdn = ldap.dn.str2dn(attributes['dn'])
             assert olddn == newdn, 'modrdn operation is not supported'
 
-            oldval = self.__get_signing_attr(oldattrs)
-            newval = self.__get_signing_attr(newattrs)
+            oldval = self.__get_signing_attr(previous_attributes)
+            newval = self.__get_signing_attr(attributes)
             if oldval != newval:
-                if self.__is_dnssec_enabled(newattrs):
-                    self.zone_add(uuid, olddn, newattrs)
+                if self.__is_dnssec_enabled(attributes):
+                    self.zone_add(uuid, olddn, attributes)
                 else:
-                    self.zone_del(uuid, olddn, oldattrs)
+                    self.zone_del(uuid, olddn, previous_attributes)
 
         elif objclass == b'idnsseckey':
-            self.key_metadata_sync(uuid, dn, oldattrs, newattrs)
+            self.key_metadata_sync(uuid, dn, previous_attributes, attributes)
 
         elif objclass == b'ipk11publickey' and \
-                self.__is_replica_pubkey(newattrs):
+                self.__is_replica_pubkey(attributes):
             self.hsm_master_sync()
 
     def syncrepl_refreshdone(self):

ipaserver/dnssec/ldapkeydb.py

@@ -5,11 +5,10 @@
 from __future__ import print_function, absolute_import
 
 from binascii import hexlify
+from collections.abc import MutableMapping
 import logging
 from pprint import pprint
 
-import six
-
 import ipalib
 from ipaplatform.paths import paths
 from ipapython.dn import DN
@@ -24,13 +23,6 @@ from ipaserver.dnssec.abshsm import (
 from ipaserver import p11helper as _ipap11helper
 import uuid
 
-# pylint: disable=no-name-in-module, import-error
-if six.PY3:
-    from collections.abc import MutableMapping
-else:
-    from collections import MutableMapping
-# pylint: enable=no-name-in-module, import-error
-
 logger = logging.getLogger(__name__)
 
 
@@ -40,7 +32,6 @@ def uri_escape(val):
         raise ValueError("zero-length URI component detected")
     hexval = str_hexlify(val)
     out = '%'
-    # pylint: disable=E1127
     out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
     return out
 
@@ -188,8 +179,8 @@ class Key(MutableMapping):
         """remove default values from LDAP entry"""
         default_attrs = get_default_attrs(self.entry['objectclass'])
         empty = object()
-        for attr in default_attrs:
-            if self.get(attr, empty) == default_attrs[attr]:
+        for attr, attr_val in default_attrs.items():
+            if self.get(attr, empty) == attr_val:
                 del self[attr]
 
     def _update_key(self):
@@ -307,8 +298,8 @@ class LdapKeyDB(AbstractHSM):
             # add default values not present in LDAP
             key = key_type(o, self.ldap, self)
             default_attrs = get_default_attrs(key.entry['objectclass'])
-            for attr in default_attrs:
-                key.setdefault(attr, default_attrs[attr])
+            for attr, attr_val in default_attrs.items():
+                key.setdefault(attr, attr_val)
 
             if 'ipk11id' not in key:
                 raise ValueError(

ipaserver/dnssec/localhsm.py

@@ -4,11 +4,10 @@
 
 from __future__ import print_function, absolute_import
 
+from collections.abc import MutableMapping
 import os
 from pprint import pprint
 
-import six
-
 from ipalib.constants import SOFTHSM_DNSSEC_TOKEN_LABEL
 from ipaplatform.paths import paths
 from ipaserver import p11helper as _ipap11helper
@@ -17,13 +16,6 @@ from ipaserver.dnssec.abshsm import (attrs_name2id, attrs_id2name, AbstractHSM,
                                      ldap2p11helper_api_params)
 from ipaserver.dnssec.ldapkeydb import str_hexlify
 
-# pylint: disable=no-name-in-module, import-error
-if six.PY3:
-    from collections.abc import MutableMapping
-else:
-    from collections import MutableMapping
-# pylint: enable=no-name-in-module, import-error
-
 
 private_key_api_params = set(["label", "id", "data", "unwrapping_key",
     "wrapping_mech", "key_type", "cka_always_authenticate", "cka_copyable",

ipaserver/dnssec/syncrepl.py

@@ -48,8 +48,8 @@ class SyncReplConsumer(ReconnectLDAPObject, SyncreplConsumer):
         logger.debug('New cookie is: %s', cookie)
         self.__data['cookie'] = cookie
 
-    def syncrepl_entry(self, dn, attributes, uuid):
-        attributes = cidict(attributes)
+    def syncrepl_entry(self, dn, attrs, uuid):
+        attributes = cidict(attrs)
         # First we determine the type of change we have here
         # (and store away the previous data for later if needed)
         previous_attributes = cidict()