Re: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements

2015-06-29 Thread Tomas Babej
On 06/29/2015 01:36 PM, Tomas Babej wrote:
 
 
 On 06/29/2015 01:14 PM, Martin Basti wrote:
 On 26/06/15 18:55, Petr Spacek wrote:
 Hello,

 Attached patches implement a portion of improvements for ticket
 https://fedorahosted.org/freeipa/ticket/4657

 It came to my mind that it will be better to review them at once - the
 previous threads with my patches 40 and 41 can be abandoned.

 I'm sorry for the mess.



 ACK

 -- 
 Martin Basti



 
 Martin told me offline there is some potential issue with the patch, so
 it should not be pushed as of now.
 

Pushed to:
ipa-4-1: a9831406bf0d205ac431aadc32b7ef03f74a2bfc
master: f9cbdd4915d13cd6e20fe7631d3c95c1352860f9

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements

2015-06-29 Thread Martin Basti

On 26/06/15 18:55, Petr Spacek wrote:

Hello,

Attached patches implement a portion of improvements for ticket
https://fedorahosted.org/freeipa/ticket/4657

It came to my mind that it will be better to review them at once - the
previous threads with my patches 40 and 41 can be abandoned.

I'm sorry for the mess.




ACK

--
Martin Basti


Re: [Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements

2015-06-29 Thread Tomas Babej


On 06/29/2015 01:14 PM, Martin Basti wrote:
 On 26/06/15 18:55, Petr Spacek wrote:
 Hello,

 Attached patches implement a portion of improvements for ticket
 https://fedorahosted.org/freeipa/ticket/4657

 It came to my mind that it will be better to review them at once - the
 previous threads with my patches 40 and 41 can be abandoned.

 I'm sorry for the mess.



 ACK
 
 -- 
 Martin Basti
 
 
 

Martin told me offline there is some potential issue with the patch, so
it should not be pushed as of now.



[Freeipa-devel] [PATCH 0040-0045] DNSSEC improvements

2015-06-26 Thread Petr Spacek
Hello,

Attached patches implement a portion of improvements for ticket
https://fedorahosted.org/freeipa/ticket/4657

It came to my mind that it will be better to review them at once - the
previous threads with my patches 40 and 41 can be abandoned.

I'm sorry for the mess.

-- 
Petr^2 Spacek
From 999017d75f3044bd9abf6d8c2a4a70cede77886f Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 26 Jun 2015 16:04:00 +0200
Subject: [PATCH] DNSSEC: Detect invalid master keys in LDAP.

This should never happen ...

https://fedorahosted.org/freeipa/ticket/4657
---
 daemons/dnssec/ipa-dnskeysync-replica | 1 +
 1 file changed, 1 insertion(+)

diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index c2c4c2725a9c46db4db04894a326ddf40e254eab..551c2f21d5b85b76a7281f719ce722a6c5830cf7 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -74,6 +74,7 @@ def ldap2replica_master_keys_sync(log, ldapkeydb, localhsm):
 log.debug(new master keys in LDAP HSM: %s, hex_set(new_keys))
 for mkey_id in new_keys:
 mkey_ldap = ldapkeydb.master_keys[mkey_id]
+assert mkey_ldap.wrapped_entries, Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute % hexlify(mkey_id)
 for wrapped_ldap in mkey_ldap.wrapped_entries:
 unwrapping_key = find_unwrapping_key(log, localhsm,
 wrapped_ldap.single_value['ipaWrappingKey'])
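Review bot: the new check `+assert mkey_ldap.wrapped_entries, Master key 0x%s in LDAP is missing key material ...` validates data read from LDAP with `assert`, which is compiled out under `python -O` and, when it does fire, ends the sync with an AssertionError traceback instead of a logged error and a deliberate exit. Raise an explicit exception (e.g. `raise ValueError('Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute' % hexlify(mkey_id))`) or log the problem and skip that key, so the behaviour of `ldap2replica_master_keys_sync` on a corrupt master key entry is intentional rather than dependent on the interpreter flags. The added line is also far beyond 79 columns; split the message string.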
-- 
2.1.0

From c927f884eaed11506587c6dbb82ccd7e07896987 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 26 Jun 2015 17:39:47 +0200
Subject: [PATCH] DNSSEC: Accept ipa-ods-exporter commands from command line.

Previously only systemd socket activation was supported.
Ability to call the command directly is handy in special cases,
e.g. for debugging or moving key master role from one server to another.

https://fedorahosted.org/freeipa/ticket/4657
---
 daemons/dnssec/ipa-ods-exporter | 88 ++---
 1 file changed, 56 insertions(+), 32 deletions(-)

diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 913b418af2806e2660a7db221e06394b501bbb18..c6de5acbd9966a0cf5bb6a0c35c54c79aec91604 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -9,6 +9,9 @@ This program uses the same socket and protocol as original signerd and should
 be activated via systemd socket activation using ods-signer command line
 utility.
 
+Alternativelly, it can be called directly and a command can be supplied as
+first command line argument.
+
 Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP.
 
 
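Review bot: typo in the added docstring line `+Alternativelly, it can be called directly and a command can be supplied as`: it should read `Alternatively`, and the next line reads better as `the first command line argument`.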
@@ -334,7 +337,7 @@ def hex_set(s):
 out.add(0x%s % hexlify(i))
 return out
 
-def receive_zone_name(log):
+def receive_systemd_command(log):
 fds = systemd.daemon.listen_fds()
 if len(fds) != 1:
 raise KeyError('Exactly one socket is expected.')
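Review bot: the rename to `receive_systemd_command` is fine, but now that a non-systemd entry point exists the unchanged `raise KeyError('Exactly one socket is expected.')` under `fds = systemd.daemon.listen_fds()` is the wrong exception type for a socket-count mismatch; a `RuntimeError` (or a dedicated error) would give a caller that reaches the socket path without socket activation a clearer failure than a KeyError that looks like a dictionary lookup.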
@@ -345,52 +348,60 @@ def receive_zone_name(log):
 log.debug('accepted new connection %s', repr(conn))
 
 # this implements cmdhandler_handle_cmd() logic
-cmd = conn.recv(ODS_SE_MAXLINE)
-cmd = cmd.strip()
+cmd = conn.recv(ODS_SE_MAXLINE).strip()
+log.debug('received command %s from systemd socket', cmd)
+return (cmd, conn)
 
-try:
-if cmd == 'ipa-hsm-update':
-msg = 'HSM synchronization finished, exiting.'
-conn.send('%s\n' % msg)
-log.info(msg)
-sys.exit(0)
+def parse_command(cmd):
+Parse command to (exit code, message, zone_name) tuple.
 
-elif not cmd.startswith('update '):
-conn.send('Command %s is not supported by IPA; ' \
-  'HSM synchronization was finished and the command ' \
-  'will be ignored.\n' % cmd)
-log.info('Ignoring unsupported command %s.', cmd)
-sys.exit(0)
+Exit code None means that execution should continue.
+
+if cmd == 'ipa-hsm-update':
+return (0,
+'HSM synchronization finished, exiting.',
+None)
 
-else:
-zone_name = cmd2ods_zone_name(cmd)
-conn.send('Update request for zone %s queued.\n' % zone_name)
-log.info('Processing command: %s', cmd)
+elif not cmd.startswith('update '):
+return (0,
+'Command %s is not supported by IPA; '
+'HSM synchronization was finished and the command '
+'will be ignored.\n' % cmd,
+None)
 
-finally:
+else:
+zone_name = cmd2ods_zone_name(cmd)
+return (None,
+'Update request for zone %s queued.\n' % zone_name,
+zone_name)
+
+def send_systemd_reply(conn, reply):
 # Reply  close connection early.
 # This is necessary to let Enforcer to unlock the ODS DB.
+conn.send(reply + '\n')
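Review bot: the reply strings returned by `parse_command` are inconsistent about trailing newlines while `send_systemd_reply` appends one unconditionally: `+'HSM synchronization finished, exiting.',` has no `\n`, but `+'will be ignored.\n' % cmd,` and `+'Update request for zone %s queued.\n' % zone_name,` already end in one, so after `+conn.send(reply + '\n')` those two replies go out with an extra blank line that the previous inline `conn.send` calls did not produce. Drop the `\n` from the two messages (or stop appending it in `send_systemd_reply`) so every reply is framed the same way.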