Hello,
attached patches implement a portion of improvements for ticket
https://fedorahosted.org/freeipa/ticket/4657
It occurred to me that it would be better to review them at once - the
previous threads with my patches 40 and 41 can be abandoned.
I'm sorry for the mess.
--
Petr^2 Spacek
From 999017d75f3044bd9abf6d8c2a4a70cede77886f Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 26 Jun 2015 16:04:00 +0200
Subject: [PATCH] DNSSEC: Detect invalid master keys in LDAP.
This should never happen ...
https://fedorahosted.org/freeipa/ticket/4657
---
daemons/dnssec/ipa-dnskeysync-replica | 1 +
1 file changed, 1 insertion(+)
diff --git a/daemons/dnssec/ipa-dnskeysync-replica b/daemons/dnssec/ipa-dnskeysync-replica
index c2c4c2725a9c46db4db04894a326ddf40e254eab..551c2f21d5b85b76a7281f719ce722a6c5830cf7 100755
--- a/daemons/dnssec/ipa-dnskeysync-replica
+++ b/daemons/dnssec/ipa-dnskeysync-replica
@@ -74,6 +74,7 @@ def ldap2replica_master_keys_sync(log, ldapkeydb, localhsm):
log.debug(new master keys in LDAP HSM: %s, hex_set(new_keys))
for mkey_id in new_keys:
mkey_ldap = ldapkeydb.master_keys[mkey_id]
+assert mkey_ldap.wrapped_entries, Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute % hexlify(mkey_id)
for wrapped_ldap in mkey_ldap.wrapped_entries:
unwrapping_key = find_unwrapping_key(log, localhsm,
wrapped_ldap.single_value['ipaWrappingKey'])
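Review bot: The added check uses `assert` to validate key material read from LDAP, so under `python -O` (or `PYTHONOPTIMIZE`) it is compiled out and a master key with no wrapped entries would silently fall through the `for wrapped_ldap` loop without any error. Since this guards data coming from the directory rather than an internal invariant, raise explicitly instead: `if not mkey_ldap.wrapped_entries: raise ValueError('Master key 0x%s in LDAP is missing key material referenced by ipaSecretKeyRefObject attribute' % hexlify(mkey_id))`. Logging the key id via `log.error` before raising would also make the failure easier to spot in the journal. ldap2replica_master_keys_sync starts before the hunk and continues after it.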
--
2.1.0
From c927f884eaed11506587c6dbb82ccd7e07896987 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Fri, 26 Jun 2015 17:39:47 +0200
Subject: [PATCH] DNSSEC: Accept ipa-ods-exporter commands from command line.
Previously only systemd socket activation was supported.
The ability to call the command directly is handy in special cases,
e.g. for debugging or for moving the key master role from one server to another.
https://fedorahosted.org/freeipa/ticket/4657
---
daemons/dnssec/ipa-ods-exporter | 88 ++---
1 file changed, 56 insertions(+), 32 deletions(-)
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 913b418af2806e2660a7db221e06394b501bbb18..c6de5acbd9966a0cf5bb6a0c35c54c79aec91604 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -9,6 +9,9 @@ This program uses the same socket and protocol as original signerd and should
be activated via systemd socket activation using ods-signer command line
utility.
+Alternativelly, it can be called directly and a command can be supplied as
+first command line argument.
+
Purpose of this replacement is to upload keys generated by OpenDNSSEC to LDAP.
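Review bot: The added docstring line misspells `Alternativelly`; suggest `Alternatively, it can be called directly with the command supplied as the first command-line argument.` It would also help readers to state here that in this mode there is no systemd socket to reply on, if that is indeed how the direct-call path behaves (the rest of the module is outside this hunk). The module docstring starts before the hunk.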
@@ -334,7 +337,7 @@ def hex_set(s):
out.add(0x%s % hexlify(i))
return out
-def receive_zone_name(log):
+def receive_systemd_command(log):
fds = systemd.daemon.listen_fds()
if len(fds) != 1:
raise KeyError('Exactly one socket is expected.')
@@ -345,52 +348,60 @@ def receive_zone_name(log):
log.debug('accepted new connection %s', repr(conn))
# this implements cmdhandler_handle_cmd() logic
-cmd = conn.recv(ODS_SE_MAXLINE)
-cmd = cmd.strip()
+cmd = conn.recv(ODS_SE_MAXLINE).strip()
+log.debug('received command %s from systemd socket', cmd)
+return (cmd, conn)
-try:
-if cmd == 'ipa-hsm-update':
-msg = 'HSM synchronization finished, exiting.'
-conn.send('%s\n' % msg)
-log.info(msg)
-sys.exit(0)
+def parse_command(cmd):
+Parse command to (exit code, message, zone_name) tuple.
-elif not cmd.startswith('update '):
-conn.send('Command %s is not supported by IPA; ' \
- 'HSM synchronization was finished and the command ' \
- 'will be ignored.\n' % cmd)
-log.info('Ignoring unsupported command %s.', cmd)
-sys.exit(0)
+Exit code None means that execution should continue.
+
+if cmd == 'ipa-hsm-update':
+return (0,
+'HSM synchronization finished, exiting.',
+None)
-else:
-zone_name = cmd2ods_zone_name(cmd)
-conn.send('Update request for zone %s queued.\n' % zone_name)
-log.info('Processing command: %s', cmd)
+elif not cmd.startswith('update '):
+return (0,
+'Command %s is not supported by IPA; '
+'HSM synchronization was finished and the command '
+'will be ignored.\n' % cmd,
+None)
-finally:
+else:
+zone_name = cmd2ods_zone_name(cmd)
+return (None,
+'Update request for zone %s queued.\n' % zone_name,
+zone_name)
+
+def send_systemd_reply(conn, reply):
# Reply close connection early.
# This is necessary to let Enforcer to unlock the ODS DB.
+conn.send(reply + '\n')