rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0172-DNSSEC-ipa-ods-exporter-add-ldap-cleanup-command.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   db5969ef1d220eb0c817ef53f22d74d97c0a0108
  2.   SOURCES
  3.   0172-DNSSEC-ipa-ods-exporter-add-ldap-cleanup-command.patch
Blob History Raw
e0ab38 
From a5687f3070877fc28435d9db4d5fed8c521dbf41 Mon Sep 17 00:00:00 2001
e0ab38 
From: Petr Spacek <pspacek@redhat.com>
e0ab38 
Date: Sun, 20 Dec 2015 19:19:28 +0100
e0ab38 
Subject: [PATCH] DNSSEC: ipa-ods-exporter: add ldap-cleanup command
e0ab38
e0ab38 
Command "ldap-cleanup <zone name>" will remove all key metadata from
e0ab38 
LDAP. This can be used manually in sequence like:
e0ab38 
ldap-cleanup <zone name>
e0ab38 
update <zone name>
e0ab38 
to delete all key metadata from LDAP and re-export them from OpenDNSSEC.
e0ab38
e0ab38 
ldap-cleanup command should be called when disabling DNSSEC on a DNS
e0ab38 
zone to remove stale key metadata from LDAP.
e0ab38
e0ab38 
https://fedorahosted.org/freeipa/ticket/5348
e0ab38
e0ab38 
Reviewed-By: Martin Basti <mbasti@redhat.com>
e0ab38 
Reviewed-By: Martin Basti <mbasti@redhat.com>
e0ab38 
---
e0ab38 
 daemons/dnssec/ipa-ods-exporter | 60 ++++++++++++++++++++++++++++++++---------
e0ab38 
 1 file changed, 48 insertions(+), 12 deletions(-)
e0ab38
e0ab38 
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
e0ab38 
index 2a1cc4315355569b24ec6ef42a68f4d64fee9f4f..8abb5cf7c6d1e5e8ea996b8925d2e8cffc44133c 100755
e0ab38 
--- a/daemons/dnssec/ipa-ods-exporter
e0ab38 
+++ b/daemons/dnssec/ipa-ods-exporter
e0ab38 
@@ -227,7 +227,9 @@ def get_ldap_zone(ldap, dns_base, name):
e0ab38 
         except ipalib.errors.NotFound:
e0ab38 
             continue
e0ab38
e0ab38 
-    assert ldap_zone is not None, 'DNS zone "%s" should exist in LDAP' % name
e0ab38 
+    if ldap_zone is None:
e0ab38 
+        raise ipalib.errors.NotFound(
e0ab38 
+            reason='DNS zone "%s" not found in LDAP' % name)
e0ab38
e0ab38 
     return ldap_zone
e0ab38
e0ab38 
@@ -481,25 +483,37 @@ def parse_command(cmd):
e0ab38 
     if cmd == 'ipa-hsm-update':
e0ab38 
         return (0,
e0ab38 
                 'HSM synchronization finished, skipping zone synchronization.',
e0ab38 
-                None)
e0ab38 
+                None,
e0ab38 
+                cmd)
e0ab38
e0ab38 
     elif cmd == 'ipa-full-update':
e0ab38 
         return (None,
e0ab38 
                 'Synchronization of all zones was finished.',
e0ab38 
-                None)
e0ab38 
+                None,
e0ab38 
+                cmd)
e0ab38 
+
e0ab38 
+    elif cmd.startswith('ldap-cleanup '):
e0ab38 
+        zone_name = cmd2ods_zone_name(cmd)
e0ab38 
+        return (None,
e0ab38 
+                'Zone "%s" metadata will be removed from LDAP.\n' % zone_name,
e0ab38 
+                zone_name,
e0ab38 
+                'ldap-cleanup')
e0ab38
e0ab38 
-    elif not cmd.startswith('update '):
e0ab38 
+    elif cmd.startswith('update '):
e0ab38 
+        zone_name = cmd2ods_zone_name(cmd)
e0ab38 
+        return (None,
e0ab38 
+                'Zone "%s" metadata will be updated in LDAP.\n' % zone_name,
e0ab38 
+                zone_name,
e0ab38 
+                'update')
e0ab38 
+
e0ab38 
+    else:
e0ab38 
         return (0,
e0ab38 
                 'Command "%s" is not supported by IPA; '
e0ab38 
                 'HSM synchronization was finished and the command '
e0ab38 
                 'will be ignored.' % cmd,
e0ab38 
+                None,
e0ab38 
                 None)
e0ab38
e0ab38 
-    else:
e0ab38 
-        zone_name = cmd2ods_zone_name(cmd)
e0ab38 
-        return (None,
e0ab38 
-                'Zone was "%s" updated.\n' % zone_name,
e0ab38 
-                zone_name)
e0ab38
e0ab38 
 def send_systemd_reply(conn, reply):
e0ab38 
         # Reply & close connection early.
e0ab38 
@@ -510,7 +524,7 @@ def send_systemd_reply(conn, reply):
e0ab38
e0ab38 
 def cmd2ods_zone_name(cmd):
e0ab38 
     # ODS stores zone name without trailing period
e0ab38 
-    zone_name = cmd[7:].strip()
e0ab38 
+    zone_name = cmd.split(' ', 1)[1].strip()
e0ab38 
     if len(zone_name) > 1 and zone_name[-1] == '.':
e0ab38 
         zone_name = zone_name[:-1]
e0ab38
e0ab38 
@@ -584,6 +598,25 @@ def sync_zone(log, ldap, dns_dn, zone_name):
e0ab38 
         except ipalib.errors.EmptyModlist:
e0ab38 
             continue
e0ab38
e0ab38 
+def cleanup_ldap_zone(log, ldap, dns_dn, zone_name):
e0ab38 
+    """delete all key metadata about zone keys for single DNS zone
e0ab38 
+
e0ab38 
+    Key material has to be synchronized elsewhere.
e0ab38 
+    Keep in mind that keys could be shared among multiple zones!"""
e0ab38 
+    log = log.getChild("%s.%s" % (__name__, zone_name))
e0ab38 
+    log.debug('cleaning up key metadata from zone "%s"', zone_name)
e0ab38 
+
e0ab38 
+    try:
e0ab38 
+        ldap_zone = get_ldap_zone(ldap, dns_dn, zone_name)
e0ab38 
+        ldap_keys = get_ldap_keys(ldap, ldap_zone.dn)
e0ab38 
+    except ipalib.errors.NotFound as ex:
e0ab38 
+        # zone or cn=keys container does not exist, we are done
e0ab38 
+        log.debug(str(ex))
e0ab38 
+        return
e0ab38 
+
e0ab38 
+    for ldap_key in ldap_keys:
e0ab38 
+        log.debug('deleting key metadata "%s"', ldap_key.dn)
e0ab38 
+        ldap.delete_entry(ldap_key)
e0ab38
e0ab38 
 log = logging.getLogger('root')
e0ab38 
 # this service is usually socket-activated
e0ab38 
@@ -656,7 +689,7 @@ except KeyError as e:
e0ab38 
     conn = None
e0ab38 
     cmd = sys.argv[1]
e0ab38
e0ab38 
-exitcode, msg, zone_name = parse_command(cmd)
e0ab38 
+exitcode, msg, zone_name, cmd = parse_command(cmd)
e0ab38
e0ab38 
 if exitcode is not None:
e0ab38 
     if conn:
e0ab38 
@@ -686,7 +719,10 @@ try:
e0ab38
e0ab38 
     if zone_name is not None:
e0ab38 
         # only one zone should be processed
e0ab38 
-        sync_zone(log, ldap, dns_dn, zone_name)
e0ab38 
+        if cmd == 'update':
e0ab38 
+            sync_zone(log, ldap, dns_dn, zone_name)
e0ab38 
+        elif cmd == 'ldap-cleanup':
e0ab38 
+            cleanup_ldap_zone(log, ldap, dns_dn, zone_name)
e0ab38 
     else:
e0ab38 
         # process all zones
e0ab38 
         for zone_row in db.execute("SELECT name FROM zones"):
e0ab38 
--
e0ab38 
2.4.3
e0ab38

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation