freeipa/ipaserver/install/plugins/dns.py

# Authors:
#   Martin Kosek <mkosek@redhat.com>
#
# Copyright (C) 2012  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

from ipaserver.install.plugins import MIDDLE
from ipaserver.install.plugins.baseupdate import PostUpdate
from ipaserver.install.plugins import baseupdate
from ipalib import api, errors, util
from ipalib.dn import DN
from ipalib.plugins.dns import dns_container_exists

class update_dnszones(PostUpdate):
    """
    Update all zones to meet requirements in the new FreeIPA versions

    1) AllowQuery and AllowTransfer
    Set AllowQuery and AllowTransfer ACLs in all zones that may be configured
    in an upgraded FreeIPA instance.

    Upgrading to new version of bind-dyndb-ldap and having these ACLs empty
    would result in a leak of potentially sensitive DNS information as
    zone transfers are enabled for all hosts if not disabled in named.conf
    or LDAP.

    This plugin disables the zone transfer by default so that it needs to be
    explicitly enabled by FreeIPA Administrator.

    2) Update policy
    SSH public key support includes a feature to automatically add/update
    client SSH fingerprints in SSHFP records. However, the update won't
    work for zones created before this support was added as they don't allow
    clients to update SSHFP records in their update policies.

    This module extends the original policy to allow the SSHFP updates.
    """
    order=MIDDLE

    def execute(self, **options):
        ldap = self.obj.backend

        try:
            zones = api.Command.dnszone_find(all=True)['result']
        except errors.NotFound:
            self.log.info('No DNS zone to update found')
            return (False, False, [])

        for zone in zones:
            update = {}
            if not zone.get('idnsallowquery'):
                # allow query from any client by default
                update['idnsallowquery'] = u'any;'

            if not zone.get('idnsallowtransfer'):
                # do not open zone transfers by default
                update['idnsallowtransfer'] = u'none;'

            old_policy = util.gen_dns_update_policy(api.env.realm, ('A', 'AAAA'))
            if zone.get('idnsupdatepolicy', [''])[0] == old_policy:
                update['idnsupdatepolicy'] = util.gen_dns_update_policy(\
                        api.env.realm)

            if update:
                api.Command.dnszone_mod(zone[u'idnsname'][0], **update)

        return (False, False, [])

api.register(update_dnszones)

class update_dns_permissions(PostUpdate):
    """
    New DNS permissions need to be added only for updated machines with
    enabled DNS. LDIF loaded by DNS installer would fail because of duplicate
    entries otherwise.
    """
    def execute(self, **options):
        ldap = self.obj.backend

        if not dns_container_exists(ldap):
            return (False, False, [])

        dnsupdates = {}
        dn = str(DN('cn=Write DNS Configuration', api.env.container_permission, api.env.basedn))
        entry = ['objectClass:groupofnames',
                 'objectClass:top',
                 'cn:Write DNS Configuration',
                 'description:Write DNS Configuration',
                 'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' % api.env.basedn,
                 'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' % api.env.basedn]
        # make sure everything is str or otherwise python-ldap will complain
        entry = map(str, entry)
        dnsupdates[dn] = {'dn' : str(dn), 'default' : entry}

        dn = str(DN(api.env.basedn))
        entry = ['add:aci:\'(targetattr = "idnsforwardpolicy || idnsforwarders || idnsallowsyncptr || idnszonerefresh || idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]
        entry = map(str, entry)
        dnsupdates[dn] = {'dn' : dn, 'updates' : entry}

        return (False, True, [dnsupdates])

api.register(update_dns_permissions)
Query and transfer ACLs for DNS zones Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211 2012-02-24 02:30:39 -06:00			`# Authors:`
			`# Martin Kosek <mkosek@redhat.com>`
			`#`
			`# Copyright (C) 2012 Red Hat`
			`# see file 'COPYING' for use and warranty information`
			`#`
			`# This program is free software; you can redistribute it and/or modify`
			`# it under the terms of the GNU General Public License as published by`
			`# the Free Software Foundation, either version 3 of the License, or`
			`# (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program. If not, see <http://www.gnu.org/licenses/>.`

			`from ipaserver.install.plugins import MIDDLE`
			`from ipaserver.install.plugins.baseupdate import PostUpdate`
			`from ipaserver.install.plugins import baseupdate`
Add SSHFP update policy for existing zones SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394 2012-02-24 09:23:52 -06:00			`from ipalib import api, errors, util`
Amend permissions for new DNS attributes New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510 2012-03-14 04:38:33 -05:00			`from ipalib.dn import DN`
			`from ipalib.plugins.dns import dns_container_exists`
Query and transfer ACLs for DNS zones Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211 2012-02-24 02:30:39 -06:00
Add SSHFP update policy for existing zones SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394 2012-02-24 09:23:52 -06:00			`class update_dnszones(PostUpdate):`
Query and transfer ACLs for DNS zones Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211 2012-02-24 02:30:39 -06:00			`"""`
Add SSHFP update policy for existing zones SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394 2012-02-24 09:23:52 -06:00			`Update all zones to meet requirements in the new FreeIPA versions`

			`1) AllowQuery and AllowTransfer`
Query and transfer ACLs for DNS zones Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211 2012-02-24 02:30:39 -06:00			`Set AllowQuery and AllowTransfer ACLs in all zones that may be configured`
			`in an upgraded FreeIPA instance.`

			`Upgrading to new version of bind-dyndb-ldap and having these ACLs empty`
			`would result in a leak of potentially sensitive DNS information as`
			`zone transfers are enabled for all hosts if not disabled in named.conf`
			`or LDAP.`

			`This plugin disables the zone transfer by default so that it needs to be`
			`explicitly enabled by FreeIPA Administrator.`
Add SSHFP update policy for existing zones SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394 2012-02-24 09:23:52 -06:00
			`2) Update policy`
			`SSH public key support includes a feature to automatically add/update`
			`client SSH fingerprints in SSHFP records. However, the update won't`
			`work for zones created before this support was added as they don't allow`
			`clients to update SSHFP records in their update policies.`

			`This module extends the original policy to allow the SSHFP updates.`
Query and transfer ACLs for DNS zones Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211 2012-02-24 02:30:39 -06:00			`"""`
			`order=MIDDLE`

			`def execute(self, **options):`
			`ldap = self.obj.backend`

			`try:`
Add SSHFP update policy for existing zones SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394 2012-02-24 09:23:52 -06:00			`zones = api.Command.dnszone_find(all=True)['result']`
Query and transfer ACLs for DNS zones Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211 2012-02-24 02:30:39 -06:00			`except errors.NotFound:`
			`self.log.info('No DNS zone to update found')`
			`return (False, False, [])`

			`for zone in zones:`
			`update = {}`
			`if not zone.get('idnsallowquery'):`
			`# allow query from any client by default`
			`update['idnsallowquery'] = u'any;'`

			`if not zone.get('idnsallowtransfer'):`
			`# do not open zone transfers by default`
			`update['idnsallowtransfer'] = u'none;'`

Add SSHFP update policy for existing zones SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394 2012-02-24 09:23:52 -06:00			`old_policy = util.gen_dns_update_policy(api.env.realm, ('A', 'AAAA'))`
			`if zone.get('idnsupdatepolicy', [''])[0] == old_policy:`
			`update['idnsupdatepolicy'] = util.gen_dns_update_policy(\`
			`api.env.realm)`

Query and transfer ACLs for DNS zones Provide a way to specify BIND allow-query and allow-transfer ACLs for DNS zones. IMPORTANT: new bind-dyndb-ldap adds a zone transfer ability. To avoid zone information leaks to unintended places, allow-transfer ACL for every zone is by default set to none and has to be explicitly enabled by an Administrator. This is done both for new DNS zones and old DNS zones during RPM update via new DNS upgrade plugin. https://fedorahosted.org/freeipa/ticket/1211 2012-02-24 02:30:39 -06:00			`if update:`
			`api.Command.dnszone_mod(zone[u'idnsname'][0], **update)`

			`return (False, False, [])`

Add SSHFP update policy for existing zones SSH public key support includes a feature to automatically add/update client SSH fingerprints in SSHFP records. However, the update won't work for zones created before this support was added as they don't allow clients to update SSHFP records in their update policies. This patch lets dns upgrade module extend the original policy to allow the SSHFP dynamic updates. It updates only original policy, we don't want it to overwrite custom user policies. https://fedorahosted.org/freeipa/ticket/2394 2012-02-24 09:23:52 -06:00			`api.register(update_dnszones)`
Amend permissions for new DNS attributes New features in bind-dyndb-ldap and IPA DNS plugin pulled new attributes and objectclasses. ACIs and permissions need to be updated to allow users with appropriate permissions update these attributes in LDAP. This patch updates the ACI for DNS record updates and adds one new permission to update global DNS configuration. https://fedorahosted.org/freeipa/ticket/2510 2012-03-14 04:38:33 -05:00
			`class update_dns_permissions(PostUpdate):`
			`"""`
			`New DNS permissions need to be added only for updated machines with`
			`enabled DNS. LDIF loaded by DNS installer would fail because of duplicate`
			`entries otherwise.`
			`"""`
			`def execute(self, **options):`
			`ldap = self.obj.backend`

			`if not dns_container_exists(ldap):`
			`return (False, False, [])`

			`dnsupdates = {}`
			`dn = str(DN('cn=Write DNS Configuration', api.env.container_permission, api.env.basedn))`
			`entry = ['objectClass:groupofnames',`
			`'objectClass:top',`
			`'cn:Write DNS Configuration',`
			`'description:Write DNS Configuration',`
			`'member:cn=DNS Administrators,cn=privileges,cn=pbac,%s' % api.env.basedn,`
			`'member:cn=DNS Servers,cn=privileges,cn=pbac,%s' % api.env.basedn]`
			`# make sure everything is str or otherwise python-ldap will complain`
			`entry = map(str, entry)`
			`dnsupdates[dn] = {'dn' : str(dn), 'default' : entry}`

			`dn = str(DN(api.env.basedn))`
			`entry = ['add:aci:\'(targetattr = "idnsforwardpolicy \|\| idnsforwarders \|\| idnsallowsyncptr \|\| idnszonerefresh \|\| idnspersistentsearch")(target = "ldap:///cn=dns,%(realm)s")(version 3.0;acl "permission:Write DNS Configuration";allow (write) groupdn = "ldap:///cn=Write DNS Configuration,cn=permissions,cn=pbac,%(realm)s";)\'' % dict(realm=api.env.basedn)]`
			`entry = map(str, entry)`
			`dnsupdates[dn] = {'dn' : dn, 'updates' : entry}`

			`return (False, True, [dnsupdates])`

			`api.register(update_dns_permissions)`