Debian: Add fixes for OpenDNSSEC 2.0

Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>

ipaplatform/base/paths.py

@@ -185,6 +185,8 @@ class BasePathNamespace:
     NSUPDATE = "/usr/bin/nsupdate"
     ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
     ODS_SIGNER = "/usr/sbin/ods-signer"
+    ODS_ENFORCER = None
+    ODS_ENFORCER_SETUP = None
     OPENSSL = "/usr/bin/openssl"
     PK12UTIL = "/usr/bin/pk12util"
     SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"

ipaplatform/debian/paths.py

@@ -65,6 +65,9 @@ class DebianPathNamespace(BasePathNamespace):
     OLD_KRA_AGENT_PEM = "/etc/apache2/nssdb/kra-agent.pem"
     SBIN_SERVICE = "/usr/sbin/service"
     CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s"
+    ODS_KSMUTIL = None
+    ODS_ENFORCER = "/usr/sbin/ods-enforcer"
+    ODS_ENFORCER_SETUP = "/usr/sbin/ods-enforcer-db-setup"
     UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates"
     BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/"
     BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/"

ipaserver/dnssec/odsmgr.py

@@ -11,6 +11,7 @@ except ImportError:
     from xml.etree import ElementTree as etree
 
 from ipapython import ipa_log_manager, ipautil
+from ipaplatform.paths import paths
 
 logger = logging.getLogger(__name__)
 
@@ -130,11 +131,15 @@ class ODSMgr:
         self.zl_ldap = LDAPZoneListReader()
 
     def ksmutil(self, params):
-        """Call ods-ksmutil with given parameters and return stdout.
+        """Call ods-ksmutil / ods-enforcer with parameters and return stdout.
 
         Raises CalledProcessError if returncode != 0.
         """
-        cmd = ['ods-ksmutil'] + params
+        if paths.ODS_ENFORCER is not None:
+            cmd = [paths.ODS_ENFORCER]
+        else:
+            cmd = [paths.ODS_KSMUTIL]
+        cmd.extend(params)
         result = ipautil.run(cmd, capture_output=True)
         return result.output
 

ipaserver/install/opendnssecinstance.py

@@ -200,6 +200,11 @@ class OpenDNSSECInstance(service.Service):
         if not self.fstore.has_file(paths.SYSCONFIG_ODS):
             self.fstore.backup_file(paths.SYSCONFIG_ODS)
 
+        if not os.path.isfile(paths.SYSCONFIG_ODS):
+            # create file, it's not shipped on Debian
+            with open(paths.SYSCONFIG_ODS, 'a') as f:
+                os.fchmod(f.fileno(), 0o644)
+
         directivesetter.set_directive(paths.SYSCONFIG_ODS,
                                       'SOFTHSM2_CONF',
                                       paths.DNSSEC_SOFTHSM2_CONF,
@@ -274,6 +279,11 @@ class OpenDNSSECInstance(service.Service):
         if not self.fstore.has_file(paths.OPENDNSSEC_KASP_DB):
             self.fstore.backup_file(paths.OPENDNSSEC_KASP_DB)
 
+        if paths.ODS_ENFORCER is not None:
+            ods_cmd = paths.ODS_ENFORCER
+        else:
+            ods_cmd = paths.ODS_KSMUTIL
+
         if self.kasp_db_file:
             # copy user specified kasp.db to proper location and set proper
             # privileges
@@ -282,24 +292,20 @@ class OpenDNSSECInstance(service.Service):
             os.chmod(paths.OPENDNSSEC_KASP_DB, 0o660)
 
             # regenerate zonelist.xml
-            cmd = [paths.ODS_KSMUTIL, 'zonelist', 'export']
-            result = ipautil.run(cmd,
-                                 runas=constants.ODS_USER,
-                                 capture_output=True)
-            with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as zonelistf:
-                zonelistf.write(result.output)
-                os.chown(paths.OPENDNSSEC_ZONELIST_FILE,
-                         self.ods_uid, self.ods_gid)
-                os.chmod(paths.OPENDNSSEC_ZONELIST_FILE, 0o660)
+            cmd = [ods_cmd, 'zonelist', 'export']
+            result = ipautil.run(
+                cmd, runas=constants.ODS_USER, capture_output=True
+            )
+            if paths.ODS_ENFORCER is not None:
+                with open(paths.OPENDNSSEC_ZONELIST_FILE, 'w') as f:
+                    f.write(result.output)
+                    os.fchown(f.fileno(), self.ods_uid, self.ods_gid)
+                    os.fchmod(f.fileno(), 0o660)
 
         else:
             # initialize new kasp.db
-            command = [
-                paths.ODS_KSMUTIL,
-                'setup'
-            ]
-
-            ipautil.run(command, stdin="y", runas=constants.ODS_USER)
+            cmd = [ods_cmd, 'setup']
+            ipautil.run(cmd, stdin="y", runas=constants.ODS_USER)
 
     def __setup_dnskeysyncd(self):
         # set up dnskeysyncd this is DNSSEC master