mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-25 16:31:08 -06:00
7b6bee030d
BindInstance et al. now use STARTTLS to set up secure connection to DS during ipa-dns-install. This fixes https://fedorahosted.org/freeipa/ticket/4933 Reviewed-By: Martin Basti <mbasti@redhat.com>
505 lines
19 KiB
Python
505 lines
19 KiB
Python
#
|
|
# Copyright (C) 2014 FreeIPA Contributors see COPYING for license
|
|
#
|
|
|
|
from ipapython.dnsutil import DNSName
|
|
|
|
import service
|
|
import installutils
|
|
import os
|
|
import pwd
|
|
import grp
|
|
import random
|
|
import shutil
|
|
import stat
|
|
|
|
import ldap
|
|
import _ipap11helper
|
|
|
|
from ipapython.ipa_log_manager import *
|
|
from ipapython.dn import DN
|
|
from ipapython import ipaldap
|
|
from ipapython import sysrestore, ipautil
|
|
from ipaplatform import services
|
|
from ipaplatform.paths import paths
|
|
from ipalib import errors, api
|
|
from ipalib.constants import CACERT
|
|
from ipaserver.install.bindinstance import dns_container_exists
|
|
|
|
softhsm_token_label = u'ipaDNSSEC'
|
|
softhsm_slot = 0
|
|
replica_keylabel_template = u"dnssec-replica:%s"
|
|
|
|
def check_inst():
|
|
if not os.path.exists(paths.DNSSEC_KEYFROMLABEL):
|
|
print ("Please install the 'bind-pkcs11-utils' package and start "
|
|
"the installation again")
|
|
return False
|
|
return True
|
|
|
|
def dnssec_container_exists(fqdn, suffix, dm_password=None, ldapi=False,
|
|
realm=None, autobind=ipaldap.AUTOBIND_DISABLED):
|
|
"""
|
|
Test whether the dns container exists.
|
|
"""
|
|
assert isinstance(suffix, DN)
|
|
try:
|
|
# At install time we may need to use LDAPI to avoid chicken/egg
|
|
# issues with SSL certs and truting CAs
|
|
if ldapi:
|
|
conn = ipaldap.IPAdmin(host=fqdn, ldapi=True, realm=realm)
|
|
else:
|
|
conn = ipaldap.IPAdmin(host=fqdn, port=636, cacert=CACERT)
|
|
|
|
conn.do_bind(dm_password, autobind=autobind)
|
|
except ldap.SERVER_DOWN:
|
|
raise RuntimeError('LDAP server on %s is not responding. Is IPA installed?' % fqdn)
|
|
|
|
ret = conn.entry_exists(DN(('cn', 'sec'), ('cn', 'dns'), suffix))
|
|
conn.unbind()
|
|
|
|
return ret
|
|
|
|
class DNSKeySyncInstance(service.Service):
|
|
def __init__(self, fstore=None, dm_password=None, logger=root_logger,
|
|
ldapi=False, start_tls=False):
|
|
service.Service.__init__(
|
|
self, "ipa-dnskeysyncd",
|
|
service_desc="DNS key synchronization service",
|
|
dm_password=dm_password,
|
|
ldapi=ldapi,
|
|
start_tls=start_tls
|
|
)
|
|
self.dm_password = dm_password
|
|
self.logger = logger
|
|
self.extra_config = [u'dnssecVersion 1', ] # DNSSEC enabled
|
|
self.named_uid = None
|
|
self.named_gid = None
|
|
self.ods_uid = None
|
|
self.ods_gid = None
|
|
if fstore:
|
|
self.fstore = fstore
|
|
else:
|
|
self.fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
|
|
suffix = ipautil.dn_attribute_property('_suffix')
|
|
|
|
def set_dyndb_ldap_workdir_permissions(self):
|
|
"""
|
|
Setting up correct permissions to allow write/read access for daemons
|
|
"""
|
|
if self.named_uid is None:
|
|
self.named_uid = self.__get_named_uid()
|
|
|
|
if self.named_gid is None:
|
|
self.named_gid = self.__get_named_gid()
|
|
|
|
if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
|
|
os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
|
|
# dnssec daemons require to have access into the directory
|
|
os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
|
|
os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
|
|
self.named_gid)
|
|
|
|
def remove_replica_public_keys(self, replica_fqdn):
|
|
ldap = api.Backend.ldap2
|
|
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
|
|
keylabel = replica_keylabel_template % DNSName(replica_fqdn).\
|
|
make_absolute().canonicalize().ToASCII()
|
|
# get old keys from LDAP
|
|
search_kw = {
|
|
'objectclass': u"ipaPublicKeyObject",
|
|
'ipk11Label': keylabel,
|
|
'ipk11Wrap': True,
|
|
}
|
|
filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
|
|
entries, truncated = ldap.find_entries(filter=filter, base_dn=dn_base)
|
|
for entry in entries:
|
|
ldap.delete_entry(entry)
|
|
|
|
def start_dnskeysyncd(self):
|
|
print "Restarting ipa-dnskeysyncd"
|
|
self.__start()
|
|
|
|
def create_instance(self, fqdn, realm_name):
|
|
self.fqdn = fqdn
|
|
self.realm = realm_name
|
|
self.suffix = ipautil.realm_to_suffix(self.realm)
|
|
try:
|
|
self.stop()
|
|
except:
|
|
pass
|
|
|
|
# get a connection to the DS
|
|
self.ldap_connect()
|
|
# checking status step must be first
|
|
self.step("checking status", self.__check_dnssec_status)
|
|
self.step("setting up bind-dyndb-ldap working directory",
|
|
self.set_dyndb_ldap_workdir_permissions)
|
|
self.step("setting up kerberos principal", self.__setup_principal)
|
|
self.step("setting up SoftHSM", self.__setup_softhsm)
|
|
self.step("adding DNSSEC containers", self.__setup_dnssec_containers)
|
|
self.step("creating replica keys", self.__setup_replica_keys)
|
|
self.step("configuring ipa-dnskeysyncd to start on boot", self.__enable)
|
|
# we need restart named after setting up this service
|
|
self.start_creation()
|
|
|
|
def __get_named_uid(self):
|
|
named = services.knownservices.named
|
|
try:
|
|
return pwd.getpwnam(named.get_user_name()).pw_uid
|
|
except KeyError:
|
|
raise RuntimeError("Named UID not found")
|
|
|
|
def __get_named_gid(self):
|
|
named = services.knownservices.named
|
|
try:
|
|
return grp.getgrnam(named.get_group_name()).gr_gid
|
|
except KeyError:
|
|
raise RuntimeError("Named GID not found")
|
|
|
|
def __check_dnssec_status(self):
|
|
ods_enforcerd = services.knownservices.ods_enforcerd
|
|
|
|
self.named_uid = self.__get_named_uid()
|
|
self.named_gid = self.__get_named_gid()
|
|
|
|
try:
|
|
self.ods_uid = pwd.getpwnam(ods_enforcerd.get_user_name()).pw_uid
|
|
except KeyError:
|
|
raise RuntimeError("OpenDNSSEC UID not found")
|
|
|
|
try:
|
|
self.ods_gid = grp.getgrnam(ods_enforcerd.get_group_name()).gr_gid
|
|
except KeyError:
|
|
raise RuntimeError("OpenDNSSEC GID not found")
|
|
|
|
if not dns_container_exists(
|
|
self.fqdn, self.suffix, realm=self.realm, ldapi=True,
|
|
dm_password=self.dm_password, autobind=ipaldap.AUTOBIND_AUTO
|
|
):
|
|
raise RuntimeError("DNS container does not exist")
|
|
|
|
# ready to be installed, storing a state is required to run uninstall
|
|
self.backup_state("configured", True)
|
|
|
|
def __setup_dnssec_containers(self):
|
|
"""
|
|
Setup LDAP containers for DNSSEC
|
|
"""
|
|
if dnssec_container_exists(self.fqdn, self.suffix, ldapi=True,
|
|
dm_password=self.dm_password,
|
|
realm=self.realm,
|
|
autobind=ipaldap.AUTOBIND_AUTO):
|
|
|
|
self.logger.info("DNSSEC container exists (step skipped)")
|
|
return
|
|
|
|
self._ldap_mod("dnssec.ldif", {'SUFFIX': self.suffix, })
|
|
|
|
def __setup_softhsm(self):
|
|
assert self.ods_uid is not None
|
|
assert self.named_gid is not None
|
|
|
|
token_dir_exists = os.path.exists(paths.DNSSEC_TOKENS_DIR)
|
|
|
|
# create dnssec directory
|
|
if not os.path.exists(paths.IPA_DNSSEC_DIR):
|
|
self.logger.debug("Creating %s directory", paths.IPA_DNSSEC_DIR)
|
|
os.mkdir(paths.IPA_DNSSEC_DIR, 0770)
|
|
# chown ods:named
|
|
os.chown(paths.IPA_DNSSEC_DIR, self.ods_uid, self.named_gid)
|
|
|
|
# setup softhsm2 config file
|
|
softhsm_conf_txt = ("# SoftHSM v2 configuration file \n"
|
|
"# File generated by IPA instalation\n"
|
|
"directories.tokendir = %(tokens_dir)s\n"
|
|
"objectstore.backend = file") % {
|
|
'tokens_dir': paths.DNSSEC_TOKENS_DIR
|
|
}
|
|
self.logger.debug("Creating new softhsm config file")
|
|
named_fd = open(paths.DNSSEC_SOFTHSM2_CONF, 'w')
|
|
named_fd.seek(0)
|
|
named_fd.truncate(0)
|
|
named_fd.write(softhsm_conf_txt)
|
|
named_fd.close()
|
|
|
|
# setting up named to use softhsm2
|
|
if not self.fstore.has_file(paths.SYSCONFIG_NAMED):
|
|
self.fstore.backup_file(paths.SYSCONFIG_NAMED)
|
|
|
|
# setting up named and ipa-dnskeysyncd to use our softhsm2 config
|
|
for sysconfig in [paths.SYSCONFIG_NAMED,
|
|
paths.SYSCONFIG_IPA_DNSKEYSYNCD]:
|
|
installutils.set_directive(sysconfig, 'SOFTHSM2_CONF',
|
|
paths.DNSSEC_SOFTHSM2_CONF,
|
|
quotes=False, separator='=')
|
|
|
|
if (token_dir_exists and os.path.exists(paths.DNSSEC_SOFTHSM_PIN) and
|
|
os.path.exists(paths.DNSSEC_SOFTHSM_PIN_SO)):
|
|
# there is initialized softhsm
|
|
return
|
|
|
|
# remove old tokens
|
|
if token_dir_exists:
|
|
self.logger.debug('Removing old tokens directory %s',
|
|
paths.DNSSEC_TOKENS_DIR)
|
|
shutil.rmtree(paths.DNSSEC_TOKENS_DIR)
|
|
|
|
# create tokens subdirectory
|
|
self.logger.debug('Creating tokens %s directory',
|
|
paths.DNSSEC_TOKENS_DIR)
|
|
# sticky bit is required by daemon
|
|
os.mkdir(paths.DNSSEC_TOKENS_DIR)
|
|
os.chmod(paths.DNSSEC_TOKENS_DIR, 0770 | stat.S_ISGID)
|
|
# chown to ods:named
|
|
os.chown(paths.DNSSEC_TOKENS_DIR, self.ods_uid, self.named_gid)
|
|
|
|
# generate PINs for softhsm
|
|
allowed_chars = u'123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
|
|
pin_length = 30 # Bind allows max 32 bytes including ending '\0'
|
|
pin = ipautil.ipa_generate_password(allowed_chars, pin_length)
|
|
pin_so = ipautil.ipa_generate_password(allowed_chars, pin_length)
|
|
|
|
self.logger.debug("Saving user PIN to %s", paths.DNSSEC_SOFTHSM_PIN)
|
|
named_fd = open(paths.DNSSEC_SOFTHSM_PIN, 'w')
|
|
named_fd.seek(0)
|
|
named_fd.truncate(0)
|
|
named_fd.write(pin)
|
|
named_fd.close()
|
|
os.chmod(paths.DNSSEC_SOFTHSM_PIN, 0770)
|
|
# chown to ods:named
|
|
os.chown(paths.DNSSEC_SOFTHSM_PIN, self.ods_uid, self.named_gid)
|
|
|
|
self.logger.debug("Saving SO PIN to %s", paths.DNSSEC_SOFTHSM_PIN_SO)
|
|
named_fd = open(paths.DNSSEC_SOFTHSM_PIN_SO, 'w')
|
|
named_fd.seek(0)
|
|
named_fd.truncate(0)
|
|
named_fd.write(pin_so)
|
|
named_fd.close()
|
|
# owner must be root
|
|
os.chmod(paths.DNSSEC_SOFTHSM_PIN_SO, 0400)
|
|
|
|
# initialize SoftHSM
|
|
|
|
command = [
|
|
paths.SOFTHSM2_UTIL,
|
|
'--init-token',
|
|
'--slot', str(softhsm_slot),
|
|
'--label', softhsm_token_label,
|
|
'--pin', pin,
|
|
'--so-pin', pin_so,
|
|
]
|
|
self.logger.debug("Initializing tokens")
|
|
os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
|
|
ipautil.run(command, nolog=(pin, pin_so,))
|
|
|
|
def __setup_replica_keys(self):
|
|
keylabel = replica_keylabel_template % DNSName(self.fqdn).\
|
|
make_absolute().canonicalize().ToASCII()
|
|
|
|
ldap = self.admin_conn
|
|
dn_base = DN(('cn', 'keys'), ('cn', 'sec'), ('cn', 'dns'), api.env.basedn)
|
|
|
|
with open(paths.DNSSEC_SOFTHSM_PIN, "r") as f:
|
|
pin = f.read()
|
|
|
|
os.environ["SOFTHSM2_CONF"] = paths.DNSSEC_SOFTHSM2_CONF
|
|
p11 = _ipap11helper.P11_Helper(softhsm_slot, pin, paths.LIBSOFTHSM2_SO)
|
|
|
|
try:
|
|
# generate replica keypair
|
|
self.logger.debug("Creating replica's key pair")
|
|
key_id = None
|
|
while True:
|
|
# check if key with this ID exist in softHSM
|
|
# id is 16 Bytes long
|
|
key_id = "".join(chr(random.randint(0, 255))
|
|
for _ in xrange(0, 16))
|
|
replica_pubkey_dn = DN(('ipk11UniqueId', 'autogenerate'), dn_base)
|
|
|
|
|
|
pub_keys = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY,
|
|
label=keylabel,
|
|
id=key_id)
|
|
if pub_keys:
|
|
# key with id exists
|
|
continue
|
|
|
|
priv_keys = p11.find_keys(_ipap11helper.KEY_CLASS_PRIVATE_KEY,
|
|
label=keylabel,
|
|
id=key_id)
|
|
if not priv_keys:
|
|
break # we found unique id
|
|
|
|
public_key_handle, private_key_handle = p11.generate_replica_key_pair(
|
|
keylabel, key_id,
|
|
pub_cka_verify=False,
|
|
pub_cka_verify_recover=False,
|
|
pub_cka_wrap=True,
|
|
priv_cka_unwrap=True,
|
|
priv_cka_sensitive=True,
|
|
priv_cka_extractable=False)
|
|
|
|
# export public key
|
|
public_key_blob = p11.export_public_key(public_key_handle)
|
|
|
|
# save key to LDAP
|
|
replica_pubkey_objectclass = [
|
|
'ipk11Object', 'ipk11PublicKey', 'ipaPublicKeyObject', 'top'
|
|
]
|
|
kw = {
|
|
'objectclass': replica_pubkey_objectclass,
|
|
'ipk11UniqueId': [u'autogenerate'],
|
|
'ipk11Label': [keylabel],
|
|
'ipaPublicKey': [public_key_blob],
|
|
'ipk11Id': [key_id],
|
|
'ipk11Wrap': [True],
|
|
'ipk11Verify': [False],
|
|
'ipk11VerifyRecover': [False],
|
|
}
|
|
|
|
self.logger.debug("Storing replica public key to LDAP, %s",
|
|
replica_pubkey_dn)
|
|
|
|
entry = ldap.make_entry(replica_pubkey_dn, **kw)
|
|
ldap.add_entry(entry)
|
|
self.logger.debug("Replica public key stored")
|
|
|
|
self.logger.debug("Setting CKA_WRAP=False for old replica keys")
|
|
# first create new keys, we don't want disable keys before, we
|
|
# have new keys in softhsm and LDAP
|
|
|
|
# get replica pub keys with CKA_WRAP=True
|
|
replica_pub_keys = p11.find_keys(_ipap11helper.KEY_CLASS_PUBLIC_KEY,
|
|
label=keylabel,
|
|
cka_wrap=True)
|
|
# old keys in softHSM
|
|
for handle in replica_pub_keys:
|
|
# don't disable wrapping for new key
|
|
# compare IDs not handle
|
|
if key_id != p11.get_attribute(handle, _ipap11helper.CKA_ID):
|
|
p11.set_attribute(handle, _ipap11helper.CKA_WRAP, False)
|
|
|
|
# get old keys from LDAP
|
|
search_kw = {
|
|
'objectclass': u"ipaPublicKeyObject",
|
|
'ipk11Label': keylabel,
|
|
'ipk11Wrap': True,
|
|
}
|
|
filter = ldap.make_filter(search_kw, rules=ldap.MATCH_ALL)
|
|
entries, truncated = ldap.find_entries(filter=filter,
|
|
base_dn=dn_base)
|
|
for entry in entries:
|
|
# don't disable wrapping for new key
|
|
if entry.single_value['ipk11Id'] != key_id:
|
|
entry['ipk11Wrap'] = [False]
|
|
ldap.update_entry(entry)
|
|
|
|
finally:
|
|
p11.finalize()
|
|
|
|
# change tokens mod/owner
|
|
self.logger.debug("Changing ownership of token files")
|
|
for (root, dirs, files) in os.walk(paths.DNSSEC_TOKENS_DIR):
|
|
for directory in dirs:
|
|
dir_path = os.path.join(root, directory)
|
|
os.chmod(dir_path, 0770 | stat.S_ISGID)
|
|
# chown to ods:named
|
|
os.chown(dir_path, self.ods_uid, self.named_gid)
|
|
for filename in files:
|
|
file_path = os.path.join(root, filename)
|
|
os.chmod(file_path, 0770 | stat.S_ISGID)
|
|
# chown to ods:named
|
|
os.chown(file_path, self.ods_uid, self.named_gid)
|
|
|
|
def __enable(self):
|
|
try:
|
|
self.ldap_enable('DNSKeySync', self.fqdn, self.dm_password,
|
|
self.suffix, self.extra_config)
|
|
except errors.DuplicateEntry:
|
|
self.logger.error("DNSKeySync service already exists")
|
|
|
|
def __setup_principal(self):
|
|
assert self.ods_gid is not None
|
|
dnssynckey_principal = "ipa-dnskeysyncd/" + self.fqdn + "@" + self.realm
|
|
installutils.kadmin_addprinc(dnssynckey_principal)
|
|
|
|
# Store the keytab on disk
|
|
installutils.create_keytab(paths.IPA_DNSKEYSYNCD_KEYTAB, dnssynckey_principal)
|
|
p = self.move_service(dnssynckey_principal)
|
|
if p is None:
|
|
# the service has already been moved, perhaps we're doing a DNS reinstall
|
|
dnssynckey_principal_dn = DN(
|
|
('krbprincipalname', dnssynckey_principal),
|
|
('cn', 'services'), ('cn', 'accounts'), self.suffix)
|
|
else:
|
|
dnssynckey_principal_dn = p
|
|
|
|
# Make sure access is strictly reserved to the named user
|
|
os.chown(paths.IPA_DNSKEYSYNCD_KEYTAB, 0, self.ods_gid)
|
|
os.chmod(paths.IPA_DNSKEYSYNCD_KEYTAB, 0440)
|
|
|
|
dns_group = DN(('cn', 'DNS Servers'), ('cn', 'privileges'),
|
|
('cn', 'pbac'), self.suffix)
|
|
mod = [(ldap.MOD_ADD, 'member', dnssynckey_principal_dn)]
|
|
|
|
try:
|
|
self.admin_conn.modify_s(dns_group, mod)
|
|
except ldap.TYPE_OR_VALUE_EXISTS:
|
|
pass
|
|
except Exception, e:
|
|
self.logger.critical("Could not modify principal's %s entry: %s"
|
|
% (dnssynckey_principal_dn, str(e)))
|
|
raise
|
|
|
|
# bind-dyndb-ldap persistent search feature requires both size and time
|
|
# limit-free connection
|
|
|
|
mod = [(ldap.MOD_REPLACE, 'nsTimeLimit', '-1'),
|
|
(ldap.MOD_REPLACE, 'nsSizeLimit', '-1'),
|
|
(ldap.MOD_REPLACE, 'nsIdleTimeout', '-1'),
|
|
(ldap.MOD_REPLACE, 'nsLookThroughLimit', '-1')]
|
|
try:
|
|
self.admin_conn.modify_s(dnssynckey_principal_dn, mod)
|
|
except Exception, e:
|
|
self.logger.critical("Could not set principal's %s LDAP limits: %s"
|
|
% (dnssynckey_principal_dn, str(e)))
|
|
raise
|
|
|
|
def __start(self):
|
|
try:
|
|
self.restart()
|
|
except Exception as e:
|
|
print "Failed to start ipa-dnskeysyncd"
|
|
self.logger.debug("Failed to start ipa-dnskeysyncd: %s", e)
|
|
|
|
|
|
def uninstall(self):
|
|
if self.is_configured():
|
|
self.print_msg("Unconfiguring %s" % self.service_name)
|
|
|
|
# Just eat states
|
|
self.restore_state("running")
|
|
self.restore_state("enabled")
|
|
self.restore_state("configured")
|
|
|
|
# stop and disable service (IPA service, we do not need it anymore)
|
|
self.stop()
|
|
self.disable()
|
|
|
|
for f in [paths.SYSCONFIG_NAMED]:
|
|
try:
|
|
self.fstore.restore_file(f)
|
|
except ValueError, error:
|
|
self.logger.debug(error)
|
|
pass
|
|
|
|
# remove softhsm pin, to make sure new installation will generate
|
|
# new token database
|
|
# do not delete *so pin*, user can need it to get token data
|
|
try:
|
|
os.remove(paths.DNSSEC_SOFTHSM_PIN)
|
|
except Exception:
|
|
pass
|