authorMartin Basti <mbasti@redhat.com>2014-10-20 22:00:16 +0200
committerMartin Kosek <mkosek@redhat.com>2014-10-21 12:23:03 +0200
commit30bc3a55cf816cc5114ddbd102afa8b52f598dec (patch)
treec89ca145087bbd7189cc1d3aa29a837e20843c17 /ipaplatform
parent9101cfa60f715d03bcb4b0c88a69899b102a16bc (diff)
DNSSEC: platform paths and services
Tickets: https://fedorahosted.org/freeipa/ticket/3801 https://fedorahosted.org/freeipa/ticket/4417 Design: https://fedorahosted.org/bind-dyndb-ldap/wiki/BIND9/Design/DNSSEC Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: David Kupka <dkupka@redhat.com>
Diffstat (limited to 'ipaplatform')
-rw-r--r--ipaplatform/base/paths.py29
-rw-r--r--ipaplatform/base/services.py14
-rw-r--r--ipaplatform/redhat/paths.py6
-rw-r--r--ipaplatform/redhat/services.py34
4 files changed, 81 insertions, 2 deletions
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 0ba6b46c5..bbe6eed76 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -63,6 +63,10 @@ class BasePathNamespace(object):
IPA_DNS_UPDATE_TXT = "/etc/ipa/.dns_update.txt"
IPA_CA_CRT = "/etc/ipa/ca.crt"
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
+ IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
+ IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+ DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
+ DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
IPA_NSSDB_DIR = "/etc/ipa/nssdb"
IPA_NSSDB_PWDFILE_TXT = "/etc/ipa/nssdb/pwdfile.txt"
KRB5_CONF = "/etc/krb5.conf"
@@ -81,6 +85,9 @@ class BasePathNamespace(object):
NSSWITCH_CONF = "/etc/nsswitch.conf"
NTP_CONF = "/etc/ntp.conf"
NTP_STEP_TICKERS = "/etc/ntp/step-tickers"
+ ETC_OPENDNSSEC_DIR = "/etc/opendnssec"
+ OPENDNSSEC_CONF_FILE = "/etc/opendnssec/conf.xml"
+ OPENDNSSEC_KASP_FILE = "/etc/opendnssec/kasp.xml"
OPENLDAP_LDAP_CONF = "/etc/openldap/ldap.conf"
PAM_LDAP_CONF = "/etc/pam_ldap.conf"
PASSWD = "/etc/passwd"
@@ -108,12 +115,16 @@ class BasePathNamespace(object):
SYSCONFIG_DIRSRV_INSTANCE = "/etc/sysconfig/dirsrv-%s"
SYSCONFIG_DIRSRV_PKI_IPA_DIR = "/etc/sysconfig/dirsrv-PKI-IPA"
SYSCONFIG_DIRSRV_SYSTEMD = "/etc/sysconfig/dirsrv.systemd"
+ SYSCONFIG_IPA_DNSKEYSYNCD = "/etc/sysconfig/ipa-dnskeysyncd"
+ SYSOCNFIG_IPA_ODS_EXPORTER = "/etc/sysconfig/ipa-ods-exporter"
SYSCONFIG_HTTPD = "/etc/sysconfig/httpd"
SYSCONFIG_KRB5KDC_DIR = "/etc/sysconfig/krb5kdc"
+ SYSCONFIG_NAMED = "/etc/sysconfig/named"
SYSCONFIG_NETWORK = "/etc/sysconfig/network"
SYSCONFIG_NETWORK_IPABKP = "/etc/sysconfig/network.ipabkp"
SYSCONFIG_NFS = "/etc/sysconfig/nfs"
SYSCONFIG_NTPD = "/etc/sysconfig/ntpd"
+ SYSCONFIG_ODS = "/etc/sysconfig/ods"
SYSCONFIG_PKI = "/etc/sysconfig/pki"
SYSCONFIG_PKI_CA_DIR = "/etc/sysconfig/pki-ca"
SYSCONFIG_PKI_TOMCAT = "/etc/sysconfig/pki-tomcat"
@@ -160,6 +171,8 @@ class BasePathNamespace(object):
NET = "/usr/bin/net"
BIN_NISDOMAINNAME = "/usr/bin/nisdomainname"
NSUPDATE = "/usr/bin/nsupdate"
+ ODS_KSMUTIL = "/usr/bin/ods-ksmutil"
+ ODS_SIGNER = "/usr/sbin/ods-signer"
OPENSSL = "/usr/bin/openssl"
PERL = "/usr/bin/perl"
PK12UTIL = "/usr/bin/pk12util"
@@ -169,6 +182,7 @@ class BasePathNamespace(object):
PKISILENT = "/usr/bin/pkisilent"
SETPASSWD = "/usr/bin/setpasswd"
SIGNTOOL = "/usr/bin/signtool"
+ SOFTHSM2_UTIL = "/usr/bin/softhsm2-util"
SSLGET = "/usr/bin/sslget"
SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys"
SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy"
@@ -176,18 +190,25 @@ class BasePathNamespace(object):
BIN_WGET = "/usr/bin/wget"
ZIP = "/usr/bin/zip"
BIND_LDAP_SO = "/usr/lib/bind/ldap.so"
+ BIND_LDAP_DNS_ZONE_WORKDIR = "/var/named/dyndb-ldap/ipa/master/"
USR_LIB_DIRSRV = "/usr/lib/dirsrv"
USR_LIB_SLAPD_INSTANCE_TEMPLATE = "/usr/lib/dirsrv/slapd-%s"
USR_LIB_SLAPD_PKI_IPA_DIR = "/usr/lib/dirsrv/slapd-PKI-IPA"
LIB_FIREFOX = "/usr/lib/firefox"
+ LIBSOFTHSM2_SO = "/usr/lib/pkcs11/libsofthsm2.so"
LIB_SYSTEMD_SYSTEMD_DIR = "/usr/lib/systemd/system/"
BIND_LDAP_SO_64 = "/usr/lib64/bind/ldap.so"
USR_LIB_DIRSRV_64 = "/usr/lib64/dirsrv"
USR_LIB_DIRSRV_SLAPD_INSTANCE_DIR_TEMPLATE = "/usr/lib64/dirsrv/slapd-%s"
SLAPD_PKI_IPA = "/usr/lib64/dirsrv/slapd-PKI-IPA"
LIB64_FIREFOX = "/usr/lib64/firefox"
+ LIBSOFTHSM2_SO_64 = "/usr/lib64/pkcs11/libsofthsm2.so"
DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
+ IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
+ IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
+ IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
HTTPD = "/usr/sbin/httpd"
@@ -196,6 +217,8 @@ class BasePathNamespace(object):
IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck"
IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab"
IPACTL = "/usr/sbin/ipactl"
+ NAMED = "/usr/sbin/named"
+ NAMED_PKCS11 = "/usr/sbin/named-pkcs11"
NTPD = "/usr/sbin/ntpd"
PKIDESTROY = "/usr/sbin/pkidestroy"
PKISPAWN = "/usr/sbin/pkispawn"
@@ -246,6 +269,9 @@ class BasePathNamespace(object):
IPA_CLIENT_SYSRESTORE = "/var/lib/ipa-client/sysrestore"
SYSRESTORE_INDEX = "/var/lib/ipa-client/sysrestore/sysrestore.index"
IPA_BACKUP_DIR = "/var/lib/ipa/backup"
+ IPA_DNSSEC_DIR = "/var/lib/ipa/dnssec"
+ DNSSEC_TOKENS_DIR = "/var/lib/ipa/dnssec/tokens"
+ DNSSEC_SOFTHSM_PIN = "/var/lib/ipa/dnssec/softhsm_pin"
IPA_CA_CSR = "/var/lib/ipa/ca.csr"
PKI_CA_PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"
REPLICA_INFO_TEMPLATE = "/var/lib/ipa/replica-info-%s"
@@ -296,6 +322,8 @@ class BasePathNamespace(object):
TOMCAT_SIGNEDAUDIT_DIR = "/var/log/pki/pki-tomcat/ca/signedAudit"
LOG_SECURE = "/var/log/secure"
NAMED_RUN = "/var/named/data/named.run"
+ VAR_OPENDNSSEC_DIR = "/var/opendnssec"
+ OPENDNSSEC_KASP_DB = "/var/opendnssec/kasp.db"
VAR_RUN_DIRSRV_DIR = "/var/run/dirsrv"
SVC_LIST_FILE = "/var/run/ipa/services.list"
IPA_MEMCACHED_DIR = "/var/run/ipa_memcached"
@@ -307,4 +335,5 @@ class BasePathNamespace(object):
ENTROPY_AVAIL = '/proc/sys/kernel/random/entropy_avail'
+
path_namespace = BasePathNamespace
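Review bot: `SYSOCNFIG_IPA_ODS_EXPORTER` in the third hunk is misspelled and breaks the `SYSCONFIG_*` naming that every neighbouring entry follows; rename it to `SYSCONFIG_IPA_ODS_EXPORTER = "/etc/sysconfig/ipa-ods-exporter"` before other code starts referencing the misspelt name. The same file also places a few new entries outside the path-sorted order the namespace otherwise keeps: `ODS_SIGNER` (/usr/sbin) sits among the /usr/bin tools, `BIND_LDAP_DNS_ZONE_WORKDIR` (/var/named) among /usr/lib, and `DNSSEC_KEYFROMLABEL` (/usr/sbin) among /usr/libexec. Several of the added paths name secret material (the two keytabs, `DNSSEC_SOFTHSM_PIN`, `DNSSEC_SOFTHSM_PIN_SO`); a short comment beside them, e.g. `# holds a secret; whatever creates it is expected to restrict ownership and mode`, would tell the installer code that later creates these files what is expected. The body of BasePathNamespace extends beyond every hunk shown.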
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 4861a5a4b..961c368e6 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -39,7 +39,7 @@ wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd',
- 'domainname']
+ 'domainname', 'named', 'ods_enforcerd', 'ods_signerd']
# The common ports for these services. This is used to wait for the
# service to become available.
@@ -158,6 +158,18 @@ class PlatformService(object):
def get_config_dir(self, instance_name=""):
return
+ def get_user_name(self, instance_name=""):
+ return
+
+ def get_group_name(self, instance_name=""):
+ return
+
+ def get_binary_path(self):
+ return
+
+ def get_package_name(self):
+ return
+
class SystemdService(PlatformService):
SYSTEMD_SRV_TARGET = "%s.target.wants"
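Review bot: The new `get_user_name` and `get_group_name` stubs take an `instance_name=""` parameter, but the overrides this same commit adds in ipaplatform/redhat/services.py (`RedHatNamedService`, `RedHatODSEnforcerdService`) are declared as `get_user_name(self)` with no such parameter, so a caller that passes `instance_name` through the base interface raises TypeError on those subclasses. Either drop the parameter from the base stubs so they match `get_binary_path`/`get_package_name`, or give the overrides the base signature, e.g. `def get_user_name(self, instance_name=""):`. The four stubs also return None without saying so; a one-line docstring such as `"""Return the system user this service runs as, or None when the platform does not define one."""` (and its counterparts for group, binary path and package name) would document the contract subclasses are expected to fill. PlatformService begins before this hunk.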
diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py
index 6d7e76dc5..b80a1b47a 100644
--- a/ipaplatform/redhat/paths.py
+++ b/ipaplatform/redhat/paths.py
@@ -22,12 +22,16 @@ This Red Hat OS family base platform module exports default filesystem paths as
common in Red Hat OS family-based systems.
'''
+import sys
+
# Fallback to default path definitions
from ipaplatform.base.paths import BasePathNamespace
class RedHatPathNamespace(BasePathNamespace):
- pass
+ # https://docs.python.org/2/library/platform.html#cross-platform
+ if sys.maxsize > 2**32:
+ LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64
paths = RedHatPathNamespace()
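Review bot: The `sys.maxsize > 2**32` test in the class body picks the lib64 SoftHSM module from the bitness of the Python interpreter, which is only a proxy for the bitness of the native process (`named-pkcs11`, per the other hunks) that will actually load the library; on an installation where the two differ the override could point at a file that does not exist. The comment cites the documentation but not the intent; replacing it with `# 64-bit interpreter: assume the 64-bit PKCS#11 module directory (lib64)` makes the assumption explicit, and checking that the chosen path exists at install time would catch the mismatch early.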
diff --git a/ipaplatform/redhat/services.py b/ipaplatform/redhat/services.py
index 76e123ebe..58ffebc48 100644
--- a/ipaplatform/redhat/services.py
+++ b/ipaplatform/redhat/services.py
@@ -65,6 +65,14 @@ redhat_system_units['pki_cad'] = redhat_system_units['pki-cad']
redhat_system_units['pki-tomcatd'] = 'pki-tomcatd@pki-tomcat.service'
redhat_system_units['pki_tomcatd'] = redhat_system_units['pki-tomcatd']
redhat_system_units['ipa-otpd'] = 'ipa-otpd.socket'
+redhat_system_units['ipa-dnskeysyncd'] = 'ipa-dnskeysyncd.service'
+redhat_system_units['named-regular'] = 'named.service'
+redhat_system_units['named-pkcs11'] = 'named-pkcs11.service'
+redhat_system_units['named'] = redhat_system_units['named-pkcs11']
+redhat_system_units['ods-enforcerd'] = 'ods-enforcerd.service'
+redhat_system_units['ods_enforcerd'] = redhat_system_units['ods-enforcerd']
+redhat_system_units['ods-signerd'] = 'ods-signerd.service'
+redhat_system_units['ods_signerd'] = redhat_system_units['ods-signerd']
# Service classes that implement Red Hat OS family-specific behaviour
@@ -201,6 +209,28 @@ class RedHatCAService(RedHatService):
self.wait_until_running()
+class RedHatNamedService(RedHatService):
+ def get_user_name(self):
+ return u'named'
+
+ def get_group_name(self):
+ return u'named'
+
+ def get_binary_path(self):
+ return paths.NAMED_PKCS11
+
+ def get_package_name(self):
+ return u"bind-pkcs11"
+
+
+class RedHatODSEnforcerdService(RedHatService):
+ def get_user_name(self):
+ return u'ods'
+
+ def get_group_name(self):
+ return u'ods'
+
+
# Function that constructs proper Red Hat OS family-specific server classes for
# services of specified name
@@ -213,6 +243,10 @@ def redhat_service_class_factory(name):
return RedHatSSHService(name)
if name in ('pki-cad', 'pki_cad', 'pki-tomcatd', 'pki_tomcatd'):
return RedHatCAService(name)
+ if name == 'named':
+ return RedHatNamedService(name)
+ if name in ('ods-enforcerd', 'ods_enforcerd'):
+ return RedHatODSEnforcerdService(name)
return RedHatService(name)
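Review bot: `redhat_service_class_factory` hands out `RedHatNamedService` only for the exact name `'named'`, while the first hunk also registers `'named-regular'` and `'named-pkcs11'` in `redhat_system_units`, so those two names fall through to the plain `RedHatService` and lose `get_user_name`/`get_binary_path`; the ODS branch, by contrast, accepts both spellings. If the aliases are meant to be usable, widen the check to `if name in ('named', 'named-regular', 'named-pkcs11'):`, keeping in mind that `get_binary_path` then returns `paths.NAMED_PKCS11` for `named-regular` as well, where `paths.NAMED` is presumably the intended binary. `RedHatODSEnforcerdService` inherits `get_binary_path` and `get_package_name` returning None, which may be deliberate but deserves a one-line comment saying so. The factory function begins outside this hunk.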