author | Petr Spacek <pspacek@redhat.com> | 2015-12-15 15:22:45 +0100 |
committer | Martin Basti <mbasti@redhat.com> | 2016-01-07 14:13:23 +0100 |
commit | ddf7397a4beb8095a24981998461aecc0e1ec40d (patch) | |
tree | edbbc64f29207813f28ed959ef7a063f9f2d4fa0 /daemons | |
parent | 6bdc18d0c538c658ae6022b127bf5776436f68e7 (diff) | |
DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP
Key purging has to be done only after key metadata purging so
ipa-dnskeysyncd on replicas does not fail while dereferencing
non-existing keys.
https://fedorahosted.org/freeipa/ticket/5334
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'daemons')
-rwxr-xr-x | daemons/dnssec/ipa-ods-exporter | 45 |
1 files changed, 38 insertions, 7 deletions
diff --git a/daemons/dnssec/ipa-ods-exporter b/daemons/dnssec/ipa-ods-exporter
index 758b0d9a7..e169864e0 100755
--- a/daemons/dnssec/ipa-ods-exporter
+++ b/daemons/dnssec/ipa-ods-exporter
@@ -383,7 +383,10 @@ def master2ldap_master_keys_sync(log, ldapkeydb, localhsm):
     ldapkeydb.flush()
 def master2ldap_zone_keys_sync(log, ldapkeydb, localhsm):
-    # synchroniza zone keys
+    """add and update zone key material from local HSM to LDAP
+
+    No key material will be removed, only new keys will be added or updated.
+    Key removal is hanled by master2ldap_zone_keys_purge()."""
     log = log.getChild('master2ldap_zone_keys')
     keypairs_ldap = ldapkeydb.zone_keypairs
     log.debug("zone keys in LDAP: %s", hex_set(keypairs_ldap))
@@ -392,10 +395,10 @@ def master2ldap_zone_keys_sync(log, ldapkeydb, localhsm):
     privkeys_local = localhsm.zone_privkeys
     log.debug("zone keys in local HSM: %s", hex_set(privkeys_local))
-    assert set(pubkeys_local) == set(privkeys_local), \
-        "IDs of private and public keys for DNS zones in local HSM does " \
-        "not match to key pairs: %s vs. %s" % \
-        (hex_set(pubkeys_local), hex_set(privkeys_local))
+    assert set(pubkeys_local) == set(privkeys_local), (
+        "IDs of private and public keys for DNS zones in local HSM does "
+        "not match to key pairs: %s vs. %s" %
+        (hex_set(pubkeys_local), hex_set(privkeys_local)))
     new_keys = set(pubkeys_local) - set(keypairs_ldap)
     log.debug("new zone keys in local HSM: %s", hex_set(new_keys))
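Review bot: The new docstring on master2ldap_zone_keys_sync has a typo in its last sentence; it should read `Key removal is handled by master2ldap_zone_keys_purge().`, and per PEP 257 the summary line would normally be a capitalised sentence ending in a period, e.g. `"""Add and update zone key material from local HSM to LDAP.`. The body of master2ldap_zone_keys_sync continues outside both hunks.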
@@ -416,6 +419,29 @@ def master2ldap_zone_keys_sync(log, ldapkeydb, localhsm):
     sync_set_metadata_2ldap(log, privkeys_local, keypairs_ldap)
     ldapkeydb.flush()
+def master2ldap_zone_keys_purge(log, ldapkeydb, localhsm):
+    """purge removed key material from LDAP (but not metadata)
+
+    Keys which are present in LDAP but not in local HSM will be removed.
+    Key metadata must be removed first so references to removed key material
+    are removed before actually removing the keys."""
+    keypairs_ldap = ldapkeydb.zone_keypairs
+    log.debug("zone keys in LDAP: %s", hex_set(keypairs_ldap))
+
+    pubkeys_local = localhsm.zone_pubkeys
+    privkeys_local = localhsm.zone_privkeys
+    log.debug("zone keys in local HSM: %s", hex_set(privkeys_local))
+    assert set(pubkeys_local) == set(privkeys_local), \
+        "IDs of private and public keys for DNS zones in local HSM does " \
+        "not match to key pairs: %s vs. %s" % \
+        (hex_set(pubkeys_local), hex_set(privkeys_local))
+
+    deleted_key_ids = set(keypairs_ldap) - set(pubkeys_local)
+    log.debug("zone keys deleted from local HSM but present in LDAP: %s",
+              hex_set(deleted_key_ids))
+    for zkey_id in deleted_key_ids:
+        keypairs_ldap[zkey_id].schedule_deletion()
+    ldapkeydb.flush()
 def hex_set(s):
     out = set()
@@ -595,7 +621,7 @@ ldap.gssapi_bind()
 log.debug('Connected')
-### DNSSEC master: key synchronization
+### DNSSEC master: key material upload & synchronization (but not deletion)
 ldapkeydb = LdapKeyDB(log, ldap, DN(('cn', 'keys'), ('cn', 'sec'), ipalib.api.env.container_dns, ipalib.api.env.basedn))
@@ -607,7 +633,7 @@ master2ldap_master_keys_sync(log, ldapkeydb, localhsm)
 master2ldap_zone_keys_sync(log, ldapkeydb, localhsm)
-### DNSSEC master: DNSSEC key metadata upload
+### DNSSEC master: DNSSEC key metadata upload & synchronization & deletion
 # command receive is delayed so the command will stay in socket queue until
 # the problem with LDAP server or HSM is fixed
 try:
@@ -661,6 +687,11 @@ try:
     for zone_row in db.execute("SELECT name FROM zones"):
         sync_zone(log, ldap, dns_dn, zone_row['name'])
+    ### DNSSEC master: DNSSEC key material purging
+    # references to old key material were removed above in sync_zone()
+    # so now we can purge old key material from LDAP
+    master2ldap_zone_keys_purge(log, ldapkeydb, localhsm)
+
 except Exception as ex:
     msg = "ipa-ods-exporter exception: %s" % traceback.format_exc(ex)
     log.exception(ex)
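Review bot: master2ldap_zone_keys_purge relies on an `assert` to stop when the local HSM's public and private key sets disagree, but asserts are stripped under `python -O`, and this is the function that schedules deletion of key material from LDAP, so the consistency check should raise explicitly rather than depend on assertion mode. The same check is copy-pasted from master2ldap_zone_keys_sync, in the backslash-continuation style the earlier hunk just replaced with parentheses; a shared helper would keep the two in step. Separately, if `localhsm.zone_pubkeys` comes back empty (for instance an unreadable token), `deleted_key_ids` becomes every key in LDAP; whether an empty HSM view is ever a legitimate state here is not visible in the hunk, so refusing to purge in that case is worth considering. The call site in the last hunk sits inside the script's top-level `try:`/`except Exception` block, so a raised error would be logged there rather than lost.

```python
def master2ldap_zone_keys_purge(log, ldapkeydb, localhsm):
    # … unchanged: docstring, LDAP/HSM key listing and debug logging …
    if set(pubkeys_local) != set(privkeys_local):
        raise RuntimeError(
            "IDs of private and public keys for DNS zones in local HSM does "
            "not match to key pairs: %s vs. %s" %
            (hex_set(pubkeys_local), hex_set(privkeys_local)))
    # … unchanged: deleted_key_ids computation, schedule_deletion loop, flush …
```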
@@ -661,6 +687,11 @@ try: for zone_row in db.execute("SELECT name FROM zones"): sync_zone(log, ldap, dns_dn, zone_row['name']) + ### DNSSEC master: DNSSEC key material purging + # references to old key material were removed above in sync_zone() + # so now we can purge old key material from LDAP + master2ldap_zone_keys_purge(log, ldapkeydb, localhsm) + except Exception as ex: msg = "ipa-ods-exporter exception: %s" % traceback.format_exc(ex) log.exception(ex) |