Merge branch 'develop' into mandalg

opendnssec · Jul 22, 2016 · 8f8ac26 · 8f8ac26
2 parents ed5ace3 + faaf6aa
commit 8f8ac26
Show file tree

Hide file tree

Showing 264 changed files with 1,612 additions and 2,663 deletions.
diff --git a/.gitignore b/.gitignore
@@ -45,13 +45,14 @@ conf/signconf.xml
 conf/zonelist.xml
 enforcer/man/ods-enforcer.8
 enforcer/man/ods-enforcerd.8
-enforcer/man/ods-ksmutil.1
+enforcer/man/ods-enforcer-db-setup.8
 enforcer/man/ods-migrate.8
 enforcer/src/ods-enforcer
 enforcer/src/ods-enforcerd
 enforcer/src/ods-migrate
 enforcer/src/ods-enforcer-db-setup
 enforcer/src/ods-kaspcheck
+enforcer/src/utils/ods-kaspcheck.1
 libhsm/checks/conf-aepkeyper.xml
 libhsm/checks/conf-etoken.xml
 libhsm/checks/conf-multi.xml

diff --git a/Makefile.am b/Makefile.am
@@ -30,14 +30,14 @@ EXTRA_DIST =	$(srcdir)/LICENSE \
 
 install-data-hook:
 	$(INSTALL) -d $(DESTDIR)$(localstatedir)
-	$(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec
-	$(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/signer
-	$(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/enforcer
-	$(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/signconf
-	$(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/unsigned
-	$(INSTALL) -d $(DESTDIR)$(localstatedir)/opendnssec/signed
+	$(INSTALL) @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ -d $(DESTDIR)$(localstatedir)/opendnssec
+	$(INSTALL) @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ -d $(DESTDIR)$(localstatedir)/opendnssec/signer
+	$(INSTALL) @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ -d $(DESTDIR)$(localstatedir)/opendnssec/enforcer
+	$(INSTALL) @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ -d $(DESTDIR)$(localstatedir)/opendnssec/signconf
+	$(INSTALL) @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ -d $(DESTDIR)$(localstatedir)/opendnssec/unsigned
+	$(INSTALL) @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ -d $(DESTDIR)$(localstatedir)/opendnssec/signed
 	$(INSTALL) -d $(DESTDIR)$(localstatedir)/run
-	$(INSTALL) -d $(DESTDIR)$(localstatedir)/run/opendnssec
+	$(INSTALL) @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ -d $(DESTDIR)$(localstatedir)/run/opendnssec
 
 docs:
 	(cd libhsm; $(MAKE) doxygen)

diff --git a/NEWS b/NEWS
@@ -2,7 +2,11 @@
 * Enforce and signconf tasks are now scheduled individually per zone. Resign
   per policy.
 
-OpenDNSSEC 2.0.0 - 2016-07-07
+OpenDNSSEC 2.0.0-1
+
+* include db creation scripts in dist tarball needed for migration from 1.4.
+
+OpenDNSSEC 2.0.0
 
 * OpenDNSSEC-99: Skip "are you sure" messages. Add --force and -f flag to
   ods-enforcer-db-setup and hsmutil purge

diff --git a/common/log.c b/common/log.c
@@ -84,10 +84,8 @@ ods_log_init(const char *programname, int use_syslog, const char *targetname, in
 {
 #ifdef HAVE_SYSLOG_H
     int facility;
+    int error = 0;
 #endif /* HAVE_SYSLOG_H */
-    ods_log_verbose("[%s] switching log to %s verbosity %i (log level %i)",
-        log_str, use_syslog?"syslog":(targetname&&targetname[0]?targetname:"stderr"),
-        verbosity, verbosity+2);
     if(logfile && logfile != stderr) {
             ods_fclose(logfile);
     }
@@ -107,14 +105,22 @@ ods_log_init(const char *programname, int use_syslog, const char *targetname, in
         logging_to_syslog = 0;
     }
     if(use_syslog) {
-       facility = ods_log_get_facility(targetname);
+       facility = ods_log_get_facility(targetname, &error);
 #ifdef HAVE_OPENLOG_R
        openlog_r(programname, LOG_NDELAY, facility, &sdata);
 #else
        openlog(programname, LOG_NDELAY, facility);
 #endif
        log_ident = strdup(programname);
        logging_to_syslog = 1;
+       if (error == 1) {
+        ods_log_warning("[%s] syslog facility %s not supported, logging to "
+                   "log_daemon", log_str, targetname);
+       }
+       ods_log_verbose("[%s] switching log to %s verbosity %i (log level %i)",
+          log_str, use_syslog?"syslog":(targetname&&targetname[0]?targetname:"stderr"),
+          verbosity, verbosity+2);
+
        return;
     }
 #endif /* HAVE_SYSLOG_H */
@@ -131,6 +137,10 @@ ods_log_init(const char *programname, int use_syslog, const char *targetname, in
     } else {
         logfile = stderr;
     }
+    ods_log_verbose("[%s] switching log to %s verbosity %i (log level %i)",
+          log_str, use_syslog?"syslog":(targetname&&targetname[0]?targetname:"stderr"),
+          verbosity, verbosity+2);
+
 }
 
 int
@@ -160,7 +170,7 @@ ods_log_close(void)
  */
 #ifdef HAVE_SYSLOG_H
 int
-ods_log_get_facility(const char* facility)
+ods_log_get_facility(const char* facility, int* error)
 {
     int length;
 
@@ -203,8 +213,7 @@ ods_log_get_facility(const char* facility)
         return LOG_LOCAL6;
     else if (length == 6 && strncasecmp(facility, "LOCAL7", 6) == 0)
         return LOG_LOCAL7;
-    ods_log_warning("[%s] syslog facility %s not supported, logging to "
-                   "log_daemon", log_str, facility);
+    *error = 1;
     return LOG_DAEMON;
 
 }

diff --git a/common/log.h b/common/log.h
@@ -80,7 +80,7 @@ void ods_log_close(void);
  * \return int facility
  *
  */
-int ods_log_get_facility(const char* facility);
+int ods_log_get_facility(const char* facility, int* error);
 
 /**
  * Get the log level.

diff --git a/conf/Makefile.am b/conf/Makefile.am
@@ -44,16 +44,15 @@ regress: $(RNG)
 		(echo "kasp.xml built")
 
 install-data-hook:
-	test -d ${DESTDIR}${sysconfdir} || mkdir -p ${DESTDIR}${sysconfdir}
-	test -f ${DESTDIR}${sysconfdir}/conf.xml || \
-		${INSTALL_DATA} -m 0640 conf.xml ${DESTDIR}${sysconfdir}
-	${INSTALL_DATA} -m 640 conf.xml ${DESTDIR}${sysconfdir}/conf.xml.sample
+	test -d ${DESTDIR}${sysconfdir} || ${INSTALL_DATA} -m 0775 -d @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ ${DESTDIR}${sysconfdir}
+	test -f ${DESTDIR}${sysconfdir}/conf.xml || ( ${INSTALL_DATA} -m 0640 conf.xml @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ ${DESTDIR}${sysconfdir} ; if which >/dev/null xmlif ; then xmlif < ${DESTDIR}${sysconfdir}/conf.xml > ${DESTDIR}${sysconfdir}/conf.xml~ privdrop=@INSTALLATIONCOND@ ; else ${GREP} -v '^<?xmlif' < ${DESTDIR}${sysconfdir}/conf.xml > ${DESTDIR}${sysconfdir}/conf.xml~ ; fi ; cat < ${DESTDIR}${sysconfdir}/conf.xml~ > ${DESTDIR}${sysconfdir}/conf.xml ; rm ${DESTDIR}${sysconfdir}/conf.xml~ )
+	${INSTALL_DATA} -m 640 conf.xml ${DESTDIR}${sysconfdir}/conf.xml.sample ; ${GREP} -v '^<?xmlif' < ${DESTDIR}${sysconfdir}/conf.xml.sample > ${DESTDIR}${sysconfdir}/conf.xml.sample~ ; cat < ${DESTDIR}${sysconfdir}/conf.xml.sample~ > ${DESTDIR}${sysconfdir}/conf.xml.sample ; rm ${DESTDIR}${sysconfdir}/conf.xml.sample~
 	test -f ${DESTDIR}${sysconfdir}/addns.xml || \
-		${INSTALL_DATA} addns.xml ${DESTDIR}${sysconfdir}
+		${INSTALL_DATA} @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ addns.xml ${DESTDIR}${sysconfdir}
 	${INSTALL_DATA} addns.xml ${DESTDIR}${sysconfdir}/addns.xml.sample
 	test -f ${DESTDIR}${sysconfdir}/zonelist.xml || \
-		${INSTALL_DATA} zonelist.xml ${DESTDIR}${sysconfdir}
+		${INSTALL_DATA} @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ zonelist.xml ${DESTDIR}${sysconfdir}
 	${INSTALL_DATA} zonelist.xml ${DESTDIR}${sysconfdir}/zonelist.xml.sample
 	test -f ${DESTDIR}${sysconfdir}/kasp.xml || \
-		${INSTALL_DATA} kasp.xml ${DESTDIR}${sysconfdir}
+		${INSTALL_DATA} @INSTALLATIONUSERARG@ @INSTALLATIONGROUPARG@ kasp.xml ${DESTDIR}${sysconfdir}
 	${INSTALL_DATA} kasp.xml ${DESTDIR}${sysconfdir}/kasp.xml.sample
diff --git a/conf/conf.rnc b/conf/conf.rnc
@@ -81,10 +81,6 @@ start = element Configuration {
 		# Where to store internal Enforcer state
 		& element Datastore { (mysql | sqlite) }
 
-		# Interval between runs of the key rollover procedure
-		# This is no longer used in 2.0 and will be deprecated in 2.1
-		& element Interval { xsd:duration }?
-
 		# Use manual key generation?
 		& element ManualKeyGeneration { empty }?
 

diff --git a/conf/conf.xml.in b/conf/conf.xml.in
@@ -36,16 +36,12 @@
 	</Common>
 
 	<Enforcer>
-<!--
-		<Privileges>
-			<User>opendnssec</User>
-			<Group>opendnssec</Group>
-		</Privileges>
--->
+<?xmlif if condition privdrop="user|group|both"?>		<Privileges>
+<?xmlif fi?><?xmlif if condition privdrop="user|both"?>			<User>@INSTALLATIONUSER@</User>
+<?xmlif fi?><?xmlif if condition privdrop="group|both"?>			<Group>@INSTALLATIONGROUP@</Group>
+<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?>		</Privileges><?xmlif fi?>
 
 		<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
-		<!--The enforcer interval parameter is no long used in 2.0 and will be deprecated in 2.1 -->
-		<Interval>PT3600S</Interval>
 		<!-- <ManualKeyGeneration/> -->
 		<AutomaticKeyGenerationPeriod>P1Y</AutomaticKeyGenerationPeriod>
 		<!-- <RolloverNotification>P14D</RolloverNotification> -->
@@ -60,12 +56,10 @@
 	</Enforcer>
 
 	<Signer>
-<!--
-		<Privileges>
-			<User>opendnssec</User>
-			<Group>opendnssec</Group>
-		</Privileges>
--->
+<?xmlif if condition privdrop="user|group|both"?>		<Privileges>
+<?xmlif fi?><?xmlif if condition privdrop="user|both"?>			<User>@INSTALLATIONUSER@</User>
+<?xmlif fi?><?xmlif if condition privdrop="group|both"?>			<Group>@INSTALLATIONGROUP@</Group>
+<?xmlif fi?><?xmlif if condition privdrop="user|group|both"?>		</Privileges><?xmlif fi?>
 
 		<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/signer</WorkingDirectory>
 		<WorkerThreads>4</WorkerThreads>

diff --git a/configure.ac b/configure.ac
@@ -194,6 +194,43 @@ AH_BOTTOM([
 ])
 AM_CONDITIONAL([ENABLE_SIGNER], [test "${enable_signer}" = "yes"])
 
+INSTALLATIONCOND=""
+AC_ARG_ENABLE(installation-user,
+	AC_HELP_STRING([--enable-installation-user],
+		[Install for usage by specific user (default=disabled)]),
+		[enable_installationuser=$enableval],
+		[enable_installationuser="no"])
+AC_ARG_ENABLE(installation-group,
+	AC_HELP_STRING([--enable-installation-group],
+		[Install for usage by specific group (default=disabled)]),
+		[enable_installationgroup=$enableval],
+		[enable_installationgroup="no"])
+if test "x${enable_installationuser}" != "xno"; then
+	INSTALLATIONUSER="${enable_installationuser}"
+	INSTALLATIONUSERARG="-o${enable_installationuser}"
+	INSTALLATIONCOND="user"
+else
+	INSTALLATIONUSER=""
+	INSTALLATIONUSERARG=""
+fi
+if test "x${enable_installationgroup}" != "xno"; then
+	INSTALLATIONGROUP="${enable_installationgroup}"
+	INSTALLATIONGROUPARG="-g${enable_installationgroup}"
+	if test "x${enable_installationuser}" != "xno"; then
+		INSTALLATIONCOND="both"
+	else
+		INSTALLATIONCOND="group"
+	fi
+else
+	INSTALLATIONGROUP=""
+	INSTALLATIONGROUPARG=""
+fi
+AC_SUBST([INSTALLATIONGROUP])
+AC_SUBST([INSTALLATIONGROUPARG])
+AC_SUBST([INSTALLATIONUSER])
+AC_SUBST([INSTALLATIONUSERARG])
+AC_SUBST([INSTALLATIONCOND])
+
 # doxygen
 DX_PDF_FEATURE(OFF)
 DX_PS_FEATURE(OFF)
@@ -218,8 +255,10 @@ AC_CONFIG_FILES([
 	enforcer/man/Makefile
 	enforcer/src/db/test/Makefile
 	enforcer/man/ods-enforcer.8
+	enforcer/man/ods-enforcer-db-setup.8
 	enforcer/man/ods-enforcerd.8
-	enforcer/man/ods-ksmutil.1
+	enforcer/src/utils/Makefile
+	enforcer/src/utils/ods-kaspcheck.1
 	libhsm/Makefile
 	libhsm/src/Makefile
 	libhsm/src/bin/Makefile

diff --git a/enforcer/Makefile.am b/enforcer/Makefile.am
@@ -1,7 +1,7 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
 EXTRA_DIST = utils
-SUBDIRS = src man
+SUBDIRS = src man src/utils
 
 doxygen:
 	rm -fr $(top_builddir)/enforcer/doxygen-doc

diff --git a/enforcer/man/Makefile.am b/enforcer/man/Makefile.am
@@ -1,4 +1,3 @@
 MAINTAINERCLEANFILES = $(srcdir)/Makefile.in
 
-man1_MANS = ods-ksmutil.1
-man8_MANS = ods-enforcer.8 ods-enforcerd.8
+man8_MANS = ods-enforcer.8 ods-enforcerd.8 ods-enforcer-db-setup.8
diff --git a/enforcer/man/ods-enforcer-db-setup.8.in b/enforcer/man/ods-enforcer-db-setup.8.in
@@ -0,0 +1,52 @@
+.TH "ods-enforcer-db-setup" "8" "July 2016" "OpenDNSSEC" "OpenDNSSEC"
+.SH "NAME"
+.LP
+.B ods\-enforcer\-db\-setup
+\- OpenDNSSEC enforcer daemon initialization utility
+.SH "SYNOPSIS"
+.LP
+.B ods\-enforcer\-db\-setup
+.RB [ \-h ] 
+.RB [ \-f ] 
+.RB [ \-V ] 
+.P
+.SH "DESCRIPTION"
+.LP
+The ods\-enforcer\-db\-setup initializes the database used by the
+ods\-enforcerd.  It should be used with care since all existing information
+in the database schema will be deleted.  If you have existing zones stored
+in this database this means that you loose the information on which zones
+are signed with which keys.  Key material itself and signer information
+are not removed.
+.P
+ods\-enforcer\-db\-setup is part of the OpenDNSSEC software.  For more
+information, go to
+.B http://www.opendnssec.org
+and visit the Documentation page.
+.P
+.SH "OPTIONS"
+.LP
+.TP
+.B \-h
+Show this help.
+.TP
+.B \-f
+Do not ask for confirmation.
+.TP
+.B \-V
+Show version and exit.
+.P
+.SH "DIAGNOSTICS"
+.LP
+May log problems via standard syslog(8).
+.SH "SEE ALSO"
+.LP
+ods\-control(8), ods\-enforcer(8), ods\-signerd(8),
+ods\-signer(8), ods\-ksmutil(1), ods\-kasp(5),
+ods\-kaspcheck(1), ods\-timing(5), ods\-hsmspeed(1),
+ods\-hsmutil(1), opendnssec(7),
+.B http://www.opendnssec.org/
+.SH "AUTHORS"
+.LP
+.B ods\-enforcerd
+was written by NLnet Labs as part of the OpenDNSSEC project.
diff --git a/enforcer/man/ods-enforcer.8.in b/enforcer/man/ods-enforcer.8.in
@@ -220,9 +220,9 @@ will log all the problems via stderr.
 .SH "SEE ALSO"
 .LP
 ods\-control(8), ods\-enforcerd(8), ods\-signerd(8),
-ods\-signer(8), ods\-ksmutil(1), ods\-kasp(5), 
-ods\-kaspcheck(1), ods\-timing(5), ods\-hsmspeed(1),
-ods\-hsmutil(1), opendnssec(7),
+ods\-signer(8), ods\-kasp(5), ods\-kaspcheck(1),
+ods\-timing(5), ods\-hsmspeed(1), ods\-hsmutil(1),
+opendnssec(7),
 .B http://www.opendnssec.org/
 .SH "AUTHORS"
 .LP

diff --git a/enforcer/man/ods-enforcerd.8.in b/enforcer/man/ods-enforcerd.8.in
@@ -48,9 +48,9 @@ will log all the problems via standard syslog(8).
 .SH "SEE ALSO"
 .LP
 ods\-control(8), ods\-enforcer(8), ods\-signerd(8),
-ods\-signer(8), ods\-ksmutil(1), ods\-kasp(5),
-ods\-kaspcheck(1), ods\-timing(5), ods\-hsmspeed(1),
-ods\-hsmutil(1), opendnssec(7),
+ods\-signer(8), ods\-kasp(5), ods\-kaspcheck(1),
+ods\-timing(5), ods\-hsmspeed(1), ods\-hsmutil(1),
+opendnssec(7),
 .B http://www.opendnssec.org/
 .SH "AUTHORS"
 .LP

diff --git a/enforcer/man/ods-ksmutil.1.in b/enforcer/man/ods-ksmutil.1.in