From 1836688dde1bbc746365f85b803a53afe7f83a47 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 2 Mar 2020 16:49:48 +0100 Subject: [PATCH 1/3] Support opendnssec 2.1.6 The installation of IPA DNS server is using ods-ksmutil, but openddnssec 2.1.6 does not ship any more /usr/bin/ods-ksmutil. The tool is replaced by /usr/sbin/ods-enforcer and /usr/sbin/ods-enforcer-db-setup. The master branch currently supports fedora 30+, but fedora 30 and 31 are still shipping opendnssec 1.4 while fedora 32+ is shipping opendnssec 2.1.6. Because of this, the code needs to check at run-time if the ods-ksmutil command is available. If the file is missing, the code falls back to the new ods-enforcer and ods-enforcer-db-setup commands. This commit defines paths.ODS_ENFORCER and paths.ODS_ENFORCER_DB_SETUP for all platforms, but the commands are used only if ods-ksmutil is not found. Fixes: https://pagure.io/freeipa/issue/8214 --- ipaplatform/base/paths.py | 4 ++-- ipaplatform/base/tasks.py | 6 ++++-- ipaplatform/debian/paths.py | 2 -- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index f3a95500e3..0efe8b5a90 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py @@ -190,8 +190,8 @@ class BasePathNamespace: NSUPDATE = "/usr/bin/nsupdate" ODS_KSMUTIL = "/usr/bin/ods-ksmutil" ODS_SIGNER = "/usr/sbin/ods-signer" - ODS_ENFORCER = None - ODS_ENFORCER_DB_SETUP = None + ODS_ENFORCER = "/usr/sbin/ods-enforcer" + ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup" OPENSSL = "/usr/bin/openssl" PK12UTIL = "/usr/bin/pk12util" SOFTHSM2_UTIL = "/usr/bin/softhsm2-util" diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py index 86617a07f5..d36039aa23 100644 --- a/ipaplatform/base/tasks.py +++ b/ipaplatform/base/tasks.py 
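Review bot: With `ODS_ENFORCER` and `ODS_ENFORCER_DB_SETUP` now set on every platform while `ODS_KSMUTIL` keeps its non-None default, a bare `is None` test on any of these constants no longer tells the two OpenDNSSEC generations apart. Any caller outside this patch that still branches only on `paths.ODS_KSMUTIL is not None` would keep choosing the 1.4 tool on a 2.1.6 host; none are visible here, so a search of the tree is worth doing. A comment above the three constants would record the contract, for example `# 1.4 ships ods-ksmutil, 2.x ships ods-enforcer*; callers must check which file exists at run time`.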
@@ -290,9 +290,11 @@ def unconfigure_dns_resolver(self, fstore=None): def run_ods_setup(self): """Initialize a new kasp.db """ - if paths.ODS_KSMUTIL is not None: + if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): + # OpenDNSSEC 1.4 cmd = [paths.ODS_KSMUTIL, 'setup'] else: + # OpenDNSSEC 2.x cmd = [paths.ODS_ENFORCER_DB_SETUP] return ipautil.run(cmd, stdin="y", runas=constants.ODS_USER) @@ -305,7 +307,7 @@ def run_ods_manager(self, params, **kwargs): """ assert params[0] != 'setup' - if paths.ODS_KSMUTIL is not None: + if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): # OpenDNSSEC 1.4 cmd = [paths.ODS_KSMUTIL] else: diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py index 764b5a2815..3a28c70ff4 100644 --- a/ipaplatform/debian/paths.py +++ b/ipaplatform/debian/paths.py @@ -67,8 +67,6 @@ class DebianPathNamespace(BasePathNamespace): SBIN_SERVICE = "/usr/sbin/service" CERTMONGER_COMMAND_TEMPLATE = "/usr/lib/ipa/certmonger/%s" ODS_KSMUTIL = None - ODS_ENFORCER = "/usr/sbin/ods-enforcer" - ODS_ENFORCER_DB_SETUP = "/usr/sbin/ods-enforcer-db-setup" UPDATE_CA_TRUST = "/usr/sbin/update-ca-certificates" BIND_LDAP_DNS_IPA_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/" BIND_LDAP_DNS_ZONE_WORKDIR = "/var/cache/bind/dyndb-ldap/ipa/master/" From 70acce828f46d9d6516b590a9b84d379359b8204 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Tue, 3 Mar 2020 08:00:58 +0100 Subject: [PATCH 3/3] Remove the from opendnssec conf In opendnssec 2.1.6, the element is not supported in the configuration file. Related: https://pagure.io/freeipa/issue/8214 --- install/share/opendnssec_conf.template | 2 +- ipaserver/install/opendnssecinstance.py | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/install/share/opendnssec_conf.template b/install/share/opendnssec_conf.template index 3d01fb4156..5658693ac3 100644 --- a/install/share/opendnssec_conf.template +++ b/install/share/opendnssec_conf.template 
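Review bot: The version probe `paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL)` is written out separately in run_ods_setup, in run_ods_manager (next hunk) and again in `__setup_conf_files` in patch 3/3, so the command that gets run and the generated configuration can drift apart if one copy is later edited. A single helper keeps the choice consistent, and testing for a regular executable file rather than bare existence also rejects a directory or a non-executable leftover at that path before the command is run as ODS_USER. When neither tool is installed, the `else` branch still invokes `paths.ODS_ENFORCER_DB_SETUP`, and the resulting error will name the 2.x binary even on a 1.4 platform. The patch adds no `import os` to tasks.py, so it relies on the module already importing it, which is not visible here. Both function bodies continue outside the hunks.

```python
def _ods_ksmutil_available():
    """Return True when the OpenDNSSEC 1.4 ods-ksmutil tool is installed."""
    ksmutil = paths.ODS_KSMUTIL
    return (
        ksmutil is not None
        and os.path.isfile(ksmutil)
        and os.access(ksmutil, os.X_OK)
    )

    def run_ods_setup(self):
        # … unchanged: docstring …
        if _ods_ksmutil_available():
            # OpenDNSSEC 1.4
            cmd = [paths.ODS_KSMUTIL, 'setup']
        # … unchanged: OpenDNSSEC 2.x branch and ipautil.run call …
```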
@@ -33,7 +33,7 @@ $KASP_DB - PT3600S + $INTERVAL diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index df39705a44..6354521b4e 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py @@ -179,6 +179,12 @@ def __setup_conf_files(self): # add pin to template sub_conf_dict = self.conf_file_dict sub_conf_dict['PIN'] = pin + if paths.ODS_KSMUTIL is not None and os.path.exists(paths.ODS_KSMUTIL): + # OpenDNSSEC 1.4 + sub_conf_dict['INTERVAL'] = 'PT3600S' + else: + # OpenDNSSEC 2.x + sub_conf_dict['INTERVAL'] = '' ods_conf_txt = ipautil.template_file( os.path.join(paths.USR_SHARE_IPA_DIR, "opendnssec_conf.template"),