Merge branch 'dns-dnssec-fix-dbmaster' into 'stable-3.1'

Till Brehm · Till Brehm · commit c92a4ee47ce5 · 2016-04-12T10:12:04.000+02:00
Fix: DNSSEC-Info not written back into master DB

adds some permissions for slave servers to DB and enables the slave to write back it's dnssec-info into the master db

See merge request !312
diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php
@@ -658,6 +658,15 @@ public function grant_master_database_rights($verbose = false) {
 				if(!$this->dbmaster->query($query, $value['db'] . '.mail_backup', $value['user'], $host)) {
 					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
 				}
+				
+				$query = "GRANT SELECT, UPDATE(`dnssec_initialized`, `dnssec_info`, `dnssec_last_signed`) ON ?? TO ?@?";
+				if ($verbose){
+					echo $query ."\n";
+				}
+				if(!$this->dbmaster->query($query, $value['db'] . '.dns_soa', $value['user'], $host)) {
+					$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);
+				}
+
 			}
 
 		}
diff --git a/server/lib/classes/cron.d/550-bind_dnssec.inc.php b/server/lib/classes/cron.d/550-bind_dnssec.inc.php
@@ -68,14 +68,13 @@ public function onRunJob() {
 		
 		//TODO : change this when distribution information has been integrated into server record
 		$filespre = (file_exists('/etc/gentoo-release')) ? 'pri/' : 'pri.';
-		
-		$soas = $app->db->queryAllRecords('SELECT * FROM dns_soa WHERE dnssec_wanted=\'Y\' AND dnssec_initialized=\'Y\' AND dnssec_last_signed < '.(time()-(3600*24*5)+900)); //Resign zones every 5 days (expiry is 16 days so we have enough safety, 15 minutes tolerance)
-		
+		$soas = $app->db->queryAllRecords('SELECT `id`,`serial`,`origin` FROM dns_soa WHERE server_id=? AND active=\'Y\' AND dnssec_wanted=\'Y\' AND dnssec_initialized=\'Y\' AND (dnssec_last_signed < ? OR dnssec_last_signed > ?)', intval($conf['server_id']), time()-(3600*24*5)+900, time()+900); //Resign zones every 5 days (expiry is 16 days so we have enough safety, 15 minutes tolerance)
+
 		foreach ($soas as $data) {
 			$domain = substr($data['origin'], 0, strlen($data['origin'])-1);
-			if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) return false;
+			if (!file_exists($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain)) continue;
 			
-			$app->log('DNSSEC Auto-Resign: Touching zone '.$domain, LOGLEVEL_INFO);
+			$app->log('DNSSEC Auto-Resign: Touching zone '.$domain, LOGLEVEL_DEBUG);
 			$app->db->datalogUpdate('dns_soa', array("serial" => $this->increase_serial($data['serial'])), 'id', $data['id']);
 		}
 		
diff --git a/server/plugins-available/bind_plugin.inc.php b/server/plugins-available/bind_plugin.inc.php
@@ -95,6 +95,7 @@ function soa_dnssec_create(&$data) {
 		//* Check Entropy
 		if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 400) {
 			$app->log('DNSSEC ERROR: We are low on entropy. Not generating new Keys for '.$domain.'. Please consider installing package haveged.', LOGLEVEL_WARN);
+			echo "DNSSEC ERROR: We are low on entropy. Not generating new Keys for $domain. Please consider installing package haveged.\n";
 			return false;
 		}
 		
@@ -157,7 +158,8 @@ function soa_dnssec_sign(&$data) {
 			$dnssecdata .= file_get_contents($keyfile)."\n\n";
 		}
 		
-		$app->db->query('UPDATE dns_soa SET dnssec_info=\''.$dnssecdata.'\', dnssec_initialized=\'Y\', dnssec_last_signed=\''.time().'\' WHERE id='.$data['new']['id']);
+		if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id']));
+		$app->db->query('UPDATE dns_soa SET dnssec_info=?, dnssec_initialized=\'Y\', dnssec_last_signed=? WHERE id=?', $dnssecdata, intval(time()), intval($data['new']['id']));
 	}
 	
 	function soa_dnssec_update(&$data, $new=false) {
@@ -178,12 +180,13 @@ function soa_dnssec_update(&$data, $new=false) {
 		//* Check for available entropy
 		if (file_get_contents('/proc/sys/kernel/random/entropy_avail') < 200) {
 			$app->log('DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.', LOGLEVEL_ERR);
+			echo "DNSSEC ERROR: We are low on entropy. This could cause server script to fail. Please consider installing package haveged.\n";
 			return false;
 		}
 		
 		if (!$new && !file_exists($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.')) $this->soa_dnssec_create($data);
 		
-		$dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id='.$data['new']['id']);
+		$dbdata = $app->db->queryOneRecord('SELECT id,serial FROM dns_soa WHERE id=?', intval($data['new']['id']));
 		exec('cd '.escapeshellcmd($dns_config['bind_zonefiles_dir']).';'.
 			 'named-checkzone '.escapeshellcmd($domain).' '.escapeshellcmd($dns_config['bind_zonefiles_dir']).'/'.$filespre.escapeshellcmd($domain).' | egrep -ho \'[0-9]{10}\'', $serial, $retState);
 		if ($retState != 0) {
@@ -212,7 +215,8 @@ function soa_dnssec_delete(&$data) {
 		unlink($dns_config['bind_zonefiles_dir'].'/'.$filespre.$domain.'.signed');
 		unlink($dns_config['bind_zonefiles_dir'].'/dsset-'.$domain.'.');
 		
-		$app->db->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id='.$data['new']['id']);
+		if ($app->dbmaster !== $app->db) $app->dbmaster->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));
+		$app->db->query('UPDATE dns_soa SET dnssec_info=\'\', dnssec_initialized=\'N\' WHERE id=?', intval($data['new']['id']));
 	}
 
 	function soa_insert($event_name, $data) {

Original file line number	Diff line number	Diff line change
`@@ -658,6 +658,15 @@ public function grant_master_database_rights($verbose = false) {`
`658`	`658`	`if(!$this->dbmaster->query($query, $value['db'] . '.mail_backup', $value['user'], $host)) {`
`659`	`659`	`$this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);`
`660`	`660`	`}`
	`661`	`+`
	`662`	+ $query = "GRANT SELECT, UPDATE(`dnssec_initialized`, `dnssec_info`, `dnssec_last_signed`) ON ?? TO ?@?";
	`663`	`+ if ($verbose){`
	`664`	`+ echo $query ."\n";`
	`665`	`+ }`
	`666`	`+ if(!$this->dbmaster->query($query, $value['db'] . '.dns_soa', $value['user'], $host)) {`
	`667`	`+ $this->warning('Unable to set rights of user in master database: '.$value['db']."\n Query: ".$query."\n Error: ".$this->dbmaster->errorMessage);`
	`668`	`+ }`
	`669`	`+`
`661`	`670`	`}`
`662`	`671`
`663`	`672`	`}`