net-dns/opendnssec: Initial import of opendnssec for sunrise, for bug 304733

svn path=/sunrise/; revision=10607
author: Tom Hendrikx (whyscream) <tom@whyscream.net> 2010-05-27 21:38:15 +0000
committer: Tom Hendrikx (whyscream) <tom@whyscream.net> 2010-05-27 21:38:15 +0000
commit: d469c95ab6a16940433df6e2b135b454939c7162 (patch)
tree: 48aa783b4ec018bef1511d46ce2e5d374f5dd219 /net-dns
parent: dev-ruby/dnsruby: version bump (diff)
download: sunrise-reviewed-d469c95ab6a16940433df6e2b135b454939c7162.tar.gz
sunrise-reviewed-d469c95ab6a16940433df6e2b135b454939c7162.tar.bz2
sunrise-reviewed-d469c95ab6a16940433df6e2b135b454939c7162.zip
6 files changed, 315 insertions, 0 deletions
diff --git a/net-dns/opendnssec/ChangeLog b/net-dns/opendnssec/ChangeLog
new file mode 100644
index 000000000..95e075599
--- /dev/null
+++ b/net-dns/opendnssec/ChangeLog
@@ -0,0 +1,9 @@
+# ChangeLog for net-dns/opendnssec
+# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
+# $Header: $
+
+  27 May 2010; Tom Hendrikx (whyscream) <tom@whyscream.net>
+  +opendnssec-1.1.0.ebuild, +files/opendnssec-1.1.0-drop-privileges.patch,
+  +files/opendnssec.initd, +metadata.xml:
+  Initial import of opendnssec for sunrise, for bug 304733
+
diff --git a/net-dns/opendnssec/Manifest b/net-dns/opendnssec/Manifest
new file mode 100644
index 000000000..0c2b7f115
--- /dev/null
+++ b/net-dns/opendnssec/Manifest
@@ -0,0 +1,6 @@
+AUX opendnssec-1.1.0-drop-privileges.patch 906 RMD160 c7e5f09d08c7431fbe0d5496e980f1468de5185a SHA1 875529fd365e9168f4a34334c884e01b670974d3 SHA256 faecb049748efab2652b890020106748039dbe7022d943393ac50b71b429b340
+AUX opendnssec.initd 2265 RMD160 296d822cd309da1275ea09bafe9702b562693e2e SHA1 0efe005d47d9cd169d460f4eab30582e067ac02b SHA256 48af26aa5508e1fe282097f7aa32358169f6cacc7b8d4d061d64120ec168e140
+DIST opendnssec-1.1.0.tar.gz 2205923 RMD160 ed671c275682298a3d4e4b5764877a1c9544260f SHA1 8ee63ab38164d691dfa05fb09c3ffaa1f663c614 SHA256 bbb56ae56d3ebe7a852e1874f0692da1dbd1f4e67e10972f4b2a3e706978b651
+EBUILD opendnssec-1.1.0.ebuild 5170 RMD160 6d652caf76f9079fd874240e31aafcd36ea57b30 SHA1 9d8e9b14862dc24cd0615bc86d6fd819854f30c7 SHA256 5d29d9b4f5286458a23b1a01d96582f890a16a35813bef91bae00137496f071e
+MISC ChangeLog 356 RMD160 f77a94b07e49a0cc58c9b5ded58dbf99dde1f38c SHA1 5d6bfd7ae4bc12fcc24f8351a72242f43c82df3f SHA256 e41ff62e7ff3a2705301533a1416ecae94a96f87297875ed550de4161badf12f
+MISC metadata.xml 786 RMD160 fff11866a0fc467c76935cfe910aed11204b089a SHA1 ad56f8db0cd091e3e55b5c0cbe0e8e711fd3845c SHA256 ceec09698b9c66b84fe8f264212ffed5b5d703069e117de1a8db41fb7905a0d1
diff --git a/net-dns/opendnssec/files/opendnssec-1.1.0-drop-privileges.patch b/net-dns/opendnssec/files/opendnssec-1.1.0-drop-privileges.patch
new file mode 100644
index 000000000..7c9f72355
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec-1.1.0-drop-privileges.patch
@@ -0,0 +1,43 @@
+Index: conf/conf.xml.in
+===================================================================
+--- conf/conf.xml.in	(revision 3022)
++++ conf/conf.xml.in	(working copy)
+@@ -38,12 +38,10 @@
+ 	</Common>
+ 
+ 	<Enforcer>
+-<!--
+ 		<Privileges>
+ 			<User>opendnssec</User>
+ 			<Group>opendnssec</Group>
+ 		</Privileges>
+--->
+ 
+ 		<Datastore><SQLite>@OPENDNSSEC_STATE_DIR@/kasp.db</SQLite></Datastore>
+ 		<Interval>PT3600S</Interval>
+@@ -56,12 +54,10 @@
+ 	</Enforcer>
+ 
+ 	<Signer>
+-<!--
+ 		<Privileges>
+ 			<User>opendnssec</User>
+ 			<Group>opendnssec</Group>
+ 		</Privileges>
+--->
+ 
+ 		<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory>
+ 		<WorkerThreads>8</WorkerThreads>
+@@ -80,12 +76,10 @@
+ 	</Signer>
+ 
+ 	<Auditor>
+-<!--
+ 		<Privileges>
+ 			<User>opendnssec</User>
+ 			<Group>opendnssec</Group>
+ 		</Privileges>
+--->
+ 
+ 		<WorkingDirectory>@OPENDNSSEC_STATE_DIR@/tmp</WorkingDirectory>
+ 	</Auditor>
diff --git a/net-dns/opendnssec/files/opendnssec.initd b/net-dns/opendnssec/files/opendnssec.initd
new file mode 100644
index 000000000..0e646a864
--- /dev/null
+++ b/net-dns/opendnssec/files/opendnssec.initd
@@ -0,0 +1,93 @@
+#!/sbin/runscript
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+# for openrc
+description="An open-source turn-key solution for DNSSEC"
+
+checkconf_binary=/usr/bin/ods-kaspcheck
+signerd_binary=/usr/sbin/ods-signer
+signerd_pidfile=/var/lib/run/opendnssec/signerd.pid
+enforcerd_binary=/usr/sbin/ods-enforcerd
+enforcerd_pidfile=/var/lib/run/opendnssec/enforcerd.pid
+eppclientd_binary=/usr/sbin/eppclientd
+eppclientd_pidfile=/var/lib/run/opendnssec/eppclientd.pid
+
+depend() {
+	need net
+	use logger
+}
+
+checkconfig() {
+	if [ -x "${checkconf_binary}" ]; then
+		output=$(${checkconf_binary})
+		echo $output
+
+		errors=$(echo $output | grep ERROR | wc -l)
+		if [ $errors -gt 0 ]; then
+			ewarn "$errors error(s) found in OpenDNSSEC configuration."
+		fi
+		return $errors
+	fi
+	return
+}
+
+start_signerd() {
+	ebegin "Starting OpenDNSSEC Signer"
+	start-stop-daemon --start --exec "${signerd_binary}" --pidfile "${signerd_pidfile}" -- start > /dev/null
+	eend $?
+}
+
+stop_signerd() {
+	ebegin "Stopping OpenDNSSEC Signer"
+	start-stop-daemon --stop --exec "${signerd_binary}" --pidfile "${signerd_pidfile}" -- stop > /dev/null
+	eend $?
+}
+
+start_enforcerd() {
+	ebegin "Starting OpenDNSSEC Enforcer"
+	start-stop-daemon --start --exec "${enforcerd_binary}" --pidfile "${enforcerd_pidfile}" > /dev/null
+	eend $?
+}
+
+stop_enforcerd() {
+	ebegin "Stopping OpenDNSSEC Enforcer"
+	start-stop-daemon --stop --exec "${enforcerd_binary}" --pidfile "${enforcerd_pidfile}" > /dev/null
+	eend $?
+}
+
+start_eppclientd() {
+	if [ -x "${eppclientd_binary}" ]; then
+		ebegin "Starting OpenDNSSEC Eppclient"
+		start-stop-daemon --start --exec "${eppclientd_binary}" --pidfile "${eppclientd_pidfile}" > /dev/null
+		eend $?
+	fi
+}
+
+stop_eppclientd() {
+	if [ -f "${eppclientd_pidfile}" ]; then
+		ebegin "Stopping OpenDNSSEC Eppclient"
+		start-stop-daemon --stop --exec "${eppclientd_binary}" --pidfile "${eppclientd_pidfile}" > /dev/null
+		eend $?
+	fi
+}
+
+start() {
+	checkconfig || return $?
+	start_signerd || return $?
+	start_enforcerd || return $?
+	start_eppclientd || return $?
+}
+
+stop() {
+	stop_enforcerd || return $?
+	stop_signerd || return $?
+	stop_eppclientd || return $?
+}
+
+restart() {
+	checkconfig || return $?
+	svc_stop
+	svc_start
+}
diff --git a/net-dns/opendnssec/metadata.xml b/net-dns/opendnssec/metadata.xml
new file mode 100644
index 000000000..f1ee33352
--- /dev/null
+++ b/net-dns/opendnssec/metadata.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<herd>maintainer-wanted</herd>
+	<use>
+		<flag name='auditor'>Enables auditing capabilities for OpenDNSSEC</flag>
+		<flag name='eppclient'>Enables support for automatic submission of DNSSEC keys to an upstream epp server</flag>
+		<flag name='external-hsm'>Enables support for storing DNSSEC keys through an arbitrary non-portage PKCS#11 interface, specified through an environment variable</flag>
+		<flag name='opensc'>Enables support for storing DNSSEC keys through a <pkg>dev-libs/opensc</pkg> PKCS#11 interface</flag>
+		<flag name='softhsm'>Enables support for storing DNSSEC keys in a <pkg>dev-libs/softhsm</pkg> PKCS#11 object</flag>
+	</use>
+</pkgmetadata>
diff --git a/net-dns/opendnssec/opendnssec-1.1.0.ebuild b/net-dns/opendnssec/opendnssec-1.1.0.ebuild
new file mode 100644
index 000000000..1367fd82f
--- /dev/null
+++ b/net-dns/opendnssec/opendnssec-1.1.0.ebuild
@@ -0,0 +1,152 @@
+# Copyright 1999-2010 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: $
+
+EAPI=2
+
+inherit confutils eutils multilib
+
+DESCRIPTION="An open-source turn-key solution for DNSSEC"
+HOMEPAGE="http://www.opendnssec.org/"
+SRC_URI="http://www.opendnssec.org/files/source/${P}.tar.gz"
+LICENSE="BSD"
+
+SLOT="0"
+KEYWORDS="~amd64 ~x86"
+IUSE="+auditor debug eppclient external-hsm mysql opensc softhsm sqlite"
+# Test suite needs a preconfigured sqlite/mysql database
+RESTRICT="test"
+
+DEPEND=">=net-libs/ldns-1.6.4
+	dev-libs/libxml2
+	dev-python/4suite
+	auditor? ( dev-lang/ruby[ssl] dev-ruby/dnsruby )
+	eppclient? ( net-misc/curl )
+	mysql? ( >=virtual/mysql-5.0 )
+	opensc? ( dev-libs/opensc )
+	softhsm? ( dev-libs/softhsm )
+	sqlite? ( dev-db/sqlite:3 )"
+RDEPEND="${DEPEND}"
+
+PKCS11_LIB=""
+PKCS11_PATH=""
+
+check_pkcs11_setup() {
+	# PKCS#11 HSM's are often only available with proprietary drivers not available in portage.
+	# The following setup routine allows to build against these drivers.
+
+	if use softhsm; then
+		PKCS11_LIB=softhsm
+		PKCS11_PATH=/usr/$(get_libdir)/libsofthsm.so
+		einfo "Building with SoftHSM PKCS#11 library support."
+
+	elif use opensc; then
+		PKCS11_LIB=opensc
+		PKCS11_PATH=/usr/$(get_libdir)/opensc-pkcs11.so
+		einfo "Building with OpenSC PKCS#11 library support."
+
+	elif use external-hsm; then
+		# Use an arbitrary non-portage PKCS#11 library, set by an environment variable
+		if [ -n "$PKCS11_SOFTHSM" ]; then
+			# This is for testing, since it's the only actual library I have, set USE=softhsm instead.
+			PKCS11_LIB=softhsm
+			PKCS11_PATH="$PKCS11_SOFTHSM"
+
+		elif [ -n "$PKCS11_SCA6000" ]; then
+			PKCS11_LIB=sca6000
+			PKCS11_PATH="$PKCS11_SCA6000"
+
+		elif [ -n "$PKCS11_ETOKEN" ]; then
+			PKCS11_LIB=etoken
+			PKCS11_PATH="$PKCS11_ETOKEN"
+
+		elif [ -n "$PKCS11_NCIPHER" ]; then
+			PKCS11_LIB=ncipher
+			PKCS11_PATH="$PKCS11_NCIPHER"
+
+		elif [ -n "$PKCS11_AEPKEYPER" ]; then
+			PKCS11_LIB=aepkeyper
+			PKCS11_PATH="$PKCS11_AEPKEYPER"
+
+		else
+			ewarn "You enabled USE flag 'external-hsm' but did not specify a path to a PKCS#11"
+			ewarn "library. To set a path, set one of the following environment variables:"
+			ewarn "  for Sun Crypto Accelerator 6000, set: PKCS11_SCA6000=<path>"
+			ewarn "  for Aladdin eToken, set: PKCS11_ETOKEN=<path>"
+			ewarn "  for Thales/nCipher netHSM, set: PKCS11_NCIPHER=<path>"
+			ewarn "  for AEP Keyper, set: PKCS11_AEPKEYPER=<path>"
+			ewarn "Example:"
+			ewarn "  PKCS11_ETOKEN=\"/opt/etoken/lib/libeTPkcs11.so\" emerge -pv opendnssec"
+			ewarn "Note: For SoftHSM or OpenSC support, just enable the appropriate USE flag."
+			die "USE flag 'external-hsm' set but no PKCS#11 library path specified."
+		fi
+
+		elog "Building with external PKCS#11 library support ($PKCS11_LIB): $PKCS11_PATH ."
+	else
+		# Should never happen because of 'confutils_require_one softhsm opensc external-hsm'
+		die "No PKCS#11 library specified through USE flags."
+	fi
+}
+
+pkg_setup() {
+	if use eppclient; then
+		ewarn "Use of Eppclient is still considered experimental upstream."
+	fi
+
+	confutils_require_one mysql sqlite
+	confutils_require_one softhsm opensc external-hsm
+
+	check_pkcs11_setup
+
+	enewgroup opendnssec
+	enewuser opendnssec -1 -1 -1 opendnssec
+}
+
+src_prepare() {
+	# Patch removes xml comments from config file to enable privilege dropping by default
+	epatch "${FILESDIR}/${P}-drop-privileges.patch"
+}
+
+src_configure() {
+	# Values set by check_pkcs11_setup
+	local myconf="--with-pkcs11-${PKCS11_LIB}=${PKCS11_PATH}"
+
+	use mysql && myconf="$myconf --with-database-backend=mysql"
+	use sqlite && myconf="$myconf --with-database-backend=sqlite3"
+
+	econf $myconf \
+	$(use_enable auditor) \
+	$(use_enable debug timeshift) \
+	$(use_enable eppclient)
+}
+
+src_install() {
+	emake DESTDIR="${D}" install || die "emake install failed"
+
+	newinitd "${FILESDIR}"/opendnssec.initd opendnssec || die "newinitd failed"
+	dodoc KNOWN_ISSUES NEWS README || die "dodoc failed"
+	rm "${D}"/usr/share/opendnssec.spec || die "failed to remove spec file"
+
+	# Remove subversion tags from config files to avoid useless config updates
+	sed -i -e 's/<!-- \$Id:.* \$ -->//g' "${D}"/etc/opendnssec/* || die "sed failed for files in /etc/opendnssec"
+
+	# Set ownership of config files
+	fowners root:opendnssec /etc/opendnssec/{conf,kasp,zonelist,zonefetch}.xml || die "fowners failed for files in /etc/opendnssec"
+	if use eppclient; then
+		fowners root:opendnssec /etc/opendnssec/eppclientd.conf || die "fowners failed for /etc/opendnssec/eppclientd.conf"
+	fi
+
+	# Set ownership of working directories
+	fowners opendnssec:opendnssec /var/lib/opendnssec/{,signconf,signed,tmp} || die "fowners failed for dirs in /var/lib/opendnssec"
+}
+
+pkg_postinst() {
+	if use softhsm; then
+		elog "Please make sure that you create your softhsm database in a location readable"
+		elog "by the opendnssec user. You can set its location in ${ROOT}etc/softhsm.conf."
+		elog "Suggested configuration is:"
+		elog "  echo \"0:${ROOT}var/lib/opendnssec/softhsm_slot0.db\" >> ${ROOT}etc/softhsm.conf"
+		elog "  softhsm --init-token --slot 0 --label OpenDNSSEC"
+		elog "  chown opendnssec:opendnssec ${ROOT}var/lib/opendnssec/softhsm_slot0.db"
+	fi
+}
author	Tom Hendrikx (whyscream) <tom@whyscream.net>	2010-05-27 21:38:15 +0000
committer	Tom Hendrikx (whyscream) <tom@whyscream.net>	2010-05-27 21:38:15 +0000
commit	d469c95ab6a16940433df6e2b135b454939c7162 (patch)
tree	48aa783b4ec018bef1511d46ce2e5d374f5dd219 /net-dns
parent	dev-ruby/dnsruby: version bump (diff)
download	sunrise-reviewed-d469c95ab6a16940433df6e2b135b454939c7162.tar.gz sunrise-reviewed-d469c95ab6a16940433df6e2b135b454939c7162.tar.bz2 sunrise-reviewed-d469c95ab6a16940433df6e2b135b454939c7162.zip