#!/usr/pkg/bin/perl -w 
use strict;

use File::Copy;
use File::Basename;

# dnssec-copyprivate
# Author Olaf M. Kolkman
# Documentation is contained herein; use perldoc to view it.

# $Id: dnssecmaint-copyprivate,v 1.7 2004/06/29 15:17:16 olaf Exp $

# Set at compile time so the "is the key module available" check further
# down can run before anything else in the script happens.
my $_KEY_MODULE_LOADED;

BEGIN {
    # require() dies when the module is missing; fold that into a 0/1 flag.
    $_KEY_MODULE_LOADED = eval { require Net::DNS::SEC::Maint::Key; 1 } ? 1 : 0;
}


use Log::Log4perl qw(get_logger :levels);

use Getopt::Std;

# Version string derived from the RCS revision keyword: the first number is
# the major part, every further number is zero-padded to three digits and
# appended after a single dot (revision 1.7 becomes "1.007").
my $VERSION = do {
    my ($major, @minor) = (q$Revision: 1.7 $ =~ /\d+/g);
    sprintf '%d.%s', $major, join('', map { sprintf '%03d', $_ } @minor);
};

# Refuse to run without the key module; the flag is set in the BEGIN block above.
die "This program only works if Net::DNS::SEC::Maint::Key is installed "
    unless $_KEY_MODULE_LOADED;





# Fallback Log4perl configuration, used only when no system-wide
# log4perl.conf exists (see the init selection below).  Note that the
# Logfile appender writes to the relative path "test.log", i.e. into
# whatever directory the tool happens to be started from.
my $default_log4perl_conf = q{
    log4perl.category.MAINTKEYDB         = INFO, Logfile, Screen

    log4perl.appender.Logfile          = Log::Log4perl::Appender::File
    log4perl.appender.Logfile.filename = test.log
    log4perl.appender.Logfile.layout   = Log::Log4perl::Layout::PatternLayout
    log4perl.appender.Logfile.layout.ConversionPattern = [%r] %F %L %m%n

    log4perl.appender.Screen         = Log::Log4perl::Appender::Screen
    log4perl.appender.Screen.stderr  = 0
    log4perl.appender.Screen.layout = Log::Log4perl::Layout::SimpleLayout
  };



#
# Pick the logging configuration: the first system-wide log4perl.conf that
# exists wins, otherwise fall back to the built-in default string above.
#
LOG_CONF: {
    for my $conf_file ("/usr/local/etc/log4perl.conf", "/etc/log4perl.conf") {
        next if ! -f $conf_file;
        Log::Log4perl::init($conf_file);
        last LOG_CONF;
    }
    Log::Log4perl::init(\$default_log4perl_conf);
}








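my $zonename    = shift;
my $destination = shift;

# Both arguments are mandatory; without them the -d test below would run
# against undef and the key database would be queried for an undef zone.
die "usage: $0 <zonename> <destination-directory>\n"
    if !defined $zonename || !defined $destination;
die "Destination is not a directory" if ! -d $destination;

# Key database handle; the constructor argument is passed through as-is.
my $keydb = Net::DNS::SEC::Maint::Key->new(1);
my @keys  = $keydb->get_active_zone($zonename);

# The copied keys are handed to the maintenance group; resolve it once.
# getgrnam on an undef name only warns and returns undef, so guard it
# explicitly rather than rely on the warning.
my $maintgroup = $keydb->getconf("maintgroup");
my $gid = defined $maintgroup ? scalar getgrnam($maintgroup) : undef;
if (!defined $gid) {
    $maintgroup = '' if !defined $maintgroup;
    print STDERR "    " . $maintgroup . " is an unknown group\n";
    print STDERR "    Please add the group to /etc/group or modify your dnssecmaint configuration\n";
    # Nothing has been copied: exit non-zero so wrappers and cron jobs notice.
    exit 1;
}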



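# Copy the file $src into directory $dest_dir and hand the copy to group
# $gid with the octal-string $mode.  If chown or chmod fails the partial
# copy is removed before dying, so a key with the wrong ownership or
# permissions never lingers in $dest_dir.
sub _install_key_file {
    my ($src, $dest_dir, $gid, $mode) = @_;
    my $base   = basename($src);
    my $target = $dest_dir . "/" . $base;

    copy($src, $dest_dir)
        or die "Can't copy $src to $dest_dir: $!";

    # -1 keeps the current owner; only the group is changed.
    if (!chown(-1, $gid, $target)) {
        unlink($target);
        die "Can't change group of $target to $gid: $!";
    }
    if (!chmod(oct($mode), $target)) {
        unlink($target);
        die "Can't change file permissions on $base to $mode: $!";
    }
    return;
}

# Install every active key pair of the zone.  Each key's private half
# (".private") is copied first, then its public half (".key", same
# basename); both end up group-owned by $gid with mode 0660 so that
# members of the maintenance group can read them.
#
# The umask is tightened while copying: File::Copy creates the target with
# the process umask before we get to chmod it, and a permissive caller
# umask (e.g. 022) would leave the private key world-readable during that
# window.
my $key_mode  = "0660";
my $old_umask = umask 0077;
foreach my $keyobj (@keys) {
    my $private_key = $keyobj->get_keypath;
    # Public half: same path with the trailing "private" replaced by "key".
    (my $public_key = $private_key) =~ s/private$/key/;

    _install_key_file($private_key, $destination, $gid, $key_mode);
    _install_key_file($public_key,  $destination, $gid, $key_mode);
}
umask $old_umask;

1;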

__END__;



=head1 NAME

    dnssec-copyprivate - Copy the private zone signing keys for a zone
    to another directory.

=head1 SYNOPSIS

    dnssec-copyprivate  example.foo.  /path/dynamiczones/


=head1 DESCRIPTION

A BIND server that is configured for dynamic updates will need its
private keys on-line. If one wants to use the tools from Net::DNS::SEC::Maint
to occasionally re-sign dynamic zones, one will need to copy the private
keys from the key database to a directory where the BIND nameserver can
find them.

This tool will fetch the 'active' key pairs from the key database and
copy them to the directory specified.



=head1 CONFIGURATION

This tool needs access to the dnssecmaint configuration file. If
DNSSECMAINT_CONFFILE does not contain the full path to the configuration
file, the default location (/usr/local/etc/dnssecmaint.conf) is used.


=head1 COPYRIGHT

Copyright (c) 2001  RIPE NCC.  Author Olaf M. Kolkman

All Rights Reserved

Permission to use, copy, modify, and distribute this software and its
documentation for any purpose and without fee is hereby granted,
provided that the above copyright notice appear in all copies and that
both that copyright notice and this permission notice appear in
supporting documentation, and that the name of the author not be used
in advertising or publicity pertaining to distribution of the software
without specific, written prior permission.


THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS; IN NO
EVENT SHALL AUTHOR BE LIABLE FOR ANY SPECIAL, INDIRECT OR
CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.






=head1 SEE ALSO

L<Net::DNS::SEC::Maint::User>,  L<Net::DNS::SEC::Maint::Key>, dnssec-signzone

=cut
