[secnet] / make-secnet-sites

#! /usr/bin/env python
# Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

"""VPN sites file manipulation.

This program enables VPN site descriptions to be submitted for
inclusion in a central database, and allows the resulting database to
be turned into a secnet configuration file.

A database file can be turned into a secnet configuration file simply:
make-secnet-sites.py [infile [outfile]]

It would be wise to run secnet with the "--just-check-config" option
before installing the output on a live system.

The program expects to be invoked via userv to manage the database; it
relies on the USERV_USER and USERV_GROUP environment variables. The
command line arguments for this invocation are:

make-secnet-sites.py -u header-filename groupfiles-directory output-file \
  group

All but the last argument are expected to be set by userv; the 'group'
argument is provided by the user. A suitable userv configuration file
fragment is:

reset
no-disconnect-hup
no-suppress-args
cd ~/secnet/sites-test/
execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites

This program is part of secnet. It relies on the "ipaddr" library from
Cendio Systems AB.

"""

import string
import time
import sys
import os
import getopt

# The ipaddr library is installed as part of secnet
sys.path.append("/usr/local/share/secnet")
sys.path.append("/usr/share/secnet")
import ipaddr

VERSION="0.1.18"

# Classes describing possible datatypes in the configuration file

class single_ipaddr:
	"An IP address"
	def __init__(self,w):
		self.addr=ipaddr.ipaddr(w[1])
	def __str__(self):
		return '"%s"'%self.addr.ip_str()

class networks:
	"A set of IP addresses specified as a list of networks"
	def __init__(self,w):
		self.set=ipaddr.ip_set()
		for i in w[1:]:
			x=string.split(i,"/")
			self.set.append(ipaddr.network(x[0],x[1],
				ipaddr.DEMAND_NETWORK))
	def __str__(self):
		return string.join(map(lambda x:'"%s/%s"'%(x.ip_str(),
			x.mask.netmask_bits_str),
			self.set.as_list_of_networks()),",")

class dhgroup:
	"A Diffie-Hellman group"
	def __init__(self,w):
		self.mod=w[1]
		self.gen=w[2]
	def __str__(self):
		return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)

class hash:
	"A choice of hash function"
	def __init__(self,w):
		self.ht=w[1]
		if (self.ht!='md5' and self.ht!='sha1'):
			complain("unknown hash type %s"%(self.ht))
	def __str__(self):
		return '%s'%(self.ht)

class email:
	"An email address"
	def __init__(self,w):
		self.addr=w[1]
	def __str__(self):
		return '<%s>'%(self.addr)

class num:
	"A decimal number"
	def __init__(self,w):
		self.n=string.atol(w[1])
	def __str__(self):
		return '%d'%(self.n)

class address:
	"A DNS name and UDP port number"
	def __init__(self,w):
		self.adr=w[1]
		self.port=string.atoi(w[2])
		if (self.port<1 or self.port>65535):
			complain("invalid port number")
	def __str__(self):
		return '"%s"; port %d'%(self.adr,self.port)

class rsakey:
	"An RSA public key"
	def __init__(self,w):
		self.l=string.atoi(w[1])
		self.e=w[2]
		self.n=w[3]
	def __str__(self):
		return 'rsa-public("%s","%s")'%(self.e,self.n)

# Possible properties of configuration nodes
keywords={
 'contact':(email,"Contact address"),
 'dh':(dhgroup,"Diffie-Hellman group"),
 'hash':(hash,"Hash function"),
 'key-lifetime':(num,"Maximum key lifetime (ms)"),
 'setup-timeout':(num,"Key setup timeout (ms)"),
 'setup-retries':(num,"Maximum key setup packet retries"),
 'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
 'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
 'restrict-nets':(networks,"Allowable networks"),
 'networks':(networks,"Claimed networks"),
 'pubkey':(rsakey,"RSA public site key"),
 'peer':(single_ipaddr,"Tunnel peer IP address"),
 'address':(address,"External contact address and port")
}

def sp(name,value):
	"Simply output a property - the default case"
	return "%s %s;\n"%(name,value)

# All levels support these properties
global_properties={
	'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
	'dh':sp,
	'hash':sp,
	'key-lifetime':sp,
	'setup-timeout':sp,
	'setup-retries':sp,
	'wait-time':sp,
	'renegotiate-time':sp,
	'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value)
}

class level:
	"A level in the configuration hierarchy"
	depth=0
	leaf=0
	allow_properties={}
	require_properties={}
	def __init__(self,w):
		self.name=w[1]
		self.properties={}
		self.children={}
	def indent(self,w,t):
		w.write("                 "[:t])
	def prop_out(self,n):
		return self.allow_properties[n](n,str(self.properties[n]))
	def output_props(self,w,ind):
		for i in self.properties.keys():
			if self.allow_properties[i]:
				self.indent(w,ind)
				w.write("%s"%self.prop_out(i))
	def output_data(self,w,ind,np):
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		self.output_props(w,ind+2)
		if self.depth==1: w.write("\n");
		for c in self.children.values():
			c.output_data(w,ind+2,np+self.name+"/")
		self.indent(w,ind)
		w.write("};\n")

class vpnlevel(level):
	"VPN level in the configuration hierarchy"
	depth=1
	leaf=0
	type="vpn"
	allow_properties=global_properties.copy()
	require_properties={
	 'contact':"VPN admin contact address"
	}
	def __init__(self,w):
		level.__init__(self,w)
	def output_vpnflat(self,w,ind,h):
		"Output flattened list of site names for this VPN"
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		for i in self.children.keys():
			self.children[i].output_vpnflat(w,ind+2,
				h+"/"+self.name+"/"+i)
		w.write("\n")
		self.indent(w,ind+2)
		w.write("all-sites %s;\n"%
			string.join(self.children.keys(),','))
		self.indent(w,ind)
		w.write("};\n")

class locationlevel(level):
	"Location level in the configuration hierarchy"
	depth=2
	leaf=0
	type="location"
	allow_properties=global_properties.copy()
	require_properties={
	 'contact':"Location admin contact address",
	}
	def __init__(self,w):
		level.__init__(self,w)
		self.group=w[2]
	def output_vpnflat(self,w,ind,h):
		self.indent(w,ind)
		# The "h=h,self=self" abomination below exists because
		# Python didn't support nested_scopes until version 2.1
		w.write("%s %s;\n"%(self.name,string.join(
			map(lambda x,h=h,self=self:
				h+"/"+x,self.children.keys()),',')))

class sitelevel(level):
	"Site level (i.e. a leafnode) in the configuration hierarchy"
	depth=3
	leaf=1
	type="site"
	allow_properties=global_properties.copy()
	allow_properties.update({
	 'address':sp,
	 'networks':None,
	 'peer':None,
	 'pubkey':(lambda n,v:"key %s;\n"%v)
	})
	require_properties={
	 'dh':"Diffie-Hellman group",
	 'contact':"Site admin contact address",
	 'address':"Site external access address",
	 'networks':"Networks claimed by the site",
	 'hash':"hash function",
	 'peer':"Gateway address of the site",
	 'pubkey':"RSA public key of the site"
	}
	def __init__(self,w):
		level.__init__(self,w)
	def output_data(self,w,ind,np):
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		self.indent(w,ind+2)
		w.write("name \"%s\";\n"%(np+self.name))
		self.output_props(w,ind+2)
		self.indent(w,ind+2)
		w.write("link netlink {\n");
		self.indent(w,ind+4)
		w.write("routes %s;\n"%str(self.properties["networks"]))
		self.indent(w,ind+4)
		w.write("ptp-address %s;\n"%str(self.properties["peer"]))
		self.indent(w,ind+2)
		w.write("};\n")
		self.indent(w,ind)
		w.write("};\n")

# Levels in the configuration file
# (depth,properties)
levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}

# Reserved vpn/location/site names
reserved={'all-sites':None}
reserved.update(keywords)
reserved.update(levels)

def complain(msg):
	"Complain about a particular input line"
	global complaints
	print ("%s line %d: "%(file,line))+msg
	complaints=complaints+1
def moan(msg):
	"Complain about something in general"
	global complaints
	print msg;
	complaints=complaints+1

root=level(['root','root'])   # All vpns are children of this node
obstack=[root]
allow_defs=0   # Level above which new definitions are permitted

def set_property(obj,w):
	"Set a property on a configuration node"
	if obj.properties.has_key(w[0]):
		complain("%s %s already has property %s defined"%
			(obj.type,obj.name,w[0]))
	else:
		obj.properties[w[0]]=keywords[w[0]][0](w)

def pline(i):
	"Process a configuration file line"
	global allow_defs, obstack, root
	w=string.split(i)
	if len(w)==0: return
	keyword=w[0]
	current=obstack[len(obstack)-1]
	if keyword=='end-definitions':
		allow_defs=sitelevel.depth
		obstack=[root]
		return
	if levels.has_key(keyword):
		# We may go up any number of levels, but only down by one
		newdepth=levels[keyword].depth
		currentdepth=len(obstack) # actually +1...
		if newdepth<=currentdepth:
			obstack=obstack[:newdepth]
		if newdepth>currentdepth:
			complain("May not go from level %d to level %d"%
				(currentdepth-1,newdepth))
		# See if it's a new one (and whether that's permitted)
		# or an existing one
		current=obstack[len(obstack)-1]
		if current.children.has_key(w[1]):
			# Not new
			current=current.children[w[1]]
			if service and group and current.depth==2:
				if group!=current.group:
					complain("Incorrect group!")
		else:
			# New
			# Ignore depth check for now
			nl=levels[keyword](w)
			if nl.depth<allow_defs:
				complain("New definitions not allowed at "
					"level %d"%nl.depth)
			current.children[w[1]]=nl
			current=nl
		obstack.append(current)
		return
	if current.allow_properties.has_key(keyword):
		set_property(current,w)
		return
	else:
		complain("Property %s not allowed at %s level"%
			(keyword,current.type))
		return

	complain("unknown keyword '%s'"%(keyword))

def pfile(name,lines):
	"Process a file"
	global file,line
	file=name
	line=0
	for i in lines:
		line=line+1
		if (i[0]=='#'): continue
		if (i[len(i)-1]=='\n'):	i=i[:len(i)-1] # strip trailing LF
		pline(i)

def outputsites(w):
	"Output include file for secnet configuration"
	w.write("# secnet sites file autogenerated by make-secnet-sites "
		+"version %s\n"%VERSION)
	w.write("# %s\n"%time.asctime(time.localtime(time.time())))
	w.write("# Command line: %s\n\n"%string.join(sys.argv))

	# Raw VPN data section of file
	w.write("vpn-data {\n")
	for i in root.children.values():
		i.output_data(w,2,"")
	w.write("};\n")

	# Per-VPN flattened lists
	w.write("vpn {\n")
	for i in root.children.values():
		i.output_vpnflat(w,2,"vpn-data")
	w.write("};\n")

	# Flattened list of sites
	w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"%
		x,root.children.keys()),","))

# Are we being invoked from userv?
service=0
# If we are, which group does the caller want to modify?
group=None

line=0
file=None
complaints=0

if len(sys.argv)<2:
	pfile("stdin",sys.stdin.readlines())
	of=sys.stdout
else:
	if sys.argv[1]=='-u':
		if len(sys.argv)!=6:
			print "Wrong number of arguments"
			sys.exit(1)
		service=1
		header=sys.argv[2]
		groupfiledir=sys.argv[3]
		sitesfile=sys.argv[4]
		group=sys.argv[5]
		if not os.environ.has_key("USERV_USER"):
			print "Environment variable USERV_USER not found"
			sys.exit(1)
		user=os.environ["USERV_USER"]
		# Check that group is in USERV_GROUP
		if not os.environ.has_key("USERV_GROUP"):
			print "Environment variable USERV_GROUP not found"
			sys.exit(1)
		ugs=os.environ["USERV_GROUP"]
		ok=0
		for i in string.split(ugs):
			if group==i: ok=1
		if not ok:
			print "caller not in group %s"%group
			sys.exit(1)
		f=open(header)
		headerinput=f.readlines()
		f.close()
		pfile(header,headerinput)
		userinput=sys.stdin.readlines()
		pfile("user input",userinput)
	else:
		if len(sys.argv)>3:
			print "Too many arguments"
			sys.exit(1)
		f=open(sys.argv[1])
		pfile(sys.argv[1],f.readlines())
		f.close()
		of=sys.stdout
		if len(sys.argv)>2:
			of=open(sys.argv[2],'w')

# Sanity check section
# Delete nodes where leaf=0 that have no children

def live(n):
	"Number of leafnodes below node n"
	if n.leaf: return 1
	for i in n.children.keys():
		if live(n.children[i]): return 1
	return 0
def delempty(n):
	"Delete nodes that have no leafnode children"
	for i in n.children.keys():
		delempty(n.children[i])
		if not live(n.children[i]):
			del n.children[i]
delempty(root)

# Check that all constraints are met (as far as I can tell
# restrict-nets/networks/peer are the only special cases)

def checkconstraints(n,p,ra):
	new_p=p.copy()
	new_p.update(n.properties)
	for i in n.require_properties.keys():
		if not new_p.has_key(i):
			moan("%s %s is missing property %s"%
				(n.type,n.name,i))
	for i in new_p.keys():
		if not n.allow_properties.has_key(i):
			moan("%s %s has forbidden property %s"%
				(n.type,n.name,i))
	# Check address range restrictions
	if n.properties.has_key("restrict-nets"):
		new_ra=ra.intersection(n.properties["restrict-nets"].set)
	else:
		new_ra=ra
	if n.properties.has_key("networks"):
		# I'd like to do this:
		# n.properties["networks"].set.is_subset(new_ra)
		# but there isn't an is_subset() method
		# Instead we see if we intersect with the complement of new_ra
		rac=new_ra.complement()
		i=rac.intersection(n.properties["networks"].set)
		if not i.is_empty():
			moan("%s %s networks out of bounds"%(n.type,n.name))
		if n.properties.has_key("peer"):
			if not n.properties["networks"].set.contains(
				n.properties["peer"].addr):
				moan("%s %s peer not in networks"%(n.type,n.name))
	for i in n.children.keys():
		checkconstraints(n.children[i],new_p,new_ra)

checkconstraints(root,{},ipaddr.complete_set)

if complaints>0:
	if complaints==1: print "There was 1 problem."
	else: print "There were %d problems."%(complaints)
	sys.exit(1)

if service:
	# Put the user's input into their group file, and rebuild the main
	# sites file
	f=open(groupfiledir+"/T"+group,'w')
	f.write("# Section submitted by user %s, %s\n"%
		(user,time.asctime(time.localtime(time.time()))))
	f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
	for i in userinput: f.write(i)
	f.write("\n")
	f.close()
	os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
	f=open(sitesfile+"-tmp",'w')
	f.write("# sites file autogenerated by make-secnet-sites\n")
	f.write("# generated %s, invoked by %s\n"%
		(time.asctime(time.localtime(time.time())),user))
	f.write("# use make-secnet-sites to turn this file into a\n")
	f.write("# valid /etc/secnet/sites.conf file\n\n")
	for i in headerinput: f.write(i)
	files=os.listdir(groupfiledir)
	for i in files:
		if i[0]=='R':
			j=open(groupfiledir+"/"+i)
			f.write(j.read())
			j.close()
	f.write("# end of sites file\n")
	f.close()
	os.rename(sitesfile+"-tmp",sitesfile)
else:
	outputsites(of)
Commit	Line	Data
3454dce4	1	#! /usr/bin/env python
3b83c932	2	# Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
3454dce4 SE	3	#
	4	# This program is free software; you can redistribute it and/or modify
	5	# it under the terms of the GNU General Public License as published by
	6	# the Free Software Foundation; either version 2 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	17
	18	"""VPN sites file manipulation.
	19
	20	This program enables VPN site descriptions to be submitted for
	21	inclusion in a central database, and allows the resulting database to
	22	be turned into a secnet configuration file.
	23
	24	A database file can be turned into a secnet configuration file simply:
	25	make-secnet-sites.py [infile [outfile]]
	26
	27	It would be wise to run secnet with the "--just-check-config" option
	28	before installing the output on a live system.
	29
	30	The program expects to be invoked via userv to manage the database; it
	31	relies on the USERV_USER and USERV_GROUP environment variables. The
	32	command line arguments for this invocation are:
	33
	34	make-secnet-sites.py -u header-filename groupfiles-directory output-file \
	35	group
	36
	37	All but the last argument are expected to be set by userv; the 'group'
	38	argument is provided by the user. A suitable userv configuration file
	39	fragment is:
	40
	41	reset
	42	no-disconnect-hup
	43	no-suppress-args
	44	cd ~/secnet/sites-test/
08f344d3	45	execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
3454dce4 SE	46
	47	This program is part of secnet. It relies on the "ipaddr" library from
	48	Cendio Systems AB.
	49
	50	"""
	51
	52	import string
	53	import time
	54	import sys
	55	import os
3b83c932	56	import getopt
8dea8d37	57
3b83c932	58	# The ipaddr library is installed as part of secnet
8dea8d37 SE	59	sys.path.append("/usr/local/share/secnet")
8dea8d37 SE	60	sys.path.append("/usr/share/secnet")
3454dce4 SE	61	import ipaddr
3454dce4 SE	62
00152558	63	VERSION="0.1.18"
3b83c932 SE	64
	65	# Classes describing possible datatypes in the configuration file
	66
	67	class single_ipaddr:
	68	"An IP address"
	69	def __init__(self,w):
	70	self.addr=ipaddr.ipaddr(w[1])
	71	def __str__(self):
	72	return '"%s"'%self.addr.ip_str()
	73
	74	class networks:
	75	"A set of IP addresses specified as a list of networks"
3454dce4	76	def __init__(self,w):
3454dce4 SE	77	self.set=ipaddr.ip_set()
	78	for i in w[1:]:
	79	x=string.split(i,"/")
	80	self.set.append(ipaddr.network(x[0],x[1],
	81	ipaddr.DEMAND_NETWORK))
3b83c932 SE	82	def __str__(self):
	83	return string.join(map(lambda x:'"%s/%s"'%(x.ip_str(),
	84	x.mask.netmask_bits_str),
	85	self.set.as_list_of_networks()),",")
3454dce4 SE	86
3454dce4 SE	87	class dhgroup:
3b83c932	88	"A Diffie-Hellman group"
3454dce4	89	def __init__(self,w):
b2a56f7c SE	90	self.mod=w[1]
b2a56f7c SE	91	self.gen=w[2]
3b83c932 SE	92	def __str__(self):
3b83c932 SE	93	return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
3454dce4 SE	94
3454dce4 SE	95	class hash:
3b83c932	96	"A choice of hash function"
3454dce4	97	def __init__(self,w):
b2a56f7c SE	98	self.ht=w[1]
	99	if (self.ht!='md5' and self.ht!='sha1'):
	100	complain("unknown hash type %s"%(self.ht))
3b83c932 SE	101	def __str__(self):
3b83c932 SE	102	return '%s'%(self.ht)
3454dce4 SE	103
3454dce4 SE	104	class email:
3b83c932	105	"An email address"
3454dce4	106	def __init__(self,w):
b2a56f7c	107	self.addr=w[1]
3b83c932 SE	108	def __str__(self):
3b83c932 SE	109	return '<%s>'%(self.addr)
3454dce4 SE	110
3454dce4 SE	111	class num:
3b83c932	112	"A decimal number"
3454dce4	113	def __init__(self,w):
b2a56f7c	114	self.n=string.atol(w[1])
3b83c932 SE	115	def __str__(self):
3b83c932 SE	116	return '%d'%(self.n)
3454dce4 SE	117
3454dce4 SE	118	class address:
3b83c932	119	"A DNS name and UDP port number"
3454dce4	120	def __init__(self,w):
b2a56f7c SE	121	self.adr=w[1]
	122	self.port=string.atoi(w[2])
	123	if (self.port<1 or self.port>65535):
	124	complain("invalid port number")
3b83c932 SE	125	def __str__(self):
3b83c932 SE	126	return '"%s"; port %d'%(self.adr,self.port)
3454dce4 SE	127
3454dce4 SE	128	class rsakey:
3b83c932	129	"An RSA public key"
3454dce4	130	def __init__(self,w):
b2a56f7c SE	131	self.l=string.atoi(w[1])
	132	self.e=w[2]
	133	self.n=w[3]
3b83c932 SE	134	def __str__(self):
	135	return 'rsa-public("%s","%s")'%(self.e,self.n)
	136
	137	# Possible properties of configuration nodes
	138	keywords={
	139	'contact':(email,"Contact address"),
	140	'dh':(dhgroup,"Diffie-Hellman group"),
	141	'hash':(hash,"Hash function"),
	142	'key-lifetime':(num,"Maximum key lifetime (ms)"),
	143	'setup-timeout':(num,"Key setup timeout (ms)"),
	144	'setup-retries':(num,"Maximum key setup packet retries"),
	145	'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
	146	'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
	147	'restrict-nets':(networks,"Allowable networks"),
	148	'networks':(networks,"Claimed networks"),
	149	'pubkey':(rsakey,"RSA public site key"),
	150	'peer':(single_ipaddr,"Tunnel peer IP address"),
	151	'address':(address,"External contact address and port")
	152	}
	153
	154	def sp(name,value):
	155	"Simply output a property - the default case"
	156	return "%s %s;\n"%(name,value)
	157
	158	# All levels support these properties
	159	global_properties={
	160	'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
	161	'dh':sp,
	162	'hash':sp,
	163	'key-lifetime':sp,
	164	'setup-timeout':sp,
	165	'setup-retries':sp,
	166	'wait-time':sp,
	167	'renegotiate-time':sp,
	168	'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value)
	169	}
	170
	171	class level:
	172	"A level in the configuration hierarchy"
	173	depth=0
	174	leaf=0
	175	allow_properties={}
	176	require_properties={}
	177	def __init__(self,w):
	178	self.name=w[1]
	179	self.properties={}
	180	self.children={}
	181	def indent(self,w,t):
	182	w.write(" "[:t])
	183	def prop_out(self,n):
	184	return self.allow_properties[n](n,str(self.properties[n]))
	185	def output_props(self,w,ind):
	186	for i in self.properties.keys():
	187	if self.allow_properties[i]:
	188	self.indent(w,ind)
	189	w.write("%s"%self.prop_out(i))
	190	def output_data(self,w,ind,np):
	191	self.indent(w,ind)
	192	w.write("%s {\n"%(self.name))
	193	self.output_props(w,ind+2)
	194	if self.depth==1: w.write("\n");
	195	for c in self.children.values():
	196	c.output_data(w,ind+2,np+self.name+"/")
	197	self.indent(w,ind)
198	w.write("};\n")
199
200	class vpnlevel(level):
201	"VPN level in the configuration hierarchy"
202	depth=1
203	leaf=0
204	type="vpn"
205	allow_properties=global_properties.copy()
206	require_properties={
207	'contact':"VPN admin contact address"
208	}
209	def __init__(self,w):
210	level.__init__(self,w)
211	def output_vpnflat(self,w,ind,h):
212	"Output flattened list of site names for this VPN"
213	self.indent(w,ind)
214	w.write("%s {\n"%(self.name))
215	for i in self.children.keys():
216	self.children[i].output_vpnflat(w,ind+2,
217	h+"/"+self.name+"/"+i)
218	w.write("\n")
219	self.indent(w,ind+2)
220	w.write("all-sites %s;\n"%
221	string.join(self.children.keys(),','))
222	self.indent(w,ind)
223	w.write("};\n")
224
225	class locationlevel(level):
226	"Location level in the configuration hierarchy"
227	depth=2
228	leaf=0
229	type="location"
230	allow_properties=global_properties.copy()
231	require_properties={
232	'contact':"Location admin contact address",
233	}
234	def __init__(self,w):
235	level.__init__(self,w)
236	self.group=w[2]
237	def output_vpnflat(self,w,ind,h):
238	self.indent(w,ind)
239	# The "h=h,self=self" abomination below exists because
240	# Python didn't support nested_scopes until version 2.1
241	w.write("%s %s;\n"%(self.name,string.join(
242	map(lambda x,h=h,self=self:
243	h+"/"+x,self.children.keys()),',')))
244
245	class sitelevel(level):
246	"Site level (i.e. a leafnode) in the configuration hierarchy"
247	depth=3
248	leaf=1
249	type="site"
250	allow_properties=global_properties.copy()
251	allow_properties.update({
252	'address':sp,
253	'networks':None,
254	'peer':None,
255	'pubkey':(lambda n,v:"key %s;\n"%v)
256	})
257	require_properties={
258	'dh':"Diffie-Hellman group",
259	'contact':"Site admin contact address",
260	'address':"Site external access address",
261	'networks':"Networks claimed by the site",
262	'hash':"hash function",
263	'peer':"Gateway address of the site",
264	'pubkey':"RSA public key of the site"
265	}
3454dce4	266	def __init__(self,w):
3b83c932 SE	267	level.__init__(self,w)
	268	def output_data(self,w,ind,np):
	269	self.indent(w,ind)
	270	w.write("%s {\n"%(self.name))
	271	self.indent(w,ind+2)
	272	w.write("name \"%s\";\n"%(np+self.name))
	273	self.output_props(w,ind+2)
	274	self.indent(w,ind+2)
	275	w.write("link netlink {\n");
	276	self.indent(w,ind+4)
	277	w.write("routes %s;\n"%str(self.properties["networks"]))
	278	self.indent(w,ind+4)
	279	w.write("ptp-address %s;\n"%str(self.properties["peer"]))
	280	self.indent(w,ind+2)
	281	w.write("};\n")
	282	self.indent(w,ind)
	283	w.write("};\n")
	284
	285	# Levels in the configuration file
	286	# (depth,properties)
	287	levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
	288
	289	# Reserved vpn/location/site names
	290	reserved={'all-sites':None}
	291	reserved.update(keywords)
	292	reserved.update(levels)
3454dce4 SE	293
3454dce4 SE	294	def complain(msg):
3b83c932	295	"Complain about a particular input line"
3454dce4 SE	296	global complaints
	297	print ("%s line %d: "%(file,line))+msg
	298	complaints=complaints+1
	299	def moan(msg):
3b83c932	300	"Complain about something in general"
3454dce4 SE	301	global complaints
	302	print msg;
	303	complaints=complaints+1
	304
3b83c932 SE	305	root=level(['root','root']) # All vpns are children of this node
	306	obstack=[root]
	307	allow_defs=0 # Level above which new definitions are permitted
	308
	309	def set_property(obj,w):
	310	"Set a property on a configuration node"
	311	if obj.properties.has_key(w[0]):
	312	complain("%s %s already has property %s defined"%
	313	(obj.type,obj.name,w[0]))
	314	else:
	315	obj.properties[w[0]]=keywords[w[0]][0](w)
3454dce4	316
3454dce4	317	def pline(i):
3b83c932 SE	318	"Process a configuration file line"
3b83c932 SE	319	global allow_defs, obstack, root
3454dce4 SE	320	w=string.split(i)
	321	if len(w)==0: return
	322	keyword=w[0]
3b83c932	323	current=obstack[len(obstack)-1]
3454dce4	324	if keyword=='end-definitions':
3b83c932 SE	325	allow_defs=sitelevel.depth
3b83c932 SE	326	obstack=[root]
3454dce4	327	return
3b83c932 SE	328	if levels.has_key(keyword):
	329	# We may go up any number of levels, but only down by one
	330	newdepth=levels[keyword].depth
	331	currentdepth=len(obstack) # actually +1...
	332	if newdepth<=currentdepth:
	333	obstack=obstack[:newdepth]
	334	if newdepth>currentdepth:
	335	complain("May not go from level %d to level %d"%
	336	(currentdepth-1,newdepth))
	337	# See if it's a new one (and whether that's permitted)
	338	# or an existing one
	339	current=obstack[len(obstack)-1]
	340	if current.children.has_key(w[1]):
	341	# Not new
	342	current=current.children[w[1]]
	343	if service and group and current.depth==2:
	344	if group!=current.group:
	345	complain("Incorrect group!")
3454dce4	346	else:
3b83c932 SE	347	# New
	348	# Ignore depth check for now
	349	nl=levels[keyword](w)
	350	if nl.depth<allow_defs:
	351	complain("New definitions not allowed at "
	352	"level %d"%nl.depth)
	353	current.children[w[1]]=nl
	354	current=nl
	355	obstack.append(current)
3454dce4	356	return
3b83c932 SE	357	if current.allow_properties.has_key(keyword):
3b83c932 SE	358	set_property(current,w)
3454dce4	359	return
3454dce4	360	else:
3b83c932 SE	361	complain("Property %s not allowed at %s level"%
	362	(keyword,current.type))
	363	return
	364
	365	complain("unknown keyword '%s'"%(keyword))
3454dce4 SE	366
3454dce4 SE	367	def pfile(name,lines):
3b83c932	368	"Process a file"
3454dce4 SE	369	global file,line
	370	file=name
	371	line=0
	372	for i in lines:
	373	line=line+1
	374	if (i[0]=='#'): continue
	375	if (i[len(i)-1]=='\n'): i=i[:len(i)-1] # strip trailing LF
	376	pline(i)
	377
	378	def outputsites(w):
3b83c932 SE	379	"Output include file for secnet configuration"
3b83c932 SE	380	w.write("# secnet sites file autogenerated by make-secnet-sites "
3454dce4	381	+"version %s\n"%VERSION)
3b83c932 SE	382	w.write("# %s\n"%time.asctime(time.localtime(time.time())))
3b83c932 SE	383	w.write("# Command line: %s\n\n"%string.join(sys.argv))
3454dce4 SE	384
	385	# Raw VPN data section of file
	386	w.write("vpn-data {\n")
3b83c932 SE	387	for i in root.children.values():
3b83c932 SE	388	i.output_data(w,2,"")
3454dce4 SE	389	w.write("};\n")
	390
	391	# Per-VPN flattened lists
	392	w.write("vpn {\n")
3b83c932 SE	393	for i in root.children.values():
3b83c932 SE	394	i.output_vpnflat(w,2,"vpn-data")
3454dce4 SE	395	w.write("};\n")
	396
	397	# Flattened list of sites
	398	w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"%
3b83c932	399	x,root.children.keys()),","))
3454dce4 SE	400
	401	# Are we being invoked from userv?
	402	service=0
	403	# If we are, which group does the caller want to modify?
	404	group=None
	405
3454dce4 SE	406	line=0
	407	file=None
	408	complaints=0
	409
3454dce4 SE	410	if len(sys.argv)<2:
	411	pfile("stdin",sys.stdin.readlines())
	412	of=sys.stdout
	413	else:
	414	if sys.argv[1]=='-u':
	415	if len(sys.argv)!=6:
	416	print "Wrong number of arguments"
	417	sys.exit(1)
	418	service=1
	419	header=sys.argv[2]
	420	groupfiledir=sys.argv[3]
	421	sitesfile=sys.argv[4]
	422	group=sys.argv[5]
	423	if not os.environ.has_key("USERV_USER"):
	424	print "Environment variable USERV_USER not found"
	425	sys.exit(1)
	426	user=os.environ["USERV_USER"]
	427	# Check that group is in USERV_GROUP
	428	if not os.environ.has_key("USERV_GROUP"):
	429	print "Environment variable USERV_GROUP not found"
	430	sys.exit(1)
	431	ugs=os.environ["USERV_GROUP"]
	432	ok=0
	433	for i in string.split(ugs):
	434	if group==i: ok=1
	435	if not ok:
	436	print "caller not in group %s"%group
	437	sys.exit(1)
	438	f=open(header)
08f344d3	439	headerinput=f.readlines()
3454dce4	440	f.close()
08f344d3	441	pfile(header,headerinput)
3454dce4 SE	442	userinput=sys.stdin.readlines()
	443	pfile("user input",userinput)
	444	else:
	445	if len(sys.argv)>3:
	446	print "Too many arguments"
	447	sys.exit(1)
	448	f=open(sys.argv[1])
	449	pfile(sys.argv[1],f.readlines())
	450	f.close()
	451	of=sys.stdout
	452	if len(sys.argv)>2:
	453	of=open(sys.argv[2],'w')
	454
	455	# Sanity check section
3b83c932 SE	456	# Delete nodes where leaf=0 that have no children
	457
	458	def live(n):
	459	"Number of leafnodes below node n"
	460	if n.leaf: return 1
	461	for i in n.children.keys():
	462	if live(n.children[i]): return 1
	463	return 0
	464	def delempty(n):
	465	"Delete nodes that have no leafnode children"
	466	for i in n.children.keys():
	467	delempty(n.children[i])
	468	if not live(n.children[i]):
	469	del n.children[i]
	470	delempty(root)
	471
	472	# Check that all constraints are met (as far as I can tell
	473	# restrict-nets/networks/peer are the only special cases)
	474
	475	def checkconstraints(n,p,ra):
	476	new_p=p.copy()
	477	new_p.update(n.properties)
	478	for i in n.require_properties.keys():
	479	if not new_p.has_key(i):
	480	moan("%s %s is missing property %s"%
	481	(n.type,n.name,i))
	482	for i in new_p.keys():
	483	if not n.allow_properties.has_key(i):
	484	moan("%s %s has forbidden property %s"%
	485	(n.type,n.name,i))
	486	# Check address range restrictions
	487	if n.properties.has_key("restrict-nets"):
	488	new_ra=ra.intersection(n.properties["restrict-nets"].set)
3454dce4	489	else:
3b83c932 SE	490	new_ra=ra
	491	if n.properties.has_key("networks"):
	492	# I'd like to do this:
	493	# n.properties["networks"].set.is_subset(new_ra)
	494	# but there isn't an is_subset() method
	495	# Instead we see if we intersect with the complement of new_ra
	496	rac=new_ra.complement()
	497	i=rac.intersection(n.properties["networks"].set)
	498	if not i.is_empty():
	499	moan("%s %s networks out of bounds"%(n.type,n.name))
	500	if n.properties.has_key("peer"):
	501	if not n.properties["networks"].set.contains(
	502	n.properties["peer"].addr):
	503	moan("%s %s peer not in networks"%(n.type,n.name))
	504	for i in n.children.keys():
	505	checkconstraints(n.children[i],new_p,new_ra)
	506
	507	checkconstraints(root,{},ipaddr.complete_set)
3454dce4 SE	508
	509	if complaints>0:
	510	if complaints==1: print "There was 1 problem."
	511	else: print "There were %d problems."%(complaints)
	512	sys.exit(1)
	513
	514	if service:
	515	# Put the user's input into their group file, and rebuild the main
	516	# sites file
08f344d3	517	f=open(groupfiledir+"/T"+group,'w')
3454dce4 SE	518	f.write("# Section submitted by user %s, %s\n"%
3454dce4 SE	519	(user,time.asctime(time.localtime(time.time()))))
3b83c932	520	f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
3454dce4 SE	521	for i in userinput: f.write(i)
	522	f.write("\n")
	523	f.close()
08f344d3 SE	524	os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
08f344d3 SE	525	f=open(sitesfile+"-tmp",'w')
ff05a229	526	f.write("# sites file autogenerated by make-secnet-sites\n")
08f344d3 SE	527	f.write("# generated %s, invoked by %s\n"%
08f344d3 SE	528	(time.asctime(time.localtime(time.time())),user))
ff05a229	529	f.write("# use make-secnet-sites to turn this file into a\n")
08f344d3 SE	530	f.write("# valid /etc/secnet/sites.conf file\n\n")
	531	for i in headerinput: f.write(i)
	532	files=os.listdir(groupfiledir)
	533	for i in files:
	534	if i[0]=='R':
	535	j=open(groupfiledir+"/"+i)
	536	f.write(j.read())
	537	j.close()
	538	f.write("# end of sites file\n")
	539	f.close()
	540	os.rename(sitesfile+"-tmp",sitesfile)
3454dce4 SE	541	else:
3454dce4 SE	542	outputsites(of)