[secnet] / make-secnet-sites.py

#! /usr/bin/env python
# Copyright (C) 2001 Stephen Early <steve@greenend.org.uk>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

"""VPN sites file manipulation.

This program enables VPN site descriptions to be submitted for
inclusion in a central database, and allows the resulting database to
be turned into a secnet configuration file.

A database file can be turned into a secnet configuration file simply:
make-secnet-sites.py [infile [outfile]]

It would be wise to run secnet with the "--just-check-config" option
before installing the output on a live system.

The program expects to be invoked via userv to manage the database; it
relies on the USERV_USER and USERV_GROUP environment variables. The
command line arguments for this invocation are:

make-secnet-sites.py -u header-filename groupfiles-directory output-file \
  group

All but the last argument are expected to be set by userv; the 'group'
argument is provided by the user. A suitable userv configuration file
fragment is:

reset
no-disconnect-hup
no-suppress-args
cd ~/secnet/sites-test/
execute ~/secnet/secnet/make-secnet-sites.py -u vpnheader groupfiles sites

This program is part of secnet. It relies on the "ipaddr" library from
Cendio Systems AB.

"""

import string
import time
import sys
import os
import ipaddr

VERSION="0.1.3"

class vpn:
	def __init__(self,name):
		self.name=name
		self.allow_defs=0
		self.locations={}
		self.defs={}

class location:
	def __init__(self,name,vpn):
		self.group=None
		self.name=name
		self.allow_defs=1
		self.vpn=vpn
		self.sites={}
		self.defs={}

class site:
	def __init__(self,name,location):
		self.name=name
		self.allow_defs=1
		self.location=location
		self.defs={}

class nets:
	def __init__(self,w):
		self.w=w
		self.set=ipaddr.ip_set()
		for i in w[1:]:
			x=string.split(i,"/")
			self.set.append(ipaddr.network(x[0],x[1],
				ipaddr.DEMAND_NETWORK))
	def subsetof(self,s):
		# I'd like to do this:
		# return self.set.is_subset(s)
		# but there isn't an is_subset() method
		# Instead we see if we intersect with the complement of s
		sc=s.set.complement()
		i=sc.intersection(self.set)
		return i.is_empty()
	def out(self):
		rn=''
		if (self.w[0]=='restrict-nets'): rn='# '
		return '%s%s %s;'%(rn,self.w[0],
			string.join(map(lambda x:'"%s/%s"'%(x.ip_str(),
				x.mask.netmask_bits_str),
				self.set.as_list_of_networks()),","))

class dhgroup:
	def __init__(self,w):
		self.w=w
	def out(self):
		return 'dh diffie-hellman("%s","%s");'%(self.w[1],self.w[2])

class hash:
	def __init__(self,w):
		self.w=w
		if (w[1]!='md5' and w[1]!='sha1'):
			complain("unknown hash type %s"%(w[1]))
	def out(self):
		return 'hash %s;'%(self.w[1])

class email:
	def __init__(self,w):
		self.w=w
	def out(self):
		return '# Contact email address: <%s>'%(self.w[1])

class num:
	def __init__(self,w):
		self.w=w
	def out(self):
		return '%s %s;'%(self.w[0],self.w[1])

class address:
	def __init__(self,w):
		self.w=w
	def out(self):
		return 'address "%s"; port %s;'%(self.w[1],self.w[2])

class rsakey:
	def __init__(self,w):
		self.w=w
	def out(self):
		return 'key rsa-public("%s","%s");'%(self.w[2],self.w[3])

class mobileoption:
	def __init__(self,w):
		self.w=w
	def out(self):
		return 'netlink-options "soft";'

def complain(msg):
	global complaints
	print ("%s line %d: "%(file,line))+msg
	complaints=complaints+1
def moan(msg):
	global complaints
	print msg;
	complaints=complaints+1

# We don't allow redefinition of properties (because that would allow things
# like restrict-nets to be redefined, which would be bad)
def set(obj,defs,w):
	if (obj.allow_defs | allow_defs):
		if (obj.defs.has_key(w[0])):
			complain("%s is already defined"%(w[0]))
		else:
			t=defs[w[0]]
			obj.defs[w[0]]=t(w)

# Process a line of configuration file
def pline(i):
	global allow_defs, group, current_vpn, current_location, current_object
	w=string.split(i)
	if len(w)==0: return
	keyword=w[0]
	if keyword=='end-definitions':
		allow_defs=0
		current_vpn=None
		current_location=None
		current_object=None
		return
	if keyword=='vpn':
		if vpns.has_key(w[1]):
			current_vpn=vpns[w[1]]
			current_object=current_vpn
		else:
			if allow_defs:
				current_vpn=vpn(w[1])
				vpns[w[1]]=current_vpn
				current_object=current_vpn
			else:
				complain("no new VPN definitions allowed")
		return
	if (current_vpn==None):
		complain("no VPN defined yet")
		return
	# Keywords that can apply at all levels
	if mldefs.has_key(w[0]):
		set(current_object,mldefs,w)
		return
	if keyword=='location':
		if (current_vpn.locations.has_key(w[1])):
			current_location=current_vpn.locations[w[1]]
			current_object=current_location
			if (group and not allow_defs and 
				current_location.group!=group):
				complain(("must be group %s to access "+
					"location %s")%(current_location.group,
					w[1]))
		else:
			if allow_defs:
				if reserved.has_key(w[1]):
					complain("reserved location name")
					return
				current_location=location(w[1],current_vpn)
				current_vpn.locations[w[1]]=current_location
				current_object=current_location
			else:
				complain("no new location definitions allowed")
		return
	if (current_location==None):
		complain("no locations defined yet")
		return
	if keyword=='group':
		current_location.group=w[1]
		return
	if keyword=='site':
		if (current_location.sites.has_key(w[1])):
			current_object=current_location.sites[w[1]]
		else:
			if reserved.has_key(w[1]):
				complain("reserved site name")
				return
			current_object=site(w[1],current_location)
			current_location.sites[w[1]]=current_object
		return
	if keyword=='endsite':
		if isinstance(current_object,site):
			current_object=current_object.location
		else:
			complain("not currently defining a site")
		return
	# Keywords that can only apply to sites
	if isinstance(current_object,site):
		if sitedefs.has_key(w[0]):
			set(current_object,sitedefs,w)
			return
	else:
		if sitedefs.has_key(w[0]):
			complain("keyword '%s' can only be used in the "
				"context of a site definition"%(w[0]))
			return
	complain("unknown keyword '%s'"%(w[0]))

def pfile(name,lines):
	global file,line
	file=name
	line=0
	for i in lines:
		line=line+1
		if (i[0]=='#'): continue
		if (i[len(i)-1]=='\n'):	i=i[:len(i)-1] # strip trailing LF
		pline(i)

def outputsites(w):
	w.write("# secnet sites file autogenerated by make-secnet-sites.py "
		+"version %s\n"%VERSION)
	w.write("# %s\n\n"%time.asctime(time.localtime(time.time())))

	# Raw VPN data section of file
	w.write("vpn-data {\n")
	for i in vpns.values():
		w.write("  %s {\n"%i.name)
		for d in i.defs.values():
			w.write("    %s\n"%d.out())
		w.write("\n")
		for l in i.locations.values():
			w.write("    %s {\n"%l.name)
			for d in l.defs.values():
				w.write("      %s\n"%d.out())
			for s in l.sites.values():
				w.write("      %s {\n"%s.name)
				w.write('        name "%s/%s/%s";\n'%
					(i.name,l.name,s.name))
				for d in s.defs.values():
					w.write("        %s\n"%d.out())
				w.write("      };\n")
			w.write("    };\n")
		w.write("  };\n")
	w.write("};\n")

	# Per-VPN flattened lists
	w.write("vpn {\n")
	for i in vpns.values():
		w.write("  %s {\n"%(i.name))
		for l in i.locations.values():
			slist=map(lambda x:"vpn-data/%s/%s/%s"%
				(i.name,l.name,x.name),
				l.sites.values())
			w.write("    %s %s;\n"%(l.name,string.join(slist,",")))
		w.write("\n    all-sites %s;\n"%
			string.join(i.locations.keys(),","))
		w.write("  };\n")
	w.write("};\n")

	# Flattened list of sites
	w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"%
		x,vpns.keys()),","))

# Are we being invoked from userv?
service=0
# If we are, which group does the caller want to modify?
group=None

vpns={}
allow_defs=1
current_vpn=None
current_location=None
current_object=None

line=0
file=None
complaints=0

# Things that can be defined at any level
mldefs={
	'dh':dhgroup,
	'hash':hash,
	'contact':email,
	'key-lifetime':num,
	'setup-retries':num,
	'setup-timeout':num,
	'wait-time':num,
	'renegotiate-time':num,
	'restrict-nets':nets
	}

# Things that can only be defined for sites
sitedefs={
	'address':address,
	'networks':nets,
	'pubkey':rsakey,
	'mobile':mobileoption
	}

# Reserved vpn/location/site names
reserved={'all-sites':None}
reserved.update(mldefs)
reserved.update(sitedefs)

# Each site must have the following defined at some level:
required={
	'dh':"Diffie-Hellman group",
	'networks':"network list",
	'pubkey':"public key",
	'hash':"hash function"
	}

if len(sys.argv)<2:
	pfile("stdin",sys.stdin.readlines())
	of=sys.stdout
else:
	if sys.argv[1]=='-u':
		if len(sys.argv)!=6:
			print "Wrong number of arguments"
			sys.exit(1)
		service=1
		header=sys.argv[2]
		groupfiledir=sys.argv[3]
		sitesfile=sys.argv[4]
		group=sys.argv[5]
		if not os.environ.has_key("USERV_USER"):
			print "Environment variable USERV_USER not found"
			sys.exit(1)
		user=os.environ["USERV_USER"]
		# Check that group is in USERV_GROUP
		if not os.environ.has_key("USERV_GROUP"):
			print "Environment variable USERV_GROUP not found"
			sys.exit(1)
		ugs=os.environ["USERV_GROUP"]
		ok=0
		for i in string.split(ugs):
			if group==i: ok=1
		if not ok:
			print "caller not in group %s"%group
			sys.exit(1)
		f=open(header)
		pfile(header,f.readlines())
		f.close()
		userinput=sys.stdin.readlines()
		pfile("user input",userinput)
	else:
		if len(sys.argv)>3:
			print "Too many arguments"
			sys.exit(1)
		f=open(sys.argv[1])
		pfile(sys.argv[1],f.readlines())
		f.close()
		of=sys.stdout
		if len(sys.argv)>2:
			of=open(sys.argv[2],'w')

# Sanity check section

# Delete locations that have no sites defined
for i in vpns.values():
	for l in i.locations.keys():
		if (len(i.locations[l].sites.values())==0):
			del i.locations[l]

# Delete VPNs that have no locations with sites defined
for i in vpns.keys():
	if (len(vpns[i].locations.values())==0):
		del vpns[i]

# Check all sites
for i in vpns.values():
	if i.defs.has_key('restrict-nets'):
		vr=i.defs['restrict-nets']
	else:
		vr=None
	for l in i.locations.values():
		if l.defs.has_key('restrict-nets'):
			lr=l.defs['restrict-nets']
			if (not lr.subsetof(vr)):
				moan("location %s/%s restrict-nets is invalid"%
					(i.name,l.name))
		else:
			lr=vr
		for s in l.sites.values():
			sn="%s/%s/%s"%(i.name,l.name,s.name)
			for r in required.keys():
				if (not (s.defs.has_key(r) or
					l.defs.has_key(r) or
					i.defs.has_key(r))):
					moan("site %s missing parameter %s"%
						(sn,r))
			if s.defs.has_key('restrict-nets'):
				sr=s.defs['restrict-nets']
				if (not sr.subsetof(lr)):
					moan("site %s restrict-nets not valid"%
						sn)
			else:
				sr=lr
			if not s.defs.has_key('networks'): continue
			nets=s.defs['networks']
			if (not nets.subsetof(sr)):
				moan("site %s networks exceed restriction"%sn)


if complaints>0:
	if complaints==1: print "There was 1 problem."
	else: print "There were %d problems."%(complaints)
	sys.exit(1)

if service:
	# Put the user's input into their group file, and rebuild the main
	# sites file
	f=open(groupfiledir+"-tmp/"+group,'w')
	f.write("# Section submitted by user %s, %s\n"%
		(user,time.asctime(time.localtime(time.time()))))
	f.write("# Checked by make-secnet-sites.py version %s\n\n"%VERSION)
	for i in userinput: f.write(i)
	f.write("\n")
	f.close()
	os.rename(groupfiledir+"-tmp/"+group,groupfiledir+"/"+group)
	# XXX rebuild main sites file!
else:
	outputsites(of)
Commit	Line	Data
3454dce4 SE	1	#! /usr/bin/env python
	2	# Copyright (C) 2001 Stephen Early <steve@greenend.org.uk>
	3	#
	4	# This program is free software; you can redistribute it and/or modify
	5	# it under the terms of the GNU General Public License as published by
	6	# the Free Software Foundation; either version 2 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	17
	18	"""VPN sites file manipulation.
	19
	20	This program enables VPN site descriptions to be submitted for
	21	inclusion in a central database, and allows the resulting database to
	22	be turned into a secnet configuration file.
	23
	24	A database file can be turned into a secnet configuration file simply:
	25	make-secnet-sites.py [infile [outfile]]
	26
	27	It would be wise to run secnet with the "--just-check-config" option
	28	before installing the output on a live system.
	29
	30	The program expects to be invoked via userv to manage the database; it
	31	relies on the USERV_USER and USERV_GROUP environment variables. The
	32	command line arguments for this invocation are:
	33
	34	make-secnet-sites.py -u header-filename groupfiles-directory output-file \
	35	group
	36
	37	All but the last argument are expected to be set by userv; the 'group'
	38	argument is provided by the user. A suitable userv configuration file
	39	fragment is:
	40
	41	reset
	42	no-disconnect-hup
	43	no-suppress-args
	44	cd ~/secnet/sites-test/
	45	execute ~/secnet/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
	46
	47	This program is part of secnet. It relies on the "ipaddr" library from
	48	Cendio Systems AB.
	49
	50	"""
	51
	52	import string
	53	import time
	54	import sys
	55	import os
	56	import ipaddr
	57
	58	VERSION="0.1.3"
	59
	60	class vpn:
	61	def __init__(self,name):
	62	self.name=name
	63	self.allow_defs=0
	64	self.locations={}
65	self.defs={}
66
67	class location:
68	def __init__(self,name,vpn):
69	self.group=None
70	self.name=name
71	self.allow_defs=1
72	self.vpn=vpn
73	self.sites={}
74	self.defs={}
75
76	class site:
77	def __init__(self,name,location):
78	self.name=name
79	self.allow_defs=1
80	self.location=location
81	self.defs={}
82
83	class nets:
84	def __init__(self,w):
85	self.w=w
86	self.set=ipaddr.ip_set()
87	for i in w[1:]:
88	x=string.split(i,"/")
89	self.set.append(ipaddr.network(x[0],x[1],
90	ipaddr.DEMAND_NETWORK))
91	def subsetof(self,s):
92	# I'd like to do this:
93	# return self.set.is_subset(s)
94	# but there isn't an is_subset() method
95	# Instead we see if we intersect with the complement of s
96	sc=s.set.complement()
97	i=sc.intersection(self.set)
98	return i.is_empty()
99	def out(self):
100	rn=''
101	if (self.w[0]=='restrict-nets'): rn='# '
102	return '%s%s %s;'%(rn,self.w[0],
103	string.join(map(lambda x:'"%s/%s"'%(x.ip_str(),
104	x.mask.netmask_bits_str),
105	self.set.as_list_of_networks()),","))
106
107	class dhgroup:
108	def __init__(self,w):
109	self.w=w
110	def out(self):
111	return 'dh diffie-hellman("%s","%s");'%(self.w[1],self.w[2])
112
113	class hash:
114	def __init__(self,w):
115	self.w=w
116	if (w[1]!='md5' and w[1]!='sha1'):
117	complain("unknown hash type %s"%(w[1]))
118	def out(self):
119	return 'hash %s;'%(self.w[1])
120
121	class email:
122	def __init__(self,w):
123	self.w=w
124	def out(self):
125	return '# Contact email address: <%s>'%(self.w[1])
126
127	class num:
128	def __init__(self,w):
129	self.w=w
130	def out(self):
131	return '%s %s;'%(self.w[0],self.w[1])
132
133	class address:
134	def __init__(self,w):
135	self.w=w
136	def out(self):
137	return 'address "%s"; port %s;'%(self.w[1],self.w[2])
138
139	class rsakey:
140	def __init__(self,w):
141	self.w=w
142	def out(self):
143	return 'key rsa-public("%s","%s");'%(self.w[2],self.w[3])
144
145	class mobileoption:
146	def __init__(self,w):
147	self.w=w
148	def out(self):
149	return 'netlink-options "soft";'
150
151	def complain(msg):
152	global complaints
153	print ("%s line %d: "%(file,line))+msg
154	complaints=complaints+1
155	def moan(msg):
156	global complaints
157	print msg;
158	complaints=complaints+1
159
160	# We don't allow redefinition of properties (because that would allow things
161	# like restrict-nets to be redefined, which would be bad)
162	def set(obj,defs,w):
163	if (obj.allow_defs \| allow_defs):
164	if (obj.defs.has_key(w[0])):
165	complain("%s is already defined"%(w[0]))
166	else:
167	t=defs[w[0]]
168	obj.defs[w[0]]=t(w)
169
170	# Process a line of configuration file
171	def pline(i):
172	global allow_defs, group, current_vpn, current_location, current_object
173	w=string.split(i)
174	if len(w)==0: return
175	keyword=w[0]
176	if keyword=='end-definitions':
177	allow_defs=0
178	current_vpn=None
179	current_location=None
180	current_object=None
181	return
182	if keyword=='vpn':
183	if vpns.has_key(w[1]):
184	current_vpn=vpns[w[1]]
185	current_object=current_vpn
186	else:
187	if allow_defs:
188	current_vpn=vpn(w[1])
189	vpns[w[1]]=current_vpn
190	current_object=current_vpn
191	else:
192	complain("no new VPN definitions allowed")
193	return
194	if (current_vpn==None):
195	complain("no VPN defined yet")
196	return
197	# Keywords that can apply at all levels
198	if mldefs.has_key(w[0]):
199	set(current_object,mldefs,w)
200	return
201	if keyword=='location':
202	if (current_vpn.locations.has_key(w[1])):
203	current_location=current_vpn.locations[w[1]]
204	current_object=current_location
205	if (group and not allow_defs and
206	current_location.group!=group):
207	complain(("must be group %s to access "+
208	"location %s")%(current_location.group,
209	w[1]))
210	else:
211	if allow_defs:
212	if reserved.has_key(w[1]):
213	complain("reserved location name")
214	return
215	current_location=location(w[1],current_vpn)
216	current_vpn.locations[w[1]]=current_location
217	current_object=current_location
218	else:
219	complain("no new location definitions allowed")
220	return
221	if (current_location==None):
222	complain("no locations defined yet")
223	return
224	if keyword=='group':
225	current_location.group=w[1]
226	return
227	if keyword=='site':
228	if (current_location.sites.has_key(w[1])):
229	current_object=current_location.sites[w[1]]
230	else:
231	if reserved.has_key(w[1]):
232	complain("reserved site name")
233	return
234	current_object=site(w[1],current_location)
235	current_location.sites[w[1]]=current_object
236	return
237	if keyword=='endsite':
238	if isinstance(current_object,site):
239	current_object=current_object.location
240	else:
241	complain("not currently defining a site")
242	return
243	# Keywords that can only apply to sites
244	if isinstance(current_object,site):
245	if sitedefs.has_key(w[0]):
246	set(current_object,sitedefs,w)
247	return
248	else:
249	if sitedefs.has_key(w[0]):
250	complain("keyword '%s' can only be used in the "
251	"context of a site definition"%(w[0]))
252	return
253	complain("unknown keyword '%s'"%(w[0]))
254
255	def pfile(name,lines):
256	global file,line
257	file=name
258	line=0
259	for i in lines:
260	line=line+1
261	if (i[0]=='#'): continue
262	if (i[len(i)-1]=='\n'): i=i[:len(i)-1] # strip trailing LF
263	pline(i)
264
265	def outputsites(w):
266	w.write("# secnet sites file autogenerated by make-secnet-sites.py "
267	+"version %s\n"%VERSION)
268	w.write("# %s\n\n"%time.asctime(time.localtime(time.time())))
269
270	# Raw VPN data section of file
271	w.write("vpn-data {\n")
272	for i in vpns.values():
273	w.write(" %s {\n"%i.name)
274	for d in i.defs.values():
275	w.write(" %s\n"%d.out())
276	w.write("\n")
277	for l in i.locations.values():
278	w.write(" %s {\n"%l.name)
279	for d in l.defs.values():
280	w.write(" %s\n"%d.out())
281	for s in l.sites.values():
282	w.write(" %s {\n"%s.name)
283	w.write(' name "%s/%s/%s";\n'%
284	(i.name,l.name,s.name))
285	for d in s.defs.values():
286	w.write(" %s\n"%d.out())
287	w.write(" };\n")
288	w.write(" };\n")
289	w.write(" };\n")
290	w.write("};\n")
291
292	# Per-VPN flattened lists
293	w.write("vpn {\n")
294	for i in vpns.values():
295	w.write(" %s {\n"%(i.name))
296	for l in i.locations.values():
297	slist=map(lambda x:"vpn-data/%s/%s/%s"%
298	(i.name,l.name,x.name),
299	l.sites.values())
300	w.write(" %s %s;\n"%(l.name,string.join(slist,",")))
301	w.write("\n all-sites %s;\n"%
302	string.join(i.locations.keys(),","))
303	w.write(" };\n")
304	w.write("};\n")
305
306	# Flattened list of sites
307	w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"%
308	x,vpns.keys()),","))
309
310	# Are we being invoked from userv?
311	service=0
312	# If we are, which group does the caller want to modify?
313	group=None
314
315	vpns={}
316	allow_defs=1
317	current_vpn=None
318	current_location=None
319	current_object=None
320
321	line=0
322	file=None
323	complaints=0
324
325	# Things that can be defined at any level
326	mldefs={
327	'dh':dhgroup,
328	'hash':hash,
329	'contact':email,
330	'key-lifetime':num,
331	'setup-retries':num,
332	'setup-timeout':num,
333	'wait-time':num,
334	'renegotiate-time':num,
335	'restrict-nets':nets
336	}
337
338	# Things that can only be defined for sites
339	sitedefs={
340	'address':address,
341	'networks':nets,
342	'pubkey':rsakey,
343	'mobile':mobileoption
344	}
345
346	# Reserved vpn/location/site names
347	reserved={'all-sites':None}
348	reserved.update(mldefs)
349	reserved.update(sitedefs)
350
351	# Each site must have the following defined at some level:
352	required={
353	'dh':"Diffie-Hellman group",
354	'networks':"network list",
355	'pubkey':"public key",
356	'hash':"hash function"
357	}
358
359	if len(sys.argv)<2:
360	pfile("stdin",sys.stdin.readlines())
361	of=sys.stdout
362	else:
363	if sys.argv[1]=='-u':
364	if len(sys.argv)!=6:
365	print "Wrong number of arguments"
366	sys.exit(1)
367	service=1
368	header=sys.argv[2]
369	groupfiledir=sys.argv[3]
370	sitesfile=sys.argv[4]
371	group=sys.argv[5]
372	if not os.environ.has_key("USERV_USER"):
373	print "Environment variable USERV_USER not found"
374	sys.exit(1)
375	user=os.environ["USERV_USER"]
376	# Check that group is in USERV_GROUP
377	if not os.environ.has_key("USERV_GROUP"):
378	print "Environment variable USERV_GROUP not found"
379	sys.exit(1)
380	ugs=os.environ["USERV_GROUP"]
381	ok=0
382	for i in string.split(ugs):
383	if group==i: ok=1
384	if not ok:
385	print "caller not in group %s"%group
386	sys.exit(1)
387	f=open(header)
388	pfile(header,f.readlines())
389	f.close()
390	userinput=sys.stdin.readlines()
391	pfile("user input",userinput)
392	else:
393	if len(sys.argv)>3:
394	print "Too many arguments"
395	sys.exit(1)
396	f=open(sys.argv[1])
397	pfile(sys.argv[1],f.readlines())
398	f.close()
399	of=sys.stdout
400	if len(sys.argv)>2:
401	of=open(sys.argv[2],'w')
402
403	# Sanity check section
404
405	# Delete locations that have no sites defined
406	for i in vpns.values():
407	for l in i.locations.keys():
408	if (len(i.locations[l].sites.values())==0):
409	del i.locations[l]
410
411	# Delete VPNs that have no locations with sites defined
412	for i in vpns.keys():
413	if (len(vpns[i].locations.values())==0):
414	del vpns[i]
415
416	# Check all sites
417	for i in vpns.values():
418	if i.defs.has_key('restrict-nets'):
419	vr=i.defs['restrict-nets']
420	else:
421	vr=None
422	for l in i.locations.values():
423	if l.defs.has_key('restrict-nets'):
424	lr=l.defs['restrict-nets']
425	if (not lr.subsetof(vr)):
426	moan("location %s/%s restrict-nets is invalid"%
427	(i.name,l.name))
428	else:
429	lr=vr
430	for s in l.sites.values():
431	sn="%s/%s/%s"%(i.name,l.name,s.name)
432	for r in required.keys():
433	if (not (s.defs.has_key(r) or
434	l.defs.has_key(r) or
435	i.defs.has_key(r))):
436	moan("site %s missing parameter %s"%
437	(sn,r))
438	if s.defs.has_key('restrict-nets'):
439	sr=s.defs['restrict-nets']
440	if (not sr.subsetof(lr)):
441	moan("site %s restrict-nets not valid"%
442	sn)
443	else:
444	sr=lr
445	if not s.defs.has_key('networks'): continue
446	nets=s.defs['networks']
447	if (not nets.subsetof(sr)):
448	moan("site %s networks exceed restriction"%sn)
449
450
451	if complaints>0:
452	if complaints==1: print "There was 1 problem."
453	else: print "There were %d problems."%(complaints)
454	sys.exit(1)
455
456	if service:
457	# Put the user's input into their group file, and rebuild the main
458	# sites file
459	f=open(groupfiledir+"-tmp/"+group,'w')
460	f.write("# Section submitted by user %s, %s\n"%
461	(user,time.asctime(time.localtime(time.time()))))
462	f.write("# Checked by make-secnet-sites.py version %s\n\n"%VERSION)
463	for i in userinput: f.write(i)
464	f.write("\n")
465	f.close()
466	os.rename(groupfiledir+"-tmp/"+group,groupfiledir+"/"+group)
467	# XXX rebuild main sites file!
468	else:
469	outputsites(of)