[secnet] / make-secnet-sites

#! /usr/bin/env python
# Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# 
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

"""VPN sites file manipulation.

This program enables VPN site descriptions to be submitted for
inclusion in a central database, and allows the resulting database to
be turned into a secnet configuration file.

A database file can be turned into a secnet configuration file simply:
make-secnet-sites.py [infile [outfile]]

It would be wise to run secnet with the "--just-check-config" option
before installing the output on a live system.

The program expects to be invoked via userv to manage the database; it
relies on the USERV_USER and USERV_GROUP environment variables. The
command line arguments for this invocation are:

make-secnet-sites.py -u header-filename groupfiles-directory output-file \
  group

All but the last argument are expected to be set by userv; the 'group'
argument is provided by the user. A suitable userv configuration file
fragment is:

reset
no-disconnect-hup
no-suppress-args
cd ~/secnet/sites-test/
execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites

This program is part of secnet. It relies on the "ipaddr" library from
Cendio Systems AB.

"""

import string
import time
import sys
import os
import getopt
import re

import ipaddr

sys.path.insert(0,"/usr/local/share/secnet")
sys.path.insert(0,"/usr/share/secnet")
import ipaddrset

VERSION="0.1.18"

# Classes describing possible datatypes in the configuration file

class single_ipaddr:
	"An IP address"
	def __init__(self,w):
		self.addr=ipaddr.IPAddress(w[1])
	def __str__(self):
		return '"%s"'%self.addr

class networks:
	"A set of IP addresses specified as a list of networks"
	def __init__(self,w):
		self.set=ipaddrset.IPAddressSet()
		for i in w[1:]:
			x=ipaddr.IPNetwork(i,strict=True)
			self.set.append([x])
	def __str__(self):
		return ",".join(map((lambda n: '"%s"'%n), self.set.networks()))

class dhgroup:
	"A Diffie-Hellman group"
	def __init__(self,w):
		self.mod=w[1]
		self.gen=w[2]
	def __str__(self):
		return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)

class hash:
	"A choice of hash function"
	def __init__(self,w):
		self.ht=w[1]
		if (self.ht!='md5' and self.ht!='sha1'):
			complain("unknown hash type %s"%(self.ht))
	def __str__(self):
		return '%s'%(self.ht)

class email:
	"An email address"
	def __init__(self,w):
		self.addr=w[1]
	def __str__(self):
		return '<%s>'%(self.addr)

class boolean:
	"A boolean"
	def __init__(self,w):
		if re.match('[TtYy1]',w[1]):
			self.b=True
		elif re.match('[FfNn0]',w[1]):
			self.b=False
		else:
			complain("invalid boolean value");
	def __str__(self):
		return ['False','True'][self.b]

class num:
	"A decimal number"
	def __init__(self,w):
		self.n=string.atol(w[1])
	def __str__(self):
		return '%d'%(self.n)

class address:
	"A DNS name and UDP port number"
	def __init__(self,w):
		self.adr=w[1]
		self.port=string.atoi(w[2])
		if (self.port<1 or self.port>65535):
			complain("invalid port number")
	def __str__(self):
		return '"%s"; port %d'%(self.adr,self.port)

class rsakey:
	"An RSA public key"
	def __init__(self,w):
		self.l=string.atoi(w[1])
		self.e=w[2]
		self.n=w[3]
	def __str__(self):
		return 'rsa-public("%s","%s")'%(self.e,self.n)

# Possible properties of configuration nodes
keywords={
 'contact':(email,"Contact address"),
 'dh':(dhgroup,"Diffie-Hellman group"),
 'hash':(hash,"Hash function"),
 'key-lifetime':(num,"Maximum key lifetime (ms)"),
 'setup-timeout':(num,"Key setup timeout (ms)"),
 'setup-retries':(num,"Maximum key setup packet retries"),
 'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
 'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
 'restrict-nets':(networks,"Allowable networks"),
 'networks':(networks,"Claimed networks"),
 'pubkey':(rsakey,"RSA public site key"),
 'peer':(single_ipaddr,"Tunnel peer IP address"),
 'address':(address,"External contact address and port"),
 'mobile':(boolean,"Site is mobile"),
}

def sp(name,value):
	"Simply output a property - the default case"
	return "%s %s;\n"%(name,value)

# All levels support these properties
global_properties={
	'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
	'dh':sp,
	'hash':sp,
	'key-lifetime':sp,
	'setup-timeout':sp,
	'setup-retries':sp,
	'wait-time':sp,
	'renegotiate-time':sp,
	'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
}

class level:
	"A level in the configuration hierarchy"
	depth=0
	leaf=0
	allow_properties={}
	require_properties={}
	def __init__(self,w):
		self.name=w[1]
		self.properties={}
		self.children={}
	def indent(self,w,t):
		w.write("                 "[:t])
	def prop_out(self,n):
		return self.allow_properties[n](n,str(self.properties[n]))
	def output_props(self,w,ind):
		for i in self.properties.keys():
			if self.allow_properties[i]:
				self.indent(w,ind)
				w.write("%s"%self.prop_out(i))
	def output_data(self,w,ind,np):
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		self.output_props(w,ind+2)
		if self.depth==1: w.write("\n");
		for c in self.children.values():
			c.output_data(w,ind+2,np+self.name+"/")
		self.indent(w,ind)
		w.write("};\n")

class vpnlevel(level):
	"VPN level in the configuration hierarchy"
	depth=1
	leaf=0
	type="vpn"
	allow_properties=global_properties.copy()
	require_properties={
	 'contact':"VPN admin contact address"
	}
	def __init__(self,w):
		level.__init__(self,w)
	def output_vpnflat(self,w,ind,h):
		"Output flattened list of site names for this VPN"
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		for i in self.children.keys():
			self.children[i].output_vpnflat(w,ind+2,
				h+"/"+self.name+"/"+i)
		w.write("\n")
		self.indent(w,ind+2)
		w.write("all-sites %s;\n"%
			string.join(self.children.keys(),','))
		self.indent(w,ind)
		w.write("};\n")

class locationlevel(level):
	"Location level in the configuration hierarchy"
	depth=2
	leaf=0
	type="location"
	allow_properties=global_properties.copy()
	require_properties={
	 'contact':"Location admin contact address",
	}
	def __init__(self,w):
		level.__init__(self,w)
		self.group=w[2]
	def output_vpnflat(self,w,ind,h):
		self.indent(w,ind)
		# The "h=h,self=self" abomination below exists because
		# Python didn't support nested_scopes until version 2.1
		w.write("%s %s;\n"%(self.name,string.join(
			map(lambda x,h=h,self=self:
				h+"/"+x,self.children.keys()),',')))

class sitelevel(level):
	"Site level (i.e. a leafnode) in the configuration hierarchy"
	depth=3
	leaf=1
	type="site"
	allow_properties=global_properties.copy()
	allow_properties.update({
	 'address':sp,
	 'networks':None,
	 'peer':None,
	 'pubkey':(lambda n,v:"key %s;\n"%v),
	 'address':(lambda n,v:"address %s;\n"%v),
	 'mobile':sp,
	})
	require_properties={
	 'dh':"Diffie-Hellman group",
	 'contact':"Site admin contact address",
	 'networks':"Networks claimed by the site",
	 'hash':"hash function",
	 'peer':"Gateway address of the site",
	 'pubkey':"RSA public key of the site",
	}
	def __init__(self,w):
		level.__init__(self,w)
	def output_data(self,w,ind,np):
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		self.indent(w,ind+2)
		w.write("name \"%s\";\n"%(np+self.name))
		self.output_props(w,ind+2)
		self.indent(w,ind+2)
		w.write("link netlink {\n");
		self.indent(w,ind+4)
		w.write("routes %s;\n"%str(self.properties["networks"]))
		self.indent(w,ind+4)
		w.write("ptp-address %s;\n"%str(self.properties["peer"]))
		self.indent(w,ind+2)
		w.write("};\n")
		self.indent(w,ind)
		w.write("};\n")

# Levels in the configuration file
# (depth,properties)
levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}

# Reserved vpn/location/site names
reserved={'all-sites':None}
reserved.update(keywords)
reserved.update(levels)

def complain(msg):
	"Complain about a particular input line"
	global complaints
	print ("%s line %d: "%(file,line))+msg
	complaints=complaints+1
def moan(msg):
	"Complain about something in general"
	global complaints
	print msg;
	complaints=complaints+1

root=level(['root','root'])   # All vpns are children of this node
obstack=[root]
allow_defs=0   # Level above which new definitions are permitted
prefix=''

def set_property(obj,w):
	"Set a property on a configuration node"
	if obj.properties.has_key(w[0]):
		complain("%s %s already has property %s defined"%
			(obj.type,obj.name,w[0]))
	else:
		obj.properties[w[0]]=keywords[w[0]][0](w)

def pline(i,allow_include=False):
	"Process a configuration file line"
	global allow_defs, obstack, root
	w=string.split(i.rstrip('\n'))
	if len(w)==0: return [i]
	keyword=w[0]
	current=obstack[len(obstack)-1]
	if keyword=='end-definitions':
		allow_defs=sitelevel.depth
		obstack=[root]
		return [i]
	if keyword=='include':
		if not allow_include:
			complain("include not permitted here")
			return []
		if len(w) != 2:
			complain("include requires one argument")
			return []
		newfile=os.path.join(os.path.dirname(file),w[1])
		return pfilepath(newfile,allow_include=allow_include)
	if levels.has_key(keyword):
		# We may go up any number of levels, but only down by one
		newdepth=levels[keyword].depth
		currentdepth=len(obstack) # actually +1...
		if newdepth<=currentdepth:
			obstack=obstack[:newdepth]
		if newdepth>currentdepth:
			complain("May not go from level %d to level %d"%
				(currentdepth-1,newdepth))
		# See if it's a new one (and whether that's permitted)
		# or an existing one
		current=obstack[len(obstack)-1]
		if current.children.has_key(w[1]):
			# Not new
			current=current.children[w[1]]
			if service and group and current.depth==2:
				if group!=current.group:
					complain("Incorrect group!")
		else:
			# New
			# Ignore depth check for now
			nl=levels[keyword](w)
			if nl.depth<allow_defs:
				complain("New definitions not allowed at "
					"level %d"%nl.depth)
				# we risk crashing if we continue
				sys.exit(1)
			current.children[w[1]]=nl
			current=nl
		obstack.append(current)
		return [i]
	if current.allow_properties.has_key(keyword):
		set_property(current,w)
		return [i]
	else:
		complain("Property %s not allowed at %s level"%
			(keyword,current.type))
		return []

	complain("unknown keyword '%s'"%(keyword))

def pfilepath(pathname,allow_include=False):
	f=open(pathname)
	outlines=pfile(pathname,f.readlines(),allow_include=allow_include)
	f.close()
	return outlines

def pfile(name,lines,allow_include=False):
	"Process a file"
	global file,line
	file=name
	line=0
	outlines=[]
	for i in lines:
		line=line+1
		if (i[0]=='#'): continue
		outlines += pline(i,allow_include=allow_include)
	return outlines

def outputsites(w):
	"Output include file for secnet configuration"
	w.write("# secnet sites file autogenerated by make-secnet-sites "
		+"version %s\n"%VERSION)
	w.write("# %s\n"%time.asctime(time.localtime(time.time())))
	w.write("# Command line: %s\n\n"%string.join(sys.argv))

	# Raw VPN data section of file
	w.write(prefix+"vpn-data {\n")
	for i in root.children.values():
		i.output_data(w,2,"")
	w.write("};\n")

	# Per-VPN flattened lists
	w.write(prefix+"vpn {\n")
	for i in root.children.values():
		i.output_vpnflat(w,2,prefix+"vpn-data")
	w.write("};\n")

	# Flattened list of sites
	w.write(prefix+"all-sites %s;\n"%string.join(
		map(lambda x:"%svpn/%s/all-sites"%(prefix,x),
			root.children.keys()),","))

# Are we being invoked from userv?
service=0
# If we are, which group does the caller want to modify?
group=None

line=0
file=None
complaints=0

if len(sys.argv)<2:
	pfile("stdin",sys.stdin.readlines())
	of=sys.stdout
else:
	if sys.argv[1]=='-u':
		if len(sys.argv)!=6:
			print "Wrong number of arguments"
			sys.exit(1)
		service=1
		header=sys.argv[2]
		groupfiledir=sys.argv[3]
		sitesfile=sys.argv[4]
		group=sys.argv[5]
		if not os.environ.has_key("USERV_USER"):
			print "Environment variable USERV_USER not found"
			sys.exit(1)
		user=os.environ["USERV_USER"]
		# Check that group is in USERV_GROUP
		if not os.environ.has_key("USERV_GROUP"):
			print "Environment variable USERV_GROUP not found"
			sys.exit(1)
		ugs=os.environ["USERV_GROUP"]
		ok=0
		for i in string.split(ugs):
			if group==i: ok=1
		if not ok:
			print "caller not in group %s"%group
			sys.exit(1)
		headerinput=pfilepath(header,allow_include=True)
		userinput=sys.stdin.readlines()
		pfile("user input",userinput)
	else:
		if sys.argv[1]=='-P':
			prefix=sys.argv[2]
			sys.argv[1:3]=[]
		if len(sys.argv)>3:
			print "Too many arguments"
			sys.exit(1)
		pfilepath(sys.argv[1])
		of=sys.stdout
		if len(sys.argv)>2:
			of=open(sys.argv[2],'w')

# Sanity check section
# Delete nodes where leaf=0 that have no children

def live(n):
	"Number of leafnodes below node n"
	if n.leaf: return 1
	for i in n.children.keys():
		if live(n.children[i]): return 1
	return 0
def delempty(n):
	"Delete nodes that have no leafnode children"
	for i in n.children.keys():
		delempty(n.children[i])
		if not live(n.children[i]):
			del n.children[i]
delempty(root)

# Check that all constraints are met (as far as I can tell
# restrict-nets/networks/peer are the only special cases)

def checkconstraints(n,p,ra):
	new_p=p.copy()
	new_p.update(n.properties)
	for i in n.require_properties.keys():
		if not new_p.has_key(i):
			moan("%s %s is missing property %s"%
				(n.type,n.name,i))
	for i in new_p.keys():
		if not n.allow_properties.has_key(i):
			moan("%s %s has forbidden property %s"%
				(n.type,n.name,i))
	# Check address range restrictions
	if n.properties.has_key("restrict-nets"):
		new_ra=ra.intersection(n.properties["restrict-nets"].set)
	else:
		new_ra=ra
	if n.properties.has_key("networks"):
		if not n.properties["networks"].set <= new_ra:
			moan("%s %s networks out of bounds"%(n.type,n.name))
		if n.properties.has_key("peer"):
			if not n.properties["networks"].set.contains(
				n.properties["peer"].addr):
				moan("%s %s peer not in networks"%(n.type,n.name))
	for i in n.children.keys():
		checkconstraints(n.children[i],new_p,new_ra)

checkconstraints(root,{},ipaddrset.complete_set())

if complaints>0:
	if complaints==1: print "There was 1 problem."
	else: print "There were %d problems."%(complaints)
	sys.exit(1)

if service:
	# Put the user's input into their group file, and rebuild the main
	# sites file
	f=open(groupfiledir+"/T"+group,'w')
	f.write("# Section submitted by user %s, %s\n"%
		(user,time.asctime(time.localtime(time.time()))))
	f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
	for i in userinput: f.write(i)
	f.write("\n")
	f.close()
	os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
	f=open(sitesfile+"-tmp",'w')
	f.write("# sites file autogenerated by make-secnet-sites\n")
	f.write("# generated %s, invoked by %s\n"%
		(time.asctime(time.localtime(time.time())),user))
	f.write("# use make-secnet-sites to turn this file into a\n")
	f.write("# valid /etc/secnet/sites.conf file\n\n")
	for i in headerinput: f.write(i)
	files=os.listdir(groupfiledir)
	for i in files:
		if i[0]=='R':
			j=open(groupfiledir+"/"+i)
			f.write(j.read())
			j.close()
	f.write("# end of sites file\n")
	f.close()
	os.rename(sitesfile+"-tmp",sitesfile)
else:
	outputsites(of)
Commit	Line	Data
3454dce4	1	#! /usr/bin/env python
3b83c932	2	# Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
3454dce4 SE	3	#
	4	# This program is free software; you can redistribute it and/or modify
	5	# it under the terms of the GNU General Public License as published by
	6	# the Free Software Foundation; either version 2 of the License, or
	7	# (at your option) any later version.
	8	#
	9	# This program is distributed in the hope that it will be useful,
	10	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	11	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	12	# GNU General Public License for more details.
	13	#
	14	# You should have received a copy of the GNU General Public License
	15	# along with this program; if not, write to the Free Software
	16	# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
	17
	18	"""VPN sites file manipulation.
	19
	20	This program enables VPN site descriptions to be submitted for
	21	inclusion in a central database, and allows the resulting database to
	22	be turned into a secnet configuration file.
	23
	24	A database file can be turned into a secnet configuration file simply:
	25	make-secnet-sites.py [infile [outfile]]
	26
	27	It would be wise to run secnet with the "--just-check-config" option
	28	before installing the output on a live system.
	29
	30	The program expects to be invoked via userv to manage the database; it
	31	relies on the USERV_USER and USERV_GROUP environment variables. The
	32	command line arguments for this invocation are:
	33
	34	make-secnet-sites.py -u header-filename groupfiles-directory output-file \
	35	group
	36
	37	All but the last argument are expected to be set by userv; the 'group'
	38	argument is provided by the user. A suitable userv configuration file
	39	fragment is:
	40
	41	reset
	42	no-disconnect-hup
	43	no-suppress-args
	44	cd ~/secnet/sites-test/
08f344d3	45	execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
3454dce4 SE	46
	47	This program is part of secnet. It relies on the "ipaddr" library from
	48	Cendio Systems AB.
	49
	50	"""
	51
	52	import string
	53	import time
	54	import sys
	55	import os
3b83c932	56	import getopt
040040f3	57	import re
8dea8d37	58
71d65e4c IJ	59	import ipaddr
71d65e4c IJ	60
90ad8cd4 IJ	61	sys.path.insert(0,"/usr/local/share/secnet")
90ad8cd4 IJ	62	sys.path.insert(0,"/usr/share/secnet")
71d65e4c	63	import ipaddrset
3454dce4	64
00152558	65	VERSION="0.1.18"
3b83c932 SE	66
	67	# Classes describing possible datatypes in the configuration file
	68
	69	class single_ipaddr:
	70	"An IP address"
	71	def __init__(self,w):
71d65e4c	72	self.addr=ipaddr.IPAddress(w[1])
3b83c932	73	def __str__(self):
71d65e4c	74	return '"%s"'%self.addr
3b83c932 SE	75
	76	class networks:
	77	"A set of IP addresses specified as a list of networks"
3454dce4	78	def __init__(self,w):
71d65e4c	79	self.set=ipaddrset.IPAddressSet()
3454dce4	80	for i in w[1:]:
71d65e4c IJ	81	x=ipaddr.IPNetwork(i,strict=True)
71d65e4c IJ	82	self.set.append([x])
3b83c932	83	def __str__(self):
71d65e4c	84	return ",".join(map((lambda n: '"%s"'%n), self.set.networks()))
3454dce4 SE	85
3454dce4 SE	86	class dhgroup:
3b83c932	87	"A Diffie-Hellman group"
3454dce4	88	def __init__(self,w):
b2a56f7c SE	89	self.mod=w[1]
b2a56f7c SE	90	self.gen=w[2]
3b83c932 SE	91	def __str__(self):
3b83c932 SE	92	return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
3454dce4 SE	93
3454dce4 SE	94	class hash:
3b83c932	95	"A choice of hash function"
3454dce4	96	def __init__(self,w):
b2a56f7c SE	97	self.ht=w[1]
	98	if (self.ht!='md5' and self.ht!='sha1'):
	99	complain("unknown hash type %s"%(self.ht))
3b83c932 SE	100	def __str__(self):
3b83c932 SE	101	return '%s'%(self.ht)
3454dce4 SE	102
3454dce4 SE	103	class email:
3b83c932	104	"An email address"
3454dce4	105	def __init__(self,w):
b2a56f7c	106	self.addr=w[1]
3b83c932 SE	107	def __str__(self):
3b83c932 SE	108	return '<%s>'%(self.addr)
3454dce4	109
040040f3 IJ	110	class boolean:
	111	"A boolean"
	112	def __init__(self,w):
	113	if re.match('[TtYy1]',w[1]):
	114	self.b=True
	115	elif re.match('[FfNn0]',w[1]):
	116	self.b=False
	117	else:
	118	complain("invalid boolean value");
	119	def __str__(self):
	120	return ['False','True'][self.b]
	121
3454dce4	122	class num:
3b83c932	123	"A decimal number"
3454dce4	124	def __init__(self,w):
b2a56f7c	125	self.n=string.atol(w[1])
3b83c932 SE	126	def __str__(self):
3b83c932 SE	127	return '%d'%(self.n)
3454dce4 SE	128
3454dce4 SE	129	class address:
3b83c932	130	"A DNS name and UDP port number"
3454dce4	131	def __init__(self,w):
b2a56f7c SE	132	self.adr=w[1]
	133	self.port=string.atoi(w[2])
	134	if (self.port<1 or self.port>65535):
	135	complain("invalid port number")
3b83c932 SE	136	def __str__(self):
3b83c932 SE	137	return '"%s"; port %d'%(self.adr,self.port)
3454dce4 SE	138
3454dce4 SE	139	class rsakey:
3b83c932	140	"An RSA public key"
3454dce4	141	def __init__(self,w):
b2a56f7c SE	142	self.l=string.atoi(w[1])
	143	self.e=w[2]
	144	self.n=w[3]
3b83c932 SE	145	def __str__(self):
	146	return 'rsa-public("%s","%s")'%(self.e,self.n)
	147
	148	# Possible properties of configuration nodes
	149	keywords={
	150	'contact':(email,"Contact address"),
	151	'dh':(dhgroup,"Diffie-Hellman group"),
	152	'hash':(hash,"Hash function"),
	153	'key-lifetime':(num,"Maximum key lifetime (ms)"),
	154	'setup-timeout':(num,"Key setup timeout (ms)"),
	155	'setup-retries':(num,"Maximum key setup packet retries"),
	156	'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
	157	'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
	158	'restrict-nets':(networks,"Allowable networks"),
	159	'networks':(networks,"Claimed networks"),
	160	'pubkey':(rsakey,"RSA public site key"),
	161	'peer':(single_ipaddr,"Tunnel peer IP address"),
a25b1149	162	'address':(address,"External contact address and port"),
040040f3	163	'mobile':(boolean,"Site is mobile"),
3b83c932 SE	164	}
	165
	166	def sp(name,value):
	167	"Simply output a property - the default case"
	168	return "%s %s;\n"%(name,value)
	169
	170	# All levels support these properties
	171	global_properties={
	172	'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
	173	'dh':sp,
	174	'hash':sp,
	175	'key-lifetime':sp,
	176	'setup-timeout':sp,
	177	'setup-retries':sp,
	178	'wait-time':sp,
	179	'renegotiate-time':sp,
a25b1149	180	'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
3b83c932 SE	181	}
	182
	183	class level:
	184	"A level in the configuration hierarchy"
	185	depth=0
	186	leaf=0
	187	allow_properties={}
	188	require_properties={}
	189	def __init__(self,w):
	190	self.name=w[1]
	191	self.properties={}
	192	self.children={}
	193	def indent(self,w,t):
	194	w.write(" "[:t])
	195	def prop_out(self,n):
	196	return self.allow_properties[n](n,str(self.properties[n]))
	197	def output_props(self,w,ind):
	198	for i in self.properties.keys():
	199	if self.allow_properties[i]:
	200	self.indent(w,ind)
	201	w.write("%s"%self.prop_out(i))
	202	def output_data(self,w,ind,np):
	203	self.indent(w,ind)
	204	w.write("%s {\n"%(self.name))
	205	self.output_props(w,ind+2)
	206	if self.depth==1: w.write("\n");
	207	for c in self.children.values():
	208	c.output_data(w,ind+2,np+self.name+"/")
	209	self.indent(w,ind)
	210	w.write("};\n")
	211
	212	class vpnlevel(level):
	213	"VPN level in the configuration hierarchy"
	214	depth=1
	215	leaf=0
	216	type="vpn"
	217	allow_properties=global_properties.copy()
	218	require_properties={
	219	'contact':"VPN admin contact address"
	220	}
	221	def __init__(self,w):
	222	level.__init__(self,w)
	223	def output_vpnflat(self,w,ind,h):
	224	"Output flattened list of site names for this VPN"
	225	self.indent(w,ind)
	226	w.write("%s {\n"%(self.name))
	227	for i in self.children.keys():
	228	self.children[i].output_vpnflat(w,ind+2,
	229	h+"/"+self.name+"/"+i)
	230	w.write("\n")
	231	self.indent(w,ind+2)
	232	w.write("all-sites %s;\n"%
	233	string.join(self.children.keys(),','))
	234	self.indent(w,ind)
	235	w.write("};\n")
	236
	237	class locationlevel(level):
	238	"Location level in the configuration hierarchy"
	239	depth=2
	240	leaf=0
	241	type="location"
	242	allow_properties=global_properties.copy()
	243	require_properties={
	244	'contact':"Location admin contact address",
245	}
246	def __init__(self,w):
247	level.__init__(self,w)
248	self.group=w[2]
249	def output_vpnflat(self,w,ind,h):
250	self.indent(w,ind)
251	# The "h=h,self=self" abomination below exists because
252	# Python didn't support nested_scopes until version 2.1
253	w.write("%s %s;\n"%(self.name,string.join(
254	map(lambda x,h=h,self=self:
255	h+"/"+x,self.children.keys()),',')))
256
257	class sitelevel(level):
258	"Site level (i.e. a leafnode) in the configuration hierarchy"
259	depth=3
260	leaf=1
261	type="site"
262	allow_properties=global_properties.copy()
263	allow_properties.update({
264	'address':sp,
265	'networks':None,
266	'peer':None,
a25b1149	267	'pubkey':(lambda n,v:"key %s;\n"%v),
2489e9eb	268	'address':(lambda n,v:"address %s;\n"%v),
040040f3	269	'mobile':sp,
3b83c932 SE	270	})
	271	require_properties={
	272	'dh':"Diffie-Hellman group",
	273	'contact':"Site admin contact address",
3b83c932 SE	274	'networks':"Networks claimed by the site",
	275	'hash':"hash function",
	276	'peer':"Gateway address of the site",
a25b1149	277	'pubkey':"RSA public key of the site",
3b83c932	278	}
3454dce4	279	def __init__(self,w):
3b83c932 SE	280	level.__init__(self,w)
	281	def output_data(self,w,ind,np):
	282	self.indent(w,ind)
	283	w.write("%s {\n"%(self.name))
	284	self.indent(w,ind+2)
	285	w.write("name \"%s\";\n"%(np+self.name))
	286	self.output_props(w,ind+2)
	287	self.indent(w,ind+2)
	288	w.write("link netlink {\n");
	289	self.indent(w,ind+4)
	290	w.write("routes %s;\n"%str(self.properties["networks"]))
	291	self.indent(w,ind+4)
	292	w.write("ptp-address %s;\n"%str(self.properties["peer"]))
	293	self.indent(w,ind+2)
	294	w.write("};\n")
	295	self.indent(w,ind)
	296	w.write("};\n")
	297
	298	# Levels in the configuration file
	299	# (depth,properties)
	300	levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
	301
	302	# Reserved vpn/location/site names
	303	reserved={'all-sites':None}
	304	reserved.update(keywords)
	305	reserved.update(levels)
3454dce4 SE	306
3454dce4 SE	307	def complain(msg):
3b83c932	308	"Complain about a particular input line"
3454dce4 SE	309	global complaints
	310	print ("%s line %d: "%(file,line))+msg
	311	complaints=complaints+1
	312	def moan(msg):
3b83c932	313	"Complain about something in general"
3454dce4 SE	314	global complaints
	315	print msg;
	316	complaints=complaints+1
	317
3b83c932 SE	318	root=level(['root','root']) # All vpns are children of this node
	319	obstack=[root]
	320	allow_defs=0 # Level above which new definitions are permitted
26f727b9	321	prefix=''
3b83c932 SE	322
	323	def set_property(obj,w):
	324	"Set a property on a configuration node"
	325	if obj.properties.has_key(w[0]):
	326	complain("%s %s already has property %s defined"%
	327	(obj.type,obj.name,w[0]))
	328	else:
	329	obj.properties[w[0]]=keywords[w[0]][0](w)
3454dce4	330
c4497add	331	def pline(i,allow_include=False):
3b83c932 SE	332	"Process a configuration file line"
3b83c932 SE	333	global allow_defs, obstack, root
6d8cd9b2	334	w=string.split(i.rstrip('\n'))
433b0ae8	335	if len(w)==0: return [i]
3454dce4	336	keyword=w[0]
3b83c932	337	current=obstack[len(obstack)-1]
3454dce4	338	if keyword=='end-definitions':
3b83c932 SE	339	allow_defs=sitelevel.depth
3b83c932 SE	340	obstack=[root]
433b0ae8	341	return [i]
c4497add IJ	342	if keyword=='include':
	343	if not allow_include:
	344	complain("include not permitted here")
433b0ae8	345	return []
c4497add IJ	346	if len(w) != 2:
c4497add IJ	347	complain("include requires one argument")
433b0ae8	348	return []
c4497add	349	newfile=os.path.join(os.path.dirname(file),w[1])
433b0ae8	350	return pfilepath(newfile,allow_include=allow_include)
3b83c932 SE	351	if levels.has_key(keyword):
	352	# We may go up any number of levels, but only down by one
	353	newdepth=levels[keyword].depth
	354	currentdepth=len(obstack) # actually +1...
	355	if newdepth<=currentdepth:
	356	obstack=obstack[:newdepth]
	357	if newdepth>currentdepth:
	358	complain("May not go from level %d to level %d"%
	359	(currentdepth-1,newdepth))
	360	# See if it's a new one (and whether that's permitted)
	361	# or an existing one
	362	current=obstack[len(obstack)-1]
	363	if current.children.has_key(w[1]):
	364	# Not new
	365	current=current.children[w[1]]
	366	if service and group and current.depth==2:
	367	if group!=current.group:
	368	complain("Incorrect group!")
3454dce4	369	else:
3b83c932 SE	370	# New
	371	# Ignore depth check for now
	372	nl=levels[keyword](w)
	373	if nl.depth<allow_defs:
	374	complain("New definitions not allowed at "
	375	"level %d"%nl.depth)
4a9b680b IJ	376	# we risk crashing if we continue
4a9b680b IJ	377	sys.exit(1)
3b83c932 SE	378	current.children[w[1]]=nl
	379	current=nl
	380	obstack.append(current)
433b0ae8	381	return [i]
3b83c932 SE	382	if current.allow_properties.has_key(keyword):
3b83c932 SE	383	set_property(current,w)
433b0ae8	384	return [i]
3454dce4	385	else:
3b83c932 SE	386	complain("Property %s not allowed at %s level"%
3b83c932 SE	387	(keyword,current.type))
433b0ae8	388	return []
3b83c932 SE	389
3b83c932 SE	390	complain("unknown keyword '%s'"%(keyword))
3454dce4	391
c4497add	392	def pfilepath(pathname,allow_include=False):
9b8369e0	393	f=open(pathname)
433b0ae8	394	outlines=pfile(pathname,f.readlines(),allow_include=allow_include)
9b8369e0	395	f.close()
433b0ae8	396	return outlines
9b8369e0	397
c4497add	398	def pfile(name,lines,allow_include=False):
3b83c932	399	"Process a file"
3454dce4 SE	400	global file,line
	401	file=name
	402	line=0
433b0ae8	403	outlines=[]
3454dce4 SE	404	for i in lines:
	405	line=line+1
	406	if (i[0]=='#'): continue
433b0ae8 IJ	407	outlines += pline(i,allow_include=allow_include)
433b0ae8 IJ	408	return outlines
3454dce4 SE	409
3454dce4 SE	410	def outputsites(w):
3b83c932 SE	411	"Output include file for secnet configuration"
3b83c932 SE	412	w.write("# secnet sites file autogenerated by make-secnet-sites "
3454dce4	413	+"version %s\n"%VERSION)
3b83c932 SE	414	w.write("# %s\n"%time.asctime(time.localtime(time.time())))
3b83c932 SE	415	w.write("# Command line: %s\n\n"%string.join(sys.argv))
3454dce4 SE	416
3454dce4 SE	417	# Raw VPN data section of file
26f727b9	418	w.write(prefix+"vpn-data {\n")
3b83c932 SE	419	for i in root.children.values():
3b83c932 SE	420	i.output_data(w,2,"")
3454dce4 SE	421	w.write("};\n")
	422
	423	# Per-VPN flattened lists
26f727b9	424	w.write(prefix+"vpn {\n")
3b83c932	425	for i in root.children.values():
26f727b9	426	i.output_vpnflat(w,2,prefix+"vpn-data")
3454dce4 SE	427	w.write("};\n")
	428
	429	# Flattened list of sites
26f727b9 IJ	430	w.write(prefix+"all-sites %s;\n"%string.join(
	431	map(lambda x:"%svpn/%s/all-sites"%(prefix,x),
	432	root.children.keys()),","))
3454dce4 SE	433
	434	# Are we being invoked from userv?
	435	service=0
	436	# If we are, which group does the caller want to modify?
	437	group=None
	438
3454dce4 SE	439	line=0
	440	file=None
	441	complaints=0
	442
3454dce4 SE	443	if len(sys.argv)<2:
	444	pfile("stdin",sys.stdin.readlines())
	445	of=sys.stdout
	446	else:
	447	if sys.argv[1]=='-u':
	448	if len(sys.argv)!=6:
	449	print "Wrong number of arguments"
	450	sys.exit(1)
	451	service=1
	452	header=sys.argv[2]
	453	groupfiledir=sys.argv[3]
	454	sitesfile=sys.argv[4]
	455	group=sys.argv[5]
	456	if not os.environ.has_key("USERV_USER"):
	457	print "Environment variable USERV_USER not found"
	458	sys.exit(1)
	459	user=os.environ["USERV_USER"]
	460	# Check that group is in USERV_GROUP
	461	if not os.environ.has_key("USERV_GROUP"):
	462	print "Environment variable USERV_GROUP not found"
	463	sys.exit(1)
	464	ugs=os.environ["USERV_GROUP"]
	465	ok=0
	466	for i in string.split(ugs):
	467	if group==i: ok=1
	468	if not ok:
	469	print "caller not in group %s"%group
	470	sys.exit(1)
5b77d1a9	471	headerinput=pfilepath(header,allow_include=True)
3454dce4 SE	472	userinput=sys.stdin.readlines()
	473	pfile("user input",userinput)
	474	else:
26f727b9 IJ	475	if sys.argv[1]=='-P':
	476	prefix=sys.argv[2]
	477	sys.argv[1:3]=[]
3454dce4 SE	478	if len(sys.argv)>3:
	479	print "Too many arguments"
	480	sys.exit(1)
21fd3a92	481	pfilepath(sys.argv[1])
3454dce4 SE	482	of=sys.stdout
	483	if len(sys.argv)>2:
	484	of=open(sys.argv[2],'w')
	485
	486	# Sanity check section
3b83c932 SE	487	# Delete nodes where leaf=0 that have no children
	488
	489	def live(n):
	490	"Number of leafnodes below node n"
	491	if n.leaf: return 1
	492	for i in n.children.keys():
	493	if live(n.children[i]): return 1
	494	return 0
	495	def delempty(n):
	496	"Delete nodes that have no leafnode children"
	497	for i in n.children.keys():
	498	delempty(n.children[i])
	499	if not live(n.children[i]):
	500	del n.children[i]
	501	delempty(root)
	502
	503	# Check that all constraints are met (as far as I can tell
	504	# restrict-nets/networks/peer are the only special cases)
	505
	506	def checkconstraints(n,p,ra):
	507	new_p=p.copy()
	508	new_p.update(n.properties)
	509	for i in n.require_properties.keys():
	510	if not new_p.has_key(i):
	511	moan("%s %s is missing property %s"%
	512	(n.type,n.name,i))
	513	for i in new_p.keys():
	514	if not n.allow_properties.has_key(i):
	515	moan("%s %s has forbidden property %s"%
	516	(n.type,n.name,i))
	517	# Check address range restrictions
	518	if n.properties.has_key("restrict-nets"):
	519	new_ra=ra.intersection(n.properties["restrict-nets"].set)
3454dce4	520	else:
3b83c932 SE	521	new_ra=ra
3b83c932 SE	522	if n.properties.has_key("networks"):
71d65e4c	523	if not n.properties["networks"].set <= new_ra:
3b83c932 SE	524	moan("%s %s networks out of bounds"%(n.type,n.name))
	525	if n.properties.has_key("peer"):
	526	if not n.properties["networks"].set.contains(
	527	n.properties["peer"].addr):
	528	moan("%s %s peer not in networks"%(n.type,n.name))
	529	for i in n.children.keys():
	530	checkconstraints(n.children[i],new_p,new_ra)
	531
71d65e4c	532	checkconstraints(root,{},ipaddrset.complete_set())
3454dce4 SE	533
	534	if complaints>0:
	535	if complaints==1: print "There was 1 problem."
	536	else: print "There were %d problems."%(complaints)
	537	sys.exit(1)
	538
	539	if service:
	540	# Put the user's input into their group file, and rebuild the main
	541	# sites file
08f344d3	542	f=open(groupfiledir+"/T"+group,'w')
3454dce4 SE	543	f.write("# Section submitted by user %s, %s\n"%
3454dce4 SE	544	(user,time.asctime(time.localtime(time.time()))))
3b83c932	545	f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
3454dce4 SE	546	for i in userinput: f.write(i)
	547	f.write("\n")
	548	f.close()
08f344d3 SE	549	os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
08f344d3 SE	550	f=open(sitesfile+"-tmp",'w')
ff05a229	551	f.write("# sites file autogenerated by make-secnet-sites\n")
08f344d3 SE	552	f.write("# generated %s, invoked by %s\n"%
08f344d3 SE	553	(time.asctime(time.localtime(time.time())),user))
ff05a229	554	f.write("# use make-secnet-sites to turn this file into a\n")
08f344d3 SE	555	f.write("# valid /etc/secnet/sites.conf file\n\n")
	556	for i in headerinput: f.write(i)
	557	files=os.listdir(groupfiledir)
	558	for i in files:
	559	if i[0]=='R':
	560	j=open(groupfiledir+"/"+i)
	561	f.write(j.read())
	562	j.close()
	563	f.write("# end of sites file\n")
	564	f.close()
	565	os.rename(sitesfile+"-tmp",sitesfile)
3454dce4 SE	566	else:
3454dce4 SE	567	outputsites(of)