[secnet] / make-secnet-sites

#! /usr/bin/env python
#
# This file is part of secnet.
# See README for full list of copyright holders.
#
# secnet is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# 
# secnet is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
# General Public License for more details.
# 
# You should have received a copy of the GNU General Public License
# version 3 along with secnet; if not, see
# https://www.gnu.org/licenses/gpl.html.

"""VPN sites file manipulation.

This program enables VPN site descriptions to be submitted for
inclusion in a central database, and allows the resulting database to
be turned into a secnet configuration file.

A database file can be turned into a secnet configuration file simply:
make-secnet-sites.py [infile [outfile]]

It would be wise to run secnet with the "--just-check-config" option
before installing the output on a live system.

The program expects to be invoked via userv to manage the database; it
relies on the USERV_USER and USERV_GROUP environment variables. The
command line arguments for this invocation are:

make-secnet-sites.py -u header-filename groupfiles-directory output-file \
  group

All but the last argument are expected to be set by userv; the 'group'
argument is provided by the user. A suitable userv configuration file
fragment is:

reset
no-disconnect-hup
no-suppress-args
cd ~/secnet/sites-test/
execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites

This program is part of secnet. It relies on the "ipaddr" library from
Cendio Systems AB.

"""

import string
import time
import sys
import os
import getopt
import re

import ipaddr

sys.path.insert(0,"/usr/local/share/secnet")
sys.path.insert(0,"/usr/share/secnet")
import ipaddrset

VERSION="0.1.18"

# Classes describing possible datatypes in the configuration file

class basetype:
	"Common protocol for configuration types."
	pass

class single_ipaddr (basetype):
	"An IP address"
	def __init__(self,w):
		self.addr=ipaddr.IPAddress(w[1])
	def __str__(self):
		return '"%s"'%self.addr

class networks (basetype):
	"A set of IP addresses specified as a list of networks"
	def __init__(self,w):
		self.set=ipaddrset.IPAddressSet()
		for i in w[1:]:
			x=ipaddr.IPNetwork(i,strict=True)
			self.set.append([x])
	def __str__(self):
		return ",".join(map((lambda n: '"%s"'%n), self.set.networks()))

class dhgroup (basetype):
	"A Diffie-Hellman group"
	def __init__(self,w):
		self.mod=w[1]
		self.gen=w[2]
	def __str__(self):
		return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)

class hash (basetype):
	"A choice of hash function"
	def __init__(self,w):
		self.ht=w[1]
		if (self.ht not in ('md5', 'sha1', 'sha512')):
			complain("unknown hash type %s"%(self.ht))
	def __str__(self):
		return '%s'%(self.ht)

class email (basetype):
	"An email address"
	def __init__(self,w):
		self.addr=w[1]
	def __str__(self):
		return '<%s>'%(self.addr)

class boolean (basetype):
	"A boolean"
	def __init__(self,w):
		if re.match('[TtYy1]',w[1]):
			self.b=True
		elif re.match('[FfNn0]',w[1]):
			self.b=False
		else:
			complain("invalid boolean value");
	def __str__(self):
		return ['False','True'][self.b]

class num (basetype):
	"A decimal number"
	def __init__(self,w):
		self.n=string.atol(w[1])
	def __str__(self):
		return '%d'%(self.n)

class address (basetype):
	"A DNS name and UDP port number"
	def __init__(self,w):
		self.adr=w[1]
		self.port=string.atoi(w[2])
		if (self.port<1 or self.port>65535):
			complain("invalid port number")
	def __str__(self):
		return '"%s"; port %d'%(self.adr,self.port)

class rsakey (basetype):
	"An RSA public key"
	def __init__(self,w):
		self.l=string.atoi(w[1])
		self.e=w[2]
		self.n=w[3]
	def __str__(self):
		return 'rsa-public("%s","%s")'%(self.e,self.n)

# Possible properties of configuration nodes
keywords={
 'contact':(email,"Contact address"),
 'dh':(dhgroup,"Diffie-Hellman group"),
 'hash':(hash,"Hash function"),
 'key-lifetime':(num,"Maximum key lifetime (ms)"),
 'setup-timeout':(num,"Key setup timeout (ms)"),
 'setup-retries':(num,"Maximum key setup packet retries"),
 'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
 'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
 'restrict-nets':(networks,"Allowable networks"),
 'networks':(networks,"Claimed networks"),
 'pubkey':(rsakey,"RSA public site key"),
 'peer':(single_ipaddr,"Tunnel peer IP address"),
 'address':(address,"External contact address and port"),
 'mobile':(boolean,"Site is mobile"),
}

def sp(name,value):
	"Simply output a property - the default case"
	return "%s %s;\n"%(name,value)

# All levels support these properties
global_properties={
	'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
	'dh':sp,
	'hash':sp,
	'key-lifetime':sp,
	'setup-timeout':sp,
	'setup-retries':sp,
	'wait-time':sp,
	'renegotiate-time':sp,
	'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
}

class level:
	"A level in the configuration hierarchy"
	depth=0
	leaf=0
	allow_properties={}
	require_properties={}
	def __init__(self,w):
		self.name=w[1]
		self.properties={}
		self.children={}
	def indent(self,w,t):
		w.write("                 "[:t])
	def prop_out(self,n):
		return self.allow_properties[n](n,str(self.properties[n]))
	def output_props(self,w,ind):
		for i in self.properties.keys():
			if self.allow_properties[i]:
				self.indent(w,ind)
				w.write("%s"%self.prop_out(i))
	def output_data(self,w,ind,np):
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		self.output_props(w,ind+2)
		if self.depth==1: w.write("\n");
		for c in self.children.values():
			c.output_data(w,ind+2,np+self.name+"/")
		self.indent(w,ind)
		w.write("};\n")

class vpnlevel(level):
	"VPN level in the configuration hierarchy"
	depth=1
	leaf=0
	type="vpn"
	allow_properties=global_properties.copy()
	require_properties={
	 'contact':"VPN admin contact address"
	}
	def __init__(self,w):
		level.__init__(self,w)
	def output_vpnflat(self,w,ind,h):
		"Output flattened list of site names for this VPN"
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		for i in self.children.keys():
			self.children[i].output_vpnflat(w,ind+2,
				h+"/"+self.name+"/"+i)
		w.write("\n")
		self.indent(w,ind+2)
		w.write("all-sites %s;\n"%
			string.join(self.children.keys(),','))
		self.indent(w,ind)
		w.write("};\n")

class locationlevel(level):
	"Location level in the configuration hierarchy"
	depth=2
	leaf=0
	type="location"
	allow_properties=global_properties.copy()
	require_properties={
	 'contact':"Location admin contact address",
	}
	def __init__(self,w):
		level.__init__(self,w)
		self.group=w[2]
	def output_vpnflat(self,w,ind,h):
		self.indent(w,ind)
		# The "h=h,self=self" abomination below exists because
		# Python didn't support nested_scopes until version 2.1
		w.write("%s %s;\n"%(self.name,string.join(
			map(lambda x,h=h,self=self:
				h+"/"+x,self.children.keys()),',')))

class sitelevel(level):
	"Site level (i.e. a leafnode) in the configuration hierarchy"
	depth=3
	leaf=1
	type="site"
	allow_properties=global_properties.copy()
	allow_properties.update({
	 'address':sp,
	 'networks':None,
	 'peer':None,
	 'pubkey':(lambda n,v:"key %s;\n"%v),
	 'mobile':sp,
	})
	require_properties={
	 'dh':"Diffie-Hellman group",
	 'contact':"Site admin contact address",
	 'networks':"Networks claimed by the site",
	 'hash':"hash function",
	 'peer':"Gateway address of the site",
	 'pubkey':"RSA public key of the site",
	}
	def __init__(self,w):
		level.__init__(self,w)
	def output_data(self,w,ind,np):
		self.indent(w,ind)
		w.write("%s {\n"%(self.name))
		self.indent(w,ind+2)
		w.write("name \"%s\";\n"%(np+self.name))
		self.output_props(w,ind+2)
		self.indent(w,ind+2)
		w.write("link netlink {\n");
		self.indent(w,ind+4)
		w.write("routes %s;\n"%str(self.properties["networks"]))
		self.indent(w,ind+4)
		w.write("ptp-address %s;\n"%str(self.properties["peer"]))
		self.indent(w,ind+2)
		w.write("};\n")
		self.indent(w,ind)
		w.write("};\n")

# Levels in the configuration file
# (depth,properties)
levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}

# Reserved vpn/location/site names
reserved={'all-sites':None}
reserved.update(keywords)
reserved.update(levels)

def complain(msg):
	"Complain about a particular input line"
	global complaints
	print ("%s line %d: "%(file,line))+msg
	complaints=complaints+1
def moan(msg):
	"Complain about something in general"
	global complaints
	print msg;
	complaints=complaints+1

root=level(['root','root'])   # All vpns are children of this node
obstack=[root]
allow_defs=0   # Level above which new definitions are permitted
prefix=''

def set_property(obj,w):
	"Set a property on a configuration node"
	if obj.properties.has_key(w[0]):
		complain("%s %s already has property %s defined"%
			(obj.type,obj.name,w[0]))
	else:
		obj.properties[w[0]]=keywords[w[0]][0](w)

def pline(i,allow_include=False):
	"Process a configuration file line"
	global allow_defs, obstack, root
	w=string.split(i.rstrip('\n'))
	if len(w)==0: return [i]
	keyword=w[0]
	current=obstack[len(obstack)-1]
	if keyword=='end-definitions':
		allow_defs=sitelevel.depth
		obstack=[root]
		return [i]
	if keyword=='include':
		if not allow_include:
			complain("include not permitted here")
			return []
		if len(w) != 2:
			complain("include requires one argument")
			return []
		newfile=os.path.join(os.path.dirname(file),w[1])
		return pfilepath(newfile,allow_include=allow_include)
	if levels.has_key(keyword):
		# We may go up any number of levels, but only down by one
		newdepth=levels[keyword].depth
		currentdepth=len(obstack) # actually +1...
		if newdepth<=currentdepth:
			obstack=obstack[:newdepth]
		if newdepth>currentdepth:
			complain("May not go from level %d to level %d"%
				(currentdepth-1,newdepth))
		# See if it's a new one (and whether that's permitted)
		# or an existing one
		current=obstack[len(obstack)-1]
		if current.children.has_key(w[1]):
			# Not new
			current=current.children[w[1]]
			if service and group and current.depth==2:
				if group!=current.group:
					complain("Incorrect group!")
		else:
			# New
			# Ignore depth check for now
			nl=levels[keyword](w)
			if nl.depth<allow_defs:
				complain("New definitions not allowed at "
					"level %d"%nl.depth)
				# we risk crashing if we continue
				sys.exit(1)
			current.children[w[1]]=nl
			current=nl
		obstack.append(current)
		return [i]
	if not current.allow_properties.has_key(keyword):
		complain("Property %s not allowed at %s level"%
			(keyword,current.type))
		return []
	elif current.depth == vpnlevel.depth < allow_defs:
		complain("Not allowed to set VPN properties here")
		return []
	else:
		set_property(current,w)
		return [i]

	complain("unknown keyword '%s'"%(keyword))

def pfilepath(pathname,allow_include=False):
	f=open(pathname)
	outlines=pfile(pathname,f.readlines(),allow_include=allow_include)
	f.close()
	return outlines

def pfile(name,lines,allow_include=False):
	"Process a file"
	global file,line
	file=name
	line=0
	outlines=[]
	for i in lines:
		line=line+1
		if (i[0]=='#'): continue
		outlines += pline(i,allow_include=allow_include)
	return outlines

def outputsites(w):
	"Output include file for secnet configuration"
	w.write("# secnet sites file autogenerated by make-secnet-sites "
		+"version %s\n"%VERSION)
	w.write("# %s\n"%time.asctime(time.localtime(time.time())))
	w.write("# Command line: %s\n\n"%string.join(sys.argv))

	# Raw VPN data section of file
	w.write(prefix+"vpn-data {\n")
	for i in root.children.values():
		i.output_data(w,2,"")
	w.write("};\n")

	# Per-VPN flattened lists
	w.write(prefix+"vpn {\n")
	for i in root.children.values():
		i.output_vpnflat(w,2,prefix+"vpn-data")
	w.write("};\n")

	# Flattened list of sites
	w.write(prefix+"all-sites %s;\n"%string.join(
		map(lambda x:"%svpn/%s/all-sites"%(prefix,x),
			root.children.keys()),","))

# Are we being invoked from userv?
service=0
# If we are, which group does the caller want to modify?
group=None

line=0
file=None
complaints=0

if len(sys.argv)<2:
	pfile("stdin",sys.stdin.readlines())
	of=sys.stdout
else:
	if sys.argv[1]=='-u':
		if len(sys.argv)!=6:
			print "Wrong number of arguments"
			sys.exit(1)
		service=1
		header=sys.argv[2]
		groupfiledir=sys.argv[3]
		sitesfile=sys.argv[4]
		group=sys.argv[5]
		if not os.environ.has_key("USERV_USER"):
			print "Environment variable USERV_USER not found"
			sys.exit(1)
		user=os.environ["USERV_USER"]
		# Check that group is in USERV_GROUP
		if not os.environ.has_key("USERV_GROUP"):
			print "Environment variable USERV_GROUP not found"
			sys.exit(1)
		ugs=os.environ["USERV_GROUP"]
		ok=0
		for i in string.split(ugs):
			if group==i: ok=1
		if not ok:
			print "caller not in group %s"%group
			sys.exit(1)
		headerinput=pfilepath(header,allow_include=True)
		userinput=sys.stdin.readlines()
		pfile("user input",userinput)
	else:
		if sys.argv[1]=='-P':
			prefix=sys.argv[2]
			sys.argv[1:3]=[]
		if len(sys.argv)>3:
			print "Too many arguments"
			sys.exit(1)
		pfilepath(sys.argv[1])
		of=sys.stdout
		if len(sys.argv)>2:
			of=open(sys.argv[2],'w')

# Sanity check section
# Delete nodes where leaf=0 that have no children

def live(n):
	"Number of leafnodes below node n"
	if n.leaf: return 1
	for i in n.children.keys():
		if live(n.children[i]): return 1
	return 0
def delempty(n):
	"Delete nodes that have no leafnode children"
	for i in n.children.keys():
		delempty(n.children[i])
		if not live(n.children[i]):
			del n.children[i]
delempty(root)

# Check that all constraints are met (as far as I can tell
# restrict-nets/networks/peer are the only special cases)

def checkconstraints(n,p,ra):
	new_p=p.copy()
	new_p.update(n.properties)
	for i in n.require_properties.keys():
		if not new_p.has_key(i):
			moan("%s %s is missing property %s"%
				(n.type,n.name,i))
	for i in new_p.keys():
		if not n.allow_properties.has_key(i):
			moan("%s %s has forbidden property %s"%
				(n.type,n.name,i))
	# Check address range restrictions
	if n.properties.has_key("restrict-nets"):
		new_ra=ra.intersection(n.properties["restrict-nets"].set)
	else:
		new_ra=ra
	if n.properties.has_key("networks"):
		if not n.properties["networks"].set <= new_ra:
			moan("%s %s networks out of bounds"%(n.type,n.name))
		if n.properties.has_key("peer"):
			if not n.properties["networks"].set.contains(
				n.properties["peer"].addr):
				moan("%s %s peer not in networks"%(n.type,n.name))
	for i in n.children.keys():
		checkconstraints(n.children[i],new_p,new_ra)

checkconstraints(root,{},ipaddrset.complete_set())

if complaints>0:
	if complaints==1: print "There was 1 problem."
	else: print "There were %d problems."%(complaints)
	sys.exit(1)

if service:
	# Put the user's input into their group file, and rebuild the main
	# sites file
	f=open(groupfiledir+"/T"+group,'w')
	f.write("# Section submitted by user %s, %s\n"%
		(user,time.asctime(time.localtime(time.time()))))
	f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
	for i in userinput: f.write(i)
	f.write("\n")
	f.close()
	os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
	f=open(sitesfile+"-tmp",'w')
	f.write("# sites file autogenerated by make-secnet-sites\n")
	f.write("# generated %s, invoked by %s\n"%
		(time.asctime(time.localtime(time.time())),user))
	f.write("# use make-secnet-sites to turn this file into a\n")
	f.write("# valid /etc/secnet/sites.conf file\n\n")
	for i in headerinput: f.write(i)
	files=os.listdir(groupfiledir)
	for i in files:
		if i[0]=='R':
			j=open(groupfiledir+"/"+i)
			f.write(j.read())
			j.close()
	f.write("# end of sites file\n")
	f.close()
	os.rename(sitesfile+"-tmp",sitesfile)
else:
	outputsites(of)
Commit	Line	Data
3454dce4	1	#! /usr/bin/env python
3454dce4	2	#
c215a4bc IJ	3	# This file is part of secnet.
	4	# See README for full list of copyright holders.
	5	#
	6	# secnet is free software; you can redistribute it and/or modify it
	7	# under the terms of the GNU General Public License as published by
9c6a8729	8	# the Free Software Foundation; either version 3 of the License, or
3454dce4 SE	9	# (at your option) any later version.
3454dce4 SE	10	#
c215a4bc IJ	11	# secnet is distributed in the hope that it will be useful, but
	12	# WITHOUT ANY WARRANTY; without even the implied warranty of
	13	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	# General Public License for more details.
3454dce4 SE	15	#
3454dce4 SE	16	# You should have received a copy of the GNU General Public License
c215a4bc IJ	17	# version 3 along with secnet; if not, see
c215a4bc IJ	18	# https://www.gnu.org/licenses/gpl.html.
3454dce4 SE	19
	20	"""VPN sites file manipulation.
	21
	22	This program enables VPN site descriptions to be submitted for
	23	inclusion in a central database, and allows the resulting database to
	24	be turned into a secnet configuration file.
	25
	26	A database file can be turned into a secnet configuration file simply:
	27	make-secnet-sites.py [infile [outfile]]
	28
	29	It would be wise to run secnet with the "--just-check-config" option
	30	before installing the output on a live system.
	31
	32	The program expects to be invoked via userv to manage the database; it
	33	relies on the USERV_USER and USERV_GROUP environment variables. The
	34	command line arguments for this invocation are:
	35
	36	make-secnet-sites.py -u header-filename groupfiles-directory output-file \
	37	group
	38
	39	All but the last argument are expected to be set by userv; the 'group'
	40	argument is provided by the user. A suitable userv configuration file
	41	fragment is:
	42
	43	reset
	44	no-disconnect-hup
	45	no-suppress-args
	46	cd ~/secnet/sites-test/
08f344d3	47	execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
3454dce4 SE	48
	49	This program is part of secnet. It relies on the "ipaddr" library from
	50	Cendio Systems AB.
	51
	52	"""
	53
	54	import string
	55	import time
	56	import sys
	57	import os
3b83c932	58	import getopt
040040f3	59	import re
8dea8d37	60
71d65e4c IJ	61	import ipaddr
71d65e4c IJ	62
90ad8cd4 IJ	63	sys.path.insert(0,"/usr/local/share/secnet")
90ad8cd4 IJ	64	sys.path.insert(0,"/usr/share/secnet")
71d65e4c	65	import ipaddrset
3454dce4	66
00152558	67	VERSION="0.1.18"
3b83c932 SE	68
	69	# Classes describing possible datatypes in the configuration file
	70
d252f549 MW	71	class basetype:
	72	"Common protocol for configuration types."
	73	pass
	74
	75	class single_ipaddr (basetype):
3b83c932 SE	76	"An IP address"
3b83c932 SE	77	def __init__(self,w):
71d65e4c	78	self.addr=ipaddr.IPAddress(w[1])
3b83c932	79	def __str__(self):
71d65e4c	80	return '"%s"'%self.addr
3b83c932	81
d252f549	82	class networks (basetype):
3b83c932	83	"A set of IP addresses specified as a list of networks"
3454dce4	84	def __init__(self,w):
71d65e4c	85	self.set=ipaddrset.IPAddressSet()
3454dce4	86	for i in w[1:]:
71d65e4c IJ	87	x=ipaddr.IPNetwork(i,strict=True)
71d65e4c IJ	88	self.set.append([x])
3b83c932	89	def __str__(self):
71d65e4c	90	return ",".join(map((lambda n: '"%s"'%n), self.set.networks()))
3454dce4	91
d252f549	92	class dhgroup (basetype):
3b83c932	93	"A Diffie-Hellman group"
3454dce4	94	def __init__(self,w):
b2a56f7c SE	95	self.mod=w[1]
b2a56f7c SE	96	self.gen=w[2]
3b83c932 SE	97	def __str__(self):
3b83c932 SE	98	return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
3454dce4	99
d252f549	100	class hash (basetype):
3b83c932	101	"A choice of hash function"
3454dce4	102	def __init__(self,w):
b2a56f7c	103	self.ht=w[1]
757aecff	104	if (self.ht not in ('md5', 'sha1', 'sha512')):
b2a56f7c	105	complain("unknown hash type %s"%(self.ht))
3b83c932 SE	106	def __str__(self):
3b83c932 SE	107	return '%s'%(self.ht)
3454dce4	108
d252f549	109	class email (basetype):
3b83c932	110	"An email address"
3454dce4	111	def __init__(self,w):
b2a56f7c	112	self.addr=w[1]
3b83c932 SE	113	def __str__(self):
3b83c932 SE	114	return '<%s>'%(self.addr)
3454dce4	115
d252f549	116	class boolean (basetype):
040040f3 IJ	117	"A boolean"
	118	def __init__(self,w):
	119	if re.match('[TtYy1]',w[1]):
	120	self.b=True
	121	elif re.match('[FfNn0]',w[1]):
	122	self.b=False
	123	else:
	124	complain("invalid boolean value");
	125	def __str__(self):
	126	return ['False','True'][self.b]
	127
d252f549	128	class num (basetype):
3b83c932	129	"A decimal number"
3454dce4	130	def __init__(self,w):
b2a56f7c	131	self.n=string.atol(w[1])
3b83c932 SE	132	def __str__(self):
3b83c932 SE	133	return '%d'%(self.n)
3454dce4	134
d252f549	135	class address (basetype):
3b83c932	136	"A DNS name and UDP port number"
3454dce4	137	def __init__(self,w):
b2a56f7c SE	138	self.adr=w[1]
	139	self.port=string.atoi(w[2])
	140	if (self.port<1 or self.port>65535):
	141	complain("invalid port number")
3b83c932 SE	142	def __str__(self):
3b83c932 SE	143	return '"%s"; port %d'%(self.adr,self.port)
3454dce4	144
d252f549	145	class rsakey (basetype):
3b83c932	146	"An RSA public key"
3454dce4	147	def __init__(self,w):
b2a56f7c SE	148	self.l=string.atoi(w[1])
	149	self.e=w[2]
	150	self.n=w[3]
3b83c932 SE	151	def __str__(self):
	152	return 'rsa-public("%s","%s")'%(self.e,self.n)
	153
	154	# Possible properties of configuration nodes
	155	keywords={
	156	'contact':(email,"Contact address"),
	157	'dh':(dhgroup,"Diffie-Hellman group"),
	158	'hash':(hash,"Hash function"),
	159	'key-lifetime':(num,"Maximum key lifetime (ms)"),
	160	'setup-timeout':(num,"Key setup timeout (ms)"),
	161	'setup-retries':(num,"Maximum key setup packet retries"),
	162	'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
	163	'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
	164	'restrict-nets':(networks,"Allowable networks"),
	165	'networks':(networks,"Claimed networks"),
	166	'pubkey':(rsakey,"RSA public site key"),
	167	'peer':(single_ipaddr,"Tunnel peer IP address"),
a25b1149	168	'address':(address,"External contact address and port"),
040040f3	169	'mobile':(boolean,"Site is mobile"),
3b83c932 SE	170	}
	171
	172	def sp(name,value):
	173	"Simply output a property - the default case"
	174	return "%s %s;\n"%(name,value)
	175
	176	# All levels support these properties
	177	global_properties={
	178	'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
	179	'dh':sp,
	180	'hash':sp,
	181	'key-lifetime':sp,
	182	'setup-timeout':sp,
	183	'setup-retries':sp,
	184	'wait-time':sp,
	185	'renegotiate-time':sp,
a25b1149	186	'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
3b83c932 SE	187	}
	188
	189	class level:
	190	"A level in the configuration hierarchy"
	191	depth=0
	192	leaf=0
	193	allow_properties={}
	194	require_properties={}
	195	def __init__(self,w):
	196	self.name=w[1]
	197	self.properties={}
	198	self.children={}
	199	def indent(self,w,t):
	200	w.write(" "[:t])
	201	def prop_out(self,n):
	202	return self.allow_properties[n](n,str(self.properties[n]))
	203	def output_props(self,w,ind):
	204	for i in self.properties.keys():
	205	if self.allow_properties[i]:
	206	self.indent(w,ind)
	207	w.write("%s"%self.prop_out(i))
	208	def output_data(self,w,ind,np):
	209	self.indent(w,ind)
	210	w.write("%s {\n"%(self.name))
	211	self.output_props(w,ind+2)
	212	if self.depth==1: w.write("\n");
	213	for c in self.children.values():
	214	c.output_data(w,ind+2,np+self.name+"/")
	215	self.indent(w,ind)
	216	w.write("};\n")
	217
	218	class vpnlevel(level):
	219	"VPN level in the configuration hierarchy"
	220	depth=1
	221	leaf=0
	222	type="vpn"
	223	allow_properties=global_properties.copy()
	224	require_properties={
	225	'contact':"VPN admin contact address"
	226	}
	227	def __init__(self,w):
	228	level.__init__(self,w)
	229	def output_vpnflat(self,w,ind,h):
	230	"Output flattened list of site names for this VPN"
	231	self.indent(w,ind)
	232	w.write("%s {\n"%(self.name))
	233	for i in self.children.keys():
	234	self.children[i].output_vpnflat(w,ind+2,
	235	h+"/"+self.name+"/"+i)
	236	w.write("\n")
	237	self.indent(w,ind+2)
	238	w.write("all-sites %s;\n"%
	239	string.join(self.children.keys(),','))
	240	self.indent(w,ind)
	241	w.write("};\n")
	242
	243	class locationlevel(level):
	244	"Location level in the configuration hierarchy"
	245	depth=2
	246	leaf=0
	247	type="location"
	248	allow_properties=global_properties.copy()
	249	require_properties={
	250	'contact':"Location admin contact address",
251	}
252	def __init__(self,w):
253	level.__init__(self,w)
254	self.group=w[2]
255	def output_vpnflat(self,w,ind,h):
256	self.indent(w,ind)
257	# The "h=h,self=self" abomination below exists because
258	# Python didn't support nested_scopes until version 2.1
259	w.write("%s %s;\n"%(self.name,string.join(
260	map(lambda x,h=h,self=self:
261	h+"/"+x,self.children.keys()),',')))
262
263	class sitelevel(level):
264	"Site level (i.e. a leafnode) in the configuration hierarchy"
265	depth=3
266	leaf=1
267	type="site"
268	allow_properties=global_properties.copy()
269	allow_properties.update({
270	'address':sp,
271	'networks':None,
272	'peer':None,
a25b1149	273	'pubkey':(lambda n,v:"key %s;\n"%v),
040040f3	274	'mobile':sp,
3b83c932 SE	275	})
	276	require_properties={
	277	'dh':"Diffie-Hellman group",
	278	'contact':"Site admin contact address",
3b83c932 SE	279	'networks':"Networks claimed by the site",
	280	'hash':"hash function",
	281	'peer':"Gateway address of the site",
a25b1149	282	'pubkey':"RSA public key of the site",
3b83c932	283	}
3454dce4	284	def __init__(self,w):
3b83c932 SE	285	level.__init__(self,w)
	286	def output_data(self,w,ind,np):
	287	self.indent(w,ind)
	288	w.write("%s {\n"%(self.name))
	289	self.indent(w,ind+2)
	290	w.write("name \"%s\";\n"%(np+self.name))
	291	self.output_props(w,ind+2)
	292	self.indent(w,ind+2)
	293	w.write("link netlink {\n");
	294	self.indent(w,ind+4)
	295	w.write("routes %s;\n"%str(self.properties["networks"]))
	296	self.indent(w,ind+4)
	297	w.write("ptp-address %s;\n"%str(self.properties["peer"]))
	298	self.indent(w,ind+2)
	299	w.write("};\n")
	300	self.indent(w,ind)
	301	w.write("};\n")
	302
	303	# Levels in the configuration file
	304	# (depth,properties)
	305	levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
	306
	307	# Reserved vpn/location/site names
	308	reserved={'all-sites':None}
	309	reserved.update(keywords)
	310	reserved.update(levels)
3454dce4 SE	311
3454dce4 SE	312	def complain(msg):
3b83c932	313	"Complain about a particular input line"
3454dce4 SE	314	global complaints
	315	print ("%s line %d: "%(file,line))+msg
	316	complaints=complaints+1
	317	def moan(msg):
3b83c932	318	"Complain about something in general"
3454dce4 SE	319	global complaints
	320	print msg;
	321	complaints=complaints+1
	322
3b83c932 SE	323	root=level(['root','root']) # All vpns are children of this node
	324	obstack=[root]
	325	allow_defs=0 # Level above which new definitions are permitted
26f727b9	326	prefix=''
3b83c932 SE	327
	328	def set_property(obj,w):
	329	"Set a property on a configuration node"
	330	if obj.properties.has_key(w[0]):
	331	complain("%s %s already has property %s defined"%
	332	(obj.type,obj.name,w[0]))
	333	else:
	334	obj.properties[w[0]]=keywords[w[0]][0](w)
3454dce4	335
c4497add	336	def pline(i,allow_include=False):
3b83c932 SE	337	"Process a configuration file line"
3b83c932 SE	338	global allow_defs, obstack, root
6d8cd9b2	339	w=string.split(i.rstrip('\n'))
433b0ae8	340	if len(w)==0: return [i]
3454dce4	341	keyword=w[0]
3b83c932	342	current=obstack[len(obstack)-1]
3454dce4	343	if keyword=='end-definitions':
3b83c932 SE	344	allow_defs=sitelevel.depth
3b83c932 SE	345	obstack=[root]
433b0ae8	346	return [i]
c4497add IJ	347	if keyword=='include':
	348	if not allow_include:
	349	complain("include not permitted here")
433b0ae8	350	return []
c4497add IJ	351	if len(w) != 2:
c4497add IJ	352	complain("include requires one argument")
433b0ae8	353	return []
c4497add	354	newfile=os.path.join(os.path.dirname(file),w[1])
433b0ae8	355	return pfilepath(newfile,allow_include=allow_include)
3b83c932 SE	356	if levels.has_key(keyword):
	357	# We may go up any number of levels, but only down by one
	358	newdepth=levels[keyword].depth
	359	currentdepth=len(obstack) # actually +1...
	360	if newdepth<=currentdepth:
	361	obstack=obstack[:newdepth]
	362	if newdepth>currentdepth:
	363	complain("May not go from level %d to level %d"%
	364	(currentdepth-1,newdepth))
	365	# See if it's a new one (and whether that's permitted)
	366	# or an existing one
	367	current=obstack[len(obstack)-1]
	368	if current.children.has_key(w[1]):
	369	# Not new
	370	current=current.children[w[1]]
	371	if service and group and current.depth==2:
	372	if group!=current.group:
	373	complain("Incorrect group!")
3454dce4	374	else:
3b83c932 SE	375	# New
	376	# Ignore depth check for now
	377	nl=levels[keyword](w)
	378	if nl.depth<allow_defs:
	379	complain("New definitions not allowed at "
	380	"level %d"%nl.depth)
4a9b680b IJ	381	# we risk crashing if we continue
4a9b680b IJ	382	sys.exit(1)
3b83c932 SE	383	current.children[w[1]]=nl
	384	current=nl
	385	obstack.append(current)
433b0ae8	386	return [i]
8644ac83	387	if not current.allow_properties.has_key(keyword):
3b83c932 SE	388	complain("Property %s not allowed at %s level"%
3b83c932 SE	389	(keyword,current.type))
433b0ae8	390	return []
8644ac83 MW	391	elif current.depth == vpnlevel.depth < allow_defs:
	392	complain("Not allowed to set VPN properties here")
	393	return []
	394	else:
	395	set_property(current,w)
	396	return [i]
3b83c932 SE	397
3b83c932 SE	398	complain("unknown keyword '%s'"%(keyword))
3454dce4	399
c4497add	400	def pfilepath(pathname,allow_include=False):
9b8369e0	401	f=open(pathname)
433b0ae8	402	outlines=pfile(pathname,f.readlines(),allow_include=allow_include)
9b8369e0	403	f.close()
433b0ae8	404	return outlines
9b8369e0	405
c4497add	406	def pfile(name,lines,allow_include=False):
3b83c932	407	"Process a file"
3454dce4 SE	408	global file,line
	409	file=name
	410	line=0
433b0ae8	411	outlines=[]
3454dce4 SE	412	for i in lines:
	413	line=line+1
	414	if (i[0]=='#'): continue
433b0ae8 IJ	415	outlines += pline(i,allow_include=allow_include)
433b0ae8 IJ	416	return outlines
3454dce4 SE	417
3454dce4 SE	418	def outputsites(w):
3b83c932 SE	419	"Output include file for secnet configuration"
3b83c932 SE	420	w.write("# secnet sites file autogenerated by make-secnet-sites "
3454dce4	421	+"version %s\n"%VERSION)
3b83c932 SE	422	w.write("# %s\n"%time.asctime(time.localtime(time.time())))
3b83c932 SE	423	w.write("# Command line: %s\n\n"%string.join(sys.argv))
3454dce4 SE	424
3454dce4 SE	425	# Raw VPN data section of file
26f727b9	426	w.write(prefix+"vpn-data {\n")
3b83c932 SE	427	for i in root.children.values():
3b83c932 SE	428	i.output_data(w,2,"")
3454dce4 SE	429	w.write("};\n")
	430
	431	# Per-VPN flattened lists
26f727b9	432	w.write(prefix+"vpn {\n")
3b83c932	433	for i in root.children.values():
26f727b9	434	i.output_vpnflat(w,2,prefix+"vpn-data")
3454dce4 SE	435	w.write("};\n")
	436
	437	# Flattened list of sites
26f727b9 IJ	438	w.write(prefix+"all-sites %s;\n"%string.join(
	439	map(lambda x:"%svpn/%s/all-sites"%(prefix,x),
	440	root.children.keys()),","))
3454dce4 SE	441
	442	# Are we being invoked from userv?
	443	service=0
	444	# If we are, which group does the caller want to modify?
	445	group=None
	446
3454dce4 SE	447	line=0
	448	file=None
	449	complaints=0
	450
3454dce4 SE	451	if len(sys.argv)<2:
	452	pfile("stdin",sys.stdin.readlines())
	453	of=sys.stdout
	454	else:
	455	if sys.argv[1]=='-u':
	456	if len(sys.argv)!=6:
	457	print "Wrong number of arguments"
	458	sys.exit(1)
	459	service=1
	460	header=sys.argv[2]
	461	groupfiledir=sys.argv[3]
	462	sitesfile=sys.argv[4]
	463	group=sys.argv[5]
	464	if not os.environ.has_key("USERV_USER"):
	465	print "Environment variable USERV_USER not found"
	466	sys.exit(1)
	467	user=os.environ["USERV_USER"]
	468	# Check that group is in USERV_GROUP
	469	if not os.environ.has_key("USERV_GROUP"):
	470	print "Environment variable USERV_GROUP not found"
	471	sys.exit(1)
	472	ugs=os.environ["USERV_GROUP"]
	473	ok=0
	474	for i in string.split(ugs):
	475	if group==i: ok=1
	476	if not ok:
	477	print "caller not in group %s"%group
	478	sys.exit(1)
5b77d1a9	479	headerinput=pfilepath(header,allow_include=True)
3454dce4 SE	480	userinput=sys.stdin.readlines()
	481	pfile("user input",userinput)
	482	else:
26f727b9 IJ	483	if sys.argv[1]=='-P':
	484	prefix=sys.argv[2]
	485	sys.argv[1:3]=[]
3454dce4 SE	486	if len(sys.argv)>3:
	487	print "Too many arguments"
	488	sys.exit(1)
21fd3a92	489	pfilepath(sys.argv[1])
3454dce4 SE	490	of=sys.stdout
	491	if len(sys.argv)>2:
	492	of=open(sys.argv[2],'w')
	493
	494	# Sanity check section
3b83c932 SE	495	# Delete nodes where leaf=0 that have no children
	496
	497	def live(n):
	498	"Number of leafnodes below node n"
	499	if n.leaf: return 1
	500	for i in n.children.keys():
	501	if live(n.children[i]): return 1
	502	return 0
	503	def delempty(n):
	504	"Delete nodes that have no leafnode children"
	505	for i in n.children.keys():
	506	delempty(n.children[i])
	507	if not live(n.children[i]):
	508	del n.children[i]
	509	delempty(root)
	510
	511	# Check that all constraints are met (as far as I can tell
	512	# restrict-nets/networks/peer are the only special cases)
	513
	514	def checkconstraints(n,p,ra):
	515	new_p=p.copy()
	516	new_p.update(n.properties)
	517	for i in n.require_properties.keys():
	518	if not new_p.has_key(i):
	519	moan("%s %s is missing property %s"%
	520	(n.type,n.name,i))
	521	for i in new_p.keys():
	522	if not n.allow_properties.has_key(i):
	523	moan("%s %s has forbidden property %s"%
	524	(n.type,n.name,i))
	525	# Check address range restrictions
	526	if n.properties.has_key("restrict-nets"):
	527	new_ra=ra.intersection(n.properties["restrict-nets"].set)
3454dce4	528	else:
3b83c932 SE	529	new_ra=ra
3b83c932 SE	530	if n.properties.has_key("networks"):
71d65e4c	531	if not n.properties["networks"].set <= new_ra:
3b83c932 SE	532	moan("%s %s networks out of bounds"%(n.type,n.name))
	533	if n.properties.has_key("peer"):
	534	if not n.properties["networks"].set.contains(
	535	n.properties["peer"].addr):
	536	moan("%s %s peer not in networks"%(n.type,n.name))
	537	for i in n.children.keys():
	538	checkconstraints(n.children[i],new_p,new_ra)
	539
71d65e4c	540	checkconstraints(root,{},ipaddrset.complete_set())
3454dce4 SE	541
	542	if complaints>0:
	543	if complaints==1: print "There was 1 problem."
	544	else: print "There were %d problems."%(complaints)
	545	sys.exit(1)
	546
	547	if service:
	548	# Put the user's input into their group file, and rebuild the main
	549	# sites file
08f344d3	550	f=open(groupfiledir+"/T"+group,'w')
3454dce4 SE	551	f.write("# Section submitted by user %s, %s\n"%
3454dce4 SE	552	(user,time.asctime(time.localtime(time.time()))))
3b83c932	553	f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
3454dce4 SE	554	for i in userinput: f.write(i)
	555	f.write("\n")
	556	f.close()
08f344d3 SE	557	os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
08f344d3 SE	558	f=open(sitesfile+"-tmp",'w')
ff05a229	559	f.write("# sites file autogenerated by make-secnet-sites\n")
08f344d3 SE	560	f.write("# generated %s, invoked by %s\n"%
08f344d3 SE	561	(time.asctime(time.localtime(time.time())),user))
ff05a229	562	f.write("# use make-secnet-sites to turn this file into a\n")
08f344d3 SE	563	f.write("# valid /etc/secnet/sites.conf file\n\n")
	564	for i in headerinput: f.write(i)
	565	files=os.listdir(groupfiledir)
	566	for i in files:
	567	if i[0]=='R':
	568	j=open(groupfiledir+"/"+i)
	569	f.write(j.read())
	570	j.close()
	571	f.write("# end of sites file\n")
	572	f.close()
	573	os.rename(sitesfile+"-tmp",sitesfile)
3454dce4 SE	574	else:
3454dce4 SE	575	outputsites(of)