| 1 | #! /usr/bin/env python |
| 2 | # Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk> |
| 3 | # |
| 4 | # This program is free software; you can redistribute it and/or modify |
| 5 | # it under the terms of the GNU General Public License as published by |
| 6 | # the Free Software Foundation; either version 2 of the License, or |
| 7 | # (at your option) any later version. |
| 8 | # |
| 9 | # This program is distributed in the hope that it will be useful, |
| 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | # GNU General Public License for more details. |
| 13 | # |
| 14 | # You should have received a copy of the GNU General Public License |
| 15 | # along with this program; if not, write to the Free Software |
| 16 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 17 | |
| 18 | """VPN sites file manipulation. |
| 19 | |
| 20 | This program enables VPN site descriptions to be submitted for |
| 21 | inclusion in a central database, and allows the resulting database to |
| 22 | be turned into a secnet configuration file. |
| 23 | |
| 24 | A database file can be turned into a secnet configuration file simply: |
| 25 | make-secnet-sites.py [infile [outfile]] |
| 26 | |
| 27 | It would be wise to run secnet with the "--just-check-config" option |
| 28 | before installing the output on a live system. |
| 29 | |
| 30 | The program expects to be invoked via userv to manage the database; it |
| 31 | relies on the USERV_USER and USERV_GROUP environment variables. The |
| 32 | command line arguments for this invocation are: |
| 33 | |
| 34 | make-secnet-sites.py -u header-filename groupfiles-directory output-file \ |
| 35 | group |
| 36 | |
| 37 | All but the last argument are expected to be set by userv; the 'group' |
| 38 | argument is provided by the user. A suitable userv configuration file |
| 39 | fragment is: |
| 40 | |
| 41 | reset |
| 42 | no-disconnect-hup |
| 43 | no-suppress-args |
| 44 | cd ~/secnet/sites-test/ |
| 45 | execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites |
| 46 | |
| 47 | This program is part of secnet. It relies on the "ipaddr" library from |
| 48 | Cendio Systems AB. |
| 49 | |
| 50 | """ |
| 51 | |
| 52 | import string |
| 53 | import time |
| 54 | import sys |
| 55 | import os |
| 56 | import getopt |
| 57 | |
| 58 | # The ipaddr library is installed as part of secnet |
| 59 | sys.path.append("/usr/local/share/secnet") |
| 60 | sys.path.append("/usr/share/secnet") |
| 61 | import ipaddr |
| 62 | |
| 63 | VERSION="0.1.18" |
| 64 | |
| 65 | # Classes describing possible datatypes in the configuration file |
| 66 | |
| 67 | class single_ipaddr: |
| 68 | "An IP address" |
| 69 | def __init__(self,w): |
| 70 | self.addr=ipaddr.ipaddr(w[1]) |
| 71 | def __str__(self): |
| 72 | return '"%s"'%self.addr.ip_str() |
| 73 | |
| 74 | class networks: |
| 75 | "A set of IP addresses specified as a list of networks" |
| 76 | def __init__(self,w): |
| 77 | self.set=ipaddr.ip_set() |
| 78 | for i in w[1:]: |
| 79 | x=string.split(i,"/") |
| 80 | self.set.append(ipaddr.network(x[0],x[1], |
| 81 | ipaddr.DEMAND_NETWORK)) |
| 82 | def __str__(self): |
| 83 | return string.join(map(lambda x:'"%s/%s"'%(x.ip_str(), |
| 84 | x.mask.netmask_bits_str), |
| 85 | self.set.as_list_of_networks()),",") |
| 86 | |
| 87 | class dhgroup: |
| 88 | "A Diffie-Hellman group" |
| 89 | def __init__(self,w): |
| 90 | self.mod=w[1] |
| 91 | self.gen=w[2] |
| 92 | def __str__(self): |
| 93 | return 'diffie-hellman("%s","%s")'%(self.mod,self.gen) |
| 94 | |
| 95 | class hash: |
| 96 | "A choice of hash function" |
| 97 | def __init__(self,w): |
| 98 | self.ht=w[1] |
| 99 | if (self.ht!='md5' and self.ht!='sha1'): |
| 100 | complain("unknown hash type %s"%(self.ht)) |
| 101 | def __str__(self): |
| 102 | return '%s'%(self.ht) |
| 103 | |
| 104 | class email: |
| 105 | "An email address" |
| 106 | def __init__(self,w): |
| 107 | self.addr=w[1] |
| 108 | def __str__(self): |
| 109 | return '<%s>'%(self.addr) |
| 110 | |
| 111 | class num: |
| 112 | "A decimal number" |
| 113 | def __init__(self,w): |
| 114 | self.n=string.atol(w[1]) |
| 115 | def __str__(self): |
| 116 | return '%d'%(self.n) |
| 117 | |
| 118 | class address: |
| 119 | "A DNS name and UDP port number" |
| 120 | def __init__(self,w): |
| 121 | self.adr=w[1] |
| 122 | self.port=string.atoi(w[2]) |
| 123 | if (self.port<1 or self.port>65535): |
| 124 | complain("invalid port number") |
| 125 | def __str__(self): |
| 126 | return '"%s"; port %d'%(self.adr,self.port) |
| 127 | |
| 128 | class rsakey: |
| 129 | "An RSA public key" |
| 130 | def __init__(self,w): |
| 131 | self.l=string.atoi(w[1]) |
| 132 | self.e=w[2] |
| 133 | self.n=w[3] |
| 134 | def __str__(self): |
| 135 | return 'rsa-public("%s","%s")'%(self.e,self.n) |
| 136 | |
| 137 | # Possible properties of configuration nodes |
| 138 | keywords={ |
| 139 | 'contact':(email,"Contact address"), |
| 140 | 'dh':(dhgroup,"Diffie-Hellman group"), |
| 141 | 'hash':(hash,"Hash function"), |
| 142 | 'key-lifetime':(num,"Maximum key lifetime (ms)"), |
| 143 | 'setup-timeout':(num,"Key setup timeout (ms)"), |
| 144 | 'setup-retries':(num,"Maximum key setup packet retries"), |
| 145 | 'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"), |
| 146 | 'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"), |
| 147 | 'restrict-nets':(networks,"Allowable networks"), |
| 148 | 'networks':(networks,"Claimed networks"), |
| 149 | 'pubkey':(rsakey,"RSA public site key"), |
| 150 | 'peer':(single_ipaddr,"Tunnel peer IP address"), |
| 151 | 'address':(address,"External contact address and port") |
| 152 | } |
| 153 | |
| 154 | def sp(name,value): |
| 155 | "Simply output a property - the default case" |
| 156 | return "%s %s;\n"%(name,value) |
| 157 | |
| 158 | # All levels support these properties |
| 159 | global_properties={ |
| 160 | 'contact':(lambda name,value:"# Contact email address: %s\n"%(value)), |
| 161 | 'dh':sp, |
| 162 | 'hash':sp, |
| 163 | 'key-lifetime':sp, |
| 164 | 'setup-timeout':sp, |
| 165 | 'setup-retries':sp, |
| 166 | 'wait-time':sp, |
| 167 | 'renegotiate-time':sp, |
| 168 | 'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value) |
| 169 | } |
| 170 | |
| 171 | class level: |
| 172 | "A level in the configuration hierarchy" |
| 173 | depth=0 |
| 174 | leaf=0 |
| 175 | allow_properties={} |
| 176 | require_properties={} |
| 177 | def __init__(self,w): |
| 178 | self.name=w[1] |
| 179 | self.properties={} |
| 180 | self.children={} |
| 181 | def indent(self,w,t): |
| 182 | w.write(" "[:t]) |
| 183 | def prop_out(self,n): |
| 184 | return self.allow_properties[n](n,str(self.properties[n])) |
| 185 | def output_props(self,w,ind): |
| 186 | for i in self.properties.keys(): |
| 187 | if self.allow_properties[i]: |
| 188 | self.indent(w,ind) |
| 189 | w.write("%s"%self.prop_out(i)) |
| 190 | def output_data(self,w,ind,np): |
| 191 | self.indent(w,ind) |
| 192 | w.write("%s {\n"%(self.name)) |
| 193 | self.output_props(w,ind+2) |
| 194 | if self.depth==1: w.write("\n"); |
| 195 | for c in self.children.values(): |
| 196 | c.output_data(w,ind+2,np+self.name+"/") |
| 197 | self.indent(w,ind) |
| 198 | w.write("};\n") |
| 199 | |
| 200 | class vpnlevel(level): |
| 201 | "VPN level in the configuration hierarchy" |
| 202 | depth=1 |
| 203 | leaf=0 |
| 204 | type="vpn" |
| 205 | allow_properties=global_properties.copy() |
| 206 | require_properties={ |
| 207 | 'contact':"VPN admin contact address" |
| 208 | } |
| 209 | def __init__(self,w): |
| 210 | level.__init__(self,w) |
| 211 | def output_vpnflat(self,w,ind,h): |
| 212 | "Output flattened list of site names for this VPN" |
| 213 | self.indent(w,ind) |
| 214 | w.write("%s {\n"%(self.name)) |
| 215 | for i in self.children.keys(): |
| 216 | self.children[i].output_vpnflat(w,ind+2, |
| 217 | h+"/"+self.name+"/"+i) |
| 218 | w.write("\n") |
| 219 | self.indent(w,ind+2) |
| 220 | w.write("all-sites %s;\n"% |
| 221 | string.join(self.children.keys(),',')) |
| 222 | self.indent(w,ind) |
| 223 | w.write("};\n") |
| 224 | |
| 225 | class locationlevel(level): |
| 226 | "Location level in the configuration hierarchy" |
| 227 | depth=2 |
| 228 | leaf=0 |
| 229 | type="location" |
| 230 | allow_properties=global_properties.copy() |
| 231 | require_properties={ |
| 232 | 'contact':"Location admin contact address", |
| 233 | } |
| 234 | def __init__(self,w): |
| 235 | level.__init__(self,w) |
| 236 | self.group=w[2] |
| 237 | def output_vpnflat(self,w,ind,h): |
| 238 | self.indent(w,ind) |
| 239 | # The "h=h,self=self" abomination below exists because |
| 240 | # Python didn't support nested_scopes until version 2.1 |
| 241 | w.write("%s %s;\n"%(self.name,string.join( |
| 242 | map(lambda x,h=h,self=self: |
| 243 | h+"/"+x,self.children.keys()),','))) |
| 244 | |
| 245 | class sitelevel(level): |
| 246 | "Site level (i.e. a leafnode) in the configuration hierarchy" |
| 247 | depth=3 |
| 248 | leaf=1 |
| 249 | type="site" |
| 250 | allow_properties=global_properties.copy() |
| 251 | allow_properties.update({ |
| 252 | 'address':sp, |
| 253 | 'networks':None, |
| 254 | 'peer':None, |
| 255 | 'pubkey':(lambda n,v:"key %s;\n"%v) |
| 256 | }) |
| 257 | require_properties={ |
| 258 | 'dh':"Diffie-Hellman group", |
| 259 | 'contact':"Site admin contact address", |
| 260 | 'address':"Site external access address", |
| 261 | 'networks':"Networks claimed by the site", |
| 262 | 'hash':"hash function", |
| 263 | 'peer':"Gateway address of the site", |
| 264 | 'pubkey':"RSA public key of the site" |
| 265 | } |
| 266 | def __init__(self,w): |
| 267 | level.__init__(self,w) |
| 268 | def output_data(self,w,ind,np): |
| 269 | self.indent(w,ind) |
| 270 | w.write("%s {\n"%(self.name)) |
| 271 | self.indent(w,ind+2) |
| 272 | w.write("name \"%s\";\n"%(np+self.name)) |
| 273 | self.output_props(w,ind+2) |
| 274 | self.indent(w,ind+2) |
| 275 | w.write("link netlink {\n"); |
| 276 | self.indent(w,ind+4) |
| 277 | w.write("routes %s;\n"%str(self.properties["networks"])) |
| 278 | self.indent(w,ind+4) |
| 279 | w.write("ptp-address %s;\n"%str(self.properties["peer"])) |
| 280 | self.indent(w,ind+2) |
| 281 | w.write("};\n") |
| 282 | self.indent(w,ind) |
| 283 | w.write("};\n") |
| 284 | |
| 285 | # Levels in the configuration file |
| 286 | # (depth,properties) |
| 287 | levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel} |
| 288 | |
| 289 | # Reserved vpn/location/site names |
| 290 | reserved={'all-sites':None} |
| 291 | reserved.update(keywords) |
| 292 | reserved.update(levels) |
| 293 | |
| 294 | def complain(msg): |
| 295 | "Complain about a particular input line" |
| 296 | global complaints |
| 297 | print ("%s line %d: "%(file,line))+msg |
| 298 | complaints=complaints+1 |
| 299 | def moan(msg): |
| 300 | "Complain about something in general" |
| 301 | global complaints |
| 302 | print msg; |
| 303 | complaints=complaints+1 |
| 304 | |
| 305 | root=level(['root','root']) # All vpns are children of this node |
| 306 | obstack=[root] |
| 307 | allow_defs=0 # Level above which new definitions are permitted |
| 308 | |
| 309 | def set_property(obj,w): |
| 310 | "Set a property on a configuration node" |
| 311 | if obj.properties.has_key(w[0]): |
| 312 | complain("%s %s already has property %s defined"% |
| 313 | (obj.type,obj.name,w[0])) |
| 314 | else: |
| 315 | obj.properties[w[0]]=keywords[w[0]][0](w) |
| 316 | |
| 317 | def pline(i): |
| 318 | "Process a configuration file line" |
| 319 | global allow_defs, obstack, root |
| 320 | w=string.split(i) |
| 321 | if len(w)==0: return |
| 322 | keyword=w[0] |
| 323 | current=obstack[len(obstack)-1] |
| 324 | if keyword=='end-definitions': |
| 325 | allow_defs=sitelevel.depth |
| 326 | obstack=[root] |
| 327 | return |
| 328 | if levels.has_key(keyword): |
| 329 | # We may go up any number of levels, but only down by one |
| 330 | newdepth=levels[keyword].depth |
| 331 | currentdepth=len(obstack) # actually +1... |
| 332 | if newdepth<=currentdepth: |
| 333 | obstack=obstack[:newdepth] |
| 334 | if newdepth>currentdepth: |
| 335 | complain("May not go from level %d to level %d"% |
| 336 | (currentdepth-1,newdepth)) |
| 337 | # See if it's a new one (and whether that's permitted) |
| 338 | # or an existing one |
| 339 | current=obstack[len(obstack)-1] |
| 340 | if current.children.has_key(w[1]): |
| 341 | # Not new |
| 342 | current=current.children[w[1]] |
| 343 | if service and group and current.depth==2: |
| 344 | if group!=current.group: |
| 345 | complain("Incorrect group!") |
| 346 | else: |
| 347 | # New |
| 348 | # Ignore depth check for now |
| 349 | nl=levels[keyword](w) |
| 350 | if nl.depth<allow_defs: |
| 351 | complain("New definitions not allowed at " |
| 352 | "level %d"%nl.depth) |
| 353 | current.children[w[1]]=nl |
| 354 | current=nl |
| 355 | obstack.append(current) |
| 356 | return |
| 357 | if current.allow_properties.has_key(keyword): |
| 358 | set_property(current,w) |
| 359 | return |
| 360 | else: |
| 361 | complain("Property %s not allowed at %s level"% |
| 362 | (keyword,current.type)) |
| 363 | return |
| 364 | |
| 365 | complain("unknown keyword '%s'"%(keyword)) |
| 366 | |
| 367 | def pfile(name,lines): |
| 368 | "Process a file" |
| 369 | global file,line |
| 370 | file=name |
| 371 | line=0 |
| 372 | for i in lines: |
| 373 | line=line+1 |
| 374 | if (i[0]=='#'): continue |
| 375 | if (i[len(i)-1]=='\n'): i=i[:len(i)-1] # strip trailing LF |
| 376 | pline(i) |
| 377 | |
| 378 | def outputsites(w): |
| 379 | "Output include file for secnet configuration" |
| 380 | w.write("# secnet sites file autogenerated by make-secnet-sites " |
| 381 | +"version %s\n"%VERSION) |
| 382 | w.write("# %s\n"%time.asctime(time.localtime(time.time()))) |
| 383 | w.write("# Command line: %s\n\n"%string.join(sys.argv)) |
| 384 | |
| 385 | # Raw VPN data section of file |
| 386 | w.write("vpn-data {\n") |
| 387 | for i in root.children.values(): |
| 388 | i.output_data(w,2,"") |
| 389 | w.write("};\n") |
| 390 | |
| 391 | # Per-VPN flattened lists |
| 392 | w.write("vpn {\n") |
| 393 | for i in root.children.values(): |
| 394 | i.output_vpnflat(w,2,"vpn-data") |
| 395 | w.write("};\n") |
| 396 | |
| 397 | # Flattened list of sites |
| 398 | w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"% |
| 399 | x,root.children.keys()),",")) |
| 400 | |
| 401 | # Are we being invoked from userv? |
| 402 | service=0 |
| 403 | # If we are, which group does the caller want to modify? |
| 404 | group=None |
| 405 | |
| 406 | line=0 |
| 407 | file=None |
| 408 | complaints=0 |
| 409 | |
| 410 | if len(sys.argv)<2: |
| 411 | pfile("stdin",sys.stdin.readlines()) |
| 412 | of=sys.stdout |
| 413 | else: |
| 414 | if sys.argv[1]=='-u': |
| 415 | if len(sys.argv)!=6: |
| 416 | print "Wrong number of arguments" |
| 417 | sys.exit(1) |
| 418 | service=1 |
| 419 | header=sys.argv[2] |
| 420 | groupfiledir=sys.argv[3] |
| 421 | sitesfile=sys.argv[4] |
| 422 | group=sys.argv[5] |
| 423 | if not os.environ.has_key("USERV_USER"): |
| 424 | print "Environment variable USERV_USER not found" |
| 425 | sys.exit(1) |
| 426 | user=os.environ["USERV_USER"] |
| 427 | # Check that group is in USERV_GROUP |
| 428 | if not os.environ.has_key("USERV_GROUP"): |
| 429 | print "Environment variable USERV_GROUP not found" |
| 430 | sys.exit(1) |
| 431 | ugs=os.environ["USERV_GROUP"] |
| 432 | ok=0 |
| 433 | for i in string.split(ugs): |
| 434 | if group==i: ok=1 |
| 435 | if not ok: |
| 436 | print "caller not in group %s"%group |
| 437 | sys.exit(1) |
| 438 | f=open(header) |
| 439 | headerinput=f.readlines() |
| 440 | f.close() |
| 441 | pfile(header,headerinput) |
| 442 | userinput=sys.stdin.readlines() |
| 443 | pfile("user input",userinput) |
| 444 | else: |
| 445 | if len(sys.argv)>3: |
| 446 | print "Too many arguments" |
| 447 | sys.exit(1) |
| 448 | f=open(sys.argv[1]) |
| 449 | pfile(sys.argv[1],f.readlines()) |
| 450 | f.close() |
| 451 | of=sys.stdout |
| 452 | if len(sys.argv)>2: |
| 453 | of=open(sys.argv[2],'w') |
| 454 | |
| 455 | # Sanity check section |
| 456 | # Delete nodes where leaf=0 that have no children |
| 457 | |
| 458 | def live(n): |
| 459 | "Number of leafnodes below node n" |
| 460 | if n.leaf: return 1 |
| 461 | for i in n.children.keys(): |
| 462 | if live(n.children[i]): return 1 |
| 463 | return 0 |
| 464 | def delempty(n): |
| 465 | "Delete nodes that have no leafnode children" |
| 466 | for i in n.children.keys(): |
| 467 | delempty(n.children[i]) |
| 468 | if not live(n.children[i]): |
| 469 | del n.children[i] |
| 470 | delempty(root) |
| 471 | |
| 472 | # Check that all constraints are met (as far as I can tell |
| 473 | # restrict-nets/networks/peer are the only special cases) |
| 474 | |
| 475 | def checkconstraints(n,p,ra): |
| 476 | new_p=p.copy() |
| 477 | new_p.update(n.properties) |
| 478 | for i in n.require_properties.keys(): |
| 479 | if not new_p.has_key(i): |
| 480 | moan("%s %s is missing property %s"% |
| 481 | (n.type,n.name,i)) |
| 482 | for i in new_p.keys(): |
| 483 | if not n.allow_properties.has_key(i): |
| 484 | moan("%s %s has forbidden property %s"% |
| 485 | (n.type,n.name,i)) |
| 486 | # Check address range restrictions |
| 487 | if n.properties.has_key("restrict-nets"): |
| 488 | new_ra=ra.intersection(n.properties["restrict-nets"].set) |
| 489 | else: |
| 490 | new_ra=ra |
| 491 | if n.properties.has_key("networks"): |
| 492 | # I'd like to do this: |
| 493 | # n.properties["networks"].set.is_subset(new_ra) |
| 494 | # but there isn't an is_subset() method |
| 495 | # Instead we see if we intersect with the complement of new_ra |
| 496 | rac=new_ra.complement() |
| 497 | i=rac.intersection(n.properties["networks"].set) |
| 498 | if not i.is_empty(): |
| 499 | moan("%s %s networks out of bounds"%(n.type,n.name)) |
| 500 | if n.properties.has_key("peer"): |
| 501 | if not n.properties["networks"].set.contains( |
| 502 | n.properties["peer"].addr): |
| 503 | moan("%s %s peer not in networks"%(n.type,n.name)) |
| 504 | for i in n.children.keys(): |
| 505 | checkconstraints(n.children[i],new_p,new_ra) |
| 506 | |
| 507 | checkconstraints(root,{},ipaddr.complete_set) |
| 508 | |
| 509 | if complaints>0: |
| 510 | if complaints==1: print "There was 1 problem." |
| 511 | else: print "There were %d problems."%(complaints) |
| 512 | sys.exit(1) |
| 513 | |
| 514 | if service: |
| 515 | # Put the user's input into their group file, and rebuild the main |
| 516 | # sites file |
| 517 | f=open(groupfiledir+"/T"+group,'w') |
| 518 | f.write("# Section submitted by user %s, %s\n"% |
| 519 | (user,time.asctime(time.localtime(time.time())))) |
| 520 | f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION) |
| 521 | for i in userinput: f.write(i) |
| 522 | f.write("\n") |
| 523 | f.close() |
| 524 | os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group) |
| 525 | f=open(sitesfile+"-tmp",'w') |
| 526 | f.write("# sites file autogenerated by make-secnet-sites\n") |
| 527 | f.write("# generated %s, invoked by %s\n"% |
| 528 | (time.asctime(time.localtime(time.time())),user)) |
| 529 | f.write("# use make-secnet-sites to turn this file into a\n") |
| 530 | f.write("# valid /etc/secnet/sites.conf file\n\n") |
| 531 | for i in headerinput: f.write(i) |
| 532 | files=os.listdir(groupfiledir) |
| 533 | for i in files: |
| 534 | if i[0]=='R': |
| 535 | j=open(groupfiledir+"/"+i) |
| 536 | f.write(j.read()) |
| 537 | j.close() |
| 538 | f.write("# end of sites file\n") |
| 539 | f.close() |
| 540 | os.rename(sitesfile+"-tmp",sitesfile) |
| 541 | else: |
| 542 | outputsites(of) |