| 1 | #! /usr/bin/env python |
| 2 | # Copyright (C) 2001 Stephen Early <steve@greenend.org.uk> |
| 3 | # |
| 4 | # This program is free software; you can redistribute it and/or modify |
| 5 | # it under the terms of the GNU General Public License as published by |
| 6 | # the Free Software Foundation; either version 2 of the License, or |
| 7 | # (at your option) any later version. |
| 8 | # |
| 9 | # This program is distributed in the hope that it will be useful, |
| 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 12 | # GNU General Public License for more details. |
| 13 | # |
| 14 | # You should have received a copy of the GNU General Public License |
| 15 | # along with this program; if not, write to the Free Software |
| 16 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA |
| 17 | |
| 18 | """VPN sites file manipulation. |
| 19 | |
| 20 | This program enables VPN site descriptions to be submitted for |
| 21 | inclusion in a central database, and allows the resulting database to |
| 22 | be turned into a secnet configuration file. |
| 23 | |
| 24 | A database file can be turned into a secnet configuration file simply: |
| 25 | make-secnet-sites.py [infile [outfile]] |
| 26 | |
| 27 | It would be wise to run secnet with the "--just-check-config" option |
| 28 | before installing the output on a live system. |
| 29 | |
| 30 | The program expects to be invoked via userv to manage the database; it |
| 31 | relies on the USERV_USER and USERV_GROUP environment variables. The |
| 32 | command line arguments for this invocation are: |
| 33 | |
| 34 | make-secnet-sites.py -u header-filename groupfiles-directory output-file \ |
| 35 | group |
| 36 | |
| 37 | All but the last argument are expected to be set by userv; the 'group' |
| 38 | argument is provided by the user. A suitable userv configuration file |
| 39 | fragment is: |
| 40 | |
| 41 | reset |
| 42 | no-disconnect-hup |
| 43 | no-suppress-args |
| 44 | cd ~/secnet/sites-test/ |
| 45 | execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites |
| 46 | |
| 47 | This program is part of secnet. It relies on the "ipaddr" library from |
| 48 | Cendio Systems AB. |
| 49 | |
| 50 | """ |
| 51 | |
| 52 | import string |
| 53 | import time |
| 54 | import sys |
| 55 | import os |
| 56 | |
| 57 | sys.path.append("/usr/local/share/secnet") |
| 58 | sys.path.append("/usr/share/secnet") |
| 59 | import ipaddr |
| 60 | |
| 61 | VERSION="0.1.10" |
| 62 | |
| 63 | class vpn: |
| 64 | def __init__(self,name): |
| 65 | self.name=name |
| 66 | self.allow_defs=0 |
| 67 | self.locations={} |
| 68 | self.defs={} |
| 69 | |
| 70 | class location: |
| 71 | def __init__(self,name,vpn): |
| 72 | self.group=None |
| 73 | self.name=name |
| 74 | self.allow_defs=1 |
| 75 | self.vpn=vpn |
| 76 | self.sites={} |
| 77 | self.defs={} |
| 78 | |
| 79 | class site: |
| 80 | def __init__(self,name,location): |
| 81 | self.name=name |
| 82 | self.allow_defs=1 |
| 83 | self.location=location |
| 84 | self.defs={} |
| 85 | |
| 86 | class nets: |
| 87 | def __init__(self,w): |
| 88 | self.w=w |
| 89 | self.set=ipaddr.ip_set() |
| 90 | for i in w[1:]: |
| 91 | x=string.split(i,"/") |
| 92 | self.set.append(ipaddr.network(x[0],x[1], |
| 93 | ipaddr.DEMAND_NETWORK)) |
| 94 | def subsetof(self,s): |
| 95 | # I'd like to do this: |
| 96 | # return self.set.is_subset(s) |
| 97 | # but there isn't an is_subset() method |
| 98 | # Instead we see if we intersect with the complement of s |
| 99 | sc=s.set.complement() |
| 100 | i=sc.intersection(self.set) |
| 101 | return i.is_empty() |
| 102 | def out(self): |
| 103 | if (self.w[0]=='restrict-nets'): pattern="# restrict-nets %s;" |
| 104 | else: |
| 105 | pattern="link netlink { routes %s; };" |
| 106 | return pattern%string.join(map(lambda x:'"%s/%s"'%(x.ip_str(), |
| 107 | x.mask.netmask_bits_str), |
| 108 | self.set.as_list_of_networks()),",") |
| 109 | |
| 110 | class dhgroup: |
| 111 | def __init__(self,w): |
| 112 | self.mod=w[1] |
| 113 | self.gen=w[2] |
| 114 | def out(self): |
| 115 | return 'dh diffie-hellman("%s","%s");'%(self.mod,self.gen) |
| 116 | |
| 117 | class hash: |
| 118 | def __init__(self,w): |
| 119 | self.ht=w[1] |
| 120 | if (self.ht!='md5' and self.ht!='sha1'): |
| 121 | complain("unknown hash type %s"%(self.ht)) |
| 122 | def out(self): |
| 123 | return 'hash %s;'%(self.ht) |
| 124 | |
| 125 | class email: |
| 126 | def __init__(self,w): |
| 127 | self.addr=w[1] |
| 128 | def out(self): |
| 129 | return '# Contact email address: <%s>'%(self.addr) |
| 130 | |
| 131 | class num: |
| 132 | def __init__(self,w): |
| 133 | self.what=w[0] |
| 134 | self.n=string.atol(w[1]) |
| 135 | def out(self): |
| 136 | return '%s %d;'%(self.what,self.n) |
| 137 | |
| 138 | class address: |
| 139 | def __init__(self,w): |
| 140 | self.w=w |
| 141 | self.adr=w[1] |
| 142 | self.port=string.atoi(w[2]) |
| 143 | if (self.port<1 or self.port>65535): |
| 144 | complain("invalid port number") |
| 145 | def out(self): |
| 146 | return 'address "%s"; port %d;'%(self.adr,self.port) |
| 147 | |
| 148 | class rsakey: |
| 149 | def __init__(self,w): |
| 150 | self.l=string.atoi(w[1]) |
| 151 | self.e=w[2] |
| 152 | self.n=w[3] |
| 153 | def out(self): |
| 154 | return 'key rsa-public("%s","%s");'%(self.e,self.n) |
| 155 | |
| 156 | class mobileoption: |
| 157 | def __init__(self,w): |
| 158 | self.w=w |
| 159 | def out(self): |
| 160 | return '# netlink-options "soft";' |
| 161 | |
| 162 | def complain(msg): |
| 163 | global complaints |
| 164 | print ("%s line %d: "%(file,line))+msg |
| 165 | complaints=complaints+1 |
| 166 | def moan(msg): |
| 167 | global complaints |
| 168 | print msg; |
| 169 | complaints=complaints+1 |
| 170 | |
| 171 | # We don't allow redefinition of properties (because that would allow things |
| 172 | # like restrict-nets to be redefined, which would be bad) |
| 173 | def set(obj,defs,w): |
| 174 | if (obj.allow_defs | allow_defs): |
| 175 | if (obj.defs.has_key(w[0])): |
| 176 | complain("%s is already defined"%(w[0])) |
| 177 | else: |
| 178 | t=defs[w[0]] |
| 179 | obj.defs[w[0]]=t(w) |
| 180 | |
| 181 | # Process a line of configuration file |
| 182 | def pline(i): |
| 183 | global allow_defs, group, current_vpn, current_location, current_object |
| 184 | w=string.split(i) |
| 185 | if len(w)==0: return |
| 186 | keyword=w[0] |
| 187 | if keyword=='end-definitions': |
| 188 | allow_defs=0 |
| 189 | current_vpn=None |
| 190 | current_location=None |
| 191 | current_object=None |
| 192 | return |
| 193 | if keyword=='vpn': |
| 194 | if vpns.has_key(w[1]): |
| 195 | current_vpn=vpns[w[1]] |
| 196 | current_object=current_vpn |
| 197 | else: |
| 198 | if allow_defs: |
| 199 | current_vpn=vpn(w[1]) |
| 200 | vpns[w[1]]=current_vpn |
| 201 | current_object=current_vpn |
| 202 | else: |
| 203 | complain("no new VPN definitions allowed") |
| 204 | return |
| 205 | if (current_vpn==None): |
| 206 | complain("no VPN defined yet") |
| 207 | return |
| 208 | # Keywords that can apply at all levels |
| 209 | if mldefs.has_key(w[0]): |
| 210 | set(current_object,mldefs,w) |
| 211 | return |
| 212 | if keyword=='location': |
| 213 | if (current_vpn.locations.has_key(w[1])): |
| 214 | current_location=current_vpn.locations[w[1]] |
| 215 | current_object=current_location |
| 216 | if (group and not allow_defs and |
| 217 | current_location.group!=group): |
| 218 | complain(("must be group %s to access "+ |
| 219 | "location %s")%(current_location.group, |
| 220 | w[1])) |
| 221 | else: |
| 222 | if allow_defs: |
| 223 | if reserved.has_key(w[1]): |
| 224 | complain("reserved location name") |
| 225 | return |
| 226 | current_location=location(w[1],current_vpn) |
| 227 | current_vpn.locations[w[1]]=current_location |
| 228 | current_object=current_location |
| 229 | else: |
| 230 | complain("no new location definitions allowed") |
| 231 | return |
| 232 | if (current_location==None): |
| 233 | complain("no locations defined yet") |
| 234 | return |
| 235 | if keyword=='group': |
| 236 | current_location.group=w[1] |
| 237 | return |
| 238 | if keyword=='site': |
| 239 | if (current_location.sites.has_key(w[1])): |
| 240 | current_object=current_location.sites[w[1]] |
| 241 | else: |
| 242 | if reserved.has_key(w[1]): |
| 243 | complain("reserved site name") |
| 244 | return |
| 245 | current_object=site(w[1],current_location) |
| 246 | current_location.sites[w[1]]=current_object |
| 247 | return |
| 248 | if keyword=='endsite': |
| 249 | if isinstance(current_object,site): |
| 250 | current_object=current_object.location |
| 251 | else: |
| 252 | complain("not currently defining a site") |
| 253 | return |
| 254 | # Keywords that can only apply to sites |
| 255 | if isinstance(current_object,site): |
| 256 | if sitedefs.has_key(w[0]): |
| 257 | set(current_object,sitedefs,w) |
| 258 | return |
| 259 | else: |
| 260 | if sitedefs.has_key(w[0]): |
| 261 | complain("keyword '%s' can only be used in the " |
| 262 | "context of a site definition"%(w[0])) |
| 263 | return |
| 264 | complain("unknown keyword '%s'"%(w[0])) |
| 265 | |
| 266 | def pfile(name,lines): |
| 267 | global file,line |
| 268 | file=name |
| 269 | line=0 |
| 270 | for i in lines: |
| 271 | line=line+1 |
| 272 | if (i[0]=='#'): continue |
| 273 | if (i[len(i)-1]=='\n'): i=i[:len(i)-1] # strip trailing LF |
| 274 | pline(i) |
| 275 | |
| 276 | def outputsites(w): |
| 277 | w.write("# secnet sites file autogenerated by make-secnet-sites.py " |
| 278 | +"version %s\n"%VERSION) |
| 279 | w.write("# %s\n\n"%time.asctime(time.localtime(time.time()))) |
| 280 | |
| 281 | # Raw VPN data section of file |
| 282 | w.write("vpn-data {\n") |
| 283 | for i in vpns.values(): |
| 284 | w.write(" %s {\n"%i.name) |
| 285 | for d in i.defs.values(): |
| 286 | w.write(" %s\n"%d.out()) |
| 287 | w.write("\n") |
| 288 | for l in i.locations.values(): |
| 289 | w.write(" %s {\n"%l.name) |
| 290 | for d in l.defs.values(): |
| 291 | w.write(" %s\n"%d.out()) |
| 292 | for s in l.sites.values(): |
| 293 | w.write(" %s {\n"%s.name) |
| 294 | w.write(' name "%s/%s/%s";\n'% |
| 295 | (i.name,l.name,s.name)) |
| 296 | for d in s.defs.values(): |
| 297 | w.write(" %s\n"%d.out()) |
| 298 | w.write(" };\n") |
| 299 | w.write(" };\n") |
| 300 | w.write(" };\n") |
| 301 | w.write("};\n") |
| 302 | |
| 303 | # Per-VPN flattened lists |
| 304 | w.write("vpn {\n") |
| 305 | for i in vpns.values(): |
| 306 | w.write(" %s {\n"%(i.name)) |
| 307 | for l in i.locations.values(): |
| 308 | tmpl="vpn-data/%s/%s/%%s"%(i.name,l.name) |
| 309 | slist=[] |
| 310 | for s in l.sites.values(): slist.append(tmpl%s.name) |
| 311 | w.write(" %s %s;\n"%(l.name,string.join(slist,","))) |
| 312 | w.write("\n all-sites %s;\n"% |
| 313 | string.join(i.locations.keys(),",")) |
| 314 | w.write(" };\n") |
| 315 | w.write("};\n") |
| 316 | |
| 317 | # Flattened list of sites |
| 318 | w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"% |
| 319 | x,vpns.keys()),",")) |
| 320 | |
| 321 | # Are we being invoked from userv? |
| 322 | service=0 |
| 323 | # If we are, which group does the caller want to modify? |
| 324 | group=None |
| 325 | |
| 326 | vpns={} |
| 327 | allow_defs=1 |
| 328 | current_vpn=None |
| 329 | current_location=None |
| 330 | current_object=None |
| 331 | |
| 332 | line=0 |
| 333 | file=None |
| 334 | complaints=0 |
| 335 | |
| 336 | # Things that can be defined at any level |
| 337 | mldefs={ |
| 338 | 'dh':dhgroup, |
| 339 | 'hash':hash, |
| 340 | 'contact':email, |
| 341 | 'key-lifetime':num, |
| 342 | 'setup-retries':num, |
| 343 | 'setup-timeout':num, |
| 344 | 'wait-time':num, |
| 345 | 'renegotiate-time':num, |
| 346 | 'restrict-nets':nets |
| 347 | } |
| 348 | |
| 349 | # Things that can only be defined for sites |
| 350 | sitedefs={ |
| 351 | 'address':address, |
| 352 | 'networks':nets, |
| 353 | 'pubkey':rsakey, |
| 354 | 'mobile':mobileoption |
| 355 | } |
| 356 | |
| 357 | # Reserved vpn/location/site names |
| 358 | reserved={'all-sites':None} |
| 359 | reserved.update(mldefs) |
| 360 | reserved.update(sitedefs) |
| 361 | |
| 362 | # Each site must have the following defined at some level: |
| 363 | required={ |
| 364 | 'dh':"Diffie-Hellman group", |
| 365 | 'networks':"network list", |
| 366 | 'pubkey':"public key", |
| 367 | 'hash':"hash function" |
| 368 | } |
| 369 | |
| 370 | if len(sys.argv)<2: |
| 371 | pfile("stdin",sys.stdin.readlines()) |
| 372 | of=sys.stdout |
| 373 | else: |
| 374 | if sys.argv[1]=='-u': |
| 375 | if len(sys.argv)!=6: |
| 376 | print "Wrong number of arguments" |
| 377 | sys.exit(1) |
| 378 | service=1 |
| 379 | header=sys.argv[2] |
| 380 | groupfiledir=sys.argv[3] |
| 381 | sitesfile=sys.argv[4] |
| 382 | group=sys.argv[5] |
| 383 | if not os.environ.has_key("USERV_USER"): |
| 384 | print "Environment variable USERV_USER not found" |
| 385 | sys.exit(1) |
| 386 | user=os.environ["USERV_USER"] |
| 387 | # Check that group is in USERV_GROUP |
| 388 | if not os.environ.has_key("USERV_GROUP"): |
| 389 | print "Environment variable USERV_GROUP not found" |
| 390 | sys.exit(1) |
| 391 | ugs=os.environ["USERV_GROUP"] |
| 392 | ok=0 |
| 393 | for i in string.split(ugs): |
| 394 | if group==i: ok=1 |
| 395 | if not ok: |
| 396 | print "caller not in group %s"%group |
| 397 | sys.exit(1) |
| 398 | f=open(header) |
| 399 | headerinput=f.readlines() |
| 400 | f.close() |
| 401 | pfile(header,headerinput) |
| 402 | userinput=sys.stdin.readlines() |
| 403 | pfile("user input",userinput) |
| 404 | else: |
| 405 | if len(sys.argv)>3: |
| 406 | print "Too many arguments" |
| 407 | sys.exit(1) |
| 408 | f=open(sys.argv[1]) |
| 409 | pfile(sys.argv[1],f.readlines()) |
| 410 | f.close() |
| 411 | of=sys.stdout |
| 412 | if len(sys.argv)>2: |
| 413 | of=open(sys.argv[2],'w') |
| 414 | |
| 415 | # Sanity check section |
| 416 | |
| 417 | # Delete locations that have no sites defined |
| 418 | for i in vpns.values(): |
| 419 | for l in i.locations.keys(): |
| 420 | if (len(i.locations[l].sites.values())==0): |
| 421 | del i.locations[l] |
| 422 | |
| 423 | # Delete VPNs that have no locations with sites defined |
| 424 | for i in vpns.keys(): |
| 425 | if (len(vpns[i].locations.values())==0): |
| 426 | del vpns[i] |
| 427 | |
| 428 | # Check all sites |
| 429 | for i in vpns.values(): |
| 430 | if i.defs.has_key('restrict-nets'): |
| 431 | vr=i.defs['restrict-nets'] |
| 432 | else: |
| 433 | vr=None |
| 434 | for l in i.locations.values(): |
| 435 | if l.defs.has_key('restrict-nets'): |
| 436 | lr=l.defs['restrict-nets'] |
| 437 | if (not lr.subsetof(vr)): |
| 438 | moan("location %s/%s restrict-nets is invalid"% |
| 439 | (i.name,l.name)) |
| 440 | else: |
| 441 | lr=vr |
| 442 | for s in l.sites.values(): |
| 443 | sn="%s/%s/%s"%(i.name,l.name,s.name) |
| 444 | for r in required.keys(): |
| 445 | if (not (s.defs.has_key(r) or |
| 446 | l.defs.has_key(r) or |
| 447 | i.defs.has_key(r))): |
| 448 | moan("site %s missing parameter %s"% |
| 449 | (sn,r)) |
| 450 | if s.defs.has_key('restrict-nets'): |
| 451 | sr=s.defs['restrict-nets'] |
| 452 | if (not sr.subsetof(lr)): |
| 453 | moan("site %s restrict-nets not valid"% |
| 454 | sn) |
| 455 | else: |
| 456 | sr=lr |
| 457 | if not s.defs.has_key('networks'): continue |
| 458 | nets=s.defs['networks'] |
| 459 | if (not nets.subsetof(sr)): |
| 460 | moan("site %s networks exceed restriction"%sn) |
| 461 | |
| 462 | |
| 463 | if complaints>0: |
| 464 | if complaints==1: print "There was 1 problem." |
| 465 | else: print "There were %d problems."%(complaints) |
| 466 | sys.exit(1) |
| 467 | |
| 468 | if service: |
| 469 | # Put the user's input into their group file, and rebuild the main |
| 470 | # sites file |
| 471 | f=open(groupfiledir+"/T"+group,'w') |
| 472 | f.write("# Section submitted by user %s, %s\n"% |
| 473 | (user,time.asctime(time.localtime(time.time())))) |
| 474 | f.write("# Checked by make-secnet-sites.py version %s\n\n"%VERSION) |
| 475 | for i in userinput: f.write(i) |
| 476 | f.write("\n") |
| 477 | f.close() |
| 478 | os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group) |
| 479 | f=open(sitesfile+"-tmp",'w') |
| 480 | f.write("# sites file autogenerated by make-secnet-sites.py\n") |
| 481 | f.write("# generated %s, invoked by %s\n"% |
| 482 | (time.asctime(time.localtime(time.time())),user)) |
| 483 | f.write("# use make-secnet-sites.py to turn this file into a\n") |
| 484 | f.write("# valid /etc/secnet/sites.conf file\n\n") |
| 485 | for i in headerinput: f.write(i) |
| 486 | files=os.listdir(groupfiledir) |
| 487 | for i in files: |
| 488 | if i[0]=='R': |
| 489 | j=open(groupfiledir+"/"+i) |
| 490 | f.write(j.read()) |
| 491 | j.close() |
| 492 | f.write("# end of sites file\n") |
| 493 | f.close() |
| 494 | os.rename(sitesfile+"-tmp",sitesfile) |
| 495 | else: |
| 496 | outputsites(of) |