~mdw / secnet / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Makefile.in: Drop dist target
[secnet] / make-secnet-sites
1 #! /usr/bin/env python
2 #
3 # This file is part of secnet.
4 # See README for full list of copyright holders.
5 #
6 # secnet is free software; you can redistribute it and/or modify it
7 # under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
10 #
11 # secnet is distributed in the hope that it will be useful, but
12 # WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 # General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # version 3 along with secnet; if not, see
18 # https://www.gnu.org/licenses/gpl.html.
19
20 """VPN sites file manipulation.
21
22 This program enables VPN site descriptions to be submitted for
23 inclusion in a central database, and allows the resulting database to
24 be turned into a secnet configuration file.
25
26 A database file can be turned into a secnet configuration file simply:
27 make-secnet-sites.py [infile [outfile]]
28
29 It would be wise to run secnet with the "--just-check-config" option
30 before installing the output on a live system.
31
32 The program expects to be invoked via userv to manage the database; it
33 relies on the USERV_USER and USERV_GROUP environment variables. The
34 command line arguments for this invocation are:
35
36 make-secnet-sites.py -u header-filename groupfiles-directory output-file \
37 group
38
39 All but the last argument are expected to be set by userv; the 'group'
40 argument is provided by the user. A suitable userv configuration file
41 fragment is:
42
43 reset
44 no-disconnect-hup
45 no-suppress-args
46 cd ~/secnet/sites-test/
47 execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
48
49 This program is part of secnet. It relies on the "ipaddr" library from
50 Cendio Systems AB.
51
52 """
53
54 import string
55 import time
56 import sys
57 import os
58 import getopt
59 import re
60
61 import ipaddr
62
63 sys.path.insert(0,"/usr/local/share/secnet")
64 sys.path.insert(0,"/usr/share/secnet")
65 import ipaddrset
66
67 VERSION="0.1.18"
68
69 # Classes describing possible datatypes in the configuration file
70
71 class single_ipaddr:
72 "An IP address"
73 def __init__(self,w):
74 self.addr=ipaddr.IPAddress(w[1])
75 def __str__(self):
76 return '"%s"'%self.addr
77
78 class networks:
79 "A set of IP addresses specified as a list of networks"
80 def __init__(self,w):
81 self.set=ipaddrset.IPAddressSet()
82 for i in w[1:]:
83 x=ipaddr.IPNetwork(i,strict=True)
84 self.set.append([x])
85 def __str__(self):
86 return ",".join(map((lambda n: '"%s"'%n), self.set.networks()))
87
88 class dhgroup:
89 "A Diffie-Hellman group"
90 def __init__(self,w):
91 self.mod=w[1]
92 self.gen=w[2]
93 def __str__(self):
94 return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
95
96 class hash:
97 "A choice of hash function"
98 def __init__(self,w):
99 self.ht=w[1]
100 if (self.ht!='md5' and self.ht!='sha1'):
101 complain("unknown hash type %s"%(self.ht))
102 def __str__(self):
103 return '%s'%(self.ht)
104
105 class email:
106 "An email address"
107 def __init__(self,w):
108 self.addr=w[1]
109 def __str__(self):
110 return '<%s>'%(self.addr)
111
112 class boolean:
113 "A boolean"
114 def __init__(self,w):
115 if re.match('[TtYy1]',w[1]):
116 self.b=True
117 elif re.match('[FfNn0]',w[1]):
118 self.b=False
119 else:
120 complain("invalid boolean value");
121 def __str__(self):
122 return ['False','True'][self.b]
123
124 class num:
125 "A decimal number"
126 def __init__(self,w):
127 self.n=string.atol(w[1])
128 def __str__(self):
129 return '%d'%(self.n)
130
131 class address:
132 "A DNS name and UDP port number"
133 def __init__(self,w):
134 self.adr=w[1]
135 self.port=string.atoi(w[2])
136 if (self.port<1 or self.port>65535):
137 complain("invalid port number")
138 def __str__(self):
139 return '"%s"; port %d'%(self.adr,self.port)
140
141 class rsakey:
142 "An RSA public key"
143 def __init__(self,w):
144 self.l=string.atoi(w[1])
145 self.e=w[2]
146 self.n=w[3]
147 def __str__(self):
148 return 'rsa-public("%s","%s")'%(self.e,self.n)
149
150 # Possible properties of configuration nodes
151 keywords={
152 'contact':(email,"Contact address"),
153 'dh':(dhgroup,"Diffie-Hellman group"),
154 'hash':(hash,"Hash function"),
155 'key-lifetime':(num,"Maximum key lifetime (ms)"),
156 'setup-timeout':(num,"Key setup timeout (ms)"),
157 'setup-retries':(num,"Maximum key setup packet retries"),
158 'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
159 'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
160 'restrict-nets':(networks,"Allowable networks"),
161 'networks':(networks,"Claimed networks"),
162 'pubkey':(rsakey,"RSA public site key"),
163 'peer':(single_ipaddr,"Tunnel peer IP address"),
164 'address':(address,"External contact address and port"),
165 'mobile':(boolean,"Site is mobile"),
166 }
167
168 def sp(name,value):
169 "Simply output a property - the default case"
170 return "%s %s;\n"%(name,value)
171
172 # All levels support these properties
173 global_properties={
174 'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
175 'dh':sp,
176 'hash':sp,
177 'key-lifetime':sp,
178 'setup-timeout':sp,
179 'setup-retries':sp,
180 'wait-time':sp,
181 'renegotiate-time':sp,
182 'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
183 }
184
185 class level:
186 "A level in the configuration hierarchy"
187 depth=0
188 leaf=0
189 allow_properties={}
190 require_properties={}
191 def __init__(self,w):
192 self.name=w[1]
193 self.properties={}
194 self.children={}
195 def indent(self,w,t):
196 w.write(" "[:t])
197 def prop_out(self,n):
198 return self.allow_properties[n](n,str(self.properties[n]))
199 def output_props(self,w,ind):
200 for i in self.properties.keys():
201 if self.allow_properties[i]:
202 self.indent(w,ind)
203 w.write("%s"%self.prop_out(i))
204 def output_data(self,w,ind,np):
205 self.indent(w,ind)
206 w.write("%s {\n"%(self.name))
207 self.output_props(w,ind+2)
208 if self.depth==1: w.write("\n");
209 for c in self.children.values():
210 c.output_data(w,ind+2,np+self.name+"/")
211 self.indent(w,ind)
212 w.write("};\n")
213
214 class vpnlevel(level):
215 "VPN level in the configuration hierarchy"
216 depth=1
217 leaf=0
218 type="vpn"
219 allow_properties=global_properties.copy()
220 require_properties={
221 'contact':"VPN admin contact address"
222 }
223 def __init__(self,w):
224 level.__init__(self,w)
225 def output_vpnflat(self,w,ind,h):
226 "Output flattened list of site names for this VPN"
227 self.indent(w,ind)
228 w.write("%s {\n"%(self.name))
229 for i in self.children.keys():
230 self.children[i].output_vpnflat(w,ind+2,
231 h+"/"+self.name+"/"+i)
232 w.write("\n")
233 self.indent(w,ind+2)
234 w.write("all-sites %s;\n"%
235 string.join(self.children.keys(),','))
236 self.indent(w,ind)
237 w.write("};\n")
238
239 class locationlevel(level):
240 "Location level in the configuration hierarchy"
241 depth=2
242 leaf=0
243 type="location"
244 allow_properties=global_properties.copy()
245 require_properties={
246 'contact':"Location admin contact address",
247 }
248 def __init__(self,w):
249 level.__init__(self,w)
250 self.group=w[2]
251 def output_vpnflat(self,w,ind,h):
252 self.indent(w,ind)
253 # The "h=h,self=self" abomination below exists because
254 # Python didn't support nested_scopes until version 2.1
255 w.write("%s %s;\n"%(self.name,string.join(
256 map(lambda x,h=h,self=self:
257 h+"/"+x,self.children.keys()),',')))
258
259 class sitelevel(level):
260 "Site level (i.e. a leafnode) in the configuration hierarchy"
261 depth=3
262 leaf=1
263 type="site"
264 allow_properties=global_properties.copy()
265 allow_properties.update({
266 'address':sp,
267 'networks':None,
268 'peer':None,
269 'pubkey':(lambda n,v:"key %s;\n"%v),
270 'mobile':sp,
271 })
272 require_properties={
273 'dh':"Diffie-Hellman group",
274 'contact':"Site admin contact address",
275 'networks':"Networks claimed by the site",
276 'hash':"hash function",
277 'peer':"Gateway address of the site",
278 'pubkey':"RSA public key of the site",
279 }
280 def __init__(self,w):
281 level.__init__(self,w)
282 def output_data(self,w,ind,np):
283 self.indent(w,ind)
284 w.write("%s {\n"%(self.name))
285 self.indent(w,ind+2)
286 w.write("name \"%s\";\n"%(np+self.name))
287 self.output_props(w,ind+2)
288 self.indent(w,ind+2)
289 w.write("link netlink {\n");
290 self.indent(w,ind+4)
291 w.write("routes %s;\n"%str(self.properties["networks"]))
292 self.indent(w,ind+4)
293 w.write("ptp-address %s;\n"%str(self.properties["peer"]))
294 self.indent(w,ind+2)
295 w.write("};\n")
296 self.indent(w,ind)
297 w.write("};\n")
298
299 # Levels in the configuration file
300 # (depth,properties)
301 levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
302
303 # Reserved vpn/location/site names
304 reserved={'all-sites':None}
305 reserved.update(keywords)
306 reserved.update(levels)
307
308 def complain(msg):
309 "Complain about a particular input line"
310 global complaints
311 print ("%s line %d: "%(file,line))+msg
312 complaints=complaints+1
313 def moan(msg):
314 "Complain about something in general"
315 global complaints
316 print msg;
317 complaints=complaints+1
318
319 root=level(['root','root']) # All vpns are children of this node
320 obstack=[root]
321 allow_defs=0 # Level above which new definitions are permitted
322 prefix=''
323
324 def set_property(obj,w):
325 "Set a property on a configuration node"
326 if obj.properties.has_key(w[0]):
327 complain("%s %s already has property %s defined"%
328 (obj.type,obj.name,w[0]))
329 else:
330 obj.properties[w[0]]=keywords[w[0]][0](w)
331
332 def pline(i,allow_include=False):
333 "Process a configuration file line"
334 global allow_defs, obstack, root
335 w=string.split(i.rstrip('\n'))
336 if len(w)==0: return [i]
337 keyword=w[0]
338 current=obstack[len(obstack)-1]
339 if keyword=='end-definitions':
340 allow_defs=sitelevel.depth
341 obstack=[root]
342 return [i]
343 if keyword=='include':
344 if not allow_include:
345 complain("include not permitted here")
346 return []
347 if len(w) != 2:
348 complain("include requires one argument")
349 return []
350 newfile=os.path.join(os.path.dirname(file),w[1])
351 return pfilepath(newfile,allow_include=allow_include)
352 if levels.has_key(keyword):
353 # We may go up any number of levels, but only down by one
354 newdepth=levels[keyword].depth
355 currentdepth=len(obstack) # actually +1...
356 if newdepth<=currentdepth:
357 obstack=obstack[:newdepth]
358 if newdepth>currentdepth:
359 complain("May not go from level %d to level %d"%
360 (currentdepth-1,newdepth))
361 # See if it's a new one (and whether that's permitted)
362 # or an existing one
363 current=obstack[len(obstack)-1]
364 if current.children.has_key(w[1]):
365 # Not new
366 current=current.children[w[1]]
367 if service and group and current.depth==2:
368 if group!=current.group:
369 complain("Incorrect group!")
370 else:
371 # New
372 # Ignore depth check for now
373 nl=levels[keyword](w)
374 if nl.depth<allow_defs:
375 complain("New definitions not allowed at "
376 "level %d"%nl.depth)
377 # we risk crashing if we continue
378 sys.exit(1)
379 current.children[w[1]]=nl
380 current=nl
381 obstack.append(current)
382 return [i]
383 if not current.allow_properties.has_key(keyword):
384 complain("Property %s not allowed at %s level"%
385 (keyword,current.type))
386 return []
387 elif current.depth == vpnlevel.depth < allow_defs:
388 complain("Not allowed to set VPN properties here")
389 return []
390 else:
391 set_property(current,w)
392 return [i]
393
394 complain("unknown keyword '%s'"%(keyword))
395
396 def pfilepath(pathname,allow_include=False):
397 f=open(pathname)
398 outlines=pfile(pathname,f.readlines(),allow_include=allow_include)
399 f.close()
400 return outlines
401
402 def pfile(name,lines,allow_include=False):
403 "Process a file"
404 global file,line
405 file=name
406 line=0
407 outlines=[]
408 for i in lines:
409 line=line+1
410 if (i[0]=='#'): continue
411 outlines += pline(i,allow_include=allow_include)
412 return outlines
413
414 def outputsites(w):
415 "Output include file for secnet configuration"
416 w.write("# secnet sites file autogenerated by make-secnet-sites "
417 +"version %s\n"%VERSION)
418 w.write("# %s\n"%time.asctime(time.localtime(time.time())))
419 w.write("# Command line: %s\n\n"%string.join(sys.argv))
420
421 # Raw VPN data section of file
422 w.write(prefix+"vpn-data {\n")
423 for i in root.children.values():
424 i.output_data(w,2,"")
425 w.write("};\n")
426
427 # Per-VPN flattened lists
428 w.write(prefix+"vpn {\n")
429 for i in root.children.values():
430 i.output_vpnflat(w,2,prefix+"vpn-data")
431 w.write("};\n")
432
433 # Flattened list of sites
434 w.write(prefix+"all-sites %s;\n"%string.join(
435 map(lambda x:"%svpn/%s/all-sites"%(prefix,x),
436 root.children.keys()),","))
437
438 # Are we being invoked from userv?
439 service=0
440 # If we are, which group does the caller want to modify?
441 group=None
442
443 line=0
444 file=None
445 complaints=0
446
447 if len(sys.argv)<2:
448 pfile("stdin",sys.stdin.readlines())
449 of=sys.stdout
450 else:
451 if sys.argv[1]=='-u':
452 if len(sys.argv)!=6:
453 print "Wrong number of arguments"
454 sys.exit(1)
455 service=1
456 header=sys.argv[2]
457 groupfiledir=sys.argv[3]
458 sitesfile=sys.argv[4]
459 group=sys.argv[5]
460 if not os.environ.has_key("USERV_USER"):
461 print "Environment variable USERV_USER not found"
462 sys.exit(1)
463 user=os.environ["USERV_USER"]
464 # Check that group is in USERV_GROUP
465 if not os.environ.has_key("USERV_GROUP"):
466 print "Environment variable USERV_GROUP not found"
467 sys.exit(1)
468 ugs=os.environ["USERV_GROUP"]
469 ok=0
470 for i in string.split(ugs):
471 if group==i: ok=1
472 if not ok:
473 print "caller not in group %s"%group
474 sys.exit(1)
475 headerinput=pfilepath(header,allow_include=True)
476 userinput=sys.stdin.readlines()
477 pfile("user input",userinput)
478 else:
479 if sys.argv[1]=='-P':
480 prefix=sys.argv[2]
481 sys.argv[1:3]=[]
482 if len(sys.argv)>3:
483 print "Too many arguments"
484 sys.exit(1)
485 pfilepath(sys.argv[1])
486 of=sys.stdout
487 if len(sys.argv)>2:
488 of=open(sys.argv[2],'w')
489
490 # Sanity check section
491 # Delete nodes where leaf=0 that have no children
492
493 def live(n):
494 "Number of leafnodes below node n"
495 if n.leaf: return 1
496 for i in n.children.keys():
497 if live(n.children[i]): return 1
498 return 0
499 def delempty(n):
500 "Delete nodes that have no leafnode children"
501 for i in n.children.keys():
502 delempty(n.children[i])
503 if not live(n.children[i]):
504 del n.children[i]
505 delempty(root)
506
507 # Check that all constraints are met (as far as I can tell
508 # restrict-nets/networks/peer are the only special cases)
509
510 def checkconstraints(n,p,ra):
511 new_p=p.copy()
512 new_p.update(n.properties)
513 for i in n.require_properties.keys():
514 if not new_p.has_key(i):
515 moan("%s %s is missing property %s"%
516 (n.type,n.name,i))
517 for i in new_p.keys():
518 if not n.allow_properties.has_key(i):
519 moan("%s %s has forbidden property %s"%
520 (n.type,n.name,i))
521 # Check address range restrictions
522 if n.properties.has_key("restrict-nets"):
523 new_ra=ra.intersection(n.properties["restrict-nets"].set)
524 else:
525 new_ra=ra
526 if n.properties.has_key("networks"):
527 if not n.properties["networks"].set <= new_ra:
528 moan("%s %s networks out of bounds"%(n.type,n.name))
529 if n.properties.has_key("peer"):
530 if not n.properties["networks"].set.contains(
531 n.properties["peer"].addr):
532 moan("%s %s peer not in networks"%(n.type,n.name))
533 for i in n.children.keys():
534 checkconstraints(n.children[i],new_p,new_ra)
535
536 checkconstraints(root,{},ipaddrset.complete_set())
537
538 if complaints>0:
539 if complaints==1: print "There was 1 problem."
540 else: print "There were %d problems."%(complaints)
541 sys.exit(1)
542
543 if service:
544 # Put the user's input into their group file, and rebuild the main
545 # sites file
546 f=open(groupfiledir+"/T"+group,'w')
547 f.write("# Section submitted by user %s, %s\n"%
548 (user,time.asctime(time.localtime(time.time()))))
549 f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
550 for i in userinput: f.write(i)
551 f.write("\n")
552 f.close()
553 os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
554 f=open(sitesfile+"-tmp",'w')
555 f.write("# sites file autogenerated by make-secnet-sites\n")
556 f.write("# generated %s, invoked by %s\n"%
557 (time.asctime(time.localtime(time.time())),user))
558 f.write("# use make-secnet-sites to turn this file into a\n")
559 f.write("# valid /etc/secnet/sites.conf file\n\n")
560 for i in headerinput: f.write(i)
561 files=os.listdir(groupfiledir)
562 for i in files:
563 if i[0]=='R':
564 j=open(groupfiledir+"/"+i)
565 f.write(j.read())
566 j.close()
567 f.write("# end of sites file\n")
568 f.close()
569 os.rename(sitesfile+"-tmp",sitesfile)
570 else:
571 outputsites(of)
Secnet virtual private network: clone of http://www.chiark.greenend.org.uk/ucgi/~ian/git/secnet.git/