chiark / gitweb /
portability: Scripts and documentation for Mac OS X support.
[secnet.git] / make-secnet-sites
1 #! /usr/bin/env python
2 # Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 2 of the License, or
7 # (at your option) any later version.
8
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 # GNU General Public License for more details.
13
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
17
18 """VPN sites file manipulation.
19
20 This program enables VPN site descriptions to be submitted for
21 inclusion in a central database, and allows the resulting database to
22 be turned into a secnet configuration file.
23
24 A database file can be turned into a secnet configuration file simply:
25 make-secnet-sites.py [infile [outfile]]
26
27 It would be wise to run secnet with the "--just-check-config" option
28 before installing the output on a live system.
29
30 The program expects to be invoked via userv to manage the database; it
31 relies on the USERV_USER and USERV_GROUP environment variables. The
32 command line arguments for this invocation are:
33
34 make-secnet-sites.py -u header-filename groupfiles-directory output-file \
35   group
36
37 All but the last argument are expected to be set by userv; the 'group'
38 argument is provided by the user. A suitable userv configuration file
39 fragment is:
40
41 reset
42 no-disconnect-hup
43 no-suppress-args
44 cd ~/secnet/sites-test/
45 execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
46
47 This program is part of secnet. It relies on the "ipaddr" library from
48 Cendio Systems AB.
49
50 """
51
52 import string
53 import time
54 import sys
55 import os
56 import getopt
57
58 # The ipaddr library is installed as part of secnet
59 sys.path.append("/usr/local/share/secnet")
60 sys.path.append("/usr/share/secnet")
61 import ipaddr
62
63 VERSION="0.1.16"
64
65 # Classes describing possible datatypes in the configuration file
66
67 class single_ipaddr:
68         "An IP address"
69         def __init__(self,w):
70                 self.addr=ipaddr.ipaddr(w[1])
71         def __str__(self):
72                 return '"%s"'%self.addr.ip_str()
73
74 class networks:
75         "A set of IP addresses specified as a list of networks"
76         def __init__(self,w):
77                 self.set=ipaddr.ip_set()
78                 for i in w[1:]:
79                         x=string.split(i,"/")
80                         self.set.append(ipaddr.network(x[0],x[1],
81                                 ipaddr.DEMAND_NETWORK))
82         def __str__(self):
83                 return string.join(map(lambda x:'"%s/%s"'%(x.ip_str(),
84                         x.mask.netmask_bits_str),
85                         self.set.as_list_of_networks()),",")
86
87 class dhgroup:
88         "A Diffie-Hellman group"
89         def __init__(self,w):
90                 self.mod=w[1]
91                 self.gen=w[2]
92         def __str__(self):
93                 return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
94
95 class hash:
96         "A choice of hash function"
97         def __init__(self,w):
98                 self.ht=w[1]
99                 if (self.ht!='md5' and self.ht!='sha1'):
100                         complain("unknown hash type %s"%(self.ht))
101         def __str__(self):
102                 return '%s'%(self.ht)
103
104 class email:
105         "An email address"
106         def __init__(self,w):
107                 self.addr=w[1]
108         def __str__(self):
109                 return '<%s>'%(self.addr)
110
111 class num:
112         "A decimal number"
113         def __init__(self,w):
114                 self.n=string.atol(w[1])
115         def __str__(self):
116                 return '%d'%(self.n)
117
118 class address:
119         "A DNS name and UDP port number"
120         def __init__(self,w):
121                 self.adr=w[1]
122                 self.port=string.atoi(w[2])
123                 if (self.port<1 or self.port>65535):
124                         complain("invalid port number")
125         def __str__(self):
126                 return '"%s"; port %d'%(self.adr,self.port)
127
128 class rsakey:
129         "An RSA public key"
130         def __init__(self,w):
131                 self.l=string.atoi(w[1])
132                 self.e=w[2]
133                 self.n=w[3]
134         def __str__(self):
135                 return 'rsa-public("%s","%s")'%(self.e,self.n)
136
137 # Possible properties of configuration nodes
138 keywords={
139  'contact':(email,"Contact address"),
140  'dh':(dhgroup,"Diffie-Hellman group"),
141  'hash':(hash,"Hash function"),
142  'key-lifetime':(num,"Maximum key lifetime (ms)"),
143  'setup-timeout':(num,"Key setup timeout (ms)"),
144  'setup-retries':(num,"Maximum key setup packet retries"),
145  'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
146  'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
147  'restrict-nets':(networks,"Allowable networks"),
148  'networks':(networks,"Claimed networks"),
149  'pubkey':(rsakey,"RSA public site key"),
150  'peer':(single_ipaddr,"Tunnel peer IP address"),
151  'address':(address,"External contact address and port")
152 }
153
154 def sp(name,value):
155         "Simply output a property - the default case"
156         return "%s %s;\n"%(name,value)
157
158 # All levels support these properties
159 global_properties={
160         'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
161         'dh':sp,
162         'hash':sp,
163         'key-lifetime':sp,
164         'setup-timeout':sp,
165         'setup-retries':sp,
166         'wait-time':sp,
167         'renegotiate-time':sp,
168         'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value)
169 }
170
171 class level:
172         "A level in the configuration hierarchy"
173         depth=0
174         leaf=0
175         allow_properties={}
176         require_properties={}
177         def __init__(self,w):
178                 self.name=w[1]
179                 self.properties={}
180                 self.children={}
181         def indent(self,w,t):
182                 w.write("                 "[:t])
183         def prop_out(self,n):
184                 return self.allow_properties[n](n,str(self.properties[n]))
185         def output_props(self,w,ind):
186                 for i in self.properties.keys():
187                         if self.allow_properties[i]:
188                                 self.indent(w,ind)
189                                 w.write("%s"%self.prop_out(i))
190         def output_data(self,w,ind,np):
191                 self.indent(w,ind)
192                 w.write("%s {\n"%(self.name))
193                 self.output_props(w,ind+2)
194                 if self.depth==1: w.write("\n");
195                 for c in self.children.values():
196                         c.output_data(w,ind+2,np+self.name+"/")
197                 self.indent(w,ind)
198                 w.write("};\n")
199
200 class vpnlevel(level):
201         "VPN level in the configuration hierarchy"
202         depth=1
203         leaf=0
204         type="vpn"
205         allow_properties=global_properties.copy()
206         require_properties={
207          'contact':"VPN admin contact address"
208         }
209         def __init__(self,w):
210                 level.__init__(self,w)
211         def output_vpnflat(self,w,ind,h):
212                 "Output flattened list of site names for this VPN"
213                 self.indent(w,ind)
214                 w.write("%s {\n"%(self.name))
215                 for i in self.children.keys():
216                         self.children[i].output_vpnflat(w,ind+2,
217                                 h+"/"+self.name+"/"+i)
218                 w.write("\n")
219                 self.indent(w,ind+2)
220                 w.write("all-sites %s;\n"%
221                         string.join(self.children.keys(),','))
222                 self.indent(w,ind)
223                 w.write("};\n")
224
225 class locationlevel(level):
226         "Location level in the configuration hierarchy"
227         depth=2
228         leaf=0
229         type="location"
230         allow_properties=global_properties.copy()
231         require_properties={
232          'contact':"Location admin contact address",
233         }
234         def __init__(self,w):
235                 level.__init__(self,w)
236                 self.group=w[2]
237         def output_vpnflat(self,w,ind,h):
238                 self.indent(w,ind)
239                 # The "h=h,self=self" abomination below exists because
240                 # Python didn't support nested_scopes until version 2.1
241                 w.write("%s %s;\n"%(self.name,string.join(
242                         map(lambda x,h=h,self=self:
243                                 h+"/"+x,self.children.keys()),',')))
244
245 class sitelevel(level):
246         "Site level (i.e. a leafnode) in the configuration hierarchy"
247         depth=3
248         leaf=1
249         type="site"
250         allow_properties=global_properties.copy()
251         allow_properties.update({
252          'address':sp,
253          'networks':None,
254          'peer':None,
255          'pubkey':(lambda n,v:"key %s;\n"%v)
256         })
257         require_properties={
258          'dh':"Diffie-Hellman group",
259          'contact':"Site admin contact address",
260          'address':"Site external access address",
261          'networks':"Networks claimed by the site",
262          'hash':"hash function",
263          'peer':"Gateway address of the site",
264          'pubkey':"RSA public key of the site"
265         }
266         def __init__(self,w):
267                 level.__init__(self,w)
268         def output_data(self,w,ind,np):
269                 self.indent(w,ind)
270                 w.write("%s {\n"%(self.name))
271                 self.indent(w,ind+2)
272                 w.write("name \"%s\";\n"%(np+self.name))
273                 self.output_props(w,ind+2)
274                 self.indent(w,ind+2)
275                 w.write("link netlink {\n");
276                 self.indent(w,ind+4)
277                 w.write("routes %s;\n"%str(self.properties["networks"]))
278                 self.indent(w,ind+4)
279                 w.write("ptp-address %s;\n"%str(self.properties["peer"]))
280                 self.indent(w,ind+2)
281                 w.write("};\n")
282                 self.indent(w,ind)
283                 w.write("};\n")
284
285 # Levels in the configuration file
286 # (depth,properties)
287 levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
288
289 # Reserved vpn/location/site names
290 reserved={'all-sites':None}
291 reserved.update(keywords)
292 reserved.update(levels)
293
294 def complain(msg):
295         "Complain about a particular input line"
296         global complaints
297         print ("%s line %d: "%(file,line))+msg
298         complaints=complaints+1
299 def moan(msg):
300         "Complain about something in general"
301         global complaints
302         print msg;
303         complaints=complaints+1
304
305 root=level(['root','root'])   # All vpns are children of this node
306 obstack=[root]
307 allow_defs=0   # Level above which new definitions are permitted
308
309 def set_property(obj,w):
310         "Set a property on a configuration node"
311         if obj.properties.has_key(w[0]):
312                 complain("%s %s already has property %s defined"%
313                         (obj.type,obj.name,w[0]))
314         else:
315                 obj.properties[w[0]]=keywords[w[0]][0](w)
316
317 def pline(i):
318         "Process a configuration file line"
319         global allow_defs, obstack, root
320         w=string.split(i)
321         if len(w)==0: return
322         keyword=w[0]
323         current=obstack[len(obstack)-1]
324         if keyword=='end-definitions':
325                 allow_defs=sitelevel.depth
326                 obstack=[root]
327                 return
328         if levels.has_key(keyword):
329                 # We may go up any number of levels, but only down by one
330                 newdepth=levels[keyword].depth
331                 currentdepth=len(obstack) # actually +1...
332                 if newdepth<=currentdepth:
333                         obstack=obstack[:newdepth]
334                 if newdepth>currentdepth:
335                         complain("May not go from level %d to level %d"%
336                                 (currentdepth-1,newdepth))
337                 # See if it's a new one (and whether that's permitted)
338                 # or an existing one
339                 current=obstack[len(obstack)-1]
340                 if current.children.has_key(w[1]):
341                         # Not new
342                         current=current.children[w[1]]
343                         if service and group and current.depth==2:
344                                 if group!=current.group:
345                                         complain("Incorrect group!")
346                 else:
347                         # New
348                         # Ignore depth check for now
349                         nl=levels[keyword](w)
350                         if nl.depth<allow_defs:
351                                 complain("New definitions not allowed at "
352                                         "level %d"%nl.depth)
353                         current.children[w[1]]=nl
354                         current=nl
355                 obstack.append(current)
356                 return
357         if current.allow_properties.has_key(keyword):
358                 set_property(current,w)
359                 return
360         else:
361                 complain("Property %s not allowed at %s level"%
362                         (keyword,current.type))
363                 return
364
365         complain("unknown keyword '%s'"%(keyword))
366
367 def pfile(name,lines):
368         "Process a file"
369         global file,line
370         file=name
371         line=0
372         for i in lines:
373                 line=line+1
374                 if (i[0]=='#'): continue
375                 if (i[len(i)-1]=='\n'): i=i[:len(i)-1] # strip trailing LF
376                 pline(i)
377
378 def outputsites(w):
379         "Output include file for secnet configuration"
380         w.write("# secnet sites file autogenerated by make-secnet-sites "
381                 +"version %s\n"%VERSION)
382         w.write("# %s\n"%time.asctime(time.localtime(time.time())))
383         w.write("# Command line: %s\n\n"%string.join(sys.argv))
384
385         # Raw VPN data section of file
386         w.write("vpn-data {\n")
387         for i in root.children.values():
388                 i.output_data(w,2,"")
389         w.write("};\n")
390
391         # Per-VPN flattened lists
392         w.write("vpn {\n")
393         for i in root.children.values():
394                 i.output_vpnflat(w,2,"vpn-data")
395         w.write("};\n")
396
397         # Flattened list of sites
398         w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"%
399                 x,root.children.keys()),","))
400
401 # Are we being invoked from userv?
402 service=0
403 # If we are, which group does the caller want to modify?
404 group=None
405
406 line=0
407 file=None
408 complaints=0
409
410 if len(sys.argv)<2:
411         pfile("stdin",sys.stdin.readlines())
412         of=sys.stdout
413 else:
414         if sys.argv[1]=='-u':
415                 if len(sys.argv)!=6:
416                         print "Wrong number of arguments"
417                         sys.exit(1)
418                 service=1
419                 header=sys.argv[2]
420                 groupfiledir=sys.argv[3]
421                 sitesfile=sys.argv[4]
422                 group=sys.argv[5]
423                 if not os.environ.has_key("USERV_USER"):
424                         print "Environment variable USERV_USER not found"
425                         sys.exit(1)
426                 user=os.environ["USERV_USER"]
427                 # Check that group is in USERV_GROUP
428                 if not os.environ.has_key("USERV_GROUP"):
429                         print "Environment variable USERV_GROUP not found"
430                         sys.exit(1)
431                 ugs=os.environ["USERV_GROUP"]
432                 ok=0
433                 for i in string.split(ugs):
434                         if group==i: ok=1
435                 if not ok:
436                         print "caller not in group %s"%group
437                         sys.exit(1)
438                 f=open(header)
439                 headerinput=f.readlines()
440                 f.close()
441                 pfile(header,headerinput)
442                 userinput=sys.stdin.readlines()
443                 pfile("user input",userinput)
444         else:
445                 if len(sys.argv)>3:
446                         print "Too many arguments"
447                         sys.exit(1)
448                 f=open(sys.argv[1])
449                 pfile(sys.argv[1],f.readlines())
450                 f.close()
451                 of=sys.stdout
452                 if len(sys.argv)>2:
453                         of=open(sys.argv[2],'w')
454
455 # Sanity check section
456 # Delete nodes where leaf=0 that have no children
457
458 def live(n):
459         "Number of leafnodes below node n"
460         if n.leaf: return 1
461         for i in n.children.keys():
462                 if live(n.children[i]): return 1
463         return 0
464 def delempty(n):
465         "Delete nodes that have no leafnode children"
466         for i in n.children.keys():
467                 delempty(n.children[i])
468                 if not live(n.children[i]):
469                         del n.children[i]
470 delempty(root)
471
472 # Check that all constraints are met (as far as I can tell
473 # restrict-nets/networks/peer are the only special cases)
474
475 def checkconstraints(n,p,ra):
476         new_p=p.copy()
477         new_p.update(n.properties)
478         for i in n.require_properties.keys():
479                 if not new_p.has_key(i):
480                         moan("%s %s is missing property %s"%
481                                 (n.type,n.name,i))
482         for i in new_p.keys():
483                 if not n.allow_properties.has_key(i):
484                         moan("%s %s has forbidden property %s"%
485                                 (n.type,n.name,i))
486         # Check address range restrictions
487         if n.properties.has_key("restrict-nets"):
488                 new_ra=ra.intersection(n.properties["restrict-nets"].set)
489         else:
490                 new_ra=ra
491         if n.properties.has_key("networks"):
492                 # I'd like to do this:
493                 # n.properties["networks"].set.is_subset(new_ra)
494                 # but there isn't an is_subset() method
495                 # Instead we see if we intersect with the complement of new_ra
496                 rac=new_ra.complement()
497                 i=rac.intersection(n.properties["networks"].set)
498                 if not i.is_empty():
499                         moan("%s %s networks out of bounds"%(n.type,n.name))
500                 if n.properties.has_key("peer"):
501                         if not n.properties["networks"].set.contains(
502                                 n.properties["peer"].addr):
503                                 moan("%s %s peer not in networks"%(n.type,n.name))
504         for i in n.children.keys():
505                 checkconstraints(n.children[i],new_p,new_ra)
506
507 checkconstraints(root,{},ipaddr.complete_set)
508
509 if complaints>0:
510         if complaints==1: print "There was 1 problem."
511         else: print "There were %d problems."%(complaints)
512         sys.exit(1)
513
514 if service:
515         # Put the user's input into their group file, and rebuild the main
516         # sites file
517         f=open(groupfiledir+"/T"+group,'w')
518         f.write("# Section submitted by user %s, %s\n"%
519                 (user,time.asctime(time.localtime(time.time()))))
520         f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
521         for i in userinput: f.write(i)
522         f.write("\n")
523         f.close()
524         os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
525         f=open(sitesfile+"-tmp",'w')
526         f.write("# sites file autogenerated by make-secnet-sites\n")
527         f.write("# generated %s, invoked by %s\n"%
528                 (time.asctime(time.localtime(time.time())),user))
529         f.write("# use make-secnet-sites to turn this file into a\n")
530         f.write("# valid /etc/secnet/sites.conf file\n\n")
531         for i in headerinput: f.write(i)
532         files=os.listdir(groupfiledir)
533         for i in files:
534                 if i[0]=='R':
535                         j=open(groupfiledir+"/"+i)
536                         f.write(j.read())
537                         j.close()
538         f.write("# end of sites file\n")
539         f.close()
540         os.rename(sitesfile+"-tmp",sitesfile)
541 else:
542         outputsites(of)