make-secnet-sites

   1 #! /usr/bin/env python
   2 # Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
   3 #
   4 # This program is free software; you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License as published by
   6 # the Free Software Foundation; either version 2 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License
  15 # along with this program; if not, write to the Free Software
  16 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  17
  18 """VPN sites file manipulation.
  19
  20 This program enables VPN site descriptions to be submitted for
  21 inclusion in a central database, and allows the resulting database to
  22 be turned into a secnet configuration file.
  23
  24 A database file can be turned into a secnet configuration file simply:
  25 make-secnet-sites.py [infile [outfile]]
  26
  27 It would be wise to run secnet with the "--just-check-config" option
  28 before installing the output on a live system.
  29
  30 The program expects to be invoked via userv to manage the database; it
  31 relies on the USERV_USER and USERV_GROUP environment variables. The
  32 command line arguments for this invocation are:
  33
  34 make-secnet-sites.py -u header-filename groupfiles-directory output-file \
  35   group
  36
  37 All but the last argument are expected to be set by userv; the 'group'
  38 argument is provided by the user. A suitable userv configuration file
  39 fragment is:
  40
  41 reset
  42 no-disconnect-hup
  43 no-suppress-args
  44 cd ~/secnet/sites-test/
  45 execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
  46
  47 This program is part of secnet. It relies on the "ipaddr" library from
  48 Cendio Systems AB.
  49
  50 """
  51
  52 import string
  53 import time
  54 import sys
  55 import os
  56 import getopt
  57 import re
  58
  59 # The ipaddr library is installed as part of secnet
  60 sys.path.append("/usr/local/share/secnet")
  61 sys.path.append("/usr/share/secnet")
  62 import ipaddr
  63
  64 VERSION="0.1.18"
  65
  66 # Classes describing possible datatypes in the configuration file
  67
  68 class single_ipaddr:
  69         "An IP address"
  70         def __init__(self,w):
  71                 self.addr=ipaddr.ipaddr(w[1])
  72         def __str__(self):
  73                 return '"%s"'%self.addr.ip_str()
  74
  75 class networks:
  76         "A set of IP addresses specified as a list of networks"
  77         def __init__(self,w):
  78                 self.set=ipaddr.ip_set()
  79                 for i in w[1:]:
  80                         x=string.split(i,"/")
  81                         self.set.append(ipaddr.network(x[0],x[1],
  82                                 ipaddr.DEMAND_NETWORK))
  83         def __str__(self):
  84                 return string.join(map(lambda x:'"%s/%s"'%(x.ip_str(),
  85                         x.mask.netmask_bits_str),
  86                         self.set.as_list_of_networks()),",")
  87
  88 class dhgroup:
  89         "A Diffie-Hellman group"
  90         def __init__(self,w):
  91                 self.mod=w[1]
  92                 self.gen=w[2]
  93         def __str__(self):
  94                 return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
  95
  96 class hash:
  97         "A choice of hash function"
  98         def __init__(self,w):
  99                 self.ht=w[1]
 100                 if (self.ht!='md5' and self.ht!='sha1'):
 101                         complain("unknown hash type %s"%(self.ht))
 102         def __str__(self):
 103                 return '%s'%(self.ht)
 104
 105 class email:
 106         "An email address"
 107         def __init__(self,w):
 108                 self.addr=w[1]
 109         def __str__(self):
 110                 return '<%s>'%(self.addr)
 111
 112 class boolean:
 113         "A boolean"
 114         def __init__(self,w):
 115                 if re.match('[TtYy1]',w[1]):
 116                         self.b=True
 117                 elif re.match('[FfNn0]',w[1]):
 118                         self.b=False
 119                 else:
 120                         complain("invalid boolean value");
 121         def __str__(self):
 122                 return ['False','True'][self.b]
 123
 124 class num:
 125         "A decimal number"
 126         def __init__(self,w):
 127                 self.n=string.atol(w[1])
 128         def __str__(self):
 129                 return '%d'%(self.n)
 130
 131 class address:
 132         "A DNS name and UDP port number"
 133         def __init__(self,w):
 134                 self.adr=w[1]
 135                 self.port=string.atoi(w[2])
 136                 if (self.port<1 or self.port>65535):
 137                         complain("invalid port number")
 138         def __str__(self):
 139                 return '"%s"; port %d'%(self.adr,self.port)
 140
 141 class rsakey:
 142         "An RSA public key"
 143         def __init__(self,w):
 144                 self.l=string.atoi(w[1])
 145                 self.e=w[2]
 146                 self.n=w[3]
 147         def __str__(self):
 148                 return 'rsa-public("%s","%s")'%(self.e,self.n)
 149
 150 # Possible properties of configuration nodes
 151 keywords={
 152  'contact':(email,"Contact address"),
 153  'dh':(dhgroup,"Diffie-Hellman group"),
 154  'hash':(hash,"Hash function"),
 155  'key-lifetime':(num,"Maximum key lifetime (ms)"),
 156  'setup-timeout':(num,"Key setup timeout (ms)"),
 157  'setup-retries':(num,"Maximum key setup packet retries"),
 158  'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
 159  'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
 160  'restrict-nets':(networks,"Allowable networks"),
 161  'networks':(networks,"Claimed networks"),
 162  'pubkey':(rsakey,"RSA public site key"),
 163  'peer':(single_ipaddr,"Tunnel peer IP address"),
 164  'address':(address,"External contact address and port"),
 165  'mobile':(boolean,"Site is mobile"),
 166 }
 167
 168 def sp(name,value):
 169         "Simply output a property - the default case"
 170         return "%s %s;\n"%(name,value)
 171
 172 # All levels support these properties
 173 global_properties={
 174         'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
 175         'dh':sp,
 176         'hash':sp,
 177         'key-lifetime':sp,
 178         'setup-timeout':sp,
 179         'setup-retries':sp,
 180         'wait-time':sp,
 181         'renegotiate-time':sp,
 182         'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
 183 }
 184
 185 class level:
 186         "A level in the configuration hierarchy"
 187         depth=0
 188         leaf=0
 189         allow_properties={}
 190         require_properties={}
 191         def __init__(self,w):
 192                 self.name=w[1]
 193                 self.properties={}
 194                 self.children={}
 195         def indent(self,w,t):
 196                 w.write("                 "[:t])
 197         def prop_out(self,n):
 198                 return self.allow_properties[n](n,str(self.properties[n]))
 199         def output_props(self,w,ind):
 200                 for i in self.properties.keys():
 201                         if self.allow_properties[i]:
 202                                 self.indent(w,ind)
 203                                 w.write("%s"%self.prop_out(i))
 204         def output_data(self,w,ind,np):
 205                 self.indent(w,ind)
 206                 w.write("%s {\n"%(self.name))
 207                 self.output_props(w,ind+2)
 208                 if self.depth==1: w.write("\n");
 209                 for c in self.children.values():
 210                         c.output_data(w,ind+2,np+self.name+"/")
 211                 self.indent(w,ind)
 212                 w.write("};\n")
 213
 214 class vpnlevel(level):
 215         "VPN level in the configuration hierarchy"
 216         depth=1
 217         leaf=0
 218         type="vpn"
 219         allow_properties=global_properties.copy()
 220         require_properties={
 221          'contact':"VPN admin contact address"
 222         }
 223         def __init__(self,w):
 224                 level.__init__(self,w)
 225         def output_vpnflat(self,w,ind,h):
 226                 "Output flattened list of site names for this VPN"
 227                 self.indent(w,ind)
 228                 w.write("%s {\n"%(self.name))
 229                 for i in self.children.keys():
 230                         self.children[i].output_vpnflat(w,ind+2,
 231                                 h+"/"+self.name+"/"+i)
 232                 w.write("\n")
 233                 self.indent(w,ind+2)
 234                 w.write("all-sites %s;\n"%
 235                         string.join(self.children.keys(),','))
 236                 self.indent(w,ind)
 237                 w.write("};\n")
 238
 239 class locationlevel(level):
 240         "Location level in the configuration hierarchy"
 241         depth=2
 242         leaf=0
 243         type="location"
 244         allow_properties=global_properties.copy()
 245         require_properties={
 246          'contact':"Location admin contact address",
 247         }
 248         def __init__(self,w):
 249                 level.__init__(self,w)
 250                 self.group=w[2]
 251         def output_vpnflat(self,w,ind,h):
 252                 self.indent(w,ind)
 253                 # The "h=h,self=self" abomination below exists because
 254                 # Python didn't support nested_scopes until version 2.1
 255                 w.write("%s %s;\n"%(self.name,string.join(
 256                         map(lambda x,h=h,self=self:
 257                                 h+"/"+x,self.children.keys()),',')))
 258
 259 class sitelevel(level):
 260         "Site level (i.e. a leafnode) in the configuration hierarchy"
 261         depth=3
 262         leaf=1
 263         type="site"
 264         allow_properties=global_properties.copy()
 265         allow_properties.update({
 266          'address':sp,
 267          'networks':None,
 268          'peer':None,
 269          'pubkey':(lambda n,v:"key %s;\n"%v),
 270          'mobile':sp,
 271         })
 272         require_properties={
 273          'dh':"Diffie-Hellman group",
 274          'contact':"Site admin contact address",
 275          'address':"Site external access address",
 276          'networks':"Networks claimed by the site",
 277          'hash':"hash function",
 278          'peer':"Gateway address of the site",
 279          'pubkey':"RSA public key of the site",
 280         }
 281         def __init__(self,w):
 282                 level.__init__(self,w)
 283         def output_data(self,w,ind,np):
 284                 self.indent(w,ind)
 285                 w.write("%s {\n"%(self.name))
 286                 self.indent(w,ind+2)
 287                 w.write("name \"%s\";\n"%(np+self.name))
 288                 self.output_props(w,ind+2)
 289                 self.indent(w,ind+2)
 290                 w.write("link netlink {\n");
 291                 self.indent(w,ind+4)
 292                 w.write("routes %s;\n"%str(self.properties["networks"]))
 293                 self.indent(w,ind+4)
 294                 w.write("ptp-address %s;\n"%str(self.properties["peer"]))
 295                 self.indent(w,ind+2)
 296                 w.write("};\n")
 297                 self.indent(w,ind)
 298                 w.write("};\n")
 299
 300 # Levels in the configuration file
 301 # (depth,properties)
 302 levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
 303
 304 # Reserved vpn/location/site names
 305 reserved={'all-sites':None}
 306 reserved.update(keywords)
 307 reserved.update(levels)
 308
 309 def complain(msg):
 310         "Complain about a particular input line"
 311         global complaints
 312         print ("%s line %d: "%(file,line))+msg
 313         complaints=complaints+1
 314 def moan(msg):
 315         "Complain about something in general"
 316         global complaints
 317         print msg;
 318         complaints=complaints+1
 319
 320 root=level(['root','root'])   # All vpns are children of this node
 321 obstack=[root]
 322 allow_defs=0   # Level above which new definitions are permitted
 323
 324 def set_property(obj,w):
 325         "Set a property on a configuration node"
 326         if obj.properties.has_key(w[0]):
 327                 complain("%s %s already has property %s defined"%
 328                         (obj.type,obj.name,w[0]))
 329         else:
 330                 obj.properties[w[0]]=keywords[w[0]][0](w)
 331
 332 def pline(i):
 333         "Process a configuration file line"
 334         global allow_defs, obstack, root
 335         w=string.split(i)
 336         if len(w)==0: return
 337         keyword=w[0]
 338         current=obstack[len(obstack)-1]
 339         if keyword=='end-definitions':
 340                 allow_defs=sitelevel.depth
 341                 obstack=[root]
 342                 return
 343         if levels.has_key(keyword):
 344                 # We may go up any number of levels, but only down by one
 345                 newdepth=levels[keyword].depth
 346                 currentdepth=len(obstack) # actually +1...
 347                 if newdepth<=currentdepth:
 348                         obstack=obstack[:newdepth]
 349                 if newdepth>currentdepth:
 350                         complain("May not go from level %d to level %d"%
 351                                 (currentdepth-1,newdepth))
 352                 # See if it's a new one (and whether that's permitted)
 353                 # or an existing one
 354                 current=obstack[len(obstack)-1]
 355                 if current.children.has_key(w[1]):
 356                         # Not new
 357                         current=current.children[w[1]]
 358                         if service and group and current.depth==2:
 359                                 if group!=current.group:
 360                                         complain("Incorrect group!")
 361                 else:
 362                         # New
 363                         # Ignore depth check for now
 364                         nl=levels[keyword](w)
 365                         if nl.depth<allow_defs:
 366                                 complain("New definitions not allowed at "
 367                                         "level %d"%nl.depth)
 368                         current.children[w[1]]=nl
 369                         current=nl
 370                 obstack.append(current)
 371                 return
 372         if current.allow_properties.has_key(keyword):
 373                 set_property(current,w)
 374                 return
 375         else:
 376                 complain("Property %s not allowed at %s level"%
 377                         (keyword,current.type))
 378                 return
 379
 380         complain("unknown keyword '%s'"%(keyword))
 381
 382 def pfilepath(pathname):
 383         f=open(pathname)
 384         pfile(pathname,f.readlines())
 385         f.close()
 386
 387 def pfile(name,lines):
 388         "Process a file"
 389         global file,line
 390         file=name
 391         line=0
 392         for i in lines:
 393                 line=line+1
 394                 if (i[0]=='#'): continue
 395                 if (i[len(i)-1]=='\n'): i=i[:len(i)-1] # strip trailing LF
 396                 pline(i)
 397
 398 def outputsites(w):
 399         "Output include file for secnet configuration"
 400         w.write("# secnet sites file autogenerated by make-secnet-sites "
 401                 +"version %s\n"%VERSION)
 402         w.write("# %s\n"%time.asctime(time.localtime(time.time())))
 403         w.write("# Command line: %s\n\n"%string.join(sys.argv))
 404
 405         # Raw VPN data section of file
 406         w.write("vpn-data {\n")
 407         for i in root.children.values():
 408                 i.output_data(w,2,"")
 409         w.write("};\n")
 410
 411         # Per-VPN flattened lists
 412         w.write("vpn {\n")
 413         for i in root.children.values():
 414                 i.output_vpnflat(w,2,"vpn-data")
 415         w.write("};\n")
 416
 417         # Flattened list of sites
 418         w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"%
 419                 x,root.children.keys()),","))
 420
 421 # Are we being invoked from userv?
 422 service=0
 423 # If we are, which group does the caller want to modify?
 424 group=None
 425
 426 line=0
 427 file=None
 428 complaints=0
 429
 430 if len(sys.argv)<2:
 431         pfile("stdin",sys.stdin.readlines())
 432         of=sys.stdout
 433 else:
 434         if sys.argv[1]=='-u':
 435                 if len(sys.argv)!=6:
 436                         print "Wrong number of arguments"
 437                         sys.exit(1)
 438                 service=1
 439                 header=sys.argv[2]
 440                 groupfiledir=sys.argv[3]
 441                 sitesfile=sys.argv[4]
 442                 group=sys.argv[5]
 443                 if not os.environ.has_key("USERV_USER"):
 444                         print "Environment variable USERV_USER not found"
 445                         sys.exit(1)
 446                 user=os.environ["USERV_USER"]
 447                 # Check that group is in USERV_GROUP
 448                 if not os.environ.has_key("USERV_GROUP"):
 449                         print "Environment variable USERV_GROUP not found"
 450                         sys.exit(1)
 451                 ugs=os.environ["USERV_GROUP"]
 452                 ok=0
 453                 for i in string.split(ugs):
 454                         if group==i: ok=1
 455                 if not ok:
 456                         print "caller not in group %s"%group
 457                         sys.exit(1)
 458                 pfilepath(header)
 459                 userinput=sys.stdin.readlines()
 460                 pfile("user input",userinput)
 461         else:
 462                 if len(sys.argv)>3:
 463                         print "Too many arguments"
 464                         sys.exit(1)
 465                 pfilepath(sys.argv[1])
 466                 of=sys.stdout
 467                 if len(sys.argv)>2:
 468                         of=open(sys.argv[2],'w')
 469
 470 # Sanity check section
 471 # Delete nodes where leaf=0 that have no children
 472
 473 def live(n):
 474         "Number of leafnodes below node n"
 475         if n.leaf: return 1
 476         for i in n.children.keys():
 477                 if live(n.children[i]): return 1
 478         return 0
 479 def delempty(n):
 480         "Delete nodes that have no leafnode children"
 481         for i in n.children.keys():
 482                 delempty(n.children[i])
 483                 if not live(n.children[i]):
 484                         del n.children[i]
 485 delempty(root)
 486
 487 # Check that all constraints are met (as far as I can tell
 488 # restrict-nets/networks/peer are the only special cases)
 489
 490 def checkconstraints(n,p,ra):
 491         new_p=p.copy()
 492         new_p.update(n.properties)
 493         for i in n.require_properties.keys():
 494                 if not new_p.has_key(i):
 495                         moan("%s %s is missing property %s"%
 496                                 (n.type,n.name,i))
 497         for i in new_p.keys():
 498                 if not n.allow_properties.has_key(i):
 499                         moan("%s %s has forbidden property %s"%
 500                                 (n.type,n.name,i))
 501         # Check address range restrictions
 502         if n.properties.has_key("restrict-nets"):
 503                 new_ra=ra.intersection(n.properties["restrict-nets"].set)
 504         else:
 505                 new_ra=ra
 506         if n.properties.has_key("networks"):
 507                 # I'd like to do this:
 508                 # n.properties["networks"].set.is_subset(new_ra)
 509                 # but there isn't an is_subset() method
 510                 # Instead we see if we intersect with the complement of new_ra
 511                 rac=new_ra.complement()
 512                 i=rac.intersection(n.properties["networks"].set)
 513                 if not i.is_empty():
 514                         moan("%s %s networks out of bounds"%(n.type,n.name))
 515                 if n.properties.has_key("peer"):
 516                         if not n.properties["networks"].set.contains(
 517                                 n.properties["peer"].addr):
 518                                 moan("%s %s peer not in networks"%(n.type,n.name))
 519         for i in n.children.keys():
 520                 checkconstraints(n.children[i],new_p,new_ra)
 521
 522 checkconstraints(root,{},ipaddr.complete_set)
 523
 524 if complaints>0:
 525         if complaints==1: print "There was 1 problem."
 526         else: print "There were %d problems."%(complaints)
 527         sys.exit(1)
 528
 529 if service:
 530         # Put the user's input into their group file, and rebuild the main
 531         # sites file
 532         f=open(groupfiledir+"/T"+group,'w')
 533         f.write("# Section submitted by user %s, %s\n"%
 534                 (user,time.asctime(time.localtime(time.time()))))
 535         f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
 536         for i in userinput: f.write(i)
 537         f.write("\n")
 538         f.close()
 539         os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
 540         f=open(sitesfile+"-tmp",'w')
 541         f.write("# sites file autogenerated by make-secnet-sites\n")
 542         f.write("# generated %s, invoked by %s\n"%
 543                 (time.asctime(time.localtime(time.time())),user))
 544         f.write("# use make-secnet-sites to turn this file into a\n")
 545         f.write("# valid /etc/secnet/sites.conf file\n\n")
 546         for i in headerinput: f.write(i)
 547         files=os.listdir(groupfiledir)
 548         for i in files:
 549                 if i[0]=='R':
 550                         j=open(groupfiledir+"/"+i)
 551                         f.write(j.read())
 552                         j.close()
 553         f.write("# end of sites file\n")
 554         f.close()
 555         os.rename(sitesfile+"-tmp",sitesfile)
 556 else:
 557         outputsites(of)