chiark / gitweb /
build system: New "make dist" uses git; add release checklist
[secnet.git] / make-secnet-sites
1 #! /usr/bin/env python
2 # Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
3 #
4 # This program is free software; you can redistribute it and/or modify
5 # it under the terms of the GNU General Public License as published by
6 # the Free Software Foundation; either version 2 of the License, or
7 # (at your option) any later version.
8
9 # This program is distributed in the hope that it will be useful,
10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12 # GNU General Public License for more details.
13
14 # You should have received a copy of the GNU General Public License
15 # along with this program; if not, write to the Free Software
16 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
17
18 """VPN sites file manipulation.
19
20 This program enables VPN site descriptions to be submitted for
21 inclusion in a central database, and allows the resulting database to
22 be turned into a secnet configuration file.
23
24 A database file can be turned into a secnet configuration file simply:
25 make-secnet-sites.py [infile [outfile]]
26
27 It would be wise to run secnet with the "--just-check-config" option
28 before installing the output on a live system.
29
30 The program expects to be invoked via userv to manage the database; it
31 relies on the USERV_USER and USERV_GROUP environment variables. The
32 command line arguments for this invocation are:
33
34 make-secnet-sites.py -u header-filename groupfiles-directory output-file \
35   group
36
37 All but the last argument are expected to be set by userv; the 'group'
38 argument is provided by the user. A suitable userv configuration file
39 fragment is:
40
41 reset
42 no-disconnect-hup
43 no-suppress-args
44 cd ~/secnet/sites-test/
45 execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
46
47 This program is part of secnet. It relies on the "ipaddr" library from
48 Cendio Systems AB.
49
50 """
51
52 import string
53 import time
54 import sys
55 import os
56 import getopt
57 import re
58
59 # The ipaddr library is installed as part of secnet
60 sys.path.append("/usr/local/share/secnet")
61 sys.path.append("/usr/share/secnet")
62 import ipaddr
63
64 VERSION="0.1.18"
65
66 # Classes describing possible datatypes in the configuration file
67
68 class single_ipaddr:
69         "An IP address"
70         def __init__(self,w):
71                 self.addr=ipaddr.ipaddr(w[1])
72         def __str__(self):
73                 return '"%s"'%self.addr.ip_str()
74
75 class networks:
76         "A set of IP addresses specified as a list of networks"
77         def __init__(self,w):
78                 self.set=ipaddr.ip_set()
79                 for i in w[1:]:
80                         x=string.split(i,"/")
81                         self.set.append(ipaddr.network(x[0],x[1],
82                                 ipaddr.DEMAND_NETWORK))
83         def __str__(self):
84                 return string.join(map(lambda x:'"%s/%s"'%(x.ip_str(),
85                         x.mask.netmask_bits_str),
86                         self.set.as_list_of_networks()),",")
87
88 class dhgroup:
89         "A Diffie-Hellman group"
90         def __init__(self,w):
91                 self.mod=w[1]
92                 self.gen=w[2]
93         def __str__(self):
94                 return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
95
96 class hash:
97         "A choice of hash function"
98         def __init__(self,w):
99                 self.ht=w[1]
100                 if (self.ht!='md5' and self.ht!='sha1'):
101                         complain("unknown hash type %s"%(self.ht))
102         def __str__(self):
103                 return '%s'%(self.ht)
104
105 class email:
106         "An email address"
107         def __init__(self,w):
108                 self.addr=w[1]
109         def __str__(self):
110                 return '<%s>'%(self.addr)
111
112 class boolean:
113         "A boolean"
114         def __init__(self,w):
115                 if re.match('[TtYy1]',w[1]):
116                         self.b=True
117                 elif re.match('[FfNn0]',w[1]):
118                         self.b=False
119                 else:
120                         complain("invalid boolean value");
121         def __str__(self):
122                 return ['False','True'][self.b]
123
124 class num:
125         "A decimal number"
126         def __init__(self,w):
127                 self.n=string.atol(w[1])
128         def __str__(self):
129                 return '%d'%(self.n)
130
131 class address:
132         "A DNS name and UDP port number"
133         def __init__(self,w):
134                 self.adr=w[1]
135                 self.port=string.atoi(w[2])
136                 if (self.port<1 or self.port>65535):
137                         complain("invalid port number")
138         def __str__(self):
139                 return '"%s"; port %d'%(self.adr,self.port)
140
141 class rsakey:
142         "An RSA public key"
143         def __init__(self,w):
144                 self.l=string.atoi(w[1])
145                 self.e=w[2]
146                 self.n=w[3]
147         def __str__(self):
148                 return 'rsa-public("%s","%s")'%(self.e,self.n)
149
150 # Possible properties of configuration nodes
151 keywords={
152  'contact':(email,"Contact address"),
153  'dh':(dhgroup,"Diffie-Hellman group"),
154  'hash':(hash,"Hash function"),
155  'key-lifetime':(num,"Maximum key lifetime (ms)"),
156  'setup-timeout':(num,"Key setup timeout (ms)"),
157  'setup-retries':(num,"Maximum key setup packet retries"),
158  'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
159  'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
160  'restrict-nets':(networks,"Allowable networks"),
161  'networks':(networks,"Claimed networks"),
162  'pubkey':(rsakey,"RSA public site key"),
163  'peer':(single_ipaddr,"Tunnel peer IP address"),
164  'address':(address,"External contact address and port"),
165  'mobile':(boolean,"Site is mobile"),
166 }
167
168 def sp(name,value):
169         "Simply output a property - the default case"
170         return "%s %s;\n"%(name,value)
171
172 # All levels support these properties
173 global_properties={
174         'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
175         'dh':sp,
176         'hash':sp,
177         'key-lifetime':sp,
178         'setup-timeout':sp,
179         'setup-retries':sp,
180         'wait-time':sp,
181         'renegotiate-time':sp,
182         'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
183 }
184
185 class level:
186         "A level in the configuration hierarchy"
187         depth=0
188         leaf=0
189         allow_properties={}
190         require_properties={}
191         def __init__(self,w):
192                 self.name=w[1]
193                 self.properties={}
194                 self.children={}
195         def indent(self,w,t):
196                 w.write("                 "[:t])
197         def prop_out(self,n):
198                 return self.allow_properties[n](n,str(self.properties[n]))
199         def output_props(self,w,ind):
200                 for i in self.properties.keys():
201                         if self.allow_properties[i]:
202                                 self.indent(w,ind)
203                                 w.write("%s"%self.prop_out(i))
204         def output_data(self,w,ind,np):
205                 self.indent(w,ind)
206                 w.write("%s {\n"%(self.name))
207                 self.output_props(w,ind+2)
208                 if self.depth==1: w.write("\n");
209                 for c in self.children.values():
210                         c.output_data(w,ind+2,np+self.name+"/")
211                 self.indent(w,ind)
212                 w.write("};\n")
213
214 class vpnlevel(level):
215         "VPN level in the configuration hierarchy"
216         depth=1
217         leaf=0
218         type="vpn"
219         allow_properties=global_properties.copy()
220         require_properties={
221          'contact':"VPN admin contact address"
222         }
223         def __init__(self,w):
224                 level.__init__(self,w)
225         def output_vpnflat(self,w,ind,h):
226                 "Output flattened list of site names for this VPN"
227                 self.indent(w,ind)
228                 w.write("%s {\n"%(self.name))
229                 for i in self.children.keys():
230                         self.children[i].output_vpnflat(w,ind+2,
231                                 h+"/"+self.name+"/"+i)
232                 w.write("\n")
233                 self.indent(w,ind+2)
234                 w.write("all-sites %s;\n"%
235                         string.join(self.children.keys(),','))
236                 self.indent(w,ind)
237                 w.write("};\n")
238
239 class locationlevel(level):
240         "Location level in the configuration hierarchy"
241         depth=2
242         leaf=0
243         type="location"
244         allow_properties=global_properties.copy()
245         require_properties={
246          'contact':"Location admin contact address",
247         }
248         def __init__(self,w):
249                 level.__init__(self,w)
250                 self.group=w[2]
251         def output_vpnflat(self,w,ind,h):
252                 self.indent(w,ind)
253                 # The "h=h,self=self" abomination below exists because
254                 # Python didn't support nested_scopes until version 2.1
255                 w.write("%s %s;\n"%(self.name,string.join(
256                         map(lambda x,h=h,self=self:
257                                 h+"/"+x,self.children.keys()),',')))
258
259 class sitelevel(level):
260         "Site level (i.e. a leafnode) in the configuration hierarchy"
261         depth=3
262         leaf=1
263         type="site"
264         allow_properties=global_properties.copy()
265         allow_properties.update({
266          'address':sp,
267          'networks':None,
268          'peer':None,
269          'pubkey':(lambda n,v:"key %s;\n"%v),
270          'mobile':sp,
271         })
272         require_properties={
273          'dh':"Diffie-Hellman group",
274          'contact':"Site admin contact address",
275          'address':"Site external access address",
276          'networks':"Networks claimed by the site",
277          'hash':"hash function",
278          'peer':"Gateway address of the site",
279          'pubkey':"RSA public key of the site",
280         }
281         def __init__(self,w):
282                 level.__init__(self,w)
283         def output_data(self,w,ind,np):
284                 self.indent(w,ind)
285                 w.write("%s {\n"%(self.name))
286                 self.indent(w,ind+2)
287                 w.write("name \"%s\";\n"%(np+self.name))
288                 self.output_props(w,ind+2)
289                 self.indent(w,ind+2)
290                 w.write("link netlink {\n");
291                 self.indent(w,ind+4)
292                 w.write("routes %s;\n"%str(self.properties["networks"]))
293                 self.indent(w,ind+4)
294                 w.write("ptp-address %s;\n"%str(self.properties["peer"]))
295                 self.indent(w,ind+2)
296                 w.write("};\n")
297                 self.indent(w,ind)
298                 w.write("};\n")
299
300 # Levels in the configuration file
301 # (depth,properties)
302 levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
303
304 # Reserved vpn/location/site names
305 reserved={'all-sites':None}
306 reserved.update(keywords)
307 reserved.update(levels)
308
309 def complain(msg):
310         "Complain about a particular input line"
311         global complaints
312         print ("%s line %d: "%(file,line))+msg
313         complaints=complaints+1
314 def moan(msg):
315         "Complain about something in general"
316         global complaints
317         print msg;
318         complaints=complaints+1
319
320 root=level(['root','root'])   # All vpns are children of this node
321 obstack=[root]
322 allow_defs=0   # Level above which new definitions are permitted
323
324 def set_property(obj,w):
325         "Set a property on a configuration node"
326         if obj.properties.has_key(w[0]):
327                 complain("%s %s already has property %s defined"%
328                         (obj.type,obj.name,w[0]))
329         else:
330                 obj.properties[w[0]]=keywords[w[0]][0](w)
331
332 def pline(i):
333         "Process a configuration file line"
334         global allow_defs, obstack, root
335         w=string.split(i)
336         if len(w)==0: return
337         keyword=w[0]
338         current=obstack[len(obstack)-1]
339         if keyword=='end-definitions':
340                 allow_defs=sitelevel.depth
341                 obstack=[root]
342                 return
343         if levels.has_key(keyword):
344                 # We may go up any number of levels, but only down by one
345                 newdepth=levels[keyword].depth
346                 currentdepth=len(obstack) # actually +1...
347                 if newdepth<=currentdepth:
348                         obstack=obstack[:newdepth]
349                 if newdepth>currentdepth:
350                         complain("May not go from level %d to level %d"%
351                                 (currentdepth-1,newdepth))
352                 # See if it's a new one (and whether that's permitted)
353                 # or an existing one
354                 current=obstack[len(obstack)-1]
355                 if current.children.has_key(w[1]):
356                         # Not new
357                         current=current.children[w[1]]
358                         if service and group and current.depth==2:
359                                 if group!=current.group:
360                                         complain("Incorrect group!")
361                 else:
362                         # New
363                         # Ignore depth check for now
364                         nl=levels[keyword](w)
365                         if nl.depth<allow_defs:
366                                 complain("New definitions not allowed at "
367                                         "level %d"%nl.depth)
368                         current.children[w[1]]=nl
369                         current=nl
370                 obstack.append(current)
371                 return
372         if current.allow_properties.has_key(keyword):
373                 set_property(current,w)
374                 return
375         else:
376                 complain("Property %s not allowed at %s level"%
377                         (keyword,current.type))
378                 return
379
380         complain("unknown keyword '%s'"%(keyword))
381
382 def pfile(name,lines):
383         "Process a file"
384         global file,line
385         file=name
386         line=0
387         for i in lines:
388                 line=line+1
389                 if (i[0]=='#'): continue
390                 if (i[len(i)-1]=='\n'): i=i[:len(i)-1] # strip trailing LF
391                 pline(i)
392
393 def outputsites(w):
394         "Output include file for secnet configuration"
395         w.write("# secnet sites file autogenerated by make-secnet-sites "
396                 +"version %s\n"%VERSION)
397         w.write("# %s\n"%time.asctime(time.localtime(time.time())))
398         w.write("# Command line: %s\n\n"%string.join(sys.argv))
399
400         # Raw VPN data section of file
401         w.write("vpn-data {\n")
402         for i in root.children.values():
403                 i.output_data(w,2,"")
404         w.write("};\n")
405
406         # Per-VPN flattened lists
407         w.write("vpn {\n")
408         for i in root.children.values():
409                 i.output_vpnflat(w,2,"vpn-data")
410         w.write("};\n")
411
412         # Flattened list of sites
413         w.write("all-sites %s;\n"%string.join(map(lambda x:"vpn/%s/all-sites"%
414                 x,root.children.keys()),","))
415
416 # Are we being invoked from userv?
417 service=0
418 # If we are, which group does the caller want to modify?
419 group=None
420
421 line=0
422 file=None
423 complaints=0
424
425 if len(sys.argv)<2:
426         pfile("stdin",sys.stdin.readlines())
427         of=sys.stdout
428 else:
429         if sys.argv[1]=='-u':
430                 if len(sys.argv)!=6:
431                         print "Wrong number of arguments"
432                         sys.exit(1)
433                 service=1
434                 header=sys.argv[2]
435                 groupfiledir=sys.argv[3]
436                 sitesfile=sys.argv[4]
437                 group=sys.argv[5]
438                 if not os.environ.has_key("USERV_USER"):
439                         print "Environment variable USERV_USER not found"
440                         sys.exit(1)
441                 user=os.environ["USERV_USER"]
442                 # Check that group is in USERV_GROUP
443                 if not os.environ.has_key("USERV_GROUP"):
444                         print "Environment variable USERV_GROUP not found"
445                         sys.exit(1)
446                 ugs=os.environ["USERV_GROUP"]
447                 ok=0
448                 for i in string.split(ugs):
449                         if group==i: ok=1
450                 if not ok:
451                         print "caller not in group %s"%group
452                         sys.exit(1)
453                 f=open(header)
454                 headerinput=f.readlines()
455                 f.close()
456                 pfile(header,headerinput)
457                 userinput=sys.stdin.readlines()
458                 pfile("user input",userinput)
459         else:
460                 if len(sys.argv)>3:
461                         print "Too many arguments"
462                         sys.exit(1)
463                 f=open(sys.argv[1])
464                 pfile(sys.argv[1],f.readlines())
465                 f.close()
466                 of=sys.stdout
467                 if len(sys.argv)>2:
468                         of=open(sys.argv[2],'w')
469
470 # Sanity check section
471 # Delete nodes where leaf=0 that have no children
472
473 def live(n):
474         "Number of leafnodes below node n"
475         if n.leaf: return 1
476         for i in n.children.keys():
477                 if live(n.children[i]): return 1
478         return 0
479 def delempty(n):
480         "Delete nodes that have no leafnode children"
481         for i in n.children.keys():
482                 delempty(n.children[i])
483                 if not live(n.children[i]):
484                         del n.children[i]
485 delempty(root)
486
487 # Check that all constraints are met (as far as I can tell
488 # restrict-nets/networks/peer are the only special cases)
489
490 def checkconstraints(n,p,ra):
491         new_p=p.copy()
492         new_p.update(n.properties)
493         for i in n.require_properties.keys():
494                 if not new_p.has_key(i):
495                         moan("%s %s is missing property %s"%
496                                 (n.type,n.name,i))
497         for i in new_p.keys():
498                 if not n.allow_properties.has_key(i):
499                         moan("%s %s has forbidden property %s"%
500                                 (n.type,n.name,i))
501         # Check address range restrictions
502         if n.properties.has_key("restrict-nets"):
503                 new_ra=ra.intersection(n.properties["restrict-nets"].set)
504         else:
505                 new_ra=ra
506         if n.properties.has_key("networks"):
507                 # I'd like to do this:
508                 # n.properties["networks"].set.is_subset(new_ra)
509                 # but there isn't an is_subset() method
510                 # Instead we see if we intersect with the complement of new_ra
511                 rac=new_ra.complement()
512                 i=rac.intersection(n.properties["networks"].set)
513                 if not i.is_empty():
514                         moan("%s %s networks out of bounds"%(n.type,n.name))
515                 if n.properties.has_key("peer"):
516                         if not n.properties["networks"].set.contains(
517                                 n.properties["peer"].addr):
518                                 moan("%s %s peer not in networks"%(n.type,n.name))
519         for i in n.children.keys():
520                 checkconstraints(n.children[i],new_p,new_ra)
521
522 checkconstraints(root,{},ipaddr.complete_set)
523
524 if complaints>0:
525         if complaints==1: print "There was 1 problem."
526         else: print "There were %d problems."%(complaints)
527         sys.exit(1)
528
529 if service:
530         # Put the user's input into their group file, and rebuild the main
531         # sites file
532         f=open(groupfiledir+"/T"+group,'w')
533         f.write("# Section submitted by user %s, %s\n"%
534                 (user,time.asctime(time.localtime(time.time()))))
535         f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
536         for i in userinput: f.write(i)
537         f.write("\n")
538         f.close()
539         os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
540         f=open(sitesfile+"-tmp",'w')
541         f.write("# sites file autogenerated by make-secnet-sites\n")
542         f.write("# generated %s, invoked by %s\n"%
543                 (time.asctime(time.localtime(time.time())),user))
544         f.write("# use make-secnet-sites to turn this file into a\n")
545         f.write("# valid /etc/secnet/sites.conf file\n\n")
546         for i in headerinput: f.write(i)
547         files=os.listdir(groupfiledir)
548         for i in files:
549                 if i[0]=='R':
550                         j=open(groupfiledir+"/"+i)
551                         f.write(j.read())
552                         j.close()
553         f.write("# end of sites file\n")
554         f.close()
555         os.rename(sitesfile+"-tmp",sitesfile)
556 else:
557         outputsites(of)