make-secnet-sites

   1 #! /usr/bin/env python
   2 # Copyright (C) 2001-2002 Stephen Early <steve@greenend.org.uk>
   3 #
   4 # This program is free software; you can redistribute it and/or modify
   5 # it under the terms of the GNU General Public License as published by
   6 # the Free Software Foundation; either version 2 of the License, or
   7 # (at your option) any later version.
   8 #
   9 # This program is distributed in the hope that it will be useful,
  10 # but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 # GNU General Public License for more details.
  13 #
  14 # You should have received a copy of the GNU General Public License
  15 # along with this program; if not, write to the Free Software
  16 # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  17
  18 """VPN sites file manipulation.
  19
  20 This program enables VPN site descriptions to be submitted for
  21 inclusion in a central database, and allows the resulting database to
  22 be turned into a secnet configuration file.
  23
  24 A database file can be turned into a secnet configuration file simply:
  25 make-secnet-sites.py [infile [outfile]]
  26
  27 It would be wise to run secnet with the "--just-check-config" option
  28 before installing the output on a live system.
  29
  30 The program expects to be invoked via userv to manage the database; it
  31 relies on the USERV_USER and USERV_GROUP environment variables. The
  32 command line arguments for this invocation are:
  33
  34 make-secnet-sites.py -u header-filename groupfiles-directory output-file \
  35   group
  36
  37 All but the last argument are expected to be set by userv; the 'group'
  38 argument is provided by the user. A suitable userv configuration file
  39 fragment is:
  40
  41 reset
  42 no-disconnect-hup
  43 no-suppress-args
  44 cd ~/secnet/sites-test/
  45 execute ~/secnet/make-secnet-sites.py -u vpnheader groupfiles sites
  46
  47 This program is part of secnet. It relies on the "ipaddr" library from
  48 Cendio Systems AB.
  49
  50 """
  51
  52 import string
  53 import time
  54 import sys
  55 import os
  56 import getopt
  57 import re
  58
  59 import ipaddr
  60
  61 sys.path.insert(0,"/usr/local/share/secnet")
  62 sys.path.insert(0,"/usr/share/secnet")
  63 import ipaddrset
  64
  65 VERSION="0.1.18"
  66
  67 # Classes describing possible datatypes in the configuration file
  68
  69 class single_ipaddr:
  70         "An IP address"
  71         def __init__(self,w):
  72                 self.addr=ipaddr.IPAddress(w[1])
  73         def __str__(self):
  74                 return '"%s"'%self.addr
  75
  76 class networks:
  77         "A set of IP addresses specified as a list of networks"
  78         def __init__(self,w):
  79                 self.set=ipaddrset.IPAddressSet()
  80                 for i in w[1:]:
  81                         x=ipaddr.IPNetwork(i,strict=True)
  82                         self.set.append([x])
  83         def __str__(self):
  84                 return ",".join(map((lambda n: '"%s"'%n), self.set.networks()))
  85
  86 class dhgroup:
  87         "A Diffie-Hellman group"
  88         def __init__(self,w):
  89                 self.mod=w[1]
  90                 self.gen=w[2]
  91         def __str__(self):
  92                 return 'diffie-hellman("%s","%s")'%(self.mod,self.gen)
  93
  94 class hash:
  95         "A choice of hash function"
  96         def __init__(self,w):
  97                 self.ht=w[1]
  98                 if (self.ht!='md5' and self.ht!='sha1'):
  99                         complain("unknown hash type %s"%(self.ht))
 100         def __str__(self):
 101                 return '%s'%(self.ht)
 102
 103 class email:
 104         "An email address"
 105         def __init__(self,w):
 106                 self.addr=w[1]
 107         def __str__(self):
 108                 return '<%s>'%(self.addr)
 109
 110 class boolean:
 111         "A boolean"
 112         def __init__(self,w):
 113                 if re.match('[TtYy1]',w[1]):
 114                         self.b=True
 115                 elif re.match('[FfNn0]',w[1]):
 116                         self.b=False
 117                 else:
 118                         complain("invalid boolean value");
 119         def __str__(self):
 120                 return ['False','True'][self.b]
 121
 122 class num:
 123         "A decimal number"
 124         def __init__(self,w):
 125                 self.n=string.atol(w[1])
 126         def __str__(self):
 127                 return '%d'%(self.n)
 128
 129 class address:
 130         "A DNS name and UDP port number"
 131         def __init__(self,w):
 132                 self.adr=w[1]
 133                 self.port=string.atoi(w[2])
 134                 if (self.port<1 or self.port>65535):
 135                         complain("invalid port number")
 136         def __str__(self):
 137                 return '"%s"; port %d'%(self.adr,self.port)
 138
 139 class rsakey:
 140         "An RSA public key"
 141         def __init__(self,w):
 142                 self.l=string.atoi(w[1])
 143                 self.e=w[2]
 144                 self.n=w[3]
 145         def __str__(self):
 146                 return 'rsa-public("%s","%s")'%(self.e,self.n)
 147
 148 # Possible properties of configuration nodes
 149 keywords={
 150  'contact':(email,"Contact address"),
 151  'dh':(dhgroup,"Diffie-Hellman group"),
 152  'hash':(hash,"Hash function"),
 153  'key-lifetime':(num,"Maximum key lifetime (ms)"),
 154  'setup-timeout':(num,"Key setup timeout (ms)"),
 155  'setup-retries':(num,"Maximum key setup packet retries"),
 156  'wait-time':(num,"Time to wait after unsuccessful key setup (ms)"),
 157  'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
 158  'restrict-nets':(networks,"Allowable networks"),
 159  'networks':(networks,"Claimed networks"),
 160  'pubkey':(rsakey,"RSA public site key"),
 161  'peer':(single_ipaddr,"Tunnel peer IP address"),
 162  'address':(address,"External contact address and port"),
 163  'mobile':(boolean,"Site is mobile"),
 164 }
 165
 166 def sp(name,value):
 167         "Simply output a property - the default case"
 168         return "%s %s;\n"%(name,value)
 169
 170 # All levels support these properties
 171 global_properties={
 172         'contact':(lambda name,value:"# Contact email address: %s\n"%(value)),
 173         'dh':sp,
 174         'hash':sp,
 175         'key-lifetime':sp,
 176         'setup-timeout':sp,
 177         'setup-retries':sp,
 178         'wait-time':sp,
 179         'renegotiate-time':sp,
 180         'restrict-nets':(lambda name,value:"# restrict-nets %s\n"%value),
 181 }
 182
 183 class level:
 184         "A level in the configuration hierarchy"
 185         depth=0
 186         leaf=0
 187         allow_properties={}
 188         require_properties={}
 189         def __init__(self,w):
 190                 self.name=w[1]
 191                 self.properties={}
 192                 self.children={}
 193         def indent(self,w,t):
 194                 w.write("                 "[:t])
 195         def prop_out(self,n):
 196                 return self.allow_properties[n](n,str(self.properties[n]))
 197         def output_props(self,w,ind):
 198                 for i in self.properties.keys():
 199                         if self.allow_properties[i]:
 200                                 self.indent(w,ind)
 201                                 w.write("%s"%self.prop_out(i))
 202         def output_data(self,w,ind,np):
 203                 self.indent(w,ind)
 204                 w.write("%s {\n"%(self.name))
 205                 self.output_props(w,ind+2)
 206                 if self.depth==1: w.write("\n");
 207                 for c in self.children.values():
 208                         c.output_data(w,ind+2,np+self.name+"/")
 209                 self.indent(w,ind)
 210                 w.write("};\n")
 211
 212 class vpnlevel(level):
 213         "VPN level in the configuration hierarchy"
 214         depth=1
 215         leaf=0
 216         type="vpn"
 217         allow_properties=global_properties.copy()
 218         require_properties={
 219          'contact':"VPN admin contact address"
 220         }
 221         def __init__(self,w):
 222                 level.__init__(self,w)
 223         def output_vpnflat(self,w,ind,h):
 224                 "Output flattened list of site names for this VPN"
 225                 self.indent(w,ind)
 226                 w.write("%s {\n"%(self.name))
 227                 for i in self.children.keys():
 228                         self.children[i].output_vpnflat(w,ind+2,
 229                                 h+"/"+self.name+"/"+i)
 230                 w.write("\n")
 231                 self.indent(w,ind+2)
 232                 w.write("all-sites %s;\n"%
 233                         string.join(self.children.keys(),','))
 234                 self.indent(w,ind)
 235                 w.write("};\n")
 236
 237 class locationlevel(level):
 238         "Location level in the configuration hierarchy"
 239         depth=2
 240         leaf=0
 241         type="location"
 242         allow_properties=global_properties.copy()
 243         require_properties={
 244          'contact':"Location admin contact address",
 245         }
 246         def __init__(self,w):
 247                 level.__init__(self,w)
 248                 self.group=w[2]
 249         def output_vpnflat(self,w,ind,h):
 250                 self.indent(w,ind)
 251                 # The "h=h,self=self" abomination below exists because
 252                 # Python didn't support nested_scopes until version 2.1
 253                 w.write("%s %s;\n"%(self.name,string.join(
 254                         map(lambda x,h=h,self=self:
 255                                 h+"/"+x,self.children.keys()),',')))
 256
 257 class sitelevel(level):
 258         "Site level (i.e. a leafnode) in the configuration hierarchy"
 259         depth=3
 260         leaf=1
 261         type="site"
 262         allow_properties=global_properties.copy()
 263         allow_properties.update({
 264          'address':sp,
 265          'networks':None,
 266          'peer':None,
 267          'pubkey':(lambda n,v:"key %s;\n"%v),
 268          'address':(lambda n,v:"address %s;\n"%v),
 269          'mobile':sp,
 270         })
 271         require_properties={
 272          'dh':"Diffie-Hellman group",
 273          'contact':"Site admin contact address",
 274          'networks':"Networks claimed by the site",
 275          'hash':"hash function",
 276          'peer':"Gateway address of the site",
 277          'pubkey':"RSA public key of the site",
 278         }
 279         def __init__(self,w):
 280                 level.__init__(self,w)
 281         def output_data(self,w,ind,np):
 282                 self.indent(w,ind)
 283                 w.write("%s {\n"%(self.name))
 284                 self.indent(w,ind+2)
 285                 w.write("name \"%s\";\n"%(np+self.name))
 286                 self.output_props(w,ind+2)
 287                 self.indent(w,ind+2)
 288                 w.write("link netlink {\n");
 289                 self.indent(w,ind+4)
 290                 w.write("routes %s;\n"%str(self.properties["networks"]))
 291                 self.indent(w,ind+4)
 292                 w.write("ptp-address %s;\n"%str(self.properties["peer"]))
 293                 self.indent(w,ind+2)
 294                 w.write("};\n")
 295                 self.indent(w,ind)
 296                 w.write("};\n")
 297
 298 # Levels in the configuration file
 299 # (depth,properties)
 300 levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
 301
 302 # Reserved vpn/location/site names
 303 reserved={'all-sites':None}
 304 reserved.update(keywords)
 305 reserved.update(levels)
 306
 307 def complain(msg):
 308         "Complain about a particular input line"
 309         global complaints
 310         print ("%s line %d: "%(file,line))+msg
 311         complaints=complaints+1
 312 def moan(msg):
 313         "Complain about something in general"
 314         global complaints
 315         print msg;
 316         complaints=complaints+1
 317
 318 root=level(['root','root'])   # All vpns are children of this node
 319 obstack=[root]
 320 allow_defs=0   # Level above which new definitions are permitted
 321 prefix=''
 322
 323 def set_property(obj,w):
 324         "Set a property on a configuration node"
 325         if obj.properties.has_key(w[0]):
 326                 complain("%s %s already has property %s defined"%
 327                         (obj.type,obj.name,w[0]))
 328         else:
 329                 obj.properties[w[0]]=keywords[w[0]][0](w)
 330
 331 def pline(i,allow_include=False):
 332         "Process a configuration file line"
 333         global allow_defs, obstack, root
 334         w=string.split(i.rstrip('\n'))
 335         if len(w)==0: return [i]
 336         keyword=w[0]
 337         current=obstack[len(obstack)-1]
 338         if keyword=='end-definitions':
 339                 allow_defs=sitelevel.depth
 340                 obstack=[root]
 341                 return [i]
 342         if keyword=='include':
 343                 if not allow_include:
 344                         complain("include not permitted here")
 345                         return []
 346                 if len(w) != 2:
 347                         complain("include requires one argument")
 348                         return []
 349                 newfile=os.path.join(os.path.dirname(file),w[1])
 350                 return pfilepath(newfile,allow_include=allow_include)
 351         if levels.has_key(keyword):
 352                 # We may go up any number of levels, but only down by one
 353                 newdepth=levels[keyword].depth
 354                 currentdepth=len(obstack) # actually +1...
 355                 if newdepth<=currentdepth:
 356                         obstack=obstack[:newdepth]
 357                 if newdepth>currentdepth:
 358                         complain("May not go from level %d to level %d"%
 359                                 (currentdepth-1,newdepth))
 360                 # See if it's a new one (and whether that's permitted)
 361                 # or an existing one
 362                 current=obstack[len(obstack)-1]
 363                 if current.children.has_key(w[1]):
 364                         # Not new
 365                         current=current.children[w[1]]
 366                         if service and group and current.depth==2:
 367                                 if group!=current.group:
 368                                         complain("Incorrect group!")
 369                 else:
 370                         # New
 371                         # Ignore depth check for now
 372                         nl=levels[keyword](w)
 373                         if nl.depth<allow_defs:
 374                                 complain("New definitions not allowed at "
 375                                         "level %d"%nl.depth)
 376                                 # we risk crashing if we continue
 377                                 sys.exit(1)
 378                         current.children[w[1]]=nl
 379                         current=nl
 380                 obstack.append(current)
 381                 return [i]
 382         if current.allow_properties.has_key(keyword):
 383                 set_property(current,w)
 384                 return [i]
 385         else:
 386                 complain("Property %s not allowed at %s level"%
 387                         (keyword,current.type))
 388                 return []
 389
 390         complain("unknown keyword '%s'"%(keyword))
 391
 392 def pfilepath(pathname,allow_include=False):
 393         f=open(pathname)
 394         outlines=pfile(pathname,f.readlines(),allow_include=allow_include)
 395         f.close()
 396         return outlines
 397
 398 def pfile(name,lines,allow_include=False):
 399         "Process a file"
 400         global file,line
 401         file=name
 402         line=0
 403         outlines=[]
 404         for i in lines:
 405                 line=line+1
 406                 if (i[0]=='#'): continue
 407                 outlines += pline(i,allow_include=allow_include)
 408         return outlines
 409
 410 def outputsites(w):
 411         "Output include file for secnet configuration"
 412         w.write("# secnet sites file autogenerated by make-secnet-sites "
 413                 +"version %s\n"%VERSION)
 414         w.write("# %s\n"%time.asctime(time.localtime(time.time())))
 415         w.write("# Command line: %s\n\n"%string.join(sys.argv))
 416
 417         # Raw VPN data section of file
 418         w.write(prefix+"vpn-data {\n")
 419         for i in root.children.values():
 420                 i.output_data(w,2,"")
 421         w.write("};\n")
 422
 423         # Per-VPN flattened lists
 424         w.write(prefix+"vpn {\n")
 425         for i in root.children.values():
 426                 i.output_vpnflat(w,2,prefix+"vpn-data")
 427         w.write("};\n")
 428
 429         # Flattened list of sites
 430         w.write(prefix+"all-sites %s;\n"%string.join(
 431                 map(lambda x:"%svpn/%s/all-sites"%(prefix,x),
 432                         root.children.keys()),","))
 433
 434 # Are we being invoked from userv?
 435 service=0
 436 # If we are, which group does the caller want to modify?
 437 group=None
 438
 439 line=0
 440 file=None
 441 complaints=0
 442
 443 if len(sys.argv)<2:
 444         pfile("stdin",sys.stdin.readlines())
 445         of=sys.stdout
 446 else:
 447         if sys.argv[1]=='-u':
 448                 if len(sys.argv)!=6:
 449                         print "Wrong number of arguments"
 450                         sys.exit(1)
 451                 service=1
 452                 header=sys.argv[2]
 453                 groupfiledir=sys.argv[3]
 454                 sitesfile=sys.argv[4]
 455                 group=sys.argv[5]
 456                 if not os.environ.has_key("USERV_USER"):
 457                         print "Environment variable USERV_USER not found"
 458                         sys.exit(1)
 459                 user=os.environ["USERV_USER"]
 460                 # Check that group is in USERV_GROUP
 461                 if not os.environ.has_key("USERV_GROUP"):
 462                         print "Environment variable USERV_GROUP not found"
 463                         sys.exit(1)
 464                 ugs=os.environ["USERV_GROUP"]
 465                 ok=0
 466                 for i in string.split(ugs):
 467                         if group==i: ok=1
 468                 if not ok:
 469                         print "caller not in group %s"%group
 470                         sys.exit(1)
 471                 headerinput=pfilepath(header,allow_include=True)
 472                 userinput=sys.stdin.readlines()
 473                 pfile("user input",userinput)
 474         else:
 475                 if sys.argv[1]=='-P':
 476                         prefix=sys.argv[2]
 477                         sys.argv[1:3]=[]
 478                 if len(sys.argv)>3:
 479                         print "Too many arguments"
 480                         sys.exit(1)
 481                 pfilepath(sys.argv[1])
 482                 of=sys.stdout
 483                 if len(sys.argv)>2:
 484                         of=open(sys.argv[2],'w')
 485
 486 # Sanity check section
 487 # Delete nodes where leaf=0 that have no children
 488
 489 def live(n):
 490         "Number of leafnodes below node n"
 491         if n.leaf: return 1
 492         for i in n.children.keys():
 493                 if live(n.children[i]): return 1
 494         return 0
 495 def delempty(n):
 496         "Delete nodes that have no leafnode children"
 497         for i in n.children.keys():
 498                 delempty(n.children[i])
 499                 if not live(n.children[i]):
 500                         del n.children[i]
 501 delempty(root)
 502
 503 # Check that all constraints are met (as far as I can tell
 504 # restrict-nets/networks/peer are the only special cases)
 505
 506 def checkconstraints(n,p,ra):
 507         new_p=p.copy()
 508         new_p.update(n.properties)
 509         for i in n.require_properties.keys():
 510                 if not new_p.has_key(i):
 511                         moan("%s %s is missing property %s"%
 512                                 (n.type,n.name,i))
 513         for i in new_p.keys():
 514                 if not n.allow_properties.has_key(i):
 515                         moan("%s %s has forbidden property %s"%
 516                                 (n.type,n.name,i))
 517         # Check address range restrictions
 518         if n.properties.has_key("restrict-nets"):
 519                 new_ra=ra.intersection(n.properties["restrict-nets"].set)
 520         else:
 521                 new_ra=ra
 522         if n.properties.has_key("networks"):
 523                 if not n.properties["networks"].set <= new_ra:
 524                         moan("%s %s networks out of bounds"%(n.type,n.name))
 525                 if n.properties.has_key("peer"):
 526                         if not n.properties["networks"].set.contains(
 527                                 n.properties["peer"].addr):
 528                                 moan("%s %s peer not in networks"%(n.type,n.name))
 529         for i in n.children.keys():
 530                 checkconstraints(n.children[i],new_p,new_ra)
 531
 532 checkconstraints(root,{},ipaddrset.complete_set())
 533
 534 if complaints>0:
 535         if complaints==1: print "There was 1 problem."
 536         else: print "There were %d problems."%(complaints)
 537         sys.exit(1)
 538
 539 if service:
 540         # Put the user's input into their group file, and rebuild the main
 541         # sites file
 542         f=open(groupfiledir+"/T"+group,'w')
 543         f.write("# Section submitted by user %s, %s\n"%
 544                 (user,time.asctime(time.localtime(time.time()))))
 545         f.write("# Checked by make-secnet-sites version %s\n\n"%VERSION)
 546         for i in userinput: f.write(i)
 547         f.write("\n")
 548         f.close()
 549         os.rename(groupfiledir+"/T"+group,groupfiledir+"/R"+group)
 550         f=open(sitesfile+"-tmp",'w')
 551         f.write("# sites file autogenerated by make-secnet-sites\n")
 552         f.write("# generated %s, invoked by %s\n"%
 553                 (time.asctime(time.localtime(time.time())),user))
 554         f.write("# use make-secnet-sites to turn this file into a\n")
 555         f.write("# valid /etc/secnet/sites.conf file\n\n")
 556         for i in headerinput: f.write(i)
 557         files=os.listdir(groupfiledir)
 558         for i in files:
 559                 if i[0]=='R':
 560                         j=open(groupfiledir+"/"+i)
 561                         f.write(j.read())
 562                         j.close()
 563         f.write("# end of sites file\n")
 564         f.close()
 565         os.rename(sitesfile+"-tmp",sitesfile)
 566 else:
 567         outputsites(of)