sys.path.insert(1,"/usr/local/share/secnet")
sys.path.insert(1,"/usr/share/secnet")
import ipaddrset
+import base91
from argparseactionnoyes import ActionNoYes
VERSION="0.1.18"
+max_version = 1
+
from sys import version_info
if version_info.major == 2: # for python2
import codecs
max={'rsa_bits':8200,'name':33,'dh_bits':8200}
+def debugrepr(*args):
+ if debug_level > 0:
+ print(repr(args), file=sys.stderr)
+
+def base91s_encode(bindata):
+ return base91.encode(bindata).replace('"',"-")
+
+def base91s_decode(string):
+ return base91.decode(string.replace("-",'"'))
+
class Tainted:
def __init__(self,s,tline=None,tfile=None):
self._s=s
assert(self._ok is not True)
self._ok=False
complain('bad parameter: %s: %s' % (what, why))
- return self
+ return False
def _max_ok(self,what,maxlen):
if len(self._s) > maxlen:
- self._bad(what,'too long (max %d)' % maxlen)
- return self
+ return self._bad(what,'too long (max %d)' % maxlen)
+ return True
def _re_ok(self,bad,what,maxlen=None):
if maxlen is None: maxlen=max[what]
self._max_ok(what,maxlen)
- if self._ok is False: return self
- if bad.search(self._s): return self._bad(what,'bad syntax')
- return self
+ if self._ok is False: return False
+ if bad.search(self._s):
+ #print(repr(self), file=sys.stderr)
+ return self._bad(what,'bad syntax')
+ return True
def _rtnval(self, is_ok, ifgood, ifbad=''):
if is_ok:
bad_name=re.compile(r'^[^a-zA-Z]|[^-_0-9a-zA-Z]')
# secnet accepts _ at start of names, but we reserve that
bad_name_counter=0
- def name(self):
- ok=self._re_ok(Tainted.bad_name,'name')
+ def name(self,what='name'):
+ ok=self._re_ok(Tainted.bad_name,what)
return self._rtn(ok,
'_line%d_%s' % (self._line, id(self)))
% (minn,maxx))
return self._rtnval(ok,v,minn)
+ def hexid(self,byteslen,what):
+ ok=self._re_ok(Tainted.bad_hex,what,byteslen*2)
+ if ok:
+ if len(self._s) < byteslen*2:
+ ok=self._bad(what,'too short')
+ return self._rtn(ok,ifbad='00'*byteslen)
+
bad_host=re.compile(r'[^-\][_.:0-9a-zA-Z]')
# We permit _ so we can refer to special non-host domains
# which have A and AAAA RRs. This is a crude check and we may
ok=self._re_ok(Tainted.bad_groupname,'group name',64)
return self._rtn(ok)
+ bad_base91=re.compile(r'[^!-~]|[\'\"\\]')
+ def base91(self,what='base91'):
+ ok=self._re_ok(Tainted.bad_base91,what,4096)
+ return self._rtn(ok)
+
+class ArgActionLambda(argparse.Action):
+ def __init__(self, fn, **kwargs):
+ self.fn=fn
+ argparse.Action.__init__(self,**kwargs)
+ def __call__(self,ap,ns,values,option_string):
+ self.fn(values,ns,ap,option_string)
+
def parse_args():
global service
global inputfile
global header
global groupfiledir
global sitesfile
+ global outputfile
global group
global user
global of
+ global prefix
global key_prefix
+ global debug_level
+ global output_version
ap = argparse.ArgumentParser(description='process secnet sites files')
ap.add_argument('--userv', '-u', action='store_true',
ap.add_argument('--conf-key-prefix', action=ActionNoYes,
default=True,
help='prefix conf file key names derived from sites data')
+ ap.add_argument('--output-version', nargs=1, type=int,
+ help='sites file output version',
+ default=[max_version])
ap.add_argument('--prefix', '-P', nargs=1,
help='set prefix')
+ ap.add_argument('--debug', '-D', action='count', default=0)
ap.add_argument('arg',nargs=argparse.REMAINDER)
av = ap.parse_args()
- #print(repr(av), file=sys.stderr)
+ debug_level = av.debug
+ debugrepr('av',av)
service = 1 if av.userv else 0
+ prefix = '' if av.prefix is None else av.prefix[0]
key_prefix = av.conf_key_prefix
+ output_version = av.output_version[0]
if service:
if len(av.arg)!=4:
print("Wrong number of arguments")
print("Too many arguments")
sys.exit(1)
(inputfile, outputfile) = (av.arg + [None]*2)[0:2]
- if outputfile is None: of=sys.stdout
- else: of=open(outputfile,'w')
parse_args()
def add(self,obj,w):
complain("%s %s already has property %s defined"%
(obj.type,obj.name,w[0].raw()))
+ def forsites(self,version,copy,fs):
+ return copy
class conflist:
"A list of some kind of configuration type."
self.list.append(self.subtype(w))
def __str__(self):
return ', '.join(map(str, self.list))
+ def forsites(self,version,copy,fs):
+ most_recent=self.list[len(self.list)-1]
+ return most_recent.forsites(version,copy,fs)
def listof(subtype):
return lambda w: conflist(subtype, w)
def __str__(self):
return '%d'%(self.n)
+class serial (basetype):
+ def __init__(self,w):
+ self.i=w[1].hexid(4,'serial')
+ def __str__(self):
+ return self.i
+ def forsites(self,version,copy,fs):
+ if version < 2: return []
+ return copy
+
class address (basetype):
"A DNS name and UDP port number"
def __init__(self,w):
def __str__(self):
return '"%s"; port %d'%(self.adr,self.port)
-class rsakey (basetype):
+class pubkey (basetype):
+ "Some kind of publie key"
+
+class rsakey (pubkey):
"An RSA public key"
def __init__(self,w):
self.l=w[1].number(0,max['rsa_bits'],'rsa len')
def __str__(self):
return 'rsa-public("%s","%s")'%(self.e,self.n)
+def somepubkey(w):
+ if w[0]=='pubkey':
+ return rsakey(w)
+ else:
+ assert(False)
+
# Possible properties of configuration nodes
keywords={
'contact':(email,"Contact address"),
'renegotiate-time':(num,"Time after key setup to begin renegotiation (ms)"),
'restrict-nets':(networks,"Allowable networks"),
'networks':(networks,"Claimed networks"),
- 'pubkey':(rsakey,"RSA public site key"),
+ 'pubkey':(listof(somepubkey),"RSA public site key"),
'peer':(single_ipaddr,"Tunnel peer IP address"),
'address':(address,"External contact address and port"),
'mobile':(boolean,"Site is mobile"),
def prop_out(self,n):
return self.allow_properties[n](n,str(self.properties[n]))
def output_props(self,w,ind):
- for i in self.properties.keys():
+ for i in sorted(self.properties.keys()):
if self.allow_properties[i]:
self.indent(w,ind)
w.write("%s"%self.prop_out(i))
w.write("%s {\n"%(self.kname()))
self.output_props(w,ind+2)
if self.depth==1: w.write("\n");
- for c in self.children.values():
+ for k in sorted(self.children.keys()):
+ c=self.children[k]
c.output_data(w,path+(c,))
self.indent(w,ind)
w.write("};\n")
'address':sp,
'networks':None,
'peer':None,
- 'pubkey':(lambda n,v:"key %s;\n"%v),
+ 'pubkey':None,
'mobile':sp,
})
require_properties={
w.write("%s {\n"%(self.kname()))
self.indent(w,ind+2)
w.write("name \"%s\";\n"%(np,))
+ self.indent(w,ind+2)
+ w.write("key %s;\n"%str(self.properties["pubkey"].list[0]))
self.output_props(w,ind+2)
self.indent(w,ind+2)
w.write("link netlink {\n");
# (depth,properties)
levels={'vpn':vpnlevel, 'location':locationlevel, 'site':sitelevel}
-# Reserved vpn/location/site names
-reserved={'all-sites':None}
-reserved.update(keywords)
-reserved.update(levels)
-
def complain(msg):
"Complain about a particular input line"
- global complaints
- print(("%s line %d: "%(file,line))+msg)
- complaints=complaints+1
+ moan(("%s line %d: "%(file,line))+msg)
def moan(msg):
"Complain about something in general"
global complaints
print(msg);
+ if complaints is None: sys.exit(1)
complaints=complaints+1
class UntaintedRoot():
# All vpns are children of this node
obstack=[root]
allow_defs=0 # Level above which new definitions are permitted
-prefix=''
def set_property(obj,w):
"Set a property on a configuration node"
prop=w[0]
- if prop.raw() in obj.properties:
- obj.properties[prop.raw_mark_ok()].add(obj,w)
+ propname=prop.raw_mark_ok()
+ kw=keywords[propname]
+ if len(kw) >= 3: propname=kw[2] # for aliases
+ if propname in obj.properties:
+ obj.properties[propname].add(obj,w)
else:
- obj.properties[prop.raw()]=keywords[prop.raw_mark_ok()][0](w)
-
-
-def pline(il,allow_include=False):
+ obj.properties[propname]=kw[0](w)
+ return obj.properties[propname]
+
+class FilterState:
+ def __init__(self):
+ self.reset()
+ def reset(self):
+ # called when we enter a new node,
+ # in particular, at the start of each site
+ pass
+
+def pline(il,filterstate,allow_include=False):
"Process a configuration file line"
global allow_defs, obstack, root
w=il.rstrip('\n').split()
w=list([Tainted(x) for x in w])
keyword=w[0]
current=obstack[len(obstack)-1]
- copyout=lambda: [' '*len(obstack) +
- ' '.join([ww.output() for ww in w]) +
- '\n']
+ copyout_core=lambda: ' '.join([ww.output() for ww in w])
+ indent=' '*len(obstack)
+ copyout=lambda: [indent + copyout_core() + '\n']
if keyword=='end-definitions':
keyword.raw_mark_ok()
allow_defs=sitelevel.depth
sys.exit(1)
current.children[tname]=nl
current=nl
+ filterstate.reset()
obstack.append(current)
return copyout()
if keyword.raw() not in current.allow_properties:
complain("Not allowed to set VPN properties here")
return []
else:
- set_property(current,w)
- return copyout()
+ prop=set_property(current,w)
+ out=[copyout_core()]
+ out=prop.forsites(output_version,out,filterstate)
+ if len(out)==0: return [indent + '#', copyout_core(), '\n']
+ return [indent + ' '.join(out) + '\n']
complain("unknown keyword '%s'"%(keyword.raw()))
file=name
line=0
outlines=[]
+ filterstate = FilterState()
for i in lines:
line=line+1
if (i[0]=='#'): continue
- outlines += pline(i,allow_include=allow_include)
+ outlines += pline(i,filterstate,allow_include=allow_include)
return outlines
def outputsites(w):
f.close()
os.rename(sitesfile+"-tmp",sitesfile)
else:
+ if outputfile is None:
+ of=sys.stdout
+ else:
+ tmp_outputfile=outputfile+'~tmp~'
+ of=open(tmp_outputfile,'w')
outputsites(of)
+ if outputfile is not None:
+ os.rename(tmp_outputfile,outputfile)
~ianmdlvl / secnet.git / blobdiff