X-Git-Url: https://git.ralfj.de/zonemaker.git/blobdiff_plain/52e3737d003bf4b1eda5d213254e397c0a85a37a..13758adbef009bf1c9e0890d78ac9f368a48c7b4:/zonemaker/zone.py diff --git a/zonemaker/zone.py b/zonemaker/zone.py index 15add06..b543d31 100644 --- a/zonemaker/zone.py +++ b/zonemaker/zone.py @@ -1,6 +1,32 @@ -import re -from ipaddress import IPv4Address, IPv6Address -from typing import List, Dict, Any, Iterator, Tuple, Sequence +# Copyright (c) 2014, Ralf Jung +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are met: +# +# 1. Redistributions of source code must retain the above copyright notice, this +# list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR +# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# The views and conclusions contained in the software and documentation are those +# of the authors and should not be interpreted as representing official policies, +# either expressed or implied, of the FreeBSD Project. + +import re, datetime +#from typing import * second = 1 @@ -9,17 +35,43 @@ hour = 60*minute day = 24*hour week = 7*day -TCP = 'tcp' -UDP = 'udp' +REGEX_label = r'[a-zA-Z90-9]([a-zA-Z90-9-]{0,61}[a-zA-Z90-9])?' # max. 63 characters; must not start or end with hyphen +REGEX_ipv4 = r'^\d{1,3}(\.\d{1,3}){3}$' +REGEX_ipv6 = r'^[a-fA-F0-9]{1,4}(:[a-fA-F0-9]{1,4}){7}$' + +def check_label(label: str) -> str: + label = str(label) + pattern = r'^{0}$'.format(REGEX_label) + if re.match(pattern, label): + return label + raise Exception(label+" is not a valid label") def check_hostname(name: str) -> str: + name = str(name) # check hostname for validity - label = r'[a-zA-Z90-9]([a-zA-Z90-9-]{0,61}[a-zA-Z90-9])?' # must not start or end with hyphen - pattern = r'^{0}(\.{0})*\.?'.format(label) + pattern = r'^{0}(\.{0})*\.?$'.format(REGEX_label) if re.match(pattern, name): return name raise Exception(name+" is not a valid hostname") +def check_hex(data: str) -> str: + data = str(data) + if re.match('^[a-fA-F0-9]+$', data): + return data + raise Exception(data+" is not valid hex data") + +def check_ipv4(address: str) -> str: + address = str(address) + if re.match(REGEX_ipv4, address): + return address + raise Exception(address+" is not a valid IPv4 address") + +def check_ipv6(address: str) -> str: + address = str(address) + if re.match(REGEX_ipv6, address): + return address + raise Exception(address+" is not a valid IPv6 address") + def time(time: int) -> str: if time == 0: return "0" @@ -34,7 +86,7 @@ def time(time: int) -> str: else: return str(time) -def column_widths(datas: Sequence, widths: Sequence[int]): +def column_widths(datas: 'Sequence', widths: 'Sequence[int]'): assert len(datas) == len(widths)+1, "There must be as one more data points as widths" result = "" width_sum = 0 @@ -47,20 +99,33 @@ def column_widths(datas: Sequence, widths: Sequence[int]): return result+str(datas[-1]) +## Enums +class Protocol: + TCP = 'tcp' + UDP = 'udp' + +class Algorithm: + RSA_SHA256 = 8 + +class Digest: + SHA1 = 1 + SHA256 = 2 + + ## Record types class A: def __init__(self, address: str) -> None: - self._address = IPv4Address(address) + self._address = check_ipv4(address) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': return zone.RR(owner, 'A', self._address) class AAAA: def __init__(self, address: str) -> None: - self._address = IPv6Address(address) + self._address = check_ipv6(address) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': return zone.RR(owner, 'AAAA', self._address) @@ -69,40 +134,57 @@ class MX: self._priority = int(prio) self._name = check_hostname(name) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': return zone.RR(owner, 'MX', '{0} {1}'.format(self._priority, zone.abs_hostname(self._name))) class SRV: def __init__(self, protocol: str, service: str, name: str, port: int, prio: int, weight: int) -> None: - self._service = str(service) - self._protocol = str(protocol) + self._service = check_label(service) + self._protocol = check_label(protocol) self._priority = int(prio) self._weight = int(weight) self._port = int(port) self._name = check_hostname(name) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': return zone.RR('_{0}._{1}.{2}'.format(self._service, self._protocol, owner), 'SRV', '{0} {1} {2} {3}'.format(self._priority, self._weight, self._port, zone.abs_hostname(self._name))) class TLSA: - def __init__(self, protocol: str, port: int, key: str) -> None: - # TODO: fix key stuff + class Usage: + CA = 0 # certificate must pass the usual CA check, with the CA specified by the TLSA record + EndEntity_PlusCAs = 1 # the certificate must match the TLSA record *and* pass the usual CA check + TrustAnchor = 2 # the certificate must pass a check with the TLSA record giving the (only) trust anchor + EndEntity = 3 # the certificate must match the TLSA record + + class Selector: + Full = 0 + SubjectPublicKeyInfo = 1 + + class MatchingType: + Exact = 0 + SHA256 = 1 + SHA512 = 2 + + def __init__(self, protocol: str, port: int, usage: int, selector: int, matching_type: int, data: str) -> None: self._port = int(port) self._protocol = str(protocol) - self._key = str(key) + self._usage = int(usage) + self._selector = int(selector) + self._matching_type = int(matching_type) + self._data = check_hex(data) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: - return zone.RR('_{0}._{1}.{2}'.format(self._port, self._protocol, owner), 'TLSA', self._key) + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': + return zone.RR('_{0}._{1}.{2}'.format(self._port, self._protocol, owner), 'TLSA', '{0} {1} {2} {3}'.format(self._usage, self._selector, self._matching_type, self._data)) class CNAME: def __init__(self, name: str) -> None: self._name = check_hostname(name) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': return zone.RR(owner, 'CNAME', zone.abs_hostname(self._name)) @@ -110,24 +192,26 @@ class NS: def __init__(self, name: str) -> None: self._name = check_hostname(name) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': return zone.RR(owner, 'NS', zone.abs_hostname(self._name)) class DS: - def __init__(self, key: str) -> None: - # TODO: fix key stuff - self._key = str(key) + def __init__(self, tag: int, alg: int, digest: int, key: str) -> None: + self._tag = int(tag) + self._key = check_hex(key) + self._alg = int(alg) + self._digest = int(digest) - def generate_rr(self, owner: str, zone: 'Zone') -> Any: - return zone.RR(owner, 'DS', self._key) + def generate_rr(self, owner: str, zone: 'Zone') -> 'Any': + return zone.RR(owner, 'DS', '{0} {1} {2} {3}'.format(self._tag, self._alg, self._digest, self._key)) ## Higher-level classes class Name: - def __init__(self, *records: List[Any]) -> None: + def __init__(self, *records: 'List[Any]') -> None: self._records = records - def generate_rrs(self, owner: str, zone: 'Zone') -> Iterator: + def generate_rrs(self, owner: str, zone: 'Zone') -> 'Iterator': for record in self._records: # this could still be a list if isinstance(record, list): @@ -141,52 +225,43 @@ def CName(name: str) -> Name: return Name(CNAME(name)) -def Delegation(name: str, key: str = None) -> Name: - records = [NS(name)] - if key is not None: - records.append(DS(key)) - return Name(*records) +def Delegation(name: str) -> Name: + return Name(NS(name)) + + +def SecureDelegation(name: str, tag: int, alg: int, digest: int, key: str) -> Name: + return Name(NS(name), DS(tag, alg, digest, key)) class Zone: - def __init__(self, name: str, serialfile: str, dbfile: str, mail: str, NS: List[str], + def __init__(self, name: str, serialfile: str, mail: str, NS: 'List[str]', TTLs: 'Dict[str, int]', secondary_refresh: int, secondary_retry: int, secondary_expire: int, - NX_TTL: int = None, A_TTL: int = None, other_TTL: int = None, - domains: Dict[str, Any] = {}) -> None: - self._serialfile = serialfile - self._dbfile = dbfile - + domains: 'Dict[str, Any]') -> None: if not name.endswith('.'): raise Exception("Expected an absolute hostname") self._name = check_hostname(name) + self._serialfile = serialfile + if not mail.endswith('.'): raise Exception("Mail must be absolute, end with a dot") atpos = mail.find('@') if atpos < 0 or atpos > mail.find('.'): raise Exception("Mail must contain an @ before the first dot") self._mail = check_hostname(mail.replace('@', '.', 1)) self._NS = list(map(check_hostname, NS)) + if '' not in TTLs: raise Exception("Must give a default TTL with empty key") + self._TTLs = TTLs self._refresh = secondary_refresh self._retry = secondary_retry self._expire = secondary_expire - if other_TTL is None: raise Exception("Must give other_TTL") - self._NX_TTL = NX_TTL - self._A_TTL = self._AAAA_TTL = A_TTL - self._other_TTL = other_TTL - self._domains = domains + def getTTL(self, recordType: str) -> str: + return self._TTLs.get(recordType, self._TTLs['']) + def RR(self, owner: str, recordType: str, data: str) -> str: '''generate given RR, in textual representation''' assert re.match(r'^[A-Z]+$', recordType), "got invalid record type" - # figure out TTL - attrname = "_"+recordType+"_TTL" - TTL = None # type: int - if hasattr(self, attrname): - TTL = getattr(self, attrname) - if TTL is None: - TTL = self._other_TTL - # be done - return column_widths((self.abs_hostname(owner), time(TTL), recordType, data), (32, 8, 8)) + return column_widths((self.abs_hostname(owner), time(self.getTTL(recordType)), recordType, data), (32, 8, 8)) def abs_hostname(self, name): if name == '.' or name == '@': @@ -201,7 +276,7 @@ class Zone: try: with open(self._serialfile) as f: cur_serial = int(f.read()) - except FileNotFoundError: + except (OSError, IOError): # FileNotFoundError has been added in Python 3.3 pass # increment serial cur_serial += 1 @@ -211,15 +286,15 @@ class Zone: # be done return cur_serial - def generate_rrs(self) -> Iterator: + def generate_rrs(self) -> 'Iterator': # SOA record serial = self.inc_serial() yield self.RR(self._name, 'SOA', - ('{NS} {mail} ({serial} {refresh} {retry} {expire} {NX_TTL}) ; '+ - '(serial refresh retry expire NX_TTL)').format( + ('{NS} {mail} {serial} {refresh} {retry} {expire} {NX_TTL}'+ + ' ; primns mail serial refresh retry expire NX_TTL').format( NS=self.abs_hostname(self._NS[0]), mail=self._mail, serial=serial, refresh=time(self._refresh), retry=time(self._retry), expire=time(self._expire), - NX_TTL=time(self._NX_TTL)) + NX_TTL=time(self.getTTL('NX'))) ) # NS records for name in self._NS: @@ -230,7 +305,6 @@ class Zone: yield rr def write(self) -> None: - with open(self._dbfile, 'w') as f: - for rr in self.generate_rrs(): - f.write(rr+"\n") - print(rr) + print(";; {0} zone file, generated by zonemaker on {1}".format(self._name, datetime.datetime.now())) + for rr in self.generate_rrs(): + print(rr)