3 9Pe2g@s:ddlZddljZddljZddlTddlmZGdddZGdddZGdd d e Z Gd d d Z e d kr6ddl Z e jd dkree jdZejZejed dZejenxe jd dkr6y4e e jddddZeejdeejdWn2e k r4ZzeejdWYddZ[XnXdS)N)*)copyc @seZdZd3Zed4ZiZdZdZdZdZ dZ ddZ ddZ d d!Z d"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2S)5 PolicyLexPOLICYALGORITHM_POLICYZONE ALGORITHM DIRECTORYKEYTTLKEY_SIZE ROLL_PERIOD PRE_PUBLISH POST_PUBLISHCOVERAGESTANDBYNONE DATESUFFIXKEYTYPEALGNAMESTRQSTRINGNUMBERLBRACERBRACESEMIz z (//|\#).*z\{z\};cCs|jj|jjd7_dS)z\n+ N)lexerlinenovaluecount)selftr#/usr/lib/python3.6/policy.py t_newline7szPolicyLex.t_newlinecCs|jj|jjd7_dS)z/\*(.|\n)*?\*/rN)rrrr )r!r"r#r#r$ t_comment;szPolicyLex.t_commentcCstjd|jjdj|_|S)z(?i)(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\bz(?i)(y|mo|w|d|h|mi|s)([a-z]*))rematchrgrouplower)r!r"r#r#r$ t_DATESUFFIX?szPolicyLex.t_DATESUFFIXcCs|jj|_|S)z(?i)\b(KSK|ZSK)\b)rupper)r!r"r#r#r$ t_KEYTYPEDs zPolicyLex.t_KEYTYPEcCs|jj|_|S)z(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b)rr-)r!r"r#r#r$ t_ALGNAMEIs zPolicyLex.t_ALGNAMEcCs|jj|jd|_|S)z[A-Za-z._-][\w._-]*r) reserved_mapgetrtype)r!r"r#r#r$t_STRNszPolicyLex.t_STRcCs&|jj|jd|_|jdd|_|S)z"([^"\n]|(\\"))*"rr')r0r1rr2)r!r"r#r#r$ t_QSTRINGSszPolicyLex.t_QSTRINGcCst|j|_|S)z\d+)intr)r!r"r#r#r$t_NUMBERYs zPolicyLex.t_NUMBERcCs"td|jd|jjddS)NzIllegal character '%s'rr')printrrskip)r!r"r#r#r$t_error^szPolicyLex.t_errorcKsbdttkrtjdd}n tdd}x"|jD]}||j|jj|<q,Wtjfd|i||_dS)N maketrans_-object) dirstrr;reservedr0r+ translatelexr)r!kwargsZtransrr#r#r$__init__bs    zPolicyLex.__init__cCs.|jj|x|jj}|sPt|qWdS)N)rinputtokenr8)r!textr"r#r#r$testks   zPolicyLex.testN) rrrrr r r r r rrrr) rrrrrrrrr)__name__ __module__ __qualname__rAtokensr0Zt_ignoreZt_ignore_olcommentZt_LBRACEZt_RBRACEZt_SEMIr%r&r,r.r/r3r5r7r:rFrJr#r#r#r$rsN rc @seZdZdZdZdZdZdZdZdZ dZ dZ dZ dZ dZdZdZdZdZddgddgddgddgddgddgddgdddddd ZdddZd d Zd d Zd dZddZddZdS)PolicyFNiii) DSANSEC3DSARSAMD5RSASHA1 NSEC3RSASHA1 RSASHA256 RSASHA512ECCGOSTECDSAP256SHA256ECDSAP384SHA384ED25519ED448cCs||_||_||_dS)N)name algorithmparent)r!r\r]r^r#r#r$rFszPolicy.__init__cCsFd|jr dp"|jrdp"|jr dp"d|jp*d|jr8|jjp:d|jrRdt|jdpTd|jp\d|jrlt|jpnd|j r~t|j pd|j rt|j pd|j rt|j pd|j rt|j pd|j rt|j pd|jrt|jpd|jrt|jpd|jrt|jpd|jrt|jpd|jr(t|jp*d|jr>t|jp@dfS) Na%spolicy %s: inherits %s directory %s algorithm %s coverage %s ksk_keysize %s zsk_keysize %s ksk_rollperiod %s zsk_rollperiod %s ksk_prepublish %s ksk_postpublish %s zsk_prepublish %s zsk_postpublish %s ksk_standby %s zsk_standby %s keyttl %s z constructed zzone z algorithm ZUNKNOWNNone")is_constructedis_zoneis_algr\r^ directoryr@r]coverage ksk_keysize zsk_keysizeksk_rollperiodzsk_rollperiodksk_prepublishksk_postpublishzsk_prepublishzsk_postpublish ksk_standby zsk_standbykeyttl)r!r#r#r$__repr__s(   zPolicy.__repr__cCs |d|ko|dkSS)Nrr'r#)r!Zkey_sizeZ size_ranger#r#r$Z __verify_sizeszPolicy.__verify_sizecCs|jS)N)r\)r!r#r#r$get_nameszPolicy.get_namecCs|jS)N)rb)r!r#r#r$ constructedszPolicy.constructedcCs$|jr:|jdk r:|j|jkr:t|jdd|j|jffS|jrj|jdk rj|j|jkrjdd|j|jffS|jr|jdk r|j|jkrdd|j|jffS|jr|jdk r|j|jkrdd|j|jffS|jo|jo|jo|j|j|jkrdd|j|j|jffS|jrL|jrL|jrL|j|j|jkrLdd|j|j|jffS|jdk r |jj |j}|dk r|j |j |sdd |j |ffS|j |j |sdd |j |ffS|jdkr|j ddkrdd|j fS|jdkr|j ddkrdd|j fS|jd kr d|_ d|_ d!S)"zr Check if the values in the policy make sense :return: True/False if the policy passes validation NFz6KSK pre-publish period (%d) exceeds rollover period %dz7KSK post-publish period (%d) exceeds rollover period %dz6ZSK pre-publish period (%d) exceeds rollover period %dz7ZSK post-publish period (%d) exceeds rollover period %dz%KSK pre/post-publish periods (%d/%d) z"combined exceed rollover period %dz%ZSK pre/post-publish periods (%d/%d) z&KSK key size %d outside valid range %sz&ZSK key size %d outside valid range %srPrQ@rz$KSK key size %d not divisible by 64 zas required for DSAz$ZSK key size %d not divisible by 64 rWrXrYrZr[Tr_zGKSK pre/post-publish periods (%d/%d) combined exceed rollover period %dzGZSK pre/post-publish periods (%d/%d) combined exceed rollover period %d)rPrQz7KSK key size %d not divisible by 64 as required for DSA)rPrQz7ZSK key size %d not divisible by 64 as required for DSA)rWrXrYrZr[)Tr_) rirkr8rlrjrmrnr]valid_key_sz_per_algor1_Policy__verify_sizergrh)r!Z key_sz_ranger#r#r$validates                  zPolicy.validate)NNN)rKrLrMrcrdrbrirjrkrmrlrnrgrhrorprqrfrervrFrrrwrsrtrxr#r#r#r$rOvsD &rOc@s eZdZdS)PolicyExceptionN)rKrLrMr#r#r#r$ry)sryc@s.eZdZiZiZiZdZdZdZdEddZ ddZ ddZ d d Z d d Z d dZddZddZddZddZddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Z d3d4Z!d5d6Z"d7d8Z#d9d:Z$d;d<Z%d=d>Z&d?d@Z'dAdBZ(dCdDZ)dS)F dnssec_policyNTcKst|_|jj|_d|kr"d|d<d|kr2d|d<tjfd|i||_|jdt}d|_d|_d|_ d|_ t ||j d<d|j d_d|j d_ d |j d_ t ||j d <d |j d _d |j d _ d |j d _ t ||j d <d |j d _d |j d _ t ||j d <d |j d _d |j d _ t ||j d <d |j d _d |j d _ t ||j d<d|j d_d|j d_ t ||j d<d|j d_d|j d_ t ||j d<d|j d_d|j d_ t ||j d<d|j d_d|j d_ d|j d_ d|j d_ t ||j d<d|j d_d|j d_ d|j d_ d|j d_ t ||j d<d|j d_d|j d_ d|j d_ d|j d_ t ||j d<d|j d_d|j d_ d|j d_ d|j d_ |r|j|dS)NdebugF write_tablesmoduleapolicy global { algorithm rsasha256; key-size ksk 2048; key-size zsk 2048; roll-period ksk 0; roll-period zsk 1y; pre-publish ksk 1mo; pre-publish zsk 1mo; post-publish ksk 1mo; post-publish zsk 1mo; standby ksk 0; standby zsk 0; keyttl 1h; coverage 6mo; }; policy default { policy global; };TirPirQrRrSrTrUrVrWrXrYrZr[)rplexrNyaccparsersetuprOr]rdrgrhr alg_policyr\load)r!filenamerDpr#r#r$rF4s|                                    zdnssec_policy.__init__c CsH||_d|_t|$}|j}d|jj_|jj|WdQRXd|_dS)NTr) rinitialopenreadr~rrrparse)r!rfrIr#r#r$rs  zdnssec_policy.loadcCs d|_d|jj_|jj|dS)NTr)rr~rrrr)r!rIr#r#r$rs zdnssec_policy.setupc Ks`|j}d}||jkr |j|}|dkrBt|jd}||_d|_|jdkr|jpZ|jd}x|rr|j rr|j}q^W|r~|jpd|_|j|jkr|j|j}nt d|j dkr|jp|jd}x|dk r|j r|j}qW|o|j |_ |j dkr:|jp|jd}x|r"|j r"|j}qW|r2|j p6|j |_ |j dkr|jpV|jd}x|jrv|j rv|j}qZW|r|j p|j |_ |j dkr|jp|jd}x|jr|j r|j}qW|r|j p|j |_ |jdkr6|jp|jd}x|jr|j r|j}qW|r.|jp2|j|_|jdkr|jpR|jd}x|jrr|j rr|j}qVW|r|jp|j|_|jdkr|jp|jd}x|jr|j r|j}qW|r|jp|j|_|jdkr2|jp|jd}x|jr|j r|j}qW|r*|jp.|j|_|jdkr|jpN|jd}x|jrn|j rn|j}qRW|r~|jp|j|_|jdkr|jp|jd}x|jr|j r|j}qW|r|jp|j|_|jdkr(|jp|jd}x |dk r|j r|j}qW|o$|j|_d|ks>|d r\|j\}}|s\t |dS|S)NdefaultTzalgorithm not foundZ novalidate)r+ zone_policyr named_policyr\rbr]r^rryrerfrgrhrirjrkrmrlrnrqrx) r!ZzonerDzrr^ZapZvalidmsgr#r#r$policys                             zdnssec_policy.policycCsdS)zBpolicylist : init policy | policylist policyNr#)r!rr#r#r$ p_policylist szdnssec_policy.p_policylistcCs d|_dS)zinit :FN)r)r!rr#r#r$p_initszdnssec_policy.p_initcCsdS)zTpolicy : alg_policy | zone_policy | named_policyNr#)r!rr#r#r$p_policyszdnssec_policy.p_policycCs|d|d<dS)zAname : STR | KEYTYPE | DATESUFFIXr'rNr#)r!rr#r#r$p_names zdnssec_policy.p_namecCs,|dj|d<tjd|ds(tddS)zcdomain : STR | QSTRING | KEYTYPE | DATESUFFIXr'rz^[\w.-][\w.-]*$zinvalid domainN)stripr(r)ry)r!rr#r#r$p_domain szdnssec_policy.p_domaincCs t|_dS)z new_policy :N)rOcurrent)r!rr#r#r$ p_new_policy*szdnssec_policy.p_new_policycCs(|d|j_d|j_|j|j|d<dS)zFalg_policy : ALGORITHM_POLICY ALGNAME new_policy alg_option_group SEMITN)rr\rdr)r!rr#r#r$ p_alg_policy.s zdnssec_policy.p_alg_policycCs8|djd|j_d|j_|j|j|djdj<dS)z=zone_policy : ZONE domain new_policy policy_option_group SEMIr.TN)rstriprr\rcrr+)r!rr#r#r$ p_zone_policy5szdnssec_policy.p_zone_policycCs$|d|j_|j|j|dj<dS)z>named_policy : POLICY name new_policy policy_option_group SEMIrN)rr\rr+)r!rr#r#r$p_named_policy<s zdnssec_policy.p_named_policycCs|d|d<dS)zduration : NUMBERr'rNr#)r!rr#r#r$ p_duration_1Bs zdnssec_policy.p_duration_1cCs d|d<dS)zduration : NONENrr#)r!rr#r#r$ p_duration_2Gszdnssec_policy.p_duration_2cCs|ddkr|dd|d<n|ddkr<|dd|d<n|ddkrZ|dd |d<n||dd krx|dd |d<n^|dd kr|dd |d<n@|ddkr|dd|d<n"|ddkr|d|d<ntddS)zduration : NUMBER DATESUFFIXryr'i3rmoi'wi: diQhiZmi<szinvalid durationN)ry)r!rr#r#r$ p_duration_3Ls       zdnssec_policy.p_duration_3cCsdS)z6policy_option_group : LBRACE policy_option_list RBRACENr#)r!rr#r#r$p_policy_option_group_sz#dnssec_policy.p_policy_option_groupcCsdS)zmpolicy_option_list : policy_option SEMI | policy_option_list policy_option SEMINr#)r!rr#r#r$p_policy_option_listcsz"dnssec_policy.p_policy_option_listcCsdS)apolicy_option : parent_option | directory_option | coverage_option | rollperiod_option | prepublish_option | postpublish_option | keysize_option | algorithm_option | keyttl_option | standby_optionNr#)r!rr#r#r$p_policy_optionhs zdnssec_policy.p_policy_optioncCsdS)z0alg_option_group : LBRACE alg_option_list RBRACENr#)r!rr#r#r$p_alg_option_groupusz dnssec_policy.p_alg_option_groupcCsdS)z^alg_option_list : alg_option SEMI | alg_option_list alg_option SEMINr#)r!rr#r#r$p_alg_option_listyszdnssec_policy.p_alg_option_listcCsdS)aalg_option : coverage_option | rollperiod_option | prepublish_option | postpublish_option | keyttl_option | keysize_option | standby_optionNr#)r!rr#r#r$ p_alg_option~szdnssec_policy.p_alg_optioncCs|j|dj|j_dS)zparent_option : POLICY namerN)rr+rr^)r!rr#r#r$p_parent_optionszdnssec_policy.p_parent_optioncCs|d|j_dS)z$directory_option : DIRECTORY QSTRINGrN)rre)r!rr#r#r$p_directory_optionsz dnssec_policy.p_directory_optioncCs|d|j_dS)z#coverage_option : COVERAGE durationrN)rrf)r!rr#r#r$p_coverage_optionszdnssec_policy.p_coverage_optioncCs*|ddkr|d|j_n |d|j_dS)z0rollperiod_option : ROLL_PERIOD KEYTYPE durationrKSKN)rrirj)r!rr#r#r$p_rollperiod_options z!dnssec_policy.p_rollperiod_optioncCs*|ddkr|d|j_n |d|j_dS)z0prepublish_option : PRE_PUBLISH KEYTYPE durationrrrN)rrkrm)r!rr#r#r$p_prepublish_options z!dnssec_policy.p_prepublish_optioncCs*|ddkr|d|j_n |d|j_dS)z2postpublish_option : POST_PUBLISH KEYTYPE durationrrrN)rrlrn)r!rr#r#r$p_postpublish_options z"dnssec_policy.p_postpublish_optioncCs*|ddkr|d|j_n |d|j_dS)z(keysize_option : KEY_SIZE KEYTYPE NUMBERrrrN)rrgrh)r!rr#r#r$p_keysize_options zdnssec_policy.p_keysize_optioncCs*|ddkr|d|j_n |d|j_dS)z'standby_option : STANDBY KEYTYPE NUMBERrrrN)rrorp)r!rr#r#r$p_standby_options zdnssec_policy.p_standby_optioncCs|d|j_dS)zkeyttl_option : KEYTTL durationrN)rrq)r!rr#r#r$p_keyttl_optionszdnssec_policy.p_keyttl_optioncCs|d|j_dS)z$algorithm_option : ALGORITHM ALGNAMErN)rr])r!rr#r#r$p_algorithm_optionsz dnssec_policy.p_algorithm_optioncCsd|r.td|jpd|jrdnd|j|jfn2|js`td|jp@d|jrJdnd|rV|jpXdfdS)Nz%s%s%d:syntax error near '%s'r_:z%s%s%d:unexpected end of inputr)r8rrrrry)r!rr#r#r$p_errorszdnssec_policy.p_error)N)*rKrLrMrrrrrrrFrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr#r#r#r$rz,sN _ h   rz__main__r'rCr)r{rT)r|r{rznonexistent.zone)r(Zply.lexrCZply.yaccrstringrrrO ExceptionryrzrKsysargvrfilerrIcloser~rJZppr8rreargsr#r#r#r$ s6   `4!