mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-03 20:40:08 -05:00
b3c7bd1c04
This patch is strictly the result of: $ black $(git ls-files '*.py' '*.py.in') There have been no manual changes.
761 lines
24 KiB
Python
761 lines
24 KiB
Python
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
|
#
|
|
# SPDX-License-Identifier: MPL-2.0
|
|
#
|
|
# This Source Code Form is subject to the terms of the Mozilla Public
|
|
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
|
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
|
#
|
|
# See the COPYRIGHT file distributed with this work for additional
|
|
# information regarding copyright ownership.
|
|
|
|
import re
|
|
import ply.lex as lex
|
|
import ply.yacc as yacc
|
|
from string import *
|
|
from copy import copy
|
|
|
|
|
|
############################################################################
|
|
# PolicyLex: a lexer for the policy file syntax.
|
|
############################################################################
|
|
class PolicyLex:
|
|
reserved = (
|
|
"POLICY",
|
|
"ALGORITHM_POLICY",
|
|
"ZONE",
|
|
"ALGORITHM",
|
|
"DIRECTORY",
|
|
"KEYTTL",
|
|
"KEY_SIZE",
|
|
"ROLL_PERIOD",
|
|
"PRE_PUBLISH",
|
|
"POST_PUBLISH",
|
|
"COVERAGE",
|
|
"STANDBY",
|
|
"NONE",
|
|
)
|
|
|
|
tokens = reserved + (
|
|
"DATESUFFIX",
|
|
"KEYTYPE",
|
|
"ALGNAME",
|
|
"STR",
|
|
"QSTRING",
|
|
"NUMBER",
|
|
"LBRACE",
|
|
"RBRACE",
|
|
"SEMI",
|
|
)
|
|
reserved_map = {}
|
|
|
|
t_ignore = " \t"
|
|
t_ignore_olcomment = r"(//|\#).*"
|
|
|
|
t_LBRACE = r"\{"
|
|
t_RBRACE = r"\}"
|
|
t_SEMI = r";"
|
|
|
|
def t_newline(self, t):
|
|
r"\n+"
|
|
t.lexer.lineno += t.value.count("\n")
|
|
|
|
def t_comment(self, t):
|
|
r"/\*(.|\n)*?\*/"
|
|
t.lexer.lineno += t.value.count("\n")
|
|
|
|
def t_DATESUFFIX(self, t):
|
|
r"(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\b"
|
|
t.value = (
|
|
re.match(r"(y|mo|w|d|h|mi|s)([a-z]*)", t.value, re.IGNORECASE)
|
|
.group(1)
|
|
.lower()
|
|
)
|
|
return t
|
|
|
|
def t_KEYTYPE(self, t):
|
|
r"\b(KSK|ZSK)\b"
|
|
t.value = t.value.upper()
|
|
return t
|
|
|
|
def t_ALGNAME(self, t):
|
|
r"\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b"
|
|
t.value = t.value.upper()
|
|
return t
|
|
|
|
def t_STR(self, t):
|
|
r"[A-Za-z._-][\w._-]*"
|
|
t.type = self.reserved_map.get(t.value, "STR")
|
|
return t
|
|
|
|
def t_QSTRING(self, t):
|
|
r'"([^"\n]|(\\"))*"'
|
|
t.type = self.reserved_map.get(t.value, "QSTRING")
|
|
t.value = t.value[1:-1]
|
|
return t
|
|
|
|
def t_NUMBER(self, t):
|
|
r"\d+"
|
|
t.value = int(t.value)
|
|
return t
|
|
|
|
def t_error(self, t):
|
|
print("Illegal character '%s'" % t.value[0])
|
|
t.lexer.skip(1)
|
|
|
|
def __init__(self, **kwargs):
|
|
if "maketrans" in dir(str):
|
|
trans = str.maketrans("_", "-")
|
|
else:
|
|
trans = maketrans("_", "-")
|
|
for r in self.reserved:
|
|
self.reserved_map[r.lower().translate(trans)] = r
|
|
self.lexer = lex.lex(object=self, reflags=re.VERBOSE | re.IGNORECASE, **kwargs)
|
|
|
|
def test(self, text):
|
|
self.lexer.input(text)
|
|
while True:
|
|
t = self.lexer.token()
|
|
if not t:
|
|
break
|
|
print(t)
|
|
|
|
|
|
############################################################################
|
|
# Policy: this object holds a set of DNSSEC policy settings.
|
|
############################################################################
|
|
class Policy:
|
|
is_zone = False
|
|
is_alg = False
|
|
is_constructed = False
|
|
ksk_rollperiod = None
|
|
zsk_rollperiod = None
|
|
ksk_prepublish = None
|
|
zsk_prepublish = None
|
|
ksk_postpublish = None
|
|
zsk_postpublish = None
|
|
ksk_keysize = None
|
|
zsk_keysize = None
|
|
ksk_standby = None
|
|
zsk_standby = None
|
|
keyttl = None
|
|
coverage = None
|
|
directory = None
|
|
valid_key_sz_per_algo = {
|
|
"RSASHA1": [1024, 4096],
|
|
"NSEC3RSASHA1": [512, 4096],
|
|
"RSASHA256": [1024, 4096],
|
|
"RSASHA512": [1024, 4096],
|
|
"ECDSAP256SHA256": None,
|
|
"ECDSAP384SHA384": None,
|
|
"ED25519": None,
|
|
"ED448": None,
|
|
}
|
|
|
|
def __init__(self, name=None, algorithm=None, parent=None):
|
|
self.name = name
|
|
self.algorithm = algorithm
|
|
self.parent = parent
|
|
pass
|
|
|
|
def __repr__(self):
|
|
return (
|
|
"%spolicy %s:\n"
|
|
"\tinherits %s\n"
|
|
"\tdirectory %s\n"
|
|
"\talgorithm %s\n"
|
|
"\tcoverage %s\n"
|
|
"\tksk_keysize %s\n"
|
|
"\tzsk_keysize %s\n"
|
|
"\tksk_rollperiod %s\n"
|
|
"\tzsk_rollperiod %s\n"
|
|
"\tksk_prepublish %s\n"
|
|
"\tksk_postpublish %s\n"
|
|
"\tzsk_prepublish %s\n"
|
|
"\tzsk_postpublish %s\n"
|
|
"\tksk_standby %s\n"
|
|
"\tzsk_standby %s\n"
|
|
"\tkeyttl %s\n"
|
|
% (
|
|
(
|
|
self.is_constructed
|
|
and "constructed "
|
|
or self.is_zone
|
|
and "zone "
|
|
or self.is_alg
|
|
and "algorithm "
|
|
or ""
|
|
),
|
|
self.name or "UNKNOWN",
|
|
self.parent and self.parent.name or "None",
|
|
self.directory and ('"' + str(self.directory) + '"') or "None",
|
|
self.algorithm or "None",
|
|
self.coverage and str(self.coverage) or "None",
|
|
self.ksk_keysize and str(self.ksk_keysize) or "None",
|
|
self.zsk_keysize and str(self.zsk_keysize) or "None",
|
|
self.ksk_rollperiod and str(self.ksk_rollperiod) or "None",
|
|
self.zsk_rollperiod and str(self.zsk_rollperiod) or "None",
|
|
self.ksk_prepublish and str(self.ksk_prepublish) or "None",
|
|
self.ksk_postpublish and str(self.ksk_postpublish) or "None",
|
|
self.zsk_prepublish and str(self.zsk_prepublish) or "None",
|
|
self.zsk_postpublish and str(self.zsk_postpublish) or "None",
|
|
self.ksk_standby and str(self.ksk_standby) or "None",
|
|
self.zsk_standby and str(self.zsk_standby) or "None",
|
|
self.keyttl and str(self.keyttl) or "None",
|
|
)
|
|
)
|
|
|
|
def __verify_size(self, key_size, size_range):
|
|
return size_range[0] <= key_size <= size_range[1]
|
|
|
|
def get_name(self):
|
|
return self.name
|
|
|
|
def constructed(self):
|
|
return self.is_constructed
|
|
|
|
def validate(self):
|
|
"""Check if the values in the policy make sense
|
|
:return: True/False if the policy passes validation
|
|
"""
|
|
if (
|
|
self.ksk_rollperiod
|
|
and self.ksk_prepublish is not None
|
|
and self.ksk_prepublish > self.ksk_rollperiod
|
|
):
|
|
print(self.ksk_rollperiod)
|
|
return (
|
|
False,
|
|
(
|
|
"KSK pre-publish period (%d) exceeds rollover period %d"
|
|
% (self.ksk_prepublish, self.ksk_rollperiod)
|
|
),
|
|
)
|
|
|
|
if (
|
|
self.ksk_rollperiod
|
|
and self.ksk_postpublish is not None
|
|
and self.ksk_postpublish > self.ksk_rollperiod
|
|
):
|
|
return (
|
|
False,
|
|
(
|
|
"KSK post-publish period (%d) exceeds rollover period %d"
|
|
% (self.ksk_postpublish, self.ksk_rollperiod)
|
|
),
|
|
)
|
|
|
|
if (
|
|
self.zsk_rollperiod
|
|
and self.zsk_prepublish is not None
|
|
and self.zsk_prepublish >= self.zsk_rollperiod
|
|
):
|
|
return (
|
|
False,
|
|
(
|
|
"ZSK pre-publish period (%d) exceeds rollover period %d"
|
|
% (self.zsk_prepublish, self.zsk_rollperiod)
|
|
),
|
|
)
|
|
|
|
if (
|
|
self.zsk_rollperiod
|
|
and self.zsk_postpublish is not None
|
|
and self.zsk_postpublish >= self.zsk_rollperiod
|
|
):
|
|
return (
|
|
False,
|
|
(
|
|
"ZSK post-publish period (%d) exceeds rollover period %d"
|
|
% (self.zsk_postpublish, self.zsk_rollperiod)
|
|
),
|
|
)
|
|
|
|
if (
|
|
self.ksk_rollperiod
|
|
and self.ksk_prepublish
|
|
and self.ksk_postpublish
|
|
and self.ksk_prepublish + self.ksk_postpublish >= self.ksk_rollperiod
|
|
):
|
|
return (
|
|
False,
|
|
(
|
|
(
|
|
"KSK pre/post-publish periods (%d/%d) "
|
|
+ "combined exceed rollover period %d"
|
|
)
|
|
% (self.ksk_prepublish, self.ksk_postpublish, self.ksk_rollperiod)
|
|
),
|
|
)
|
|
|
|
if (
|
|
self.zsk_rollperiod
|
|
and self.zsk_prepublish
|
|
and self.zsk_postpublish
|
|
and self.zsk_prepublish + self.zsk_postpublish >= self.zsk_rollperiod
|
|
):
|
|
return (
|
|
False,
|
|
(
|
|
(
|
|
"ZSK pre/post-publish periods (%d/%d) "
|
|
+ "combined exceed rollover period %d"
|
|
)
|
|
% (self.zsk_prepublish, self.zsk_postpublish, self.zsk_rollperiod)
|
|
),
|
|
)
|
|
|
|
if self.algorithm is not None:
|
|
# Validate the key size
|
|
key_sz_range = self.valid_key_sz_per_algo.get(self.algorithm)
|
|
if key_sz_range is not None:
|
|
# Verify KSK
|
|
if not self.__verify_size(self.ksk_keysize, key_sz_range):
|
|
return False, "KSK key size %d outside valid range %s" % (
|
|
self.ksk_keysize,
|
|
key_sz_range,
|
|
)
|
|
|
|
# Verify ZSK
|
|
if not self.__verify_size(self.zsk_keysize, key_sz_range):
|
|
return False, "ZSK key size %d outside valid range %s" % (
|
|
self.zsk_keysize,
|
|
key_sz_range,
|
|
)
|
|
|
|
if self.algorithm in [
|
|
"ECDSAP256SHA256",
|
|
"ECDSAP384SHA384",
|
|
"ED25519",
|
|
"ED448",
|
|
]:
|
|
self.ksk_keysize = None
|
|
self.zsk_keysize = None
|
|
|
|
return True, ""
|
|
|
|
|
|
############################################################################
|
|
# dnssec_policy:
|
|
# This class reads a dnssec.policy file and creates a dictionary of
|
|
# DNSSEC policy rules from which a policy for a specific zone can
|
|
# be generated.
|
|
############################################################################
|
|
class PolicyException(Exception):
|
|
pass
|
|
|
|
|
|
class dnssec_policy:
|
|
alg_policy = {}
|
|
named_policy = {}
|
|
zone_policy = {}
|
|
current = None
|
|
filename = None
|
|
initial = True
|
|
|
|
def __init__(self, filename=None, **kwargs):
|
|
self.plex = PolicyLex()
|
|
self.tokens = self.plex.tokens
|
|
if "debug" not in kwargs:
|
|
kwargs["debug"] = False
|
|
if "write_tables" not in kwargs:
|
|
kwargs["write_tables"] = False
|
|
self.parser = yacc.yacc(module=self, **kwargs)
|
|
|
|
# set defaults
|
|
self.setup(
|
|
"""policy global { algorithm rsasha256;
|
|
key-size ksk 2048;
|
|
key-size zsk 2048;
|
|
roll-period ksk 0;
|
|
roll-period zsk 1y;
|
|
pre-publish ksk 1mo;
|
|
pre-publish zsk 1mo;
|
|
post-publish ksk 1mo;
|
|
post-publish zsk 1mo;
|
|
standby ksk 0;
|
|
standby zsk 0;
|
|
keyttl 1h;
|
|
coverage 6mo; };
|
|
policy default { policy global; };"""
|
|
)
|
|
|
|
p = Policy()
|
|
p.algorithm = None
|
|
p.is_alg = True
|
|
p.ksk_keysize = 2048
|
|
p.zsk_keysize = 2048
|
|
|
|
# set default algorithm policies
|
|
|
|
# these can use default settings
|
|
self.alg_policy["RSASHA1"] = copy(p)
|
|
self.alg_policy["RSASHA1"].algorithm = "RSASHA1"
|
|
self.alg_policy["RSASHA1"].name = "RSASHA1"
|
|
|
|
self.alg_policy["NSEC3RSASHA1"] = copy(p)
|
|
self.alg_policy["NSEC3RSASHA1"].algorithm = "NSEC3RSASHA1"
|
|
self.alg_policy["NSEC3RSASHA1"].name = "NSEC3RSASHA1"
|
|
|
|
self.alg_policy["RSASHA256"] = copy(p)
|
|
self.alg_policy["RSASHA256"].algorithm = "RSASHA256"
|
|
self.alg_policy["RSASHA256"].name = "RSASHA256"
|
|
|
|
self.alg_policy["RSASHA512"] = copy(p)
|
|
self.alg_policy["RSASHA512"].algorithm = "RSASHA512"
|
|
self.alg_policy["RSASHA512"].name = "RSASHA512"
|
|
|
|
self.alg_policy["ECDSAP256SHA256"] = copy(p)
|
|
self.alg_policy["ECDSAP256SHA256"].algorithm = "ECDSAP256SHA256"
|
|
self.alg_policy["ECDSAP256SHA256"].name = "ECDSAP256SHA256"
|
|
self.alg_policy["ECDSAP256SHA256"].ksk_keysize = None
|
|
self.alg_policy["ECDSAP256SHA256"].zsk_keysize = None
|
|
|
|
self.alg_policy["ECDSAP384SHA384"] = copy(p)
|
|
self.alg_policy["ECDSAP384SHA384"].algorithm = "ECDSAP384SHA384"
|
|
self.alg_policy["ECDSAP384SHA384"].name = "ECDSAP384SHA384"
|
|
self.alg_policy["ECDSAP384SHA384"].ksk_keysize = None
|
|
self.alg_policy["ECDSAP384SHA384"].zsk_keysize = None
|
|
|
|
self.alg_policy["ED25519"] = copy(p)
|
|
self.alg_policy["ED25519"].algorithm = "ED25519"
|
|
self.alg_policy["ED25519"].name = "ED25519"
|
|
self.alg_policy["ED25519"].ksk_keysize = None
|
|
self.alg_policy["ED25519"].zsk_keysize = None
|
|
|
|
self.alg_policy["ED448"] = copy(p)
|
|
self.alg_policy["ED448"].algorithm = "ED448"
|
|
self.alg_policy["ED448"].name = "ED448"
|
|
self.alg_policy["ED448"].ksk_keysize = None
|
|
self.alg_policy["ED448"].zsk_keysize = None
|
|
|
|
if filename:
|
|
self.load(filename)
|
|
|
|
def load(self, filename):
|
|
self.filename = filename
|
|
self.initial = True
|
|
with open(filename) as f:
|
|
text = f.read()
|
|
self.plex.lexer.lineno = 0
|
|
self.parser.parse(text)
|
|
|
|
self.filename = None
|
|
|
|
def setup(self, text):
|
|
self.initial = True
|
|
self.plex.lexer.lineno = 0
|
|
self.parser.parse(text)
|
|
|
|
def policy(self, zone, **kwargs):
|
|
z = zone.lower()
|
|
p = None
|
|
|
|
if z in self.zone_policy:
|
|
p = self.zone_policy[z]
|
|
|
|
if p is None:
|
|
p = copy(self.named_policy["default"])
|
|
p.name = zone
|
|
p.is_constructed = True
|
|
|
|
if p.algorithm is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent and not parent.algorithm:
|
|
parent = parent.parent
|
|
p.algorithm = parent and parent.algorithm or None
|
|
|
|
if p.algorithm in self.alg_policy:
|
|
ap = self.alg_policy[p.algorithm]
|
|
else:
|
|
raise PolicyException("algorithm not found")
|
|
|
|
if p.directory is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent is not None and not parent.directory:
|
|
parent = parent.parent
|
|
p.directory = parent and parent.directory
|
|
|
|
if p.coverage is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent and not parent.coverage:
|
|
parent = parent.parent
|
|
p.coverage = parent and parent.coverage or ap.coverage
|
|
|
|
if p.ksk_keysize is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.ksk_keysize:
|
|
parent = parent.parent
|
|
p.ksk_keysize = parent and parent.ksk_keysize or ap.ksk_keysize
|
|
|
|
if p.zsk_keysize is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.zsk_keysize:
|
|
parent = parent.parent
|
|
p.zsk_keysize = parent and parent.zsk_keysize or ap.zsk_keysize
|
|
|
|
if p.ksk_rollperiod is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.ksk_rollperiod:
|
|
parent = parent.parent
|
|
p.ksk_rollperiod = parent and parent.ksk_rollperiod or ap.ksk_rollperiod
|
|
|
|
if p.zsk_rollperiod is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.zsk_rollperiod:
|
|
parent = parent.parent
|
|
p.zsk_rollperiod = parent and parent.zsk_rollperiod or ap.zsk_rollperiod
|
|
|
|
if p.ksk_prepublish is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.ksk_prepublish:
|
|
parent = parent.parent
|
|
p.ksk_prepublish = parent and parent.ksk_prepublish or ap.ksk_prepublish
|
|
|
|
if p.zsk_prepublish is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.zsk_prepublish:
|
|
parent = parent.parent
|
|
p.zsk_prepublish = parent and parent.zsk_prepublish or ap.zsk_prepublish
|
|
|
|
if p.ksk_postpublish is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.ksk_postpublish:
|
|
parent = parent.parent
|
|
p.ksk_postpublish = parent and parent.ksk_postpublish or ap.ksk_postpublish
|
|
|
|
if p.zsk_postpublish is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent.parent and not parent.zsk_postpublish:
|
|
parent = parent.parent
|
|
p.zsk_postpublish = parent and parent.zsk_postpublish or ap.zsk_postpublish
|
|
|
|
if p.keyttl is None:
|
|
parent = p.parent or self.named_policy["default"]
|
|
while parent is not None and not parent.keyttl:
|
|
parent = parent.parent
|
|
p.keyttl = parent and parent.keyttl
|
|
|
|
if "novalidate" not in kwargs or not kwargs["novalidate"]:
|
|
(valid, msg) = p.validate()
|
|
if not valid:
|
|
raise PolicyException(msg)
|
|
return None
|
|
|
|
return p
|
|
|
|
def p_policylist(self, p):
|
|
"""policylist : init policy
|
|
| policylist policy"""
|
|
pass
|
|
|
|
def p_init(self, p):
|
|
"init :"
|
|
self.initial = False
|
|
|
|
def p_policy(self, p):
|
|
"""policy : alg_policy
|
|
| zone_policy
|
|
| named_policy"""
|
|
pass
|
|
|
|
def p_name(self, p):
|
|
"""name : STR
|
|
| KEYTYPE
|
|
| DATESUFFIX"""
|
|
p[0] = p[1]
|
|
pass
|
|
|
|
def p_domain(self, p):
|
|
"""domain : STR
|
|
| QSTRING
|
|
| KEYTYPE
|
|
| DATESUFFIX"""
|
|
p[0] = p[1].strip()
|
|
if not re.match(r"^[\w.-][\w.-]*$", p[0]):
|
|
raise PolicyException("invalid domain")
|
|
pass
|
|
|
|
def p_new_policy(self, p):
|
|
"new_policy :"
|
|
self.current = Policy()
|
|
|
|
def p_alg_policy(self, p):
|
|
"alg_policy : ALGORITHM_POLICY ALGNAME new_policy alg_option_group SEMI"
|
|
self.current.name = p[2]
|
|
self.current.is_alg = True
|
|
self.alg_policy[p[2]] = self.current
|
|
pass
|
|
|
|
def p_zone_policy(self, p):
|
|
"zone_policy : ZONE domain new_policy policy_option_group SEMI"
|
|
self.current.name = p[2].rstrip(".")
|
|
self.current.is_zone = True
|
|
self.zone_policy[p[2].rstrip(".").lower()] = self.current
|
|
pass
|
|
|
|
def p_named_policy(self, p):
|
|
"named_policy : POLICY name new_policy policy_option_group SEMI"
|
|
self.current.name = p[2]
|
|
self.named_policy[p[2].lower()] = self.current
|
|
pass
|
|
|
|
def p_duration_1(self, p):
|
|
"duration : NUMBER"
|
|
p[0] = p[1]
|
|
pass
|
|
|
|
def p_duration_2(self, p):
|
|
"duration : NONE"
|
|
p[0] = None
|
|
pass
|
|
|
|
def p_duration_3(self, p):
|
|
"duration : NUMBER DATESUFFIX"
|
|
if p[2] == "y":
|
|
p[0] = p[1] * 31536000 # year
|
|
elif p[2] == "mo":
|
|
p[0] = p[1] * 2592000 # month
|
|
elif p[2] == "w":
|
|
p[0] = p[1] * 604800 # week
|
|
elif p[2] == "d":
|
|
p[0] = p[1] * 86400 # day
|
|
elif p[2] == "h":
|
|
p[0] = p[1] * 3600 # hour
|
|
elif p[2] == "mi":
|
|
p[0] = p[1] * 60 # minute
|
|
elif p[2] == "s":
|
|
p[0] = p[1] # second
|
|
else:
|
|
raise PolicyException("invalid duration")
|
|
|
|
def p_policy_option_group(self, p):
|
|
"policy_option_group : LBRACE policy_option_list RBRACE"
|
|
pass
|
|
|
|
def p_policy_option_list(self, p):
|
|
"""policy_option_list : policy_option SEMI
|
|
| policy_option_list policy_option SEMI"""
|
|
pass
|
|
|
|
def p_policy_option(self, p):
|
|
"""policy_option : parent_option
|
|
| directory_option
|
|
| coverage_option
|
|
| rollperiod_option
|
|
| prepublish_option
|
|
| postpublish_option
|
|
| keysize_option
|
|
| algorithm_option
|
|
| keyttl_option
|
|
| standby_option"""
|
|
pass
|
|
|
|
def p_alg_option_group(self, p):
|
|
"alg_option_group : LBRACE alg_option_list RBRACE"
|
|
pass
|
|
|
|
def p_alg_option_list(self, p):
|
|
"""alg_option_list : alg_option SEMI
|
|
| alg_option_list alg_option SEMI"""
|
|
pass
|
|
|
|
def p_alg_option(self, p):
|
|
"""alg_option : coverage_option
|
|
| rollperiod_option
|
|
| prepublish_option
|
|
| postpublish_option
|
|
| keyttl_option
|
|
| keysize_option
|
|
| standby_option"""
|
|
pass
|
|
|
|
def p_parent_option(self, p):
|
|
"parent_option : POLICY name"
|
|
self.current.parent = self.named_policy[p[2].lower()]
|
|
|
|
def p_directory_option(self, p):
|
|
"directory_option : DIRECTORY QSTRING"
|
|
self.current.directory = p[2]
|
|
|
|
def p_coverage_option(self, p):
|
|
"coverage_option : COVERAGE duration"
|
|
self.current.coverage = p[2]
|
|
|
|
def p_rollperiod_option(self, p):
|
|
"rollperiod_option : ROLL_PERIOD KEYTYPE duration"
|
|
if p[2] == "KSK":
|
|
self.current.ksk_rollperiod = p[3]
|
|
else:
|
|
self.current.zsk_rollperiod = p[3]
|
|
|
|
def p_prepublish_option(self, p):
|
|
"prepublish_option : PRE_PUBLISH KEYTYPE duration"
|
|
if p[2] == "KSK":
|
|
self.current.ksk_prepublish = p[3]
|
|
else:
|
|
self.current.zsk_prepublish = p[3]
|
|
|
|
def p_postpublish_option(self, p):
|
|
"postpublish_option : POST_PUBLISH KEYTYPE duration"
|
|
if p[2] == "KSK":
|
|
self.current.ksk_postpublish = p[3]
|
|
else:
|
|
self.current.zsk_postpublish = p[3]
|
|
|
|
def p_keysize_option(self, p):
|
|
"keysize_option : KEY_SIZE KEYTYPE NUMBER"
|
|
if p[2] == "KSK":
|
|
self.current.ksk_keysize = p[3]
|
|
else:
|
|
self.current.zsk_keysize = p[3]
|
|
|
|
def p_standby_option(self, p):
|
|
"standby_option : STANDBY KEYTYPE NUMBER"
|
|
if p[2] == "KSK":
|
|
self.current.ksk_standby = p[3]
|
|
else:
|
|
self.current.zsk_standby = p[3]
|
|
|
|
def p_keyttl_option(self, p):
|
|
"keyttl_option : KEYTTL duration"
|
|
self.current.keyttl = p[2]
|
|
|
|
def p_algorithm_option(self, p):
|
|
"algorithm_option : ALGORITHM ALGNAME"
|
|
self.current.algorithm = p[2]
|
|
|
|
def p_error(self, p):
|
|
if p:
|
|
print(
|
|
"%s%s%d:syntax error near '%s'"
|
|
% (self.filename or "", ":" if self.filename else "", p.lineno, p.value)
|
|
)
|
|
else:
|
|
if not self.initial:
|
|
raise PolicyException(
|
|
"%s%s%d:unexpected end of input"
|
|
% (
|
|
self.filename or "",
|
|
":" if self.filename else "",
|
|
p and p.lineno or 0,
|
|
)
|
|
)
|
|
|
|
|
|
if __name__ == "__main__":
|
|
import sys
|
|
|
|
if sys.argv[1] == "lex":
|
|
file = open(sys.argv[2])
|
|
text = file.read()
|
|
file.close()
|
|
plex = PolicyLex(debug=1)
|
|
plex.test(text)
|
|
elif sys.argv[1] == "parse":
|
|
try:
|
|
pp = dnssec_policy(sys.argv[2], write_tables=True, debug=True)
|
|
print(pp.named_policy["default"])
|
|
print(pp.policy("nonexistent.zone"))
|
|
except Exception as e:
|
|
print(e.args[0])
|