a 4i` @s@ddlZddlmZddlmZddlTddlmZGdddZGdddZGdd d e Z Gd d d Z e d krt|jp@dfS) Na%spolicy %s: inherits %s directory %s algorithm %s coverage %s ksk_keysize %s zsk_keysize %s ksk_rollperiod %s zsk_rollperiod %s ksk_prepublish %s ksk_postpublish %s zsk_prepublish %s zsk_postpublish %s ksk_standby %s zsk_standby %s keyttl %s z constructed zzone z algorithm ZUNKNOWNNone")is_constructedis_zoneis_algrOrQ directoryr5rPcoverage ksk_keysize zsk_keysizeksk_rollperiodzsk_rollperiodksk_prepublishksk_postpublishzsk_prepublishzsk_postpublish ksk_standby zsk_standbykeyttlrrrr__repr__s<zPolicy.__repr__cCs |d|ko|dkSS)Nrrr)rZkey_sizeZ size_rangerrrZ __verify_sizeszPolicy.__verify_sizecCs|jSr=)rOrerrrget_nameszPolicy.get_namecCs|jSr=)rUrerrr constructedszPolicy.constructedcCs|jr:|jdur:|j|jkr:t|jdd|j|jffS|jrj|jdurj|j|jkrjdd|j|jffS|jr|jdur|j|jkrdd|j|jffS|jr|jdur|j|jkrdd|j|jffS|jr|jr|jr|j|j|jkrdd|j|j|jffS|jrR|jrR|jrR|j|j|jkrRdd|j|j|jffS|jdur|j |j}|dur| |j |sdd |j |ffS| |j |sdd |j |ffS|jd vrd|_ d|_ d S) zqCheck if the values in the policy make sense :return: True/False if the policy passes validation NFz6KSK pre-publish period (%d) exceeds rollover period %dz7KSK post-publish period (%d) exceeds rollover period %dz6ZSK pre-publish period (%d) exceeds rollover period %dz7ZSK post-publish period (%d) exceeds rollover period %dzGKSK pre/post-publish periods (%d/%d) combined exceed rollover period %dzGZSK pre/post-publish periods (%d/%d) combined exceed rollover period %dz&KSK key size %d outside valid range %sz&ZSK key size %d outside valid range %s)rKrLrMrN)TrR) r\r^r-r_r]r`rarPvalid_key_sz_per_algor&_Policy__verify_sizerZr[)rZ key_sz_rangerrrvalidates                 zPolicy.validate)NNN)rBrCrDrVrWrUr\r]r^r`r_rarZr[rbrcrdrYrXrir<rfrjrgrhrkrrrrrFs> /rFc@s eZdZdS)PolicyExceptionN)rBrCrDrrrrrlXsrlc@s.eZdZiZiZiZdZdZdZdEddZ ddZ ddZ d d Z d d Z d dZddZddZddZddZddZddZddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Z d3d4Z!d5d6Z"d7d8Z#d9d:Z$d;d<Z%d=d>Z&d?d@Z'dAdBZ(dCdDZ)dS)F dnssec_policyNTcKst|_|jj|_d|vr"d|d<d|vr2d|d<tjfd|i||_|dt}d|_d|_d|_ d|_ t ||j d<d|j d_d|j d_ t ||j d <d |j d _d |j d _ t ||j d <d |j d _d |j d _ t ||j d <d |j d _d |j d _ t ||j d <d |j d _d |j d _ d|j d _ d|j d _ t ||j d <d |j d _d |j d _ d|j d _ d|j d _ t ||j d<d|j d_d|j d_ d|j d_ d|j d_ t ||j d<d|j d_d|j d_ d|j d_ d|j d_ |r||dS)NdebugF write_tablesmoduleapolicy global { algorithm rsasha256; key-size ksk 2048; key-size zsk 2048; roll-period ksk 0; roll-period zsk 1y; pre-publish ksk 1mo; pre-publish zsk 1mo; post-publish ksk 1mo; post-publish zsk 1mo; standby ksk 0; standby zsk 0; keyttl 1h; coverage 6mo; }; policy default { policy global; };TirGrHrIrJrKrLrMrN)rplexrEyaccparsersetuprFrPrWrZr[r alg_policyrOload)rfilenamer:prrrr<dsb                         zdnssec_policy.__init__cCs\||_d|_t|.}|}d|jj_|j|Wdn1sH0Yd|_dSNTr) rwinitialopenreadrqrrrsparse)rrwfr@rrrrvs  *zdnssec_policy.loadcCs d|_d|jj_|j|dSry)rzrqrrrsr})rr@rrrrts zdnssec_policy.setupc Ks|}d}||jvr |j|}|durBt|jd}||_d|_|jdur~|jpZ|jd}|rn|jsn|j}q\|rx|jpzd|_|j|jvr|j|j}nt d|j dur|jp|jd}|dur|j s|j}q|o|j |_ |j dur$|jp|jd}|r|j s|j}q|r|j p |j |_ |j durr|jp@|jd}|jr\|j s\|j}qB|rj|j pn|j |_ |j dur|jp|jd}|jr|j s|j}q|r|j p|j |_ |jdur|jp|jd}|jr|js|j}q|r|jp |j|_|jdur\|jp*|jd}|jrF|jsF|j}q,|rT|jpX|j|_|jdur|jpx|jd}|jr|js|j}qz|r|jp|j|_|jdur|jp|jd}|jr|js|j}q|r|jp|j|_|jdurF|jp|jd}|jr0|js0|j}q|r>|jpB|j|_|jdur|jpb|jd}|jr~|js~|j}qd|r|jp|j|_|jdur|jp|jd}|dur|js|j}q|o|j|_d|vs|ds|\}}|st |dS|S)NdefaultTzalgorithm not foundZ novalidate)r zone_policyr named_policyrOrUrPrQrurlrXrYrZr[r\r]r^r`r_rardrk) rZzoner:zrxrQZapZvalidmsgrrrpolicys                           zdnssec_policy.policycCsdS)z4policylist : init policy | policylist policyNrrrxrrr p_policylist#szdnssec_policy.p_policylistcCs d|_dS)zinit :FN)rzrrrrp_init(szdnssec_policy.p_initcCsdS)z@policy : alg_policy | zone_policy | named_policyNrrrrrp_policy,szdnssec_policy.p_policycCs|d|d<dS)z1name : STR | KEYTYPE | DATESUFFIXrrNrrrrrp_name2s zdnssec_policy.p_namecCs,|d|d<td|ds(tddS)zEdomain : STR | QSTRING | KEYTYPE | DATESUFFIXrrz^[\w.-][\w.-]*$zinvalid domainN)striprrrlrrrrp_domain9szdnssec_policy.p_domaincCs t|_dS)z new_policy :N)rFcurrentrrrr p_new_policyCszdnssec_policy.p_new_policycCs(|d|j_d|j_|j|j|d<dS)zFalg_policy : ALGORITHM_POLICY ALGNAME new_policy alg_option_group SEMITN)rrOrWrurrrr p_alg_policyGs zdnssec_policy.p_alg_policycCs8|dd|j_d|j_|j|j|dd<dS)z=zone_policy : ZONE domain new_policy policy_option_group SEMIr.TN)rstriprrOrVrrrrrr p_zone_policyNszdnssec_policy.p_zone_policycCs$|d|j_|j|j|d<dS)z>named_policy : POLICY name new_policy policy_option_group SEMIrN)rrOrrrrrrp_named_policyUs zdnssec_policy.p_named_policycCs|d|d<dS)zduration : NUMBERrrNrrrrr p_duration_1[s zdnssec_policy.p_duration_1cCs d|d<dS)zduration : NONENrrrrrr p_duration_2`szdnssec_policy.p_duration_2cCs|ddkr|dd|d<n|ddkr<|dd|d<n|ddkrZ|dd |d<n||dd krx|dd |d<n^|dd kr|dd |d<n@|ddkr|dd|d<n"|ddkr|d|d<ntddS)zduration : NUMBER DATESUFFIXryri3rZmoi'wi: diQhimi<szinvalid durationN)rlrrrr p_duration_3es       zdnssec_policy.p_duration_3cCsdS)z6policy_option_group : LBRACE policy_option_list RBRACENrrrrrp_policy_option_groupxsz#dnssec_policy.p_policy_option_groupcCsdS)zWpolicy_option_list : policy_option SEMI | policy_option_list policy_option SEMINrrrrrp_policy_option_list|sz"dnssec_policy.p_policy_option_listcCsdS)a policy_option : parent_option | directory_option | coverage_option | rollperiod_option | prepublish_option | postpublish_option | keysize_option | algorithm_option | keyttl_option | standby_optionNrrrrrp_policy_options zdnssec_policy.p_policy_optioncCsdS)z0alg_option_group : LBRACE alg_option_list RBRACENrrrrrp_alg_option_groupsz dnssec_policy.p_alg_option_groupcCsdS)zKalg_option_list : alg_option SEMI | alg_option_list alg_option SEMINrrrrrp_alg_option_listszdnssec_policy.p_alg_option_listcCsdS)zalg_option : coverage_option | rollperiod_option | prepublish_option | postpublish_option | keyttl_option | keysize_option | standby_optionNrrrrr p_alg_optionszdnssec_policy.p_alg_optioncCs|j|d|j_dS)zparent_option : POLICY namerN)rrrrQrrrrp_parent_optionszdnssec_policy.p_parent_optioncCs|d|j_dS)z$directory_option : DIRECTORY QSTRINGrN)rrXrrrrp_directory_optionsz dnssec_policy.p_directory_optioncCs|d|j_dS)z#coverage_option : COVERAGE durationrN)rrYrrrrp_coverage_optionszdnssec_policy.p_coverage_optioncCs*|ddkr|d|j_n |d|j_dS)z0rollperiod_option : ROLL_PERIOD KEYTYPE durationrKSKN)rr\r]rrrrp_rollperiod_options z!dnssec_policy.p_rollperiod_optioncCs*|ddkr|d|j_n |d|j_dS)z0prepublish_option : PRE_PUBLISH KEYTYPE durationrrrN)rr^r`rrrrp_prepublish_options z!dnssec_policy.p_prepublish_optioncCs*|ddkr|d|j_n |d|j_dS)z2postpublish_option : POST_PUBLISH KEYTYPE durationrrrN)rr_rarrrrp_postpublish_options z"dnssec_policy.p_postpublish_optioncCs*|ddkr|d|j_n |d|j_dS)z(keysize_option : KEY_SIZE KEYTYPE NUMBERrrrN)rrZr[rrrrp_keysize_options zdnssec_policy.p_keysize_optioncCs*|ddkr|d|j_n |d|j_dS)z'standby_option : STANDBY KEYTYPE NUMBERrrrN)rrbrcrrrrp_standby_options zdnssec_policy.p_standby_optioncCs|d|j_dS)zkeyttl_option : KEYTTL durationrN)rrdrrrrp_keyttl_optionszdnssec_policy.p_keyttl_optioncCs|d|j_dS)z$algorithm_option : ALGORITHM ALGNAMErN)rrPrrrrp_algorithm_optionsz dnssec_policy.p_algorithm_optioncCsd|r.td|jpd|jrdnd|j|jfn2|js`td|jp@d|jrJdnd|rV|jpXdfdS)Nz%s%s%d:syntax error near '%s'rR:z%s%s%d:unexpected end of inputr)r-rwrrrzrlrrrrp_errors  zdnssec_policy.p_error)N)*rBrCrDrurrrrwrzr<rvrtrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrm\sN O a   rm__main__rr8r)rnr}T)rornrznonexistent.zone)rZply.lexr8Zply.yaccrrstringrrrF ExceptionrlrmrBsysargvr{filer|r@closerqrAZppr-rreargsrrrr s6   iZ