#!/usr/bin/env python
# -*- mode: python -*-
import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os;
-import string, pwd
+import pwd
from userdir_gpg import *;
from userdir_ldap import *;
EX_TEMPFAIL = 75;
EX_PERMFAIL = 65; # EX_DATAERR
Error = 'Message Error';
-SeenRSA = 0;
-SeenDSA = 0;
+SeenKey = 0;
SeenDNS = 0;
+mailRBL = {}
+mailRHSBL = {}
+mailWhitelist = {}
+SeenList = {}
+DNS = {}
ArbChanges = {"c": "..",
"l": ".*",
- "facsimiletelephonenumber": ".*",
- "telephonenumber": ".*",
- "postaladdress": ".*",
- "postalcode": ".*",
- "loginshell": ".*",
- "emailforward": "^([^<>@]+@.+)?$",
- "ircnick": ".*",
- "icquin": "^[0-9]*$",
- "onvacation": ".*",
- "labeledurl": ".*"};
+ "facsimileTelephoneNumber": ".*",
+ "telephoneNumber": ".*",
+ "postalAddress": ".*",
+ "postalCode": ".*",
+ "loginShell": ".*",
+ "emailForward": "^([^<>@]+@.+)?$",
+ "jabberJID": "^([^<>@]+@.+)?$",
+ "ircNick": ".*",
+ "icqUin": "^[0-9]*$",
+ "onVacation": ".*",
+ "labeledURI": ".*",
+ "birthDate": "^([0-9]{4})([01][0-9])([0-3][0-9])$",
+ "mailDisableMessage": ".*",
+ "mailGreylisting": "^(TRUE|FALSE)$",
+ "mailCallout": "^(TRUE|FALSE)$",
+};
DelItems = {"c": None,
"l": None,
- "facsimiletelephonenumber": None,
- "telephonenumber": None,
- "postaladdress": None,
- "postalcode": None,
- "emailforward": None,
- "ircnick": None,
- "onvacation": None,
- "labeledurl": None,
+ "facsimileTelephoneNumber": None,
+ "telephoneNumber": None,
+ "postalAddress": None,
+ "postalCode": None,
+ "emailForward": None,
+ "ircNick": None,
+ "onVacation": None,
+ "labeledURI": None,
"latitude": None,
"longitude": None,
- "icquin": None,
- "sshrsaauthkey": None,
- "sshdsaauthkey": None};
+ "icqUin": None,
+ "jabberJID": None,
+ "jpegPhoto": None,
+ "dnsZoneEntry": None,
+ "sshRSAAuthKey": None,
+ "sshDSAAuthKey": None,
+ "birthDate" : None,
+ "mailGreylisting": None,
+ "mailCallout": None,
+ "mailRBL": None,
+ "mailRHSBL": None,
+ "mailWhitelist": None,
+ "mailDisableMessage": None,
+ };
# Decode a GPS location from some common forms
def LocDecode(Str,Dir):
if Match == None:
return None;
G = Match.groups();
-
- if ArbChanges.has_key(G[0]) == 0:
+
+ attrName = G[0].lower();
+ for i in ArbChanges.keys():
+ if i.lower() == attrName:
+ attrName = i;
+ break;
+ if ArbChanges.has_key(attrName) == 0:
return None;
-
- if re.match(ArbChanges[G[0]],G[1]) == None:
- raise Error, "Item does not match the required format"+ArbChanges[G[0]];
- Attrs.append((ldap.MOD_REPLACE,G[0],G[1]));
- return "Changed entry %s to %s"%(G[0],G[1]);
+ if re.match(ArbChanges[attrName],G[1]) == None:
+ raise Error, "Item does not match the required format"+ArbChanges[attrName];
+
+# if attrName == 'birthDate':
+# (re.match("^([0-9]{4})([01][0-9])([0-3][0-9])$",G[1]) {
+# $bd_yr = $1; $bd_mo = $2; $bd_day = $3;
+# if ($bd_mo > 0 and $bd_mo <= 12 and $bd_day > 0) {
+# if ($bd_mo == 2) {
+# if ($bd_day == 29 and ($bd_yr == 0 or ($bd_yr % 4 == 0 && ($bd_yr % 100 != 0 || $bd_yr % 400 == 0)))) {
+# $bd_ok = 1;
+# } elsif ($bd_day <= 28) {
+# $bd_ok = 1;
+# }
+# } elsif ($bd_mo == 4 or $bd_mo == 6 or $bd_mo == 9 or $bd_mo == 11) {
+# if ($bd_day <= 30) {
+# $bd_ok = 1;
+# }
+# } else {
+# if ($bd_day <= 31) {
+# $bd_ok = 1;
+# }
+# }
+# }
+# } elsif (not defined($query->param('birthdate')) or $query->param('birthdate') =~ /^\s*$/) {
+# $bd_ok = 1;
+# }
+ Attrs.append((ldap.MOD_REPLACE,attrName,G[1]));
+ return "Changed entry %s to %s"%(attrName,G[1]);
# Handle changing a set of arbitary fields
# <field>: value
if Match == None:
return None;
G = Match.groups();
-
- if DelItems.has_key(G[0]) == 0:
- return "Cannot erase entry %s"%(G[0]);
- Attrs.append((ldap.MOD_DELETE,G[0],None));
- return "Removed entry %s"%(G[0]);
+ attrName = G[0].lower();
+ for i in DelItems.keys():
+ if i.lower() == attrName:
+ attrName = i;
+ break;
+ if DelItems.has_key(attrName) == 0:
+ return "Cannot erase entry %s"%(attrName);
+
+ Attrs.append((ldap.MOD_DELETE,attrName,None));
+ return "Removed entry %s"%(attrName);
# Handle a position change message, the line format is:
# Lat: -12412.23 Long: +12341.2342
def DoPosition(Str,Attrs):
- Match = re.match("^lat: ([+\-]?[\d:.ns]+(?: ?[ns])?) long: ([+\-]?[\d:.ew]+(?: ?[ew])?)$",string.lower(Str));
+ Match = re.match("^lat: ([+\-]?[\d:.ns]+(?: ?[ns])?) long: ([+\-]?[\d:.ew]+(?: ?[ew])?)$", Str.lower())
if Match == None:
return None;
Attrs.append((ldap.MOD_REPLACE,"longitude",sLong));
return "Position set to %s/%s (%s/%s decimal degrees)"%(sLat,sLong,Lat,Long);
-# Handle a SSH RSA authentication key, the line format is:
+# Handle an SSH authentication key, the line format is:
# [options] 1024 35 13188913666680[..] [comment]
def DoSSH(Str,Attrs):
- Match = SSHAuthSplit.match(Str);
+ Match = SSH2AuthSplit.match(Str);
if Match == None:
+ Match = re.compile('^1024 (\d+) ').match(Str)
+ if Match is not None:
+ return "SSH1 keys not supported anymore"
return None;
- global SeenRSA;
- if SeenRSA:
- Attrs.append((ldap.MOD_ADD,"sshrsaauthkey",Str));
+ global SeenKey;
+ if SeenKey:
+ Attrs.append((ldap.MOD_ADD,"sshRSAAuthKey",Str));
return "SSH Key added "+FormatSSHAuth(Str);
- Attrs.append((ldap.MOD_REPLACE,"sshrsaauthkey",Str));
- SeenRSA = 1;
+ Attrs.append((ldap.MOD_REPLACE,"sshRSAAuthKey",Str));
+ SeenKey = 1;
return "SSH Keys replaced with "+FormatSSHAuth(Str);
-# Handle a SSH DSA authentication key, the line format is:
-# ssh-dss [key] [comment]
-def DoSSH2(Str,Attrs):
- Match = SSHDSAAuthSplit.match(Str);
- if Match == None:
- return None;
-
- global SeenDSA;
- if SeenDSA:
- Attrs.append((ldap.MOD_ADD,"sshdsaauthkey",Str));
- return "SSH2 Key added "+FormatSSH2Auth(Str);
-
- Attrs.append((ldap.MOD_REPLACE,"sshdsaauthkey",Str));
- SeenDSA = 1;
- return "SSH2 Keys replaced with "+FormatSSH2Auth(Str);
-
# Handle changing a dns entry
# host in a 12.12.12.12
# host in cname foo.bar. <- Trailing dot is required
def DoDNS(Str,Attrs,DnRecord):
- if re.match('^[\w-]+\s+in\s+a\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$',\
- Str,re.IGNORECASE) == None and \
- re.match("^[\w-]+\s+in\s+cname\s+[\w.\-]+\.$",Str,re.IGNORECASE) == None and \
- re.match("^[\w-]+\s+in\s+mx\s+\d{1,3}\s+[\w.\-]+\.$",Str,re.IGNORECASE) == None:
+ cname = re.match("^[-\w]+\s+in\s+cname\s+[-\w.]+\.$",Str,re.IGNORECASE);
+ if re.match('^[-\w]+\s+in\s+a\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$',\
+ Str,re.IGNORECASE) == None and cname == None and \
+ re.match("^[-\w]+\s+in\s+mx\s+\d{1,3}\s+[-\w.]+\.$",Str,re.IGNORECASE) == None:
return None;
# Check if the name is already taken
- G = re.match('^([\w-+]+)\s',Str).groups();
+ G = re.match('^([-\w+]+)\s',Str).groups();
# Check for collisions
global l;
- Rec = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"dnszoneentry="+G[0]+" *",["uid"]);
+ # [JT 20070409 - search for both tab and space suffixed hostnames
+ # since we accept either. It'd probably be better to parse the
+ # incoming string in order to construct what we feed LDAP rather
+ # than just passing it through as is.]
+ filter = "(|(dnsZoneEntry=%s *)(dnsZoneEntry=%s *))" % (G[0], G[0])
+ Rec = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,filter,["uid"]);
for x in Rec:
if GetAttr(x,"uid") != GetAttr(DnRecord,"uid"):
return "DNS entry is already owned by " + GetAttr(x,"uid")
global SeenDNS;
+ global DNS;
+
+ if cname:
+ if DNS.has_key(G[0]):
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[G[0]] = 2
+ else:
+ if DNS.has_key(G[0]) and DNS[G[0]] == 2:
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[G[0]] = 1
+
if SeenDNS:
- Attrs.append((ldap.MOD_ADD,"dnszoneentry",Str));
+ Attrs.append((ldap.MOD_ADD,"dnsZoneEntry",Str));
return "DNS Entry added "+Str;
- Attrs.append((ldap.MOD_REPLACE,"dnszoneentry",Str));
+ Attrs.append((ldap.MOD_REPLACE,"dnsZoneEntry",Str));
SeenDNS = 1;
return "DNS Entry replaced with "+Str;
+# Handle an RBL list (mailRBL, mailRHSBL, mailWhitelist)
+def DoRBL(Str,Attrs):
+ Match = re.compile('^mail(rbl|rhsbl|whitelist) ([-a-z0-9.]+)$').match(Str.lower())
+ if Match == None:
+ return None
+
+ if Match.group(1) == "rbl":
+ Key = "mailRBL"
+ if Match.group(1) == "rhsbl":
+ Key = "mailRHSBL"
+ if Match.group(1) == "whitelist":
+ Key = "mailWhitelist"
+ Host = Match.group(2)
+
+ global SeenList
+ if SeenList.has_key(Key):
+ Attrs.append((ldap.MOD_ADD,Key,Host))
+ return "%s added %s" % (Key,Host)
+
+ Attrs.append((ldap.MOD_REPLACE,Key,Host))
+ SeenList[Key] = 1;
+ return "%s replaced with %s" % (Key,Host)
+
# Handle an [almost] arbitary change
def HandleChange(Reply,DnRecord,Key):
global PlainText;
Attrs = [];
Show = 0;
for Line in Lines:
- Line = string.strip(Line);
+ Line = Line.strip()
if Line == "":
continue;
else:
Res = DoPosition(Line,Attrs) or DoDNS(Line,Attrs,DnRecord) or \
DoArbChange(Line,Attrs) or DoSSH(Line,Attrs) or \
- DoSSH2(Line,Attrs) or DoDel(Line,Attrs);
+ DoDel(Line,Attrs) or DoRBL(Line,Attrs);
except:
Res = None;
Result = Result + "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
# Connect to the ldap server
l = ldap.open(LDAPServer);
F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
- AccessPass = string.split(string.strip(F.readline())," ");
+ AccessPass = F.readline().strip().split(" ")
F.close();
# Modify the record
l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]);
+ oldAttrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid"));
+ if ((GetAttr(oldAttrs[0],"userPassword").find("*LK*") != -1)
+ or GetAttr(oldAttrs[0],"userPassword").startswith("!")):
+ raise Error, "This account is locked";
Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
l.modify_s(Dn,Attrs);
# Connect to the ldap server
l = ldap.open(LDAPServer);
F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
- AccessPass = string.split(string.strip(F.readline())," ");
+ AccessPass = F.readline().strip().split(" ")
F.close();
l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]);
# Check for a locked account
Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid"));
- if (string.find(GetAttr(Attrs[0],"userpassword"),"*LK*") != -1):
+ if (GetAttr(Attrs[0],"userPassword").find("*LK*") != -1) \
+ or GetAttr(Attrs[0],"userPassword").startswith("!"):
raise Error, "This account is locked";
# Modify the password
Msg = GetClearSig(Email);
ErrMsg = "Message is not PGP signed:"
- if string.find(Msg[0],"-----BEGIN PGP SIGNED MESSAGE-----") == -1:
+ if Msg[0].find("-----BEGIN PGP SIGNED MESSAGE-----") == -1 and \
+ Msg[0].find("-----BEGIN PGP MESSAGE-----") == -1:
raise Error, "No PGP signature";
# Check the signature
ErrMsg = "Problem stripping MIME headers from the decoded message"
if Msg[1] == 1:
try:
- Index = string.index(Res[3],"\n\n") + 2;
+ Index = Res[3].index("\n\n") + 2;
except ValueError:
- Index = string.index(Res[3],"\n\r\n") + 3;
+ Index = Res[3].index("\n\r\n") + 3;
PlainText = Res[3][Index:];
else:
PlainText = Res[3];
Rply = RC.Check(Res[1]);
if Rply != None:
raise Error, Rply;
- RC.Add(Res[1]);
# Connect to the ldap server
ErrType = EX_TEMPFAIL;
l.simple_bind_s("","");
# Search for the matching key fingerprint
- Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyfingerprint=" + Res[2][1]);
+ Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"keyFingerPrint=" + Res[2][1]);
+
+ ErrType = EX_PERMFAIL;
if len(Attrs) == 0:
raise Error, "Key not found"
if len(Attrs) != 1:
raise Error, "Oddly your key fingerprint is assigned to more than one account.."
+ RC.Add(Res[1]);
+
# Determine the sender address
- ErrType = EX_PERMFAIL;
ErrMsg = "A problem occured while trying to formulate the reply";
Sender = Email.getheader("Reply-To");
if Sender == None:
if Sender == None:
raise Error, "Unable to determine the sender's address";
- if (string.find(GetAttr(Attrs[0],"userpassword"),"*LK*") != -1):
- raise Error, "This account is locked";
-
# Formulate a reply
Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()));
Reply = "To: %s\nReply-To: %s\nDate: %s\n" % (Sender,ReplyTo,Date);
if sys.argv[1] == "ping":
Reply = HandlePing(Reply,Attrs[0],Res[2]);
elif sys.argv[1] == "chpass":
- if string.find(string.strip(PlainText),"Please change my Debian password") != 0:
+ if PlainText.strip().find("Please change my Debian password") != 0:
raise Error,"Please send a signed message where the first line of text is the string 'Please change my Debian password'";
Reply = HandleChPass(Reply,Attrs[0],Res[2]);
elif sys.argv[1] == "change":