+SeenKey = 0;
+SeenDNS = 0;
+mailRBL = {}
+mailRHSBL = {}
+mailWhitelist = {}
+SeenList = {}
+DNS = {}
+
+SSHFingerprint = re.compile('^(\d+) ([0-9a-f\:]{47}) (.+)$')
+SSHRSA1Match = re.compile('^^(.* )?\d+ \d+ \d+')
+
+GenderTable = {"male": 1,
+ "1": 1,
+ "female": 2,
+ "2": 2,
+ "unspecified": 9,
+ "9": 9,
+};
+
+ArbChanges = {"c": "..",
+ "l": ".*",
+ "facsimileTelephoneNumber": ".*",
+ "telephoneNumber": ".*",
+ "postalAddress": ".*",
+ "postalCode": ".*",
+ "loginShell": ".*",
+ "emailForward": "^([^<>@]+@.+)?$",
+ "jabberJID": "^([^<>@]+@.+)?$",
+ "ircNick": ".*",
+ "icqUin": "^[0-9]*$",
+ "onVacation": ".*",
+ "labeledURI": ".*",
+ "birthDate": "^([0-9]{4})([01][0-9])([0-3][0-9])$",
+ "mailDisableMessage": ".*",
+ "mailGreylisting": "^(TRUE|FALSE)$",
+ "mailCallout": "^(TRUE|FALSE)$",
+ "VoIP": ".*",
+ "gender": "^(1|2|9|male|female|unspecified)$",
+};
+
+DelItems = {"c": None,
+ "l": None,
+ "facsimileTelephoneNumber": None,
+ "telephoneNumber": None,
+ "postalAddress": None,
+ "postalCode": None,
+ "emailForward": None,
+ "ircNick": None,
+ "onVacation": None,
+ "labeledURI": None,
+ "latitude": None,
+ "longitude": None,
+ "icqUin": None,
+ "jabberJID": None,
+ "jpegPhoto": None,
+ "dnsZoneEntry": None,
+ "sshRSAAuthKey": None,
+ "sshDSAAuthKey": None,
+ "birthDate" : None,
+ "mailGreylisting": None,
+ "mailCallout": None,
+ "mailRBL": None,
+ "mailRHSBL": None,
+ "mailWhitelist": None,
+ "mailDisableMessage": None,
+ "VoIP": None,
+ };
+
+# Decode a GPS location from some common forms
+def LocDecode(Str,Dir):
+ # Check for Decimal degrees, DGM, or DGMS
+ if re.match("^[+-]?[\d.]+$",Str) != None:
+ return Str;
+
+ Deg = '0'; Min = None; Sec = None; Dr = Dir[0];
+
+ # Check for DDDxMM.MMMM where x = [nsew]
+ Match = re.match("^(\d+)(["+Dir+"])([\d.]+)$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Min = G[2]; Dr = G[1];
+
+ # Check for DD.DD x
+ Match = re.match("^([\d.]+) ?(["+Dir+"])$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Dr = G[1];
+
+ # Check for DD:MM.MM x
+ Match = re.match("^(\d+):([\d.]+) ?(["+Dir+"])$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Min = G[1]; Dr = G[2];
+
+ # Check for DD:MM:SS.SS x
+ Match = re.match("^(\d+):(\d+):([\d.]+) ?(["+Dir+"])$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Min = G[1]; Sec = G[2]; Dr = G[3];
+
+ # Some simple checks
+ if float(Deg) > 180:
+ raise "Failed","Bad degrees";
+ if Min != None and float(Min) > 60:
+ raise "Failed","Bad minutes";
+ if Sec != None and float(Sec) > 60:
+ raise "Failed","Bad seconds";
+
+ # Pad on an extra leading 0 to disambiguate small numbers
+ if len(Deg) <= 1 or Deg[1] == '.':
+ Deg = '0' + Deg;
+ if Min != None and (len(Min) <= 1 or Min[1] == '.'):
+ Min = '0' + Min;
+ if Sec != None and (len(Sec) <= 1 or Sec[1] == '.'):
+ Sec = '0' + Sec;
+
+ # Construct a DGM/DGMS type value from the components.
+ Res = "+"
+ if Dr == Dir[1]:
+ Res = "-";
+ Res = Res + Deg;
+ if Min != None:
+ Res = Res + Min;
+ if Sec != None:
+ Res = Res + Sec;
+ return Res;
+
+# Handle changing a set of arbitary fields
+# <field>: value
+def DoArbChange(Str,Attrs):
+ Match = re.match("^([^ :]+): (.*)$",Str);
+ if Match == None:
+ return None;
+ G = Match.groups();
+
+ attrName = G[0].lower();
+ for i in ArbChanges.keys():
+ if i.lower() == attrName:
+ attrName = i;
+ break;
+ if ArbChanges.has_key(attrName) == 0:
+ return None;
+
+ if re.match(ArbChanges[attrName],G[1]) == None:
+ raise Error, "Item does not match the required format"+ArbChanges[attrName];
+
+ value = G[1];
+ if attrName == 'gender':
+ if G[1] not in GenderTable:
+ raise Error, "Gender not found in table"
+ value = GenderTable[G[1]]
+
+# if attrName == 'birthDate':
+# (re.match("^([0-9]{4})([01][0-9])([0-3][0-9])$",G[1]) {
+# $bd_yr = $1; $bd_mo = $2; $bd_day = $3;
+# if ($bd_mo > 0 and $bd_mo <= 12 and $bd_day > 0) {
+# if ($bd_mo == 2) {
+# if ($bd_day == 29 and ($bd_yr == 0 or ($bd_yr % 4 == 0 && ($bd_yr % 100 != 0 || $bd_yr % 400 == 0)))) {
+# $bd_ok = 1;
+# } elsif ($bd_day <= 28) {
+# $bd_ok = 1;
+# }
+# } elsif ($bd_mo == 4 or $bd_mo == 6 or $bd_mo == 9 or $bd_mo == 11) {
+# if ($bd_day <= 30) {
+# $bd_ok = 1;
+# }
+# } else {
+# if ($bd_day <= 31) {
+# $bd_ok = 1;
+# }
+# }
+# }
+# } elsif (not defined($query->param('birthdate')) or $query->param('birthdate') =~ /^\s*$/) {
+# $bd_ok = 1;
+# }
+ Attrs.append((ldap.MOD_REPLACE,attrName,value));
+ return "Changed entry %s to %s"%(attrName,value);
+
+# Handle changing a set of arbitary fields
+# <field>: value
+def DoDel(Str,Attrs):
+ Match = re.match("^del (.*)$",Str);
+ if Match == None:
+ return None;
+ G = Match.groups();
+
+ attrName = G[0].lower();
+ for i in DelItems.keys():
+ if i.lower() == attrName:
+ attrName = i;
+ break;
+ if DelItems.has_key(attrName) == 0:
+ return "Cannot erase entry %s"%(attrName);
+
+ Attrs.append((ldap.MOD_DELETE,attrName,None));
+ return "Removed entry %s"%(attrName);
+
+# Handle a position change message, the line format is:
+# Lat: -12412.23 Long: +12341.2342
+def DoPosition(Str,Attrs):
+ Match = re.match("^lat: ([+\-]?[\d:.ns]+(?: ?[ns])?) long: ([+\-]?[\d:.ew]+(?: ?[ew])?)$", Str.lower())
+ if Match == None:
+ return None;
+
+ G = Match.groups();
+ try:
+ sLat = LocDecode(G[0],"ns");
+ sLong = LocDecode(G[1],"ew");
+ Lat = DecDegree(sLat,1);
+ Long = DecDegree(sLong,1);
+ except:
+ raise Error, "Positions were found, but they are not correctly formed";
+
+ Attrs.append((ldap.MOD_REPLACE,"latitude",sLat));
+ Attrs.append((ldap.MOD_REPLACE,"longitude",sLong));
+ return "Position set to %s/%s (%s/%s decimal degrees)"%(sLat,sLong,Lat,Long);
+
+# Load bad ssh fingerprints
+def LoadBadSSH():
+ f = open(SSHFingerprintFile, "r")
+ bad = []
+ FingerprintLine = re.compile('^([0-9a-f\:]{47}).*$')
+ for line in f.readlines():
+ Match = FingerprintLine.match(line)
+ if Match is not None:
+ g = Match.groups()
+ bad.append(g[0])
+ return bad
+
+# Handle an SSH authentication key, the line format is:
+# [options] 1024 35 13188913666680[..] [comment]
+def DoSSH(Str, Attrs, badkeys, uid):
+ Match = SSH2AuthSplit.match(Str);
+ if Match == None:
+ return None;
+ g = Match.groups()
+ typekey = g[1]
+ if Match == None:
+ Match = SSHRSA1Match.match(Str)
+ if Match is not None:
+ return "RSA1 keys not supported anymore"
+ return None;
+
+ (fd, path) = tempfile.mkstemp(".pub", "sshkeytry", "/tmp")
+ f = open(path, "w")
+ f.write("%s\n" % (Str))
+ f.close()
+ cmd = "/usr/bin/ssh-keygen -l -f %s < /dev/null" % (path)
+ (result, output) = commands.getstatusoutput(cmd)
+ os.remove(path)
+ if (result != 0):
+ raise Error, "ssh-keygen -l invocation failed!\n%s\n" % (output)
+
+
+ # Head
+ Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()))
+ ErrReplyHead = "From: %s\nCc: %s\nReply-To: %s\nDate: %s\n" % (os.environ['SENDER'],os.environ['SENDER'],ReplyTo,Date)
+ Subst = {}
+ Subst["__ADMIN__"] = ReplyTo
+ Subst["__USER__"] = uid
+
+ Match = SSHFingerprint.match(output)
+ g = Match.groups()
+
+ if int(g[0]) < 1024:
+ try:
+ # Body
+ Subst["__ERROR__"] = "SSH keysize %s is below limit 1024" % (g[0])
+ ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read())
+
+ Child = os.popen("/usr/sbin/sendmail -t","w")
+ Child.write(ErrReplyHead)
+ Child.write(ErrReply)
+ if Child.close() != None:
+ raise Error, "Sendmail gave a non-zero return code"
+ except:
+ sys.exit(EX_TEMPFAIL)
+
+ # And now break and stop processing input, which sends a reply to the user.
+ raise Error, "SSH keys must have at least 1024 bits, processing halted, NOTHING MODIFIED AT ALL"
+ elif g[1] in badkeys:
+ try:
+ # Body
+ Subst["__ERROR__"] = "SSH key with fingerprint %s known as bad key" % (g[1])
+ ErrReply = TemplateSubst(Subst,open(TemplatesDir+"admin-info","r").read())
+
+ Child = os.popen("/usr/sbin/sendmail -t","w")
+ Child.write(ErrReplyHead)
+ Child.write(ErrReply)
+ if Child.close() != None:
+ raise Error, "Sendmail gave a non-zero return code"
+ except:
+ sys.exit(EX_TEMPFAIL)
+
+ # And now break and stop processing input, which sends a reply to the user.
+ raise Error, "Submitted SSH Key known to be bad and insecure, processing halted, NOTHING MODIFIED AT ALL"
+
+ if (typekey == "dss"):
+ return "DSA keys not accepted anymore"
+
+ global SeenKey;
+ if SeenKey:
+ Attrs.append((ldap.MOD_ADD,"sshRSAAuthKey",Str));
+ return "SSH Key added "+FormatSSHAuth(Str);
+
+ Attrs.append((ldap.MOD_REPLACE,"sshRSAAuthKey",Str));
+ SeenKey = 1;
+ return "SSH Keys replaced with "+FormatSSHAuth(Str);
+
+# Handle changing a dns entry
+# host IN A 12.12.12.12
+# host IN AAAA 1234::5678
+# host IN CNAME foo.bar. <- Trailing dot is required
+# host IN MX foo.bar. <- Trailing dot is required
+def DoDNS(Str,Attrs,DnRecord):
+ cnamerecord = re.match("^[-\w]+\s+IN\s+CNAME\s+([-\w.]+\.)$",Str,re.IGNORECASE)
+ arecord = re.match('^[-\w]+\s+IN\s+A\s+(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$',Str,re.IGNORECASE)
+ mxrecord = re.match("^[-\w]+\s+IN\s+MX\s+(\d{1,3})\s+([-\w.]+\.)$",Str,re.IGNORECASE)
+ #aaaarecord = re.match('^[-\w]+\s+IN\s+AAAA\s+((?:[0-9a-f]{1,4})(?::[0-9a-f]{1,4})*(?::(?:(?::[0-9a-f]{1,4})*|:))?)$',Str,re.IGNORECASE)
+ aaaarecord = re.match('^[-\w]+\s+IN\s+AAAA\s+([A-F0-9:]{2,39})$',Str,re.IGNORECASE)
+
+ if cnamerecord == None and\
+ arecord == None and\
+ mxrecord == None and\
+ aaaarecord == None:
+ return None;
+
+ # Check if the name is already taken
+ G = re.match('^([-\w+]+)\s',Str)
+ if G == None:
+ raise Error, "Hostname not found although we already passed record syntax checks"
+ hostname = G.group(1)
+
+ # Check for collisions
+ global l;
+ # [JT 20070409 - search for both tab and space suffixed hostnames
+ # since we accept either. It'd probably be better to parse the
+ # incoming string in order to construct what we feed LDAP rather
+ # than just passing it through as is.]
+ filter = "(|(dnsZoneEntry=%s *)(dnsZoneEntry=%s *))" % (hostname, hostname)
+ Rec = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,filter,["uid"]);
+ for x in Rec:
+ if GetAttr(x,"uid") != GetAttr(DnRecord,"uid"):
+ return "DNS entry is already owned by " + GetAttr(x,"uid")
+
+ global SeenDNS;
+ global DNS;
+
+ if cnamerecord:
+ if DNS.has_key(hostname):
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[hostname] = 2
+ else:
+ if DNS.has_key(hostname) and DNS[hostname] == 2:
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[hostname] = 1