#!/usr/bin/env python
# -*- mode: python -*-
-import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, posix;
+import userdir_gpg, userdir_ldap, sys, traceback, time, ldap, os;
import string, pwd
from userdir_gpg import *;
from userdir_ldap import *;
ReplyTo = ConfModule.replyto;
PingFrom = ConfModule.pingfrom;
ChPassFrom = ConfModule.chpassfrom;
+ChangeFrom = ConfModule.changefrom;
ReplayCacheFile = ConfModule.replaycachefile;
EX_TEMPFAIL = 75;
EX_PERMFAIL = 65; # EX_DATAERR
Error = 'Message Error';
+SeenKey = 0;
+SeenDNS = 0;
+DNS = {}
+ArbChanges = {"c": "..",
+ "l": ".*",
+ "facsimiletelephonenumber": ".*",
+ "telephonenumber": ".*",
+ "postaladdress": ".*",
+ "postalcode": ".*",
+ "loginshell": ".*",
+ "emailforward": "^([^<>@]+@.+)?$",
+ "ircnick": ".*",
+ "icquin": "^[0-9]*$",
+ "onvacation": ".*",
+ "labeledurl": ".*"};
+
+DelItems = {"c": None,
+ "l": None,
+ "facsimiletelephonenumber": None,
+ "telephonenumber": None,
+ "postaladdress": None,
+ "postalcode": None,
+ "emailforward": None,
+ "ircnick": None,
+ "onvacation": None,
+ "labeledurl": None,
+ "latitude": None,
+ "longitude": None,
+ "icquin": None,
+ "sshrsaauthkey": None,
+ "sshdsaauthkey": None};
+
+# Decode a GPS location from some common forms
+def LocDecode(Str,Dir):
+ # Check for Decimal degrees, DGM, or DGMS
+ if re.match("^[+-]?[\d.]+$",Str) != None:
+ return Str;
+
+ Deg = '0'; Min = None; Sec = None; Dr = Dir[0];
+
+ # Check for DDDxMM.MMMM where x = [nsew]
+ Match = re.match("^(\d+)(["+Dir+"])([\d.]+)$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Min = G[2]; Dr = G[1];
+
+ # Check for DD.DD x
+ Match = re.match("^([\d.]+) ?(["+Dir+"])$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Dr = G[1];
+
+ # Check for DD:MM.MM x
+ Match = re.match("^(\d+):([\d.]+) ?(["+Dir+"])$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Min = G[1]; Dr = G[2];
+
+ # Check for DD:MM:SS.SS x
+ Match = re.match("^(\d+):(\d+):([\d.]+) ?(["+Dir+"])$",Str);
+ if Match != None:
+ G = Match.groups();
+ Deg = G[0]; Min = G[1]; Sec = G[2]; Dr = G[3];
+
+ # Some simple checks
+ if float(Deg) > 180:
+ raise "Failed","Bad degrees";
+ if Min != None and float(Min) > 60:
+ raise "Failed","Bad minutes";
+ if Sec != None and float(Sec) > 60:
+ raise "Failed","Bad seconds";
+
+ # Pad on an extra leading 0 to disambiguate small numbers
+ if len(Deg) <= 1 or Deg[1] == '.':
+ Deg = '0' + Deg;
+ if Min != None and (len(Min) <= 1 or Min[1] == '.'):
+ Min = '0' + Min;
+ if Sec != None and (len(Sec) <= 1 or Sec[1] == '.'):
+ Sec = '0' + Sec;
+
+ # Construct a DGM/DGMS type value from the components.
+ Res = "+"
+ if Dr == Dir[1]:
+ Res = "-";
+ Res = Res + Deg;
+ if Min != None:
+ Res = Res + Min;
+ if Sec != None:
+ Res = Res + Sec;
+ return Res;
+
+# Handle changing a set of arbitary fields
+# <field>: value
+def DoArbChange(Str,Attrs):
+ Match = re.match("^([^ :]+): (.*)$",Str);
+ if Match == None:
+ return None;
+ G = Match.groups();
+
+ if ArbChanges.has_key(G[0]) == 0:
+ return None;
+
+ if re.match(ArbChanges[G[0]],G[1]) == None:
+ raise Error, "Item does not match the required format"+ArbChanges[G[0]];
+
+ Attrs.append((ldap.MOD_REPLACE,G[0],G[1]));
+ return "Changed entry %s to %s"%(G[0],G[1]);
+
+# Handle changing a set of arbitary fields
+# <field>: value
+def DoDel(Str,Attrs):
+ Match = re.match("^del (.*)$",Str);
+ if Match == None:
+ return None;
+ G = Match.groups();
+
+ if DelItems.has_key(G[0]) == 0:
+ return "Cannot erase entry %s"%(G[0]);
+
+ Attrs.append((ldap.MOD_DELETE,G[0],None));
+ return "Removed entry %s"%(G[0]);
+
+# Handle a position change message, the line format is:
+# Lat: -12412.23 Long: +12341.2342
+def DoPosition(Str,Attrs):
+ Match = re.match("^lat: ([+\-]?[\d:.ns]+(?: ?[ns])?) long: ([+\-]?[\d:.ew]+(?: ?[ew])?)$",string.lower(Str));
+ if Match == None:
+ return None;
+
+ G = Match.groups();
+ try:
+ sLat = LocDecode(G[0],"ns");
+ sLong = LocDecode(G[1],"ew");
+ Lat = DecDegree(sLat,1);
+ Long = DecDegree(sLong,1);
+ except:
+ raise Error, "Positions were found, but they are not correctly formed";
+
+ Attrs.append((ldap.MOD_REPLACE,"latitude",sLat));
+ Attrs.append((ldap.MOD_REPLACE,"longitude",sLong));
+ return "Position set to %s/%s (%s/%s decimal degrees)"%(sLat,sLong,Lat,Long);
+
+# Handle an SSH authentication key, the line format is:
+# [options] 1024 35 13188913666680[..] [comment]
+def DoSSH(Str,Attrs):
+ Match = SSHAuthSplit.match(Str);
+ if Match == None:
+ Match = SSH2AuthSplit.match(Str);
+ if Match == None:
+ return None;
+
+ global SeenKey;
+ if SeenKey:
+ Attrs.append((ldap.MOD_ADD,"sshrsaauthkey",Str));
+ return "SSH Key added "+FormatSSHAuth(Str);
+
+ Attrs.append((ldap.MOD_REPLACE,"sshrsaauthkey",Str));
+ SeenKey = 1;
+ return "SSH Keys replaced with "+FormatSSHAuth(Str);
+
+# Handle changing a dns entry
+# host in a 12.12.12.12
+# host in cname foo.bar. <- Trailing dot is required
+def DoDNS(Str,Attrs,DnRecord):
+ cname = re.match("^[-\w]+\s+in\s+cname\s+[-\w.]+\.$",Str,re.IGNORECASE);
+ if re.match('^[-\w]+\s+in\s+a\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$',\
+ Str,re.IGNORECASE) == None and cname == None and \
+ re.match("^[-\w]+\s+in\s+mx\s+\d{1,3}\s+[-\w.]+\.$",Str,re.IGNORECASE) == None:
+ return None;
+
+ # Check if the name is already taken
+ G = re.match('^([-\w+]+)\s',Str).groups();
+
+ # Check for collisions
+ global l;
+ Rec = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"dnszoneentry="+G[0]+" *",["uid"]);
+ for x in Rec:
+ if GetAttr(x,"uid") != GetAttr(DnRecord,"uid"):
+ return "DNS entry is already owned by " + GetAttr(x,"uid")
+
+ global SeenDNS;
+ global DNS;
+
+ if cname:
+ if DNS.has_key(G[0]):
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[G[0]] = 2
+ else:
+ if DNS.has_key(G[0]) and DNS[G[0]] == 2:
+ return "CNAME and other RR types not allowed: "+Str
+ else:
+ DNS[G[0]] = 1
+
+ if SeenDNS:
+ Attrs.append((ldap.MOD_ADD,"dnszoneentry",Str));
+ return "DNS Entry added "+Str;
+
+ Attrs.append((ldap.MOD_REPLACE,"dnszoneentry",Str));
+ SeenDNS = 1;
+ return "DNS Entry replaced with "+Str;
+
+# Handle an [almost] arbitary change
+def HandleChange(Reply,DnRecord,Key):
+ global PlainText;
+ Lines = re.split("\n *\r?",PlainText);
+
+ Result = "";
+ Attrs = [];
+ Show = 0;
+ for Line in Lines:
+ Line = string.strip(Line);
+ if Line == "":
+ continue;
+
+ # Try to process a command line
+ Result = Result + "> "+Line+"\n";
+ try:
+ if Line == "show":
+ Show = 1;
+ Res = "OK";
+ else:
+ Res = DoPosition(Line,Attrs) or DoDNS(Line,Attrs,DnRecord) or \
+ DoArbChange(Line,Attrs) or DoSSH(Line,Attrs) or \
+ DoDel(Line,Attrs);
+ except:
+ Res = None;
+ Result = Result + "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
+
+ # Fail, if someone tries to send someone elses signed email to the
+ # daemon then we want to abort ASAP.
+ if Res == None:
+ Result = Result + "Command is not understood. Halted\n";
+ break;
+ Result = Result + Res + "\n";
+
+ # Connect to the ldap server
+ l = ldap.open(LDAPServer);
+ F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
+ AccessPass = string.split(string.strip(F.readline())," ");
+ F.close();
+
+ # Modify the record
+ l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]);
+ Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
+ l.modify_s(Dn,Attrs);
+
+ Attribs = "";
+ if Show == 1:
+ Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid"));
+ if len(Attrs) == 0:
+ raise Error, "User not found"
+ Attribs = GPGEncrypt(PrettyShow(Attrs[0])+"\n","0x"+Key[1],Key[4]);
+
+ Subst = {};
+ Subst["__FROM__"] = ChangeFrom;
+ Subst["__EMAIL__"] = EmailAddress(DnRecord);
+ Subst["__ADMIN__"] = ReplyTo;
+ Subst["__RESULT__"] = Result;
+ Subst["__ATTR__"] = Attribs;
+
+ return Reply + TemplateSubst(Subst,open(TemplatesDir+"change-reply","r").read());
+
# Handle ping handles an email sent to the 'ping' address (ie this program
# called with a ping argument) It replies with a dump of the public records.
def HandlePing(Reply,DnRecord,Key):
Subst = {};
Subst["__FROM__"] = PingFrom;
Subst["__EMAIL__"] = EmailAddress(DnRecord);
- Subst["__LDAPFIELDS__"] = PrettyShow(Attrs[0]);
+ Subst["__LDAPFIELDS__"] = PrettyShow(DnRecord);
Subst["__ADMIN__"] = ReplyTo;
return Reply + TemplateSubst(Subst,open(TemplatesDir+"ping-reply","r").read());
# Connect to the ldap server
l = ldap.open(LDAPServer);
- F = open(PassDir+"/pass-"+pwd.getpwuid(posix.getuid())[0],"r");
+ F = open(PassDir+"/pass-"+pwd.getpwuid(os.getuid())[0],"r");
AccessPass = string.split(string.strip(F.readline())," ");
F.close();
+ l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]);
+
+ # Check for a locked account
+ Attrs = l.search_s(BaseDn,ldap.SCOPE_ONELEVEL,"uid="+GetAttr(DnRecord,"uid"));
+ if (string.find(GetAttr(Attrs[0],"userpassword"),"*LK*") != -1):
+ raise Error, "This account is locked";
# Modify the password
- l.simple_bind_s("uid="+AccessPass[0]+","+BaseDn,AccessPass[1]);
Rec = [(ldap.MOD_REPLACE,"userPassword","{crypt}"+Pass)];
Dn = "uid=" + GetAttr(DnRecord,"uid") + "," + BaseDn;
l.modify_s(Dn,Rec);
-
+
return Reply;
# Start of main program
+
+# Drop messages from a mailer daemon.
+if os.environ.has_key('SENDER') == 0 or len(os.environ['SENDER']) == 0:
+ sys.exit(0);
+
ErrMsg = "Indeterminate Error";
ErrType = EX_TEMPFAIL;
try:
Email = mimetools.Message(sys.stdin,0);
Msg = GetClearSig(Email);
- # Check the signature
+ ErrMsg = "Message is not PGP signed:"
+ if string.find(Msg[0],"-----BEGIN PGP SIGNED MESSAGE-----") == -1:
+ raise Error, "No PGP signature";
+
+ # Check the signature
ErrMsg = "Unable to check the signature or the signature was invalid:";
Res = GPGCheckSig(Msg[0]);
raise Error, "Null signature text";
# Extract the plain message text in the event of mime encoding
+ global PlainText;
ErrMsg = "Problem stripping MIME headers from the decoded message"
if Msg[1] == 1:
try:
# Connect to the ldap server
ErrType = EX_TEMPFAIL;
ErrMsg = "An error occured while performing the LDAP lookup";
+ global l;
l = ldap.open(LDAPServer);
l.simple_bind_s("","");
if Sender == None:
raise Error, "Unable to determine the sender's address";
+ if (string.find(GetAttr(Attrs[0],"userpassword"),"*LK*") != -1):
+ raise Error, "This account is locked";
+
# Formulate a reply
Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()));
Reply = "To: %s\nReply-To: %s\nDate: %s\n" % (Sender,ReplyTo,Date);
if string.find(string.strip(PlainText),"Please change my Debian password") != 0:
raise Error,"Please send a signed message where the first line of text is the string 'Please change my Debian password'";
Reply = HandleChPass(Reply,Attrs[0],Res[2]);
+ elif sys.argv[1] == "change":
+ Reply = HandleChange(Reply,Attrs[0],Res[2]);
else:
print sys.argv;
raise Error, "Incorrect Invokation";
# Send the message through sendmail
ErrMsg = "A problem occured while trying to send the reply";
- Child = posix.popen("/usr/sbin/sendmail -t","w");
-# Child = posix.popen("cat","w");
+ Child = os.popen("/usr/sbin/sendmail -t","w");
+# Child = os.popen("cat","w");
Child.write(Reply);
if Child.close() != None:
raise Error, "Sendmail gave a non-zero return code";
except:
- print ErrMsg;
- print "==> %s: %s" %(sys.exc_type,sys.exc_value);
+ # Error Reply Header
+ Date = time.strftime("%a, %d %b %Y %H:%M:%S +0000",time.gmtime(time.time()));
+ ErrReplyHead = "To: %s\nReply-To: %s\nDate: %s\n" % (os.environ['SENDER'],ReplyTo,Date);
+
+ # Error Body
+ Subst = {};
+ Subst["__ERROR__"] = ErrMsg;
+ Subst["__ADMIN__"] = ReplyTo;
+
+ Trace = "==> %s: %s\n" %(sys.exc_type,sys.exc_value);
List = traceback.extract_tb(sys.exc_traceback);
if len(List) > 1:
- print "Trace: ";
+ Trace = Trace + "Python Stack Trace:\n";
for x in List:
- print " %s %s:%u: %s" %(x[2],x[0],x[1],x[3]);
- sys.exit(ErrType);
+ Trace = Trace + " %s %s:%u: %s\n" %(x[2],x[0],x[1],x[3]);
+
+ Subst["__TRACE__"] = Trace;
+
+ # Try to send the bounce
+ try:
+ ErrReply = TemplateSubst(Subst,open(TemplatesDir+"error-reply","r").read());
+
+ Child = os.popen("/usr/sbin/sendmail -t","w");
+ Child.write(ErrReplyHead);
+ Child.write(ErrReply);
+ if Child.close() != None:
+ raise Error, "Sendmail gave a non-zero return code";
+ except:
+ sys.exit(EX_TEMPFAIL);
+
+ if ErrType != EX_PERMFAIL:
+ sys.exit(ErrType);
+ sys.exit(0);