3

�Pi2g�@s:
dd
lZdd
l
jZdd
ljZddlTddlmZ
Gdd�d�ZGdd�d�ZGdd	�d	e	�Z
Gd
d�d�Zedk�
r6dd
l
Z
e
jd
dkr�ee
jd�
Zej�Zej�
ed
d�
Zeje�

nxe
jd
dk�
r6y4ee
jdddd�Zeejd�

eejd�
�

Wn2e	k
�
r4
Z
zeejd�

WYd
d
Z[XnXd
S)�N)
�
*)
�copyc
@s�eZ
dZd3Zed4ZiZdZdZdZdZ	dZ
dd�Zdd�Zd d!�Z
d"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.d/�Zd0d1�Zd2S)5�	PolicyLex�POLICY�ALGORITHM_POLICY�ZONE�	ALGORITHM�	DIRECTORY�KEYTTL�KEY_SIZE�ROLL_PERIOD�PRE_PUBLISH�POST_PUBLISH�COVERAGE�STANDBY�NONE�
DATESUFFIX�KEYTYPE�ALGNAME�STR�QSTRING�NUMBER�LBRACE�RBRACE�SEMIz 	z	(//|\#).*z\{z\}�
;cCs|
jj
|
jjd
�
7_
dS)z\n+�

N)�lexer�lineno�value�count)�self�
t�r#�/usr/lib/python3.6/policy.py�	t_newline7szPolicyLex.t_newlinecCs|
jj
|
jjd
�
7_
dS)z/\*(.|\n)*?\*/rN)rrrr )r!r"r#r#r$�	t_comment;szPolicyLex.t_commentcCstj
d
|
j�jd�
j�|
_|
S)z�(?i)(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\bz(?i)(y|mo|w|d|h|mi|s)([a-z]*)�
)�re�matchr�group�lower)r!r"r#r#r$�t_DATESUFFIX?s
zPolicyLex.t_DATESUFFIXcCs|
jj
�|
_|
S)
z(?i)\b(KSK|ZSK)\b)r�upper)r!r"r#r#r$�	t_KEYTYPEDs
zPolicyLex.t_KEYTYPEcCs|
jj
�|
_|
S)
z�(?i)\b(RSAMD5|DH|DSA|NSEC3DSA|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECCGOST|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b)rr-)r!r"r#r#r$�	t_ALGNAMEIs
zPolicyLex.t_ALGNAMEcCs|jj
|
jd
�|
_|
S)z[A-Za-z._-][\w._-]*r)�reserved_map�getr�type)r!r"r#r#r$�t_STRNs
zPolicyLex.t_STRcCs&|jj
|
jd
�|
_|
jdd�|
_|
S)z"([^"\n]|(\\"))*"rr'�����)r0r1rr2)r!r"r#r#r$�	t_QSTRINGSs

zPolicyLex.t_QSTRINGcCst|
j
�
|
_
|
S)
z\d+)�intr)r!r"r#r#r$�t_NUMBERYs
zPolicyLex.t_NUMBERcCs"td
|
j
d�

|
jjd�

dS)NzIllegal character '%s'r
r')�printrr�skip)r!r"r#r#r$�t_error^s

zPolicyLex.t_errorc
Ksbd
tt
�
krt
jdd�}n
tdd�}x"|jD]}||j|j�j|�
<q,Wtjfd|i
|
��
|_dS)N�	maketrans�
_�
-�object)	�dir�strr;�reservedr0r+�	translate�lexr)r!�kwargsZtrans�
rr#r#r$�__init__bs





zPolicyLex.__init__cCs.|jj
|
�

x|jj�}|sPt|�

qWdS)
N)r�input�tokenr8)r!�textr"r#r#r$�testks






zPolicyLex.testN)
rrrrr	r
rrr
rrrr)	rrrrrrrrr)�__name__�
__module__�__qualname__rA�tokensr0Zt_ignoreZt_ignore_olcommentZt_LBRACEZt_RBRACEZt_SEMIr%r&r,r.r/r3r5r7r:rFrJr#r#r#r$rsN
























	rc
@s�eZ
dZd
Zd
Zd
ZdZdZdZdZ	dZ
dZdZdZ
dZdZdZdZdZddgddgddgddgddgddgddgdddddd�Zddd�
Zd	d
�Zdd�Zd
d�Zdd�Zdd�ZdS)�PolicyFNiii)�DSA�NSEC3DSA�RSAMD5�RSASHA1�NSEC3RSASHA1�	RSASHA256�	RSASHA512�ECCGOST�ECDSAP256SHA256�ECDSAP384SHA384�ED25519�ED448cCs|
|_||_
||_dS)
N)�name�	algorithm�parent)r!r\r]r^r#r#r$rF�s



zPolicy.__init__c

CsF
d
|jrdp"|j
rdp"|jr dp"d|jp*d|jr8|jjp:d|jrRdt|j�
dpTd|jp\d|jrlt|j�
pnd|j	r~t|j	�
p�d|j
r�t|j
�
p�d|jr�t|j�
p�d|jr�t|j�
p�d|j
r�t|j
�
p�d|jr�t|j�
p�d|jr�t|j�
p�d|jr�t|j�
p�d|j�
rt|j�
�
pd|j�
r(t|j�
�
p*d|j�
r>t|j�
�
p@dfS)	Na
%spolicy %s:
	inherits %s
	directory %s
	algorithm %s
	coverage %s
	ksk_keysize %s
	zsk_keysize %s
	ksk_rollperiod %s
	zsk_rollperiod %s
	ksk_prepublish %s
	ksk_postpublish %s
	zsk_prepublish %s
	zsk_postpublish %s
	ksk_standby %s
	zsk_standby %s
	keyttl %s
zconstructed zzone z
algorithm �ZUNKNOWN�None�
")�is_constructed�is_zone�is_algr\r^�	directoryr@r]�coverage�ksk_keysize�zsk_keysize�ksk_rollperiod�zsk_rollperiod�ksk_prepublish�ksk_postpublish�zsk_prepublish�zsk_postpublish�ksk_standby�zsk_standby�keyttl)
r!r#r#r$�__repr__�s(




















zPolicy.__repr__cCs |d
|
k
o|dk
S
S)Nr
r'r#)r!Zkey_sizeZ
size_ranger#r#r$Z
__verify_size�s
zPolicy.__verify_sizec


Cs|jS)
N)
r\)
r!r#r#r$�get_name�s
zPolicy.get_namec


Cs|jS)
N)
rb)
r!r#r#r$�constructed�s
zPolicy.constructedc
Cs$|jr:|j
d
k	r:|j
|jkr:t|j�

dd|j
|jffS|jrj|jd
k	rj|j|jkrjdd|j|jffS|jr�|jd
k	r�|j|jkr�dd|j|jffS|jr�|jd
k	r�|j|jkr�dd|j|jffS|jo�|j
o�|jo�|j
|j|jk�
rdd|j
|j|jffS|j�
rL|j�
rL|j�
rL|j|j|jk�
rLdd|j|j|jffS|jd
k	�r |jj	|j�
}
|
d
k	�
r�|j
|j|
��
s�dd
|j|
ffS|j
|j|
��
s�dd|j|
ffS|jdk�
r�|jddk�
r�dd|jfS|jdk�r|jddk�rdd|jfS|jd k�r d
|_d
|_d!S)"zr Check if the values in the policy make sense
        :return: True/False if the policy passes validation
        NFz6KSK pre-publish period (%d) exceeds rollover period %dz7KSK post-publish period (%d) exceeds rollover period %dz6ZSK pre-publish period (%d) exceeds rollover period %dz7ZSK post-publish period (%d) exceeds rollover period %dz%KSK pre/post-publish periods (%d/%d) z"combined exceed rollover period %dz%ZSK pre/post-publish periods (%d/%d) z&KSK key size %d outside valid range %sz&ZSK key size %d outside valid range %srPrQ�@r
z$KSK key size %d not divisible by 64 zas required for DSAz$ZSK key size %d not divisible by 64 rWrXrYrZr[Tr_zGKSK pre/post-publish periods (%d/%d) combined exceed rollover period %dzGZSK pre/post-publish periods (%d/%d) combined exceed rollover period %d)rPrQz7KSK key size %d not divisible by 64 as required for DSA)rPrQz7ZSK key size %d not divisible by 64 as required for DSA)rWrXrYrZr[)Tr_)
rirkr8rlrjrmrnr]�valid_key_sz_per_algor1�_Policy__verify_sizergrh)r!Zkey_sz_ranger#r#r$�validate�s�





























































zPolicy.validate)NNN)rKrLrMrcrdrbrirjrkrmrlrnrgrhrorprqrfrervrFrrrwrsrtrxr#r#r#r$rOvsD




























&rOc
@seZ
dZd
S)�PolicyExceptionN)rKrLrMr#r#r#r$ry)
s
ryc@s.
eZ
dZiZiZiZd
Zd
ZdZdEdd�
Z	dd�Z
dd�Zd	d
�Zdd�Z
d
d�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd �Zd!d"�Zd#d$�Zd%d&�Zd'd(�Zd)d*�Zd+d,�Zd-d.�Zd/d0�Zd1d2�Z d3d4�Z!d5d6�Z"d7d8�Z#d9d:�Z$d;d<�Z%d=d>�Z&d?d@�Z'dAdB�Z(dCdD�Z)d
S)F�
dnssec_policyNTcKs�t�|_
|j
j|_d
|kr"d|d
<d|kr2d|d<tjfd|i
|��
|_|jd�

t�}d|_d|_d|_	d|_
t|�
|jd<d|jd_d|jd_
d	|jd_	t|�
|jd
<d
|jd
_d
|jd
_
d	|jd
_	t|�
|jd<d|jd_d|jd_
t|�
|jd<d|jd_d|jd_
t|�
|jd
<d
|jd
_d
|jd
_
t|�
|jd<d|jd_d|jd_
t|�
|jd<d|jd_d|jd_
t|�
|jd<d|jd_d|jd_
t|�
|jd<d|jd_d|jd_
d|jd_	d|jd_
t|�
|jd<d|jd_d|jd_
d|jd_	d|jd_
t|�
|jd<d|jd_d|jd_
d|jd_	d|jd_
t|�
|jd<d|jd_d|jd_
d|jd_	d|jd_
|
�r�|j|
�

dS)N�debugF�write_tables�moduleapolicy global { algorithm rsasha256;
                                      key-size ksk 2048;
                                      key-size zsk 2048;
                                      roll-period ksk 0;
                                      roll-period zsk 1y;
                                      pre-publish ksk 1mo;
                                      pre-publish zsk 1mo;
                                      post-publish ksk 1mo;
                                      post-publish zsk 1mo;
                                      standby ksk 0;
                                      standby zsk 0;
                                      keyttl 1h;
                                      coverage 6mo; };
                      policy default { policy global; };TirPirQrRrSrTrUrVrWrXrYrZr[)r�plexrN�yacc�parser�setuprOr]rdrgrhr�
alg_policyr\�load)r!�filenamerD�
pr#r#r$rF4
s|















































zdnssec_policy.__init__c	CsH|
|_d
|_
t|
�
�$}|j�}d|jj_|jj|�

WdQRXd|_dS)NTr
)	r��initial�open�readr~rrr��parse)r!r��
frIr#r#r$r��
s







zdnssec_policy.loadcCs d
|_d|j
j_|jj|
�

dS)NTr
)r�r~rrr�r�)r!rIr#r#r$r��
s



zdnssec_policy.setupc	Ks`|
j�}d}||j
kr |j
|}|dkrBt|jd
�
}|
|_d|_|jdkr�|jpZ|jd
}x|rr|jrr|j}q^W|r~|jp�d|_|j|jkr�|j|j}nt	d�
�
|j
dkr�|jp�|jd
}x|dk	r�|j
r�|j}q�W|o�|j
|_
|jdk�
r:|j�
p|jd
}x|�
r"|j�
r"|j}�
qW|�
r2|j�
p6|j|_|jdk�
r�|j�
pV|jd
}x|j�
rv|j�
rv|j}�
qZW|�
r�|j�
p�|j|_|j
dk�
r�|j�
p�|jd
}x|j�
r�|j
�
r�|j}�
q�W|�
r�|j
�
p�|j
|_
|jdk�r6|j�
p�|jd
}x|j�r|j�r|j}�qW|�r.|j�p2|j|_|jdk�r�|j�pR|jd
}x|j�rr|j�rr|j}�qVW|�r�|j�p�|j|_|jdk�r�|j�p�|jd
}x|j�r�|j�r�|j}�q�W|�r�|j�p�|j|_|jdk�r2|j�p�|jd
}x|j�r|j�r|j}�q�W|�r*|j�p.|j|_|jdk�r�|j�pN|jd
}x|j�rn|j�rn|j}�qRW|�r~|j�p�|j|_|jdk�r�|j�p�|jd
}x|j�r�|j�r�|j}�q�W|�r�|j�p�|j|_|jdk�r(|j�p�|jd
}x |dk	�r|j�r|j}�q�W|�o$|j|_d|k�s>|d�r\|j�\}}|�s\t	|�
�
dS|S)N�defaultTzalgorithm not foundZ
novalidate)r+�zone_policyr�named_policyr\rbr]r^r�ryrerfrgrhrirjrkrmrlrnrqrx)	r!ZzonerD�
zr�r^ZapZvalid�msgr#r#r$�policy�
s�






































































zdnssec_policy.policyc
Csd
S)zBpolicylist : init policy
                      | policylist policyNr#)r!r�r#r#r$�p_policylist
szdnssec_policy.p_policylistcCs
d
|_dS)zinit :FN)
r�)r!r�r#r#r$�p_initszdnssec_policy.p_initc
Csd
S)zTpolicy : alg_policy
                  | zone_policy
                  | named_policyNr#)r!r�r#r#r$�p_policyszdnssec_policy.p_policycCs|
d
|
d<dS)zAname : STR
                | KEYTYPE
                | DATESUFFIXr'r
Nr#)r!r�r#r#r$�p_names
zdnssec_policy.p_namecCs,|
d
j�|
d<t
jd|
d�s(td�
�
dS)zcdomain : STR
                  | QSTRING
                  | KEYTYPE
                  | DATESUFFIXr'r
z^[\w.-][\w.-]*$zinvalid domainN)�stripr(r)ry)r!r�r#r#r$�p_domain s


zdnssec_policy.p_domaincCst�|_
d
S)znew_policy :N)rO�current)r!r�r#r#r$�p_new_policy*szdnssec_policy.p_new_policycCs(|
d
|j_
d|j_|j|j|
d
<dS)zFalg_policy : ALGORITHM_POLICY ALGNAME new_policy alg_option_group SEMI�TN)r�r\rdr�)r!r�r#r#r$�p_alg_policy.s


zdnssec_policy.p_alg_policycCs8|
d
jd�
|j
_d|j
_|j
|j|
d
jd�
j�<dS)z=zone_policy : ZONE domain new_policy policy_option_group SEMIr��
.TN)�rstripr�r\rcr�r+)r!r�r#r#r$�
p_zone_policy5s


zdnssec_policy.p_zone_policycCs$|
d
|j_
|j|j|
d
j�<dS)z>named_policy : POLICY name new_policy policy_option_group SEMIr�N)r�r\r�r+)r!r�r#r#r$�p_named_policy<s

zdnssec_policy.p_named_policycCs|
d
|
d<dS)zduration : NUMBERr'r
Nr#)r!r�r#r#r$�p_duration_1Bs
zdnssec_policy.p_duration_1cCsd
|
d<d
S)zduration : NONENr
r#)r!r�r#r#r$�p_duration_2Gs
zdnssec_policy.p_duration_2cCs�|
d
dkr|
dd|
d<n�|
d
dkr<|
dd|
d<n�|
d
dkrZ|
dd	|
d<n||
d
d
krx|
dd|
d<n^|
d
dkr�|
dd
|
d<n@|
d
dkr�|
dd|
d<n"|
d
dkr�|
d|
d<ntd�
�
dS)zduration : NUMBER DATESUFFIXr��
yr'i�3�
r
�moi�'�
wi�:	�
di�Q
�
hiZmi�<�
szinvalid durationN)
ry)r!r�r#r#r$�p_duration_3Ls












zdnssec_policy.p_duration_3c
Csd
S)z6policy_option_group : LBRACE policy_option_list RBRACENr#)r!r�r#r#r$�p_policy_option_group_sz#dnssec_policy.p_policy_option_groupc
Csd
S)zmpolicy_option_list : policy_option SEMI
                              | policy_option_list policy_option SEMINr#)r!r�r#r#r$�p_policy_option_listcsz"dnssec_policy.p_policy_option_listc
Csd
S)a�
policy_option : parent_option
                         | directory_option
                         | coverage_option
                         | rollperiod_option
                         | prepublish_option
                         | postpublish_option
                         | keysize_option
                         | algorithm_option
                         | keyttl_option
                         | standby_optionNr#)r!r�r#r#r$�p_policy_optionhszdnssec_policy.p_policy_optionc
Csd
S)z0alg_option_group : LBRACE alg_option_list RBRACENr#)r!r�r#r#r$�p_alg_option_groupusz dnssec_policy.p_alg_option_groupc
Csd
S)z^alg_option_list : alg_option SEMI
                           | alg_option_list alg_option SEMINr#)r!r�r#r#r$�p_alg_option_listyszdnssec_policy.p_alg_option_listc
Csd
S)a
alg_option : coverage_option
                      | rollperiod_option
                      | prepublish_option
                      | postpublish_option
                      | keyttl_option
                      | keysize_option
                      | standby_optionNr#)r!r�r#r#r$�p_alg_option~szdnssec_policy.p_alg_optioncCs|j|
d
j
�|j_dS)zparent_option : POLICY namer�N)r�r+r�r^)r!r�r#r#r$�p_parent_option�szdnssec_policy.p_parent_optioncCs|
d
|j_
dS)z$directory_option : DIRECTORY QSTRINGr�N)r�re)r!r�r#r#r$�p_directory_option�sz dnssec_policy.p_directory_optioncCs|
d
|j_
dS)z#coverage_option : COVERAGE durationr�N)r�rf)r!r�r#r#r$�p_coverage_option�szdnssec_policy.p_coverage_optioncCs*|
d
dkr|
d|j_
n|
d|j_dS)z0rollperiod_option : ROLL_PERIOD KEYTYPE durationr��KSK�N)r�rirj)r!r�r#r#r$�p_rollperiod_option�s
z!dnssec_policy.p_rollperiod_optioncCs*|
d
dkr|
d|j_
n|
d|j_dS)z0prepublish_option : PRE_PUBLISH KEYTYPE durationr�r�r�N)r�rkrm)r!r�r#r#r$�p_prepublish_option�s
z!dnssec_policy.p_prepublish_optioncCs*|
d
dkr|
d|j_
n|
d|j_dS)z2postpublish_option : POST_PUBLISH KEYTYPE durationr�r�r�N)r�rlrn)r!r�r#r#r$�p_postpublish_option�s
z"dnssec_policy.p_postpublish_optioncCs*|
d
dkr|
d|j_
n|
d|j_dS)z(keysize_option : KEY_SIZE KEYTYPE NUMBERr�r�r�N)r�rgrh)r!r�r#r#r$�p_keysize_option�s
zdnssec_policy.p_keysize_optioncCs*|
d
dkr|
d|j_
n|
d|j_dS)z'standby_option : STANDBY KEYTYPE NUMBERr�r�r�N)r�rorp)r!r�r#r#r$�p_standby_option�s
zdnssec_policy.p_standby_optioncCs|
d
|j_
dS)zkeyttl_option : KEYTTL durationr�N)r�rq)r!r�r#r#r$�p_keyttl_option�szdnssec_policy.p_keyttl_optioncCs|
d
|j_
dS)z$algorithm_option : ALGORITHM ALGNAMEr�N)r�r])r!r�r#r#r$�p_algorithm_option�sz dnssec_policy.p_algorithm_optioncCsd|
r.td
|j
pd|j
rdnd|
j|
jf�

n2|js`td|j
p@d|j
rJdnd|
rV|
jpXdf�
�
dS)Nz%s%s%d:syntax error near '%s'r_�
:z%s%s%d:unexpected end of inputr
)r8r�rrr�ry)r!r�r#r#r$�p_error�s






zdnssec_policy.p_error)
N)*rKrLrMr�r�r�r�r�r�rFr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r#r#r#r$rz,
sN






_
h


rz�__main__r'rCr�)
r{r�T)r|r{r�znonexistent.zone)r(Zply.lexrCZply.yaccr�stringrrrO�	ExceptionryrzrK�sys�argvr��filer�rI�closer~rJZppr8r�r��
e�argsr#r#r#r$�<module>s6





`4!