3 # Copyright 1999-2005 Project Purple. Written by Jonathan McDowell
4 # See ACKNOWLEDGEMENTS file for full details of contributors.
5 # http://www.earth.li/projectpurple/progs/autodns.html
6 # Released under the GPL.
8 # $Id: autodns.pl,v 1.15 2005/06/15 10:26:25 noodles Exp $
15 use File::Temp qw(tempfile);
19 $ENV{'PATH'}="/usr/local/bin:/usr/bin:/bin:/usr/sbin";
21 my ($from, $subject, $gpguser, $gpggood, $priv);
22 my ($user, $server, $inprocess, $delcount, $addcount);
23 my ($domain, @MAIL, @GPGERROR, @COMMANDS, %zones, $VERSION);
25 use vars qw($me $ccreply $conffile $domainlistroot @cfgfiles $usersfile
26 $lockfile $reload_command $expiry $zonefiledir);
33 my $file = '/etc/bind/autodns.conf';
34 unless (my $ret = do $file) {
35 warn "Couldn't parse $file\n" if $@;
36 warn "Couldn't do $file\n" unless defined $ret;
37 warn "Couldn't run $file\n" unless $ret;
38 die "Problem reading config file!\n";
42 ### There should be no need to edit anything below (unless you're not
43 ### using BIND). This statement might even be true now - let me know if not.
47 # Try to figure out what zones we currently know about by parsing config
48 # files. Sets the item in %zones to 1 for each zone it finds.
50 # Call with the name of a config file to read:
52 # getzones("/etc/named.conf");
55 my $namedfile = shift;
57 open (NAMEDCONF, "< $namedfile") or
58 fatalerror("Can't open $namedfile");
61 if (/^\s*zone\s*"([^"]+)"/) {
70 # Check that a domain is only made up of valid characters.
72 # These are: a-z, 0-9, - or .
78 if ($domain =~ /^(?:[a-z0-9-]+\.)+[a-z]{2,6}$/) {
80 } elsif ($domain =~ /^(?:[0-9\/-]+\.)+in-addr.arpa$/) {
88 # Deal with a fatal error by printing an error message, closing the pipe to
89 # sendmail and exiting.
91 # fatalerror("I'm melting!");
99 flock(LOCKFILE, LOCK_UN);
108 # Get user details from usersfile based on a PGP ID.
110 # A users entry looks like:
112 # <username>:<keyid>:<privilege level>:<master server ip>
114 # Priviledge level is not currently used.
116 # ($user, $priv, $server) = getuserinfo("5B430367");
120 my ($user, $privilege, $server);
122 open (CONFIGFILE, "< $usersfile") or
123 fatalerror("Couldn't open user configuration file.");
125 foreach (<CONFIGFILE>) {
126 if (/^([^#.]+):$gpguser:(\d+):(.+)$/) {
134 if ($user !~ /^.+$/) {
136 fatalerror("Error in user configuration file: Can't get username.\n");
139 if ($server !~ /^(\d{1,3}\.){3}\d{1,3}$/) {
140 $server =~ s/\d\.]//g;
142 fatalerror("Error in user configuration file: Invalid primary server IP address ($server)\n");
150 fatalerror("User not found.\n");
153 return ($user, $privilege, $server);
157 # Add a new AutoDNS user.
159 # addautodnsuser($username, $keyid, $priv, $masterip);
160 # <username>:<keyid>:<privilege level>:<master server ip>
162 sub addautodnsuser($$$$) {
163 my $username = shift;
166 my $masterip = shift;
168 # Create domains file for the user.
169 open (DOMAINLIST, ">>$domainlistroot$username") or
170 fatalerror("Couldn't create domains file.\n");
173 # Make the directory for the zone files.
174 my @dirs = mkpath("$zonefiledir/$username", 0, 0775);
175 fatalerror("Couldn't create zone file directory.\n")
176 if scalar(@dirs) == 0;
178 # Actually add them to the users file.
179 open(USERFILE, ">> $usersfile") or
180 fatalerror("Couldn't open user configuration file.");
181 print USERFILE "$username:$keyid:$priv:$masterip\n";
185 $delcount=$addcount=$inprocess=0;
187 # Read in the mail from stdin.
190 $subject = "Reply from AutoDNS";
191 # Now lets try to find out who it's from.
194 if (/^From: (.*)/i) { $from=$1; chomp $from;}
195 if (/^Subject:\s+(re:)?(.*)$/i) { $subject="Re: ".$2 if ($2);}
198 if ((! defined($from)) || $from =~ /^$/ ) {
199 die "Couldn't find a from address.";
200 } elsif ($from =~ /mailer-daemon@/i) {
201 die "From address is mailer-daemon, ignoring.";
204 if (! defined($subject)) { $subject="Reply from AutoDNS"; };
206 # We've got a from address. Start a reply.
208 open(REPLY, "|sendmail -t -oem -oi") or die "Couldn't spawn sendmail";
210 print REPLY "From: $me\n";
211 print REPLY "To: $from\n";
213 # Check to see if our CC address is the same as the from address and if so
216 if ($from ne $ccreply) {
217 print REPLY "Cc: $ccreply\n";
223 Copyright 1999-2004 Project Purple. Written by Jonathan McDowell.
224 Released under the GPL.
229 # Throw the mail at MIME::Parser and see if it accepts it.
231 my $parser = new MIME::Parser;
232 $parser->output_to_core(1); # No temporary files
233 my $entity = $parser->parse_data(\@MAIL);
236 # Make sure locale is set to C so we get messages in English as we expect.
240 if ($entity->parts) {
243 my ($got_sig, $got_text) = (0, 0);
244 my ($sig_name,$sig_fh,$text_name,$text_fh);
245 ($sig_fh, $sig_name) = tempfile();
246 ($text_fh, $text_name) = tempfile();
248 foreach my $subent ($entity->parts) {
249 if ($subent->effective_type eq "text/plain") {
250 @COMMANDS = split /\n/,$subent->bodyhandle->as_string;
252 my $str = $subent->as_string;
258 } elsif ($subent->effective_type eq
259 "application/pgp-signature") {
260 print $sig_fh $subent->as_string;
263 } elsif ($subent->effective_type eq "multipart/mixed") {
264 my $str = $subent->as_string;
269 foreach my $mixent ($subent->parts) {
270 if ($mixent->effective_type eq "text/plain") {
271 push @COMMANDS, (split /\n/,
272 $mixent->bodyhandle->as_string);
274 if ($mixent->effective_type eq
275 "application/pgp-keys") {
276 push @COMMANDS, (split /\n/,
277 $mixent->bodyhandle->as_string);
283 if ($got_sig && $got_text) {
284 my $pid = open3(\*GPGIN, \*GPGOUT, \*GPGERR,
285 "gpg --batch --verify ".
286 $sig_name." ".$text_name);
291 my @GPGOUTPUT=<GPGOUT>;
302 my $pid = open3(\*GPGIN, \*GPGOUT, \*GPGERR, "gpg --batch --verify");
305 print GPGIN $entity->bodyhandle->as_string;
308 # And grab what it has to say.
311 @COMMANDS = split /\n/,$entity->bodyhandle->as_string;
317 # Check who it's from and if the signature was a good one.
320 foreach (@GPGERROR) {
322 if (/Signature made (.*) using.*ID (.*)$/) {
323 $sigtime = str2time($1);
327 print REPLY "Some errors ocurred\n";
328 } elsif (/BAD signature/) {
330 print REPLY "BAD signature!\n";
331 } elsif (/public key not found/) {
333 print REPLY "Public Key not found\n";
337 # If we have an empty user it probably wasn't signed.
339 print REPLY "Message appears not to be GPG signed.\n";
344 # Check the signature we got was ok.
346 print REPLY "Good GPG signature found. ($gpguser)\n";
348 print REPLY "Bad GPG signature!\n";
353 # Check if the signature is outside our acceptable range.
354 if (!defined($sigtime)) {
355 print REPLY "Couldn't parse signature time.\n";
358 } elsif ($sigtime > (time + $expiry)) {
359 print REPLY "Signature too far into the future.\n";
362 } elsif ($sigtime < (time - $expiry)) {
363 print REPLY "Signature too far into the past.\n";
368 # Now let's check if we know this person.
369 ($user, $priv, $server) = getuserinfo($gpguser);
371 if (! defined($user) || ! $user) {
372 print REPLY "Unknown user.\n";
377 print REPLY "Got user '$user'\n";
379 # Right. We know this is a valid user. Get a lock to ensure we have exclusive
380 # access to the configs from here on in.
381 open (LOCKFILE,">$lockfile") ||
382 fatalerror("Couldn't open lock file\n");
383 fatalerror("Couldn't get lock\n") unless(flock(LOCKFILE,LOCK_EX));
385 # Ok, now we should figure out what domains we already know about.
386 foreach my $cfgfile (@cfgfiles) {
390 # Force existance of the $domainlistroot$user file
391 if (! -e $domainlistroot.$user) {
392 open (DOMAINLIST, ">>$domainlistroot$user") or
393 fatalerror("Couldn't create domains file.\n");
397 foreach (@COMMANDS) {
398 # Remove trailing CRs and leading/trailing whitespace
405 print REPLY ">>>$_\n";
410 # Empty line, so ignore it.
414 } elsif (/^BEGIN$/) {
416 } elsif ($inprocess && /^ADD\s+(.*)$/) {
419 # Convert domain to lower case.
420 $domain =~ tr/[A-Z]/[a-z]/;
421 if (! valid_domain($domain)) {
422 $domain =~ s/[-a-z0-9.]//g;
423 print REPLY "Invalid character(s) in domain name: $domain\n";
424 } elsif (defined($zones{$domain}) && $zones{$domain}) {
425 print REPLY "We already secondary $domain\n";
427 print REPLY "Adding domain $domain\n";
433 open (DOMAINSFILE, ">>$conffile");
435 ### Domain added for '$user'
439 masters { $server; };
440 file \"secondary/$user/$df\";
441 allow-transfer { none; };
442 allow-query { any; };
446 open (DOMAINLIST, ">>$domainlistroot$user") or
447 fatalerror("Couldn't open file.\n");
448 print DOMAINLIST "$domain\n";
452 } elsif ($inprocess && /^DEL\s(.*)$/) {
455 # Convert domain to lower case.
456 $domain =~ tr/[A-Z]/[a-z]/;
457 if (!valid_domain($domain)) {
458 $domain =~ s/[-a-z0-9.]//g;
459 print REPLY "Invalid character(s) in domain name: $domain\n";
460 } elsif (!defined($zones{$domain}) || !$zones{$domain}) {
461 print REPLY "$domain does not exist!\n";
463 print REPLY "Deleting domain $domain\n";
466 open (DOMAINLIST, "<$domainlistroot$user") or
467 fatalerror("Couldn't open file $domainlistroot$user for reading: $!.\n");
468 my @cfg = <DOMAINLIST>;
470 @newcfg = grep { ! /^$domain$/ } @cfg;
471 if (scalar @cfg == scalar @newcfg) {
472 print REPLY "Didn't find $domain in $domainlistroot$user!\n";
473 print REPLY "You are only allowed to delete your own domains that exist.\n";
477 open (DOMAINLIST, ">$domainlistroot$user") or
478 fatalerror("Couldn't open file $domainlistroot$user for writing: $!.\n");
479 print DOMAINLIST @newcfg;
484 open (DOMAINSFILE, "<$conffile") or
485 fatalerror("Couldn't open file $conffile for reading: $!\n");
487 local $/ = ''; # eat whole paragraphs
488 while (<DOMAINSFILE>) {
489 unless (/^\s*zone\s+"$domain"/) {
493 if ($newcfg[-1] =~ /^###/) {
494 # remove comment and \n
499 } # end of paragraph eating
502 print REPLY "Didn't find $domain in $conffile!\n";
506 open (DOMAINSFILE, ">$conffile") or
507 fatalerror("Couldn't open $conffile for writing: $!\n");
508 print DOMAINSFILE @newcfg;
513 } elsif ($inprocess && /^LIST$/) {
514 print REPLY "Listing domains for user $user\n";
515 print REPLY "------\n";
516 if (open (DOMAINLIST, "<$domainlistroot$user")) {
518 while (<DOMAINLIST>) {
523 print REPLY "------\n";
524 print REPLY "Total of $count domains.\n";
526 print REPLY "Couldn't open $domainlistroot$user: $!\n";
528 } elsif ($inprocess && /^MASTER\s(.*)$/) {
529 if (($priv & 1) != 1) {
530 print REPLY "You're not authorised to use the MASTER ",
532 } elsif ($1 =~ /^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/) {
534 print REPLY "Set master IP address to $1\n";
536 print REPLY "$1 doesn't look like a valid IPv4 ",
539 } elsif ($inprocess && /^ADDUSER\s(.*)$/) {
540 if (($priv & 2) != 2) {
541 print REPLY "You're not authorised to use the ",
542 "ADDUSER command.\n";
543 } elsif ($1 =~ /^([a-z0-9]+) ([A-Fa-f0-9]{8}) (\d+) (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/) {
544 addautodnsuser($1, $2, $3, $4);
546 print REPLY "Attempting to import new key:\n";
548 # Feed our command mail to GPG so we can pull the
549 # (hopefully included) new GPG key out from it.
550 my $pid = open3(\*GPGIN, \*GPGOUT, \*GPGERR,
551 "gpg --batch --import");
554 print GPGIN join("\n", @COMMANDS);
557 # And grab what it has to say.
559 my @GPGOUTPUT=<GPGOUT>;
564 print REPLY @GPGERROR;
566 print REPLY "ADDUSER parameter error.\n";
568 } elsif ($inprocess && /^HELP$/) {
569 print REPLY "In order to use the service, you will need to send GPG signed\n";
570 print REPLY "messages.\n\n";
571 print REPLY "The format of the text in these messages is important, as they represent\n";
572 print REPLY "commands to autodns. Commands are formatted one per line, and enclosed\n";
573 print REPLY "by \"BEGIN\" and \"END\" commands (without the quotes).\n";
574 print REPLY "Current valid commands are:\n";
575 print REPLY "BEGIN - begin processing.\n";
576 print REPLY "END - end processing.\n";
577 print REPLY "HELP - display this message.\n";
578 print REPLY "LIST - show all the zones currently held by you.\n";
579 print REPLY "ADD <domain> - adds the domain <domain> for processing.\n";
580 print REPLY "DEL <domain> - removes the domain <domain> if you own it.\n";
581 if (($priv & 1) == 1) {
582 print REPLY "MASTER <ip address> - set the nameserver".
583 " we should slave off for subsequent ADD\ncommands.\n";
585 if (($priv & 2) == 2) {
586 print REPLY "ADDUSER <username> <keyid> <privilege> ",
587 "<masterip> - add a new user. Imports any key",
588 "\nattached to the message into the keyring.\n";
590 } elsif ($inprocess) {
591 print REPLY "Unknown command!\n";
594 flock(LOCKFILE, LOCK_UN);
598 print REPLY "Added $addcount domains.\n" if $addcount;
599 print REPLY "Removed $delcount domains.\n" if $delcount;
600 if ($addcount || $delcount) {
601 print REPLY "Reloading nameserver config.\n";
602 print REPLY `$reload_command`;