diff --git a/README b/README new file mode 100644 index 0000000000000000000000000000000000000000..8e5d53ce32bb765cee3507e1cb072ae2c551dc19 --- /dev/null +++ b/README @@ -0,0 +1,4 @@ +RNDC Protocol Library + +This library implements the RNDC protocol natively in Python, to allow direct +control of BIND instances from within your Python programs. diff --git a/rndc.py b/rndc.py new file mode 100644 index 0000000000000000000000000000000000000000..214b0fd9d0339060bb58d04f6fa07c001b0217a5 --- /dev/null +++ b/rndc.py @@ -0,0 +1,178 @@ +############################################################################ +# Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC") +# +# Permission to use, copy, modify, and/or distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. +############################################################################ +# rndc.py +# This module implements the RNDC control protocol. +############################################################################ + +from collections import OrderedDict +from exceptions import TypeError +import time +import struct +import hashlib +import hmac +import base64 +import random +import socket + + +class rndc(object): + """RNDC protocol client library""" + __algos = {'md5': 157, + 'sha1': 161, + 'sha224': 162, + 'sha256': 163, + 'sha384': 164, + 'sha512': 165} + + def __init__(self, host, algo, secret): + """Creates a persistent connection to RNDC and logs in + host - (ip, port) tuple + algo - HMAC algorithm, one of md5, sha1, sha224, sha256, sha384, sha512 + secret - HMAC secret, base64 encoded""" + self.host = host + self.algo = algo + self.hlalgo = getattr(hashlib, algo) + self.secret = base64.b64decode(secret) + self.ser = random.randint(0, 1 << 24) + self.nonce = None + self.__connect_login() + + def call(self, cmd): + """Call a RNDC command, all parsing is done on the server side + cmd - a complete string with a command (eg 'reload zone example.com') + """ + return dict(self.__command(type=cmd)['_data']) + + def __serialize_dict(self, data, ignore_auth=False): + rv = '' + for k, v in data.iteritems(): + if ignore_auth and k == '_auth': + continue + rv += chr(len(k)) + rv += k + if type(v) == str: + rv += struct.pack('>BI', 1, len(v)) + v + elif type(v) == OrderedDict: + sd = self.__serialize_dict(v) + rv += struct.pack('>BI', 2, len(sd)) + sd + else: + raise NotImplementedError('Cannot serialize element of type %s' + % type(v)) + return rv + + def __prep_message(self, *args, **kwargs): + self.ser += 1 + now = int(time.time()) + data = OrderedDict(*args, **kwargs) + + d = OrderedDict() + d['_auth'] = OrderedDict() + d['_ctrl'] = OrderedDict() + d['_ctrl']['_ser'] = str(self.ser) + d['_ctrl']['_tim'] = str(now) + d['_ctrl']['_exp'] = str(now+60) + if self.nonce is not None: + d['_ctrl']['_nonce'] = self.nonce + d['_data'] = data + + msg = self.__serialize_dict(d, ignore_auth=True) + hash = hmac.new(self.secret, msg, self.hlalgo).digest() + bhash = base64.b64encode(hash) + if self.algo == 'md5': + d['_auth']['hmd5'] = struct.pack('22s', bhash) + else: + d['_auth']['hsha'] = struct.pack('B88s', + self.__algos[self.algo], bhash) + msg = self.__serialize_dict(d) + msg = struct.pack('>II', len(msg) + 4, 1) + msg + return msg + + def __verify_msg(self, msg): + if self.nonce is not None and msg['_ctrl']['_nonce'] != self.nonce: + return False + bhash = msg['_auth']['hmd5' if self.algo == 'md5' else 'hsha'] + bhash += '=' * (4 - (len(bhash) % 4)) + remote_hash = base64.b64decode(bhash) + my_msg = self.__serialize_dict(msg, ignore_auth=True) + my_hash = hmac.new(self.secret, my_msg, self.hlalgo).digest() + return (my_hash == remote_hash) + + def __command(self, *args, **kwargs): + msg = self.__prep_message(*args, **kwargs) + sent = self.socket.send(msg) + if sent != len(msg): + raise IOError("Cannot send the message") + + header = self.socket.recv(8) + if len(header) != 8: + # What should we throw here? Bad auth can cause this... + raise IOError("Can't read response header") + + length, version = struct.unpack('>II', header) + if version != 1: + raise NotImplementedError('Wrong message version %d' % version) + + # it includes the header + length -= 4 + data = self.socket.recv(length, socket.MSG_WAITALL) + if len(data) != length: + raise IOError("Can't read response data") + + msg = self.__parse_message(data) + if not self.__verify_msg(msg): + raise IOError("Authentication failure") + + return msg + + def __connect_login(self): + self.socket = socket.create_connection(self.host) + self.nonce = None + msg = self.__command(type='null') + self.nonce = msg['_ctrl']['_nonce'] + + def __parse_element(self, input): + pos = 0 + labellen = ord(input[pos]) + pos += 1 + label = input[pos:pos+labellen] + pos += labellen + type = ord(input[pos]) + pos += 1 + datalen = struct.unpack('>I', input[pos:pos+4])[0] + pos += 4 + data = input[pos:pos+datalen] + pos += datalen + rest = input[pos:] + + if type == 1: # raw binary value + return label, data, rest + elif type == 2: # dictionary + d = OrderedDict() + while len(data) > 0: + ilabel, value, data = self.__parse_element(data) + d[ilabel] = value + return label, d, rest + # TODO type 3 - list + else: + raise NotImplementedError('Unknown element type %d' % type) + + def __parse_message(self, input): + rv = OrderedDict() + hdata = None + while len(input) > 0: + label, value, input = self.__parse_element(input) + rv[label] = value + return rv diff --git a/setup.cfg b/setup.cfg new file mode 100644 index 0000000000000000000000000000000000000000..2a9acf13daa95e85642ea255d3e3bd1ef8252804 --- /dev/null +++ b/setup.cfg @@ -0,0 +1,2 @@ +[bdist_wheel] +universal = 1 diff --git a/setup.py b/setup.py new file mode 100755 index 0000000000000000000000000000000000000000..a112e8e32d19b27978f2cdd5258772866f509f29 --- /dev/null +++ b/setup.py @@ -0,0 +1,36 @@ +""" +Pythin RNDC protocol library + +A native python library that implements the RNDC protocol. +""" +from setuptools import setup, find_packages + +setup( + name="rndc", + version="0.0.1", + description="RNDC Protocol Library", + long_description=__doc__, + keywords="library DNS RNDC BIND", + + author="", + author_email="", + license="", + + classifiers=[ + 'Development Status :: 4 - Beta', + 'Intended Audience :: Developers', + 'Natural Language :: English', + 'Operating System :: POSIX', + 'Operating System :: Unix', + 'Programming Language :: Python', + 'Programming Language :: Python :: 2.7', + 'Programming Language :: Python :: 3.6', + 'Topic :: Internet :: Name Service (DNS)', + 'Topic :: Software Development :: Libraries', + 'Topic :: System :: Networking', + ], + + packages=find_packages(), + install_requires=[], + +)