summaryrefslogtreecommitdiffstats
path: root/bin/python/isc/policy.py.in
diff options
context:
space:
mode:
Diffstat (limited to 'bin/python/isc/policy.py.in')
-rw-r--r--bin/python/isc/policy.py.in761
1 files changed, 761 insertions, 0 deletions
diff --git a/bin/python/isc/policy.py.in b/bin/python/isc/policy.py.in
new file mode 100644
index 0000000..0fa231c
--- /dev/null
+++ b/bin/python/isc/policy.py.in
@@ -0,0 +1,761 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import re
+import ply.lex as lex
+import ply.yacc as yacc
+from string import *
+from copy import copy
+
+
+############################################################################
+# PolicyLex: a lexer for the policy file syntax.
+############################################################################
+class PolicyLex:
+ reserved = (
+ "POLICY",
+ "ALGORITHM_POLICY",
+ "ZONE",
+ "ALGORITHM",
+ "DIRECTORY",
+ "KEYTTL",
+ "KEY_SIZE",
+ "ROLL_PERIOD",
+ "PRE_PUBLISH",
+ "POST_PUBLISH",
+ "COVERAGE",
+ "STANDBY",
+ "NONE",
+ )
+
+ tokens = reserved + (
+ "DATESUFFIX",
+ "KEYTYPE",
+ "ALGNAME",
+ "STR",
+ "QSTRING",
+ "NUMBER",
+ "LBRACE",
+ "RBRACE",
+ "SEMI",
+ )
+ reserved_map = {}
+
+ t_ignore = " \t"
+ t_ignore_olcomment = r"(//|\#).*"
+
+ t_LBRACE = r"\{"
+ t_RBRACE = r"\}"
+ t_SEMI = r";"
+
+ def t_newline(self, t):
+ r"\n+"
+ t.lexer.lineno += t.value.count("\n")
+
+ def t_comment(self, t):
+ r"/\*(.|\n)*?\*/"
+ t.lexer.lineno += t.value.count("\n")
+
+ def t_DATESUFFIX(self, t):
+ r"(?<=[0-9 \t])(y(?:ears|ear|ea|e)?|mo(?:nths|nth|nt|n)?|w(?:eeks|eek|ee|e)?|d(?:ays|ay|a)?|h(?:ours|our|ou|o)?|mi(?:nutes|nute|nut|nu|n)?|s(?:econds|econd|econ|eco|ec|e)?)\b"
+ t.value = (
+ re.match(r"(y|mo|w|d|h|mi|s)([a-z]*)", t.value, re.IGNORECASE)
+ .group(1)
+ .lower()
+ )
+ return t
+
+ def t_KEYTYPE(self, t):
+ r"\b(KSK|ZSK)\b"
+ t.value = t.value.upper()
+ return t
+
+ def t_ALGNAME(self, t):
+ r"\b(DH|ECC|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512|ECDSAP256SHA256|ECDSAP384SHA384|ED25519|ED448)\b"
+ t.value = t.value.upper()
+ return t
+
+ def t_STR(self, t):
+ r"[A-Za-z._-][\w._-]*"
+ t.type = self.reserved_map.get(t.value, "STR")
+ return t
+
+ def t_QSTRING(self, t):
+ r'"([^"\n]|(\\"))*"'
+ t.type = self.reserved_map.get(t.value, "QSTRING")
+ t.value = t.value[1:-1]
+ return t
+
+ def t_NUMBER(self, t):
+ r"\d+"
+ t.value = int(t.value)
+ return t
+
+ def t_error(self, t):
+ print("Illegal character '%s'" % t.value[0])
+ t.lexer.skip(1)
+
+ def __init__(self, **kwargs):
+ if "maketrans" in dir(str):
+ trans = str.maketrans("_", "-")
+ else:
+ trans = maketrans("_", "-")
+ for r in self.reserved:
+ self.reserved_map[r.lower().translate(trans)] = r
+ self.lexer = lex.lex(object=self, reflags=re.VERBOSE | re.IGNORECASE, **kwargs)
+
+ def test(self, text):
+ self.lexer.input(text)
+ while True:
+ t = self.lexer.token()
+ if not t:
+ break
+ print(t)
+
+
+############################################################################
+# Policy: this object holds a set of DNSSEC policy settings.
+############################################################################
+class Policy:
+ is_zone = False
+ is_alg = False
+ is_constructed = False
+ ksk_rollperiod = None
+ zsk_rollperiod = None
+ ksk_prepublish = None
+ zsk_prepublish = None
+ ksk_postpublish = None
+ zsk_postpublish = None
+ ksk_keysize = None
+ zsk_keysize = None
+ ksk_standby = None
+ zsk_standby = None
+ keyttl = None
+ coverage = None
+ directory = None
+ valid_key_sz_per_algo = {
+ "RSASHA1": [1024, 4096],
+ "NSEC3RSASHA1": [512, 4096],
+ "RSASHA256": [1024, 4096],
+ "RSASHA512": [1024, 4096],
+ "ECDSAP256SHA256": None,
+ "ECDSAP384SHA384": None,
+ "ED25519": None,
+ "ED448": None,
+ }
+
+ def __init__(self, name=None, algorithm=None, parent=None):
+ self.name = name
+ self.algorithm = algorithm
+ self.parent = parent
+ pass
+
+ def __repr__(self):
+ return (
+ "%spolicy %s:\n"
+ "\tinherits %s\n"
+ "\tdirectory %s\n"
+ "\talgorithm %s\n"
+ "\tcoverage %s\n"
+ "\tksk_keysize %s\n"
+ "\tzsk_keysize %s\n"
+ "\tksk_rollperiod %s\n"
+ "\tzsk_rollperiod %s\n"
+ "\tksk_prepublish %s\n"
+ "\tksk_postpublish %s\n"
+ "\tzsk_prepublish %s\n"
+ "\tzsk_postpublish %s\n"
+ "\tksk_standby %s\n"
+ "\tzsk_standby %s\n"
+ "\tkeyttl %s\n"
+ % (
+ (
+ self.is_constructed
+ and "constructed "
+ or self.is_zone
+ and "zone "
+ or self.is_alg
+ and "algorithm "
+ or ""
+ ),
+ self.name or "UNKNOWN",
+ self.parent and self.parent.name or "None",
+ self.directory and ('"' + str(self.directory) + '"') or "None",
+ self.algorithm or "None",
+ self.coverage and str(self.coverage) or "None",
+ self.ksk_keysize and str(self.ksk_keysize) or "None",
+ self.zsk_keysize and str(self.zsk_keysize) or "None",
+ self.ksk_rollperiod and str(self.ksk_rollperiod) or "None",
+ self.zsk_rollperiod and str(self.zsk_rollperiod) or "None",
+ self.ksk_prepublish and str(self.ksk_prepublish) or "None",
+ self.ksk_postpublish and str(self.ksk_postpublish) or "None",
+ self.zsk_prepublish and str(self.zsk_prepublish) or "None",
+ self.zsk_postpublish and str(self.zsk_postpublish) or "None",
+ self.ksk_standby and str(self.ksk_standby) or "None",
+ self.zsk_standby and str(self.zsk_standby) or "None",
+ self.keyttl and str(self.keyttl) or "None",
+ )
+ )
+
+ def __verify_size(self, key_size, size_range):
+ return size_range[0] <= key_size <= size_range[1]
+
+ def get_name(self):
+ return self.name
+
+ def constructed(self):
+ return self.is_constructed
+
+ def validate(self):
+ """Check if the values in the policy make sense
+ :return: True/False if the policy passes validation
+ """
+ if (
+ self.ksk_rollperiod
+ and self.ksk_prepublish is not None
+ and self.ksk_prepublish > self.ksk_rollperiod
+ ):
+ print(self.ksk_rollperiod)
+ return (
+ False,
+ (
+ "KSK pre-publish period (%d) exceeds rollover period %d"
+ % (self.ksk_prepublish, self.ksk_rollperiod)
+ ),
+ )
+
+ if (
+ self.ksk_rollperiod
+ and self.ksk_postpublish is not None
+ and self.ksk_postpublish > self.ksk_rollperiod
+ ):
+ return (
+ False,
+ (
+ "KSK post-publish period (%d) exceeds rollover period %d"
+ % (self.ksk_postpublish, self.ksk_rollperiod)
+ ),
+ )
+
+ if (
+ self.zsk_rollperiod
+ and self.zsk_prepublish is not None
+ and self.zsk_prepublish >= self.zsk_rollperiod
+ ):
+ return (
+ False,
+ (
+ "ZSK pre-publish period (%d) exceeds rollover period %d"
+ % (self.zsk_prepublish, self.zsk_rollperiod)
+ ),
+ )
+
+ if (
+ self.zsk_rollperiod
+ and self.zsk_postpublish is not None
+ and self.zsk_postpublish >= self.zsk_rollperiod
+ ):
+ return (
+ False,
+ (
+ "ZSK post-publish period (%d) exceeds rollover period %d"
+ % (self.zsk_postpublish, self.zsk_rollperiod)
+ ),
+ )
+
+ if (
+ self.ksk_rollperiod
+ and self.ksk_prepublish
+ and self.ksk_postpublish
+ and self.ksk_prepublish + self.ksk_postpublish >= self.ksk_rollperiod
+ ):
+ return (
+ False,
+ (
+ (
+ "KSK pre/post-publish periods (%d/%d) "
+ + "combined exceed rollover period %d"
+ )
+ % (self.ksk_prepublish, self.ksk_postpublish, self.ksk_rollperiod)
+ ),
+ )
+
+ if (
+ self.zsk_rollperiod
+ and self.zsk_prepublish
+ and self.zsk_postpublish
+ and self.zsk_prepublish + self.zsk_postpublish >= self.zsk_rollperiod
+ ):
+ return (
+ False,
+ (
+ (
+ "ZSK pre/post-publish periods (%d/%d) "
+ + "combined exceed rollover period %d"
+ )
+ % (self.zsk_prepublish, self.zsk_postpublish, self.zsk_rollperiod)
+ ),
+ )
+
+ if self.algorithm is not None:
+ # Validate the key size
+ key_sz_range = self.valid_key_sz_per_algo.get(self.algorithm)
+ if key_sz_range is not None:
+ # Verify KSK
+ if not self.__verify_size(self.ksk_keysize, key_sz_range):
+ return False, "KSK key size %d outside valid range %s" % (
+ self.ksk_keysize,
+ key_sz_range,
+ )
+
+ # Verify ZSK
+ if not self.__verify_size(self.zsk_keysize, key_sz_range):
+ return False, "ZSK key size %d outside valid range %s" % (
+ self.zsk_keysize,
+ key_sz_range,
+ )
+
+ if self.algorithm in [
+ "ECDSAP256SHA256",
+ "ECDSAP384SHA384",
+ "ED25519",
+ "ED448",
+ ]:
+ self.ksk_keysize = None
+ self.zsk_keysize = None
+
+ return True, ""
+
+
+############################################################################
+# dnssec_policy:
+# This class reads a dnssec.policy file and creates a dictionary of
+# DNSSEC policy rules from which a policy for a specific zone can
+# be generated.
+############################################################################
+class PolicyException(Exception):
+ pass
+
+
+class dnssec_policy:
+ alg_policy = {}
+ named_policy = {}
+ zone_policy = {}
+ current = None
+ filename = None
+ initial = True
+
+ def __init__(self, filename=None, **kwargs):
+ self.plex = PolicyLex()
+ self.tokens = self.plex.tokens
+ if "debug" not in kwargs:
+ kwargs["debug"] = False
+ if "write_tables" not in kwargs:
+ kwargs["write_tables"] = False
+ self.parser = yacc.yacc(module=self, **kwargs)
+
+ # set defaults
+ self.setup(
+ """policy global { algorithm rsasha256;
+ key-size ksk 2048;
+ key-size zsk 2048;
+ roll-period ksk 0;
+ roll-period zsk 1y;
+ pre-publish ksk 1mo;
+ pre-publish zsk 1mo;
+ post-publish ksk 1mo;
+ post-publish zsk 1mo;
+ standby ksk 0;
+ standby zsk 0;
+ keyttl 1h;
+ coverage 6mo; };
+ policy default { policy global; };"""
+ )
+
+ p = Policy()
+ p.algorithm = None
+ p.is_alg = True
+ p.ksk_keysize = 2048
+ p.zsk_keysize = 2048
+
+ # set default algorithm policies
+
+ # these can use default settings
+ self.alg_policy["RSASHA1"] = copy(p)
+ self.alg_policy["RSASHA1"].algorithm = "RSASHA1"
+ self.alg_policy["RSASHA1"].name = "RSASHA1"
+
+ self.alg_policy["NSEC3RSASHA1"] = copy(p)
+ self.alg_policy["NSEC3RSASHA1"].algorithm = "NSEC3RSASHA1"
+ self.alg_policy["NSEC3RSASHA1"].name = "NSEC3RSASHA1"
+
+ self.alg_policy["RSASHA256"] = copy(p)
+ self.alg_policy["RSASHA256"].algorithm = "RSASHA256"
+ self.alg_policy["RSASHA256"].name = "RSASHA256"
+
+ self.alg_policy["RSASHA512"] = copy(p)
+ self.alg_policy["RSASHA512"].algorithm = "RSASHA512"
+ self.alg_policy["RSASHA512"].name = "RSASHA512"
+
+ self.alg_policy["ECDSAP256SHA256"] = copy(p)
+ self.alg_policy["ECDSAP256SHA256"].algorithm = "ECDSAP256SHA256"
+ self.alg_policy["ECDSAP256SHA256"].name = "ECDSAP256SHA256"
+ self.alg_policy["ECDSAP256SHA256"].ksk_keysize = None
+ self.alg_policy["ECDSAP256SHA256"].zsk_keysize = None
+
+ self.alg_policy["ECDSAP384SHA384"] = copy(p)
+ self.alg_policy["ECDSAP384SHA384"].algorithm = "ECDSAP384SHA384"
+ self.alg_policy["ECDSAP384SHA384"].name = "ECDSAP384SHA384"
+ self.alg_policy["ECDSAP384SHA384"].ksk_keysize = None
+ self.alg_policy["ECDSAP384SHA384"].zsk_keysize = None
+
+ self.alg_policy["ED25519"] = copy(p)
+ self.alg_policy["ED25519"].algorithm = "ED25519"
+ self.alg_policy["ED25519"].name = "ED25519"
+ self.alg_policy["ED25519"].ksk_keysize = None
+ self.alg_policy["ED25519"].zsk_keysize = None
+
+ self.alg_policy["ED448"] = copy(p)
+ self.alg_policy["ED448"].algorithm = "ED448"
+ self.alg_policy["ED448"].name = "ED448"
+ self.alg_policy["ED448"].ksk_keysize = None
+ self.alg_policy["ED448"].zsk_keysize = None
+
+ if filename:
+ self.load(filename)
+
+ def load(self, filename):
+ self.filename = filename
+ self.initial = True
+ with open(filename) as f:
+ text = f.read()
+ self.plex.lexer.lineno = 0
+ self.parser.parse(text)
+
+ self.filename = None
+
+ def setup(self, text):
+ self.initial = True
+ self.plex.lexer.lineno = 0
+ self.parser.parse(text)
+
+ def policy(self, zone, **kwargs):
+ z = zone.lower()
+ p = None
+
+ if z in self.zone_policy:
+ p = self.zone_policy[z]
+
+ if p is None:
+ p = copy(self.named_policy["default"])
+ p.name = zone
+ p.is_constructed = True
+
+ if p.algorithm is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent and not parent.algorithm:
+ parent = parent.parent
+ p.algorithm = parent and parent.algorithm or None
+
+ if p.algorithm in self.alg_policy:
+ ap = self.alg_policy[p.algorithm]
+ else:
+ raise PolicyException("algorithm not found")
+
+ if p.directory is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent is not None and not parent.directory:
+ parent = parent.parent
+ p.directory = parent and parent.directory
+
+ if p.coverage is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent and not parent.coverage:
+ parent = parent.parent
+ p.coverage = parent and parent.coverage or ap.coverage
+
+ if p.ksk_keysize is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.ksk_keysize:
+ parent = parent.parent
+ p.ksk_keysize = parent and parent.ksk_keysize or ap.ksk_keysize
+
+ if p.zsk_keysize is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.zsk_keysize:
+ parent = parent.parent
+ p.zsk_keysize = parent and parent.zsk_keysize or ap.zsk_keysize
+
+ if p.ksk_rollperiod is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.ksk_rollperiod:
+ parent = parent.parent
+ p.ksk_rollperiod = parent and parent.ksk_rollperiod or ap.ksk_rollperiod
+
+ if p.zsk_rollperiod is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.zsk_rollperiod:
+ parent = parent.parent
+ p.zsk_rollperiod = parent and parent.zsk_rollperiod or ap.zsk_rollperiod
+
+ if p.ksk_prepublish is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.ksk_prepublish:
+ parent = parent.parent
+ p.ksk_prepublish = parent and parent.ksk_prepublish or ap.ksk_prepublish
+
+ if p.zsk_prepublish is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.zsk_prepublish:
+ parent = parent.parent
+ p.zsk_prepublish = parent and parent.zsk_prepublish or ap.zsk_prepublish
+
+ if p.ksk_postpublish is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.ksk_postpublish:
+ parent = parent.parent
+ p.ksk_postpublish = parent and parent.ksk_postpublish or ap.ksk_postpublish
+
+ if p.zsk_postpublish is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent.parent and not parent.zsk_postpublish:
+ parent = parent.parent
+ p.zsk_postpublish = parent and parent.zsk_postpublish or ap.zsk_postpublish
+
+ if p.keyttl is None:
+ parent = p.parent or self.named_policy["default"]
+ while parent is not None and not parent.keyttl:
+ parent = parent.parent
+ p.keyttl = parent and parent.keyttl
+
+ if "novalidate" not in kwargs or not kwargs["novalidate"]:
+ (valid, msg) = p.validate()
+ if not valid:
+ raise PolicyException(msg)
+ return None
+
+ return p
+
+ def p_policylist(self, p):
+ """policylist : init policy
+ | policylist policy"""
+ pass
+
+ def p_init(self, p):
+ "init :"
+ self.initial = False
+
+ def p_policy(self, p):
+ """policy : alg_policy
+ | zone_policy
+ | named_policy"""
+ pass
+
+ def p_name(self, p):
+ """name : STR
+ | KEYTYPE
+ | DATESUFFIX"""
+ p[0] = p[1]
+ pass
+
+ def p_domain(self, p):
+ """domain : STR
+ | QSTRING
+ | KEYTYPE
+ | DATESUFFIX"""
+ p[0] = p[1].strip()
+ if not re.match(r"^[\w.-][\w.-]*$", p[0]):
+ raise PolicyException("invalid domain")
+ pass
+
+ def p_new_policy(self, p):
+ "new_policy :"
+ self.current = Policy()
+
+ def p_alg_policy(self, p):
+ "alg_policy : ALGORITHM_POLICY ALGNAME new_policy alg_option_group SEMI"
+ self.current.name = p[2]
+ self.current.is_alg = True
+ self.alg_policy[p[2]] = self.current
+ pass
+
+ def p_zone_policy(self, p):
+ "zone_policy : ZONE domain new_policy policy_option_group SEMI"
+ self.current.name = p[2].rstrip(".")
+ self.current.is_zone = True
+ self.zone_policy[p[2].rstrip(".").lower()] = self.current
+ pass
+
+ def p_named_policy(self, p):
+ "named_policy : POLICY name new_policy policy_option_group SEMI"
+ self.current.name = p[2]
+ self.named_policy[p[2].lower()] = self.current
+ pass
+
+ def p_duration_1(self, p):
+ "duration : NUMBER"
+ p[0] = p[1]
+ pass
+
+ def p_duration_2(self, p):
+ "duration : NONE"
+ p[0] = None
+ pass
+
+ def p_duration_3(self, p):
+ "duration : NUMBER DATESUFFIX"
+ if p[2] == "y":
+ p[0] = p[1] * 31536000 # year
+ elif p[2] == "mo":
+ p[0] = p[1] * 2592000 # month
+ elif p[2] == "w":
+ p[0] = p[1] * 604800 # week
+ elif p[2] == "d":
+ p[0] = p[1] * 86400 # day
+ elif p[2] == "h":
+ p[0] = p[1] * 3600 # hour
+ elif p[2] == "mi":
+ p[0] = p[1] * 60 # minute
+ elif p[2] == "s":
+ p[0] = p[1] # second
+ else:
+ raise PolicyException("invalid duration")
+
+ def p_policy_option_group(self, p):
+ "policy_option_group : LBRACE policy_option_list RBRACE"
+ pass
+
+ def p_policy_option_list(self, p):
+ """policy_option_list : policy_option SEMI
+ | policy_option_list policy_option SEMI"""
+ pass
+
+ def p_policy_option(self, p):
+ """policy_option : parent_option
+ | directory_option
+ | coverage_option
+ | rollperiod_option
+ | prepublish_option
+ | postpublish_option
+ | keysize_option
+ | algorithm_option
+ | keyttl_option
+ | standby_option"""
+ pass
+
+ def p_alg_option_group(self, p):
+ "alg_option_group : LBRACE alg_option_list RBRACE"
+ pass
+
+ def p_alg_option_list(self, p):
+ """alg_option_list : alg_option SEMI
+ | alg_option_list alg_option SEMI"""
+ pass
+
+ def p_alg_option(self, p):
+ """alg_option : coverage_option
+ | rollperiod_option
+ | prepublish_option
+ | postpublish_option
+ | keyttl_option
+ | keysize_option
+ | standby_option"""
+ pass
+
+ def p_parent_option(self, p):
+ "parent_option : POLICY name"
+ self.current.parent = self.named_policy[p[2].lower()]
+
+ def p_directory_option(self, p):
+ "directory_option : DIRECTORY QSTRING"
+ self.current.directory = p[2]
+
+ def p_coverage_option(self, p):
+ "coverage_option : COVERAGE duration"
+ self.current.coverage = p[2]
+
+ def p_rollperiod_option(self, p):
+ "rollperiod_option : ROLL_PERIOD KEYTYPE duration"
+ if p[2] == "KSK":
+ self.current.ksk_rollperiod = p[3]
+ else:
+ self.current.zsk_rollperiod = p[3]
+
+ def p_prepublish_option(self, p):
+ "prepublish_option : PRE_PUBLISH KEYTYPE duration"
+ if p[2] == "KSK":
+ self.current.ksk_prepublish = p[3]
+ else:
+ self.current.zsk_prepublish = p[3]
+
+ def p_postpublish_option(self, p):
+ "postpublish_option : POST_PUBLISH KEYTYPE duration"
+ if p[2] == "KSK":
+ self.current.ksk_postpublish = p[3]
+ else:
+ self.current.zsk_postpublish = p[3]
+
+ def p_keysize_option(self, p):
+ "keysize_option : KEY_SIZE KEYTYPE NUMBER"
+ if p[2] == "KSK":
+ self.current.ksk_keysize = p[3]
+ else:
+ self.current.zsk_keysize = p[3]
+
+ def p_standby_option(self, p):
+ "standby_option : STANDBY KEYTYPE NUMBER"
+ if p[2] == "KSK":
+ self.current.ksk_standby = p[3]
+ else:
+ self.current.zsk_standby = p[3]
+
+ def p_keyttl_option(self, p):
+ "keyttl_option : KEYTTL duration"
+ self.current.keyttl = p[2]
+
+ def p_algorithm_option(self, p):
+ "algorithm_option : ALGORITHM ALGNAME"
+ self.current.algorithm = p[2]
+
+ def p_error(self, p):
+ if p:
+ print(
+ "%s%s%d:syntax error near '%s'"
+ % (self.filename or "", ":" if self.filename else "", p.lineno, p.value)
+ )
+ else:
+ if not self.initial:
+ raise PolicyException(
+ "%s%s%d:unexpected end of input"
+ % (
+ self.filename or "",
+ ":" if self.filename else "",
+ p and p.lineno or 0,
+ )
+ )
+
+
+if __name__ == "__main__":
+ import sys
+
+ if sys.argv[1] == "lex":
+ file = open(sys.argv[2])
+ text = file.read()
+ file.close()
+ plex = PolicyLex(debug=1)
+ plex.test(text)
+ elif sys.argv[1] == "parse":
+ try:
+ pp = dnssec_policy(sys.argv[2], write_tables=True, debug=True)
+ print(pp.named_policy["default"])
+ print(pp.policy("nonexistent.zone"))
+ except Exception as e:
+ print(e.args[0])