author | Rob Austein <sra@hactrn.net> | 2016-04-23 15:03:43 +0000 |
committer | Rob Austein <sra@hactrn.net> | 2016-04-23 15:03:43 +0000 |
commit | 5c624ffcb9cb6fbecf49ede4740a71f0c8135362 (patch) | |
tree | 379fafaff407b04958e73795791d830428862ab8 | |
parent | 784b20d33070a8450b23d846a0d936a356646739 (diff) |
Remove a whole lotta rootd stuff.
svn path=/branches/tk705/; revision=6377
-rwxr-xr-x | ca/rpki-start-servers | 1 | ||||
-rw-r--r-- | ca/tests/yamlconf.py | 8 | ||||
-rwxr-xr-x | ca/tests/yamltest.py | 67 | ||||
-rw-r--r-- | rp/config/rpki-confgen.xml | 272 | ||||
-rw-r--r-- | rpki/irdb/migrations/0003_remove_rootd.py | 25 | ||||
-rw-r--r-- | rpki/irdb/models.py | 8 | ||||
-rw-r--r-- | rpki/irdb/zookeeper.py | 106 | ||||
-rw-r--r-- | rpki/rpkic.py | 23 |
8 files changed, 35 insertions, 475 deletions
diff --git a/ca/rpki-start-servers b/ca/rpki-start-servers index 26068bc7..1d7befb6 100755 --- a/ca/rpki-start-servers +++ b/ca/rpki-start-servers @@ -86,4 +86,3 @@ def run(name, old_flag = None): run("irdbd", "run_rpkid") run("rpkid") run("pubd") -run("rootd") diff --git a/ca/tests/yamlconf.py b/ca/tests/yamlconf.py index 08827acd..2963a61f 100644 --- a/ca/tests/yamlconf.py +++ b/ca/tests/yamlconf.py @@ -194,7 +194,6 @@ class allocation(object): rpkid_port = 4404 irdbd_port = 4403 pubd_port = 4402 - rootd_port = 4401 rsync_port = 873 @classmethod @@ -251,8 +250,6 @@ class allocation(object): if loopback and self.runs_pubd: self.pubd_port = self.allocate_port() self.rsync_port = self.allocate_port() - if loopback and self.is_root: - self.rootd_port = self.allocate_port() def closure(self): resources = self.base @@ -295,7 +292,6 @@ class allocation(object): if self.runs_pubd: s += " PPort: %s\n" % self.pubd_port if not self.is_hosted: s += " RPort: %s\n" % self.rpkid_port if self.runs_pubd: s += " SPort: %s\n" % self.rsync_port - if self.is_root: s += " TPort: %s\n" % self.rootd_port return s + " Until: %s\n" % self.resources.valid_until @property @@ -412,14 +408,12 @@ class allocation(object): handle = self.name, run_rpkid = str(not self.is_hosted), run_pubd = str(self.runs_pubd), - run_rootd = str(self.is_root), irdbd_sql_username = "irdb", rpkid_sql_username = "rpki", rpkid_server_host = self.hostname, rpkid_server_port = str(self.rpkid_port), irdbd_server_host = "localhost", irdbd_server_port = str(self.irdbd_port), - rootd_server_port = str(self.rootd_port), pubd_sql_username = "pubd", pubd_server_host = self.pubd.hostname, pubd_server_port = str(self.pubd.pubd_port), @@ -834,7 +828,7 @@ def body(): if not quiet: print "Creating RPKI root certificate and TAL" d.dump_root() - x = d.zoo.configure_rootd() + x = d.zoo.configure_root() else: with d.parent.irdb: diff --git a/ca/tests/yamltest.py b/ca/tests/yamltest.py index d413df5c..7b0c0c8d 100755 
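Review bot: `x = d.zoo.configure_root()` replaces `configure_rootd()` in body() (hunk @@ -834 of ca/tests/yamlconf.py), but no hunk in this commit adds a `configure_root` method to Zookeeper, so the method presumably already exists from an earlier commit on this branch (the `0002_root` migration dependency points that way). That is worth confirming before this path is exercised, since an attribute that is missing only surfaces at runtime inside the root branch of the test. body() continues outside the hunk.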
--- a/ca/tests/yamltest.py +++ b/ca/tests/yamltest.py @@ -82,7 +82,6 @@ rpki_dir = cleanpath(this_dir, "..", "..") prog_rpkid = cleanpath(ca_dir, "rpkid") prog_irdbd = cleanpath(ca_dir, "irdbd") prog_pubd = cleanpath(ca_dir, "pubd") -prog_rootd = cleanpath(ca_dir, "rootd") prog_rpki_confgen = cleanpath(rp_conf_dir, "rpki-confgen") class roa_request(object): @@ -202,13 +201,11 @@ class allocation(object): parent = None crl_interval = None regen_margin = None - rootd_port = None engine = -1 rpkid_port = -1 irdbd_port = -1 pubd_port = -1 rsync_port = -1 - rootd_port = -1 rrdp_port = -1 rpkic_counter = 0L @@ -277,8 +274,6 @@ class allocation(object): self.pubd_port = self.allocate_port() self.rsync_port = self.allocate_port() self.rrdp_port = self.allocate_port() - if self.is_root: - self.rootd_port = self.allocate_port() def closure(self): """ @@ -314,7 +309,6 @@ class allocation(object): if self.runs_pubd: s += " PPort: %s\n" % self.pubd_port if not self.is_hosted: s += " RPort: %s\n" % self.rpkid_port if self.runs_pubd: s += " SPort: %s\n" % self.rsync_port - if self.is_root: s += " TPort: %s\n" % self.rootd_port return s + " Until: %s\n" % self.resources.valid_until @property @@ -491,12 +485,10 @@ class allocation(object): handle = self.name, run_rpkid = str(not self.is_hosted), run_pubd = str(self.runs_pubd), - run_rootd = str(self.is_root), rpkid_server_host = "localhost", rpkid_server_port = str(self.rpkid_port), irdbd_server_host = "localhost", irdbd_server_port = str(self.irdbd_port), - rootd_server_port = str(self.rootd_port), pubd_server_host = "localhost", pubd_server_port = str(self.pubd.pubd_port), publication_rsync_server = "localhost:%s" % self.pubd.rsync_port, 
@@ -525,8 +517,7 @@ class allocation(object): cmd = [sys.executable, prog_rpki_confgen, "--read-xml", prog_rpki_confgen + ".xml", - "--autoconf", - "--set", "rootd::rpki_key_dir=${myrpki::bpki_servers_directory}"] + "--autoconf"] for k, v in r.iteritems(): cmd.extend(("--set", "myrpki::{}={}".format(k, v))) cmd.extend(("--write-conf", fn)) @@ -684,7 +675,7 @@ class allocation(object): basename = os.path.splitext(os.path.basename(prog))[0] cmd = [prog, "--foreground", "--log-level", "debug", "--log-file", self.path(basename + ".log")] - if args.profile and basename != "rootd": + if args.profile: cmd.extend(( "--profile", self.path(basename + ".prof"))) env = dict(os.environ, RPKI_CONF = self.path("rpki.conf")) @@ -713,13 +704,6 @@ class allocation(object): return self.run_python_daemon(prog_pubd) - def run_rootd(self): - """ - Run rootd. - """ - - return self.run_python_daemon(prog_rootd) - def run_rsyncd(self): """ Run rsyncd. 
@@ -783,45 +767,6 @@ class allocation(object): return p -def create_root_certificate(db_root): - - print "Creating rootd RPKI root certificate" - - root_resources = rpki.resource_set.resource_bag( - asn = "0-4294967295", - v4 = "0.0.0.0/0", - v6 = "::/0") - - root_key = rpki.x509.RSA.generate(quiet = True) - - rsync_uri = "rsync://localhost:%d/rpki/%s-root/root" % (db_root.pubd.rsync_port, db_root.name) - - https_uri = "https://localhost:%s/" % db.root.pubd.rrdp_port - - root_sia = (rsync_uri + "/", rsync_uri + "/root.mft", None, https_uri + "notify.xml") - - root_cert = rpki.x509.X509.self_certify( - keypair = root_key, - subject_key = root_key.get_public(), - serial = 1, - sia = root_sia, - notAfter = rpki.sundial.now() + rpki.sundial.timedelta(days = 365), - resources = root_resources) - - with open(db_root.path("root.cer"), "wb") as f: - f.write(root_cert.get_DER()) - - with open(db_root.path("root.key"), "wb") as f: - f.write(root_key.get_DER()) - - os.link(db_root.path("root.cer"), - db_root.path("publication.rrdp", "root.cer")) - - with open(os.path.join(test_dir, "root.tal"), "w") as f: - f.write(rsync_uri + ".cer\n") - f.write(https_uri + "root.cer\n") - f.write(root_key.get_public().get_Base64()) - logger = logging.getLogger(__name__) @@ -922,11 +867,7 @@ try: for d in db: d.run_rpkic("create_identity", d.name) - # Create RPKI root certificate. - - create_root_certificate(db.root) - - # Set up rootd. + # Set up root db.root.run_rpkic("configure_root") @@ -945,8 +886,6 @@ try: if not d.is_hosted: print print "Running daemons for", d.name - if d.is_root: - progs.append(d.run_rootd()) progs.append(d.run_irdbd()) progs.append(d.run_rpkid()) if d.runs_pubd: diff --git a/rp/config/rpki-confgen.xml b/rp/config/rpki-confgen.xml index e05d486c..5f641161 100644 --- a/rp/config/rpki-confgen.xml +++ b/rp/config/rpki-confgen.xml 
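Review bot: With create_root_certificate() deleted (hunk @@ -783), none of the remaining yamltest.py hunks produce the `root.cer` and `root.tal` files the old function wrote under test_dir and the root's publication.rrdp directory; the replacement `db.root.run_rpkic("configure_root")` in hunk @@ -922 is presumably expected to cover that, which I cannot verify from this diff. If the relying-party side of the test still reads `os.path.join(test_dir, "root.tal")`, that file now has to come from rpkic or from the harness. Minor: the new comment `# Set up root` dropped the trailing period the old one had; `# Set up root.` matches the surrounding comment style.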
@@ -148,31 +148,6 @@ </doc> </option> - <option name = "run_rootd" - value = "no"> - <doc> - Whether you want to run your very own copy of rootd. Don't - enable this unless you really know what you're doing. - </doc> - </option> - - <option name = "rootd_server_host" - value = "localhost"> - <doc> - DNS hostname for rootd, if you're running it. This should be - localhost unless you really know what you are doing. - </doc> - </option> - - <option name = "rootd_server_port" - value = "4401"> - <doc> - Server port number for rootd, if you're running it. This can - be any legal TCP port number that you're not using for - something else. - </doc> - </option> - <option name = "publication_base_directory" value = "${autoconf::datarootdir}/rpki/publication"> <doc> @@ -275,20 +250,6 @@ </doc> </option> - <option name = "start_rootd" - value = "${myrpki::run_rootd}"> - <doc> - rootd startup control. This should usually have the same value as - run_rootd: the only case where you would want to change this is - when you are running the back-end code on a different machine from - one or more of the daemons, in which case you need finer control - over which daemons to start on which machines. In such cases, - run_rootd controls whether the back-end code is doing things to - manage rootd, while start_rootd controls whether - rpki-start-servers attempts to start rootd on this machine. - </doc> - </option> - <option name = "shared_sql_engine" value = "mysql"> <doc> 
@@ -805,239 +766,6 @@ </section> - <section name = "rootd"> - - <doc> - You don't need to run rootd unless you're IANA, are certifying - private address space, or are an RIR which refuses to accept IANA as - the root of the public address hierarchy. - </doc> - - <doc> - Ok, if that wasn't enough to scare you off: rootd is a mess, - needs to be rewritten, or, better, merged into rpkid, and - requires far too many configuration parameters. - </doc> - - <doc> - rootd was originally intended to be a very simple program which - simplified rpkid enormously by moving one specific task (acting - as the root CA of an RPKI certificate hierarchy) out of rpkid. - As the specifications and code (mostly the latter) have evolved, - however, this task has become more complicated, and rootd would - have to become much more complicated to keep up. - </doc> - - <doc> - Don't run rootd unless you're sure that you need to do so. - </doc> - - <doc> - Still think you need to run rootd? OK, but remember, you have - been warned.... - </doc> - - <doc> - rootd's default configuration file is the system `rpki.conf` - file. Start rootd with "`-c filename`" to choose a different - configuration file. All options are in the "`[rootd]`" section. - Certificates and keys may be in either DER or PEM format. - </doc> - - <option name = "bpki-ta" - value = "${myrpki::bpki_servers_directory}/ca.cer"> - <doc> - Where rootd should look for the BPKI trust anchor. All BPKI - certificate verification within rootd traces back to this - trust anchor. Don't change this unless you really know what - you are doing. - </doc> - </option> - - <option name = "rootd-bpki-crl" - value = "${myrpki::bpki_servers_directory}/ca.crl"> - <doc> - BPKI CRL. Don't change this unless you really know what you are - doing. - </doc> - </option> - - <option name = "rootd-bpki-cert" - value = "${myrpki::bpki_servers_directory}/rootd.cer"> - <doc> - rootd's own BPKI EE certificate. 
Don't change this unless you - really know what you are doing. - </doc> - </option> - - <option name = "rootd-bpki-key" - value = "${myrpki::bpki_servers_directory}/rootd.key"> - <doc> - Private key corresponding to rootd's own BPKI EE certificate. - Don't change this unless you really know what you are doing. - </doc> - </option> - - <option name = "child-bpki-cert" - value = "${myrpki::bpki_servers_directory}/child.cer"> - <doc> - BPKI certificate for rootd's one and only up-down child (RPKI - engine to which rootd issues an RPKI certificate). Don't - change this unless you really know what you are doing. - </doc> - </option> - - <option name = "pubd-bpki-cert"> - <doc> - BPKI certificate for pubd. Don't set this unless you really - know what you are doing. - </doc> - </option> - - <option name = "server-host" - value = "${myrpki::rootd_server_host}"> - <doc> - Server host on which rootd should listen. - </doc> - </option> - - <option name = "server-port" - value = "${myrpki::rootd_server_port}"> - <doc> - Server port on which rootd should listen. - </doc> - </option> - - <option name = "rpki_data_dir" - value = "${myrpki::bpki_servers_directory}"> - <doc> - Directory where rootd should store its RPKI data files. This - is only used to construct other variables, rootd itself - doesn't read it. - </doc> - </option> - - <option name = "rpki_key_dir" - value = "${autoconf::datarootdir}/rpki"> - <doc> - Directory where rootd's root rpki key and certificate are - stored. rootd only reads these files, doesn't write them. - This variable is only used to construct other variables, rootd - itself doesn't read it. - </doc> - </option> - - <option name = "rpki_base_uri" - value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/${myrpki::handle}-root/root"> - <doc> - rsync URI corresponding to directory containing rootd's - outputs. This is only used to construct other variables, - rootd itself doesn't read it. 
- </doc> - </option> - - <option name = "rpki-root-cert-uri" - value = "${rootd::rpki_base_uri}.cer"> - <doc> - rsync URI for rootd's root (self-signed) RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-cert-file" - value = "${rootd::rpki_key_dir}/root.cer"> - <doc> - Filename of rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-key-file" - value = "${rootd::rpki_key_dir}/root.key"> - <doc> - Private key corresponding to rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-crl-uri" - value = "${rootd::rpki_base_uri}/root.crl"> - <doc> - URI of the CRL for rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-crl-file" - value = "${rootd::rpki_data_dir}/root.crl"> - <doc> - Filename of the CRL for rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-manifest-uri" - value = "${rootd::rpki_base_uri}/root.mft"> - <doc> - URI of the manifest for rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-root-manifest-file" - value = "${rootd::rpki_data_dir}/root.mft"> - <doc> - Filename of the manifest for rootd's root RPKI certificate. - </doc> - </option> - - <option name = "rpki-subject-pkcs10-file" - value = "${rootd::rpki_data_dir}/subject.pkcs10"> - <doc> - Where rootd should stash a copy of the PKCS #10 request it gets - from its one (and only) child - </doc> - </option> - - <option name = "rpki-subject-lifetime" - value = "30d"> - <doc> - Lifetime of the one and only RPKI certificate rootd issues. - </doc> - </option> - - <option name = "rpki-class-name" - value = "${myrpki::handle}"> - <doc> - Up-down protocol class name for RPKI certificate rootd issues to its - one (and only) child. - </doc> - </option> - - <option name = "rpki-subject-cert-uri" - value = "${rootd::rpki_base_uri}/${myrpki::handle}.cer"> - <doc> - URI of the one (and only) RPKI certificate rootd issues. 
- </doc>
- </option>
-
- <option name = "rpki-subject-cert-file"
- value = "${rootd::rpki_data_dir}/${myrpki::handle}.cer">
- <doc>
- Filename of the one (and only) RPKI certificate rootd issues.
- </doc>
- </option>
-
- <option name = "pubd-contact-uri"
- value = "http://${myrpki::pubd_server_host}:${myrpki::pubd_server_port}/client/${myrpki::handle}-root">
- <doc>
- URI at which rootd should contact pubd for service.
- </doc>
- </option>
-
- <option name = "rrdp-notification-uri"
- value = "${myrpki::publication_rrdp_notification_uri">
- <doc>
- RRDP URI for inclusion in generated objects.
- </doc>
- </option>
-
- </section> - <section name = "web_portal"> <doc>
diff --git a/rpki/irdb/migrations/0003_remove_rootd.py b/rpki/irdb/migrations/0003_remove_rootd.py
new file mode 100644
index 00000000..aef4c5ab
--- /dev/null
+++ b/rpki/irdb/migrations/0003_remove_rootd.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('irdb', '0002_root'),
+ ]
+
+ operations = [
+ migrations.RemoveField(
+ model_name='rootd',
+ name='issuer',
+ ),
+ migrations.RemoveField(
+ model_name='rootd',
+ name='turtle_ptr',
+ ),
+ migrations.DeleteModel(
+ name='Rootd',
+ ),
+ ]
diff --git a/rpki/irdb/models.py b/rpki/irdb/models.py
index ab81aa84..e2373d1f 100644
--- a/rpki/irdb/models.py
+++ b/rpki/irdb/models.py
@@ -345,14 +345,6 @@ class Referral(EECertificate): class Turtle(django.db.models.Model): service_uri = django.db.models.CharField(max_length = 255) -class Rootd(EECertificate, Turtle): - issuer = django.db.models.OneToOneField(ResourceHolderCA, related_name = "rootd") - objects = ResourceHolderEEManager() - - @property - def subject_name(self): - return rpki.x509.X501DN.from_cn("%s BPKI rootd EE" % self.issuer.handle) - class BSC(Certificate): issuer = django.db.models.ForeignKey(ResourceHolderCA, related_name = "bscs") handle = HandleField() diff --git a/rpki/irdb/zookeeper.py b/rpki/irdb/zookeeper.py index 1f6fb6c2..1eb950f4 100644 --- a/rpki/irdb/zookeeper.py +++ b/rpki/irdb/zookeeper.py @@ -80,7 +80,6 @@ myrpki_section = "myrpki" irdbd_section = "irdbd" rpkid_section = "rpkid" pubd_section = "pubd" -rootd_section = "rootd" # A whole lot of exceptions @@ -89,7 +88,6 @@ class MissingHandle(Exception): "Missing handle." class CouldntTalkToDaemon(Exception): "Couldn't talk to daemon." class BadXMLMessage(Exception): "Bad XML message." class PastExpiration(Exception): "Expiration date has already passed." -class CantRunRootd(Exception): "Can't run rootd." class CouldntFindRepoParent(Exception): "Couldn't find repository's parent." @@ -222,10 +220,6 @@ class Zookeeper(object): self.run_rpkid = cfg.getboolean("run_rpkid", section = myrpki_section) self.run_pubd = cfg.getboolean("run_pubd", section = myrpki_section) - self.run_rootd = cfg.getboolean("run_rootd", section = myrpki_section) - - if self.run_rootd and (not self.run_pubd or not self.run_rpkid): - raise CantRunRootd("Can't run rootd unless also running rpkid and pubd") self.default_repository = cfg.get("default_repository", "", section = myrpki_section) self.pubd_contact_info = cfg.get("pubd_contact_info", "", section = myrpki_section) 
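Review bot: Zookeeper.__init__ (hunk @@ -222) no longer reads `run_rootd`, so an existing rpki.conf that still says `run_rootd = yes`, or still carries a `[rootd]` section, is accepted without any indication that those settings are now ignored; the old `CantRunRootd` consistency check went with it. A one-line warning at that spot would help operators upgrading in place, e.g. `if cfg.getboolean("run_rootd", False, section = myrpki_section): self.log("run_rootd is obsolete and ignored")`, assuming getboolean takes a default the way `cfg.get` does on the following lines. __init__ starts and ends outside this hunk.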
@@ -414,19 +408,6 @@ class Zookeeper(object): writer(self.cfg.get("irbe-cert", section = pubd_section), self.server_ca.ee_certificates.get(purpose = "irbe").certificate) - if self.run_rootd: - try: - rootd = rpki.irdb.models.ResourceHolderCA.objects.get(handle = self.handle).rootd - writer(self.cfg.get("bpki-ta", section = rootd_section), self.server_ca.certificate) - writer(self.cfg.get("rootd-bpki-key", section = rootd_section), rootd.private_key) - writer(self.cfg.get("rootd-bpki-cert", section = rootd_section), rootd.certificate) - writer(self.cfg.get("child-bpki-cert", section = rootd_section), rootd.issuer.certificate) - # rootd-bpki-crl is the same as pubd-crl, already written - except rpki.irdb.models.ResourceHolderCA.DoesNotExist: - self.log("rootd enabled but resource holding entity not yet configured, skipping rootd setup") - except rpki.irdb.models.Rootd.DoesNotExist: - self.log("rootd enabled but not yet configured, skipping rootd setup") - @django.db.transaction.atomic def update_bpki(self): @@ -446,7 +427,6 @@ class Zookeeper(object): rpki.irdb.models.ResourceHolderCA, rpki.irdb.models.ServerEE, rpki.irdb.models.Referral, - rpki.irdb.models.Rootd, rpki.irdb.models.HostedCA, rpki.irdb.models.BSC, rpki.irdb.models.Child, @@ -533,14 +513,6 @@ class Zookeeper(object): parent_handle = parent.handle) SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = parent.certificate.get_Base64() - for rootd in rpki.irdb.models.Rootd.objects.all(): - q_pdu = SubElement(q_msg, rpki.left_right.tag_parent, - action = "set", - tag = "%s__rootd" % rootd.issuer.handle, - tenant_handle = rootd.issuer.handle, - parent_handle = rootd.issuer.handle) - SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = rootd.certificate.get_Base64() - for child in rpki.irdb.models.Child.objects.all(): q_pdu = SubElement(q_msg, rpki.left_right.tag_child, action = "set", 
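Review bot: write_bpki_files() (hunk @@ -414) stops writing the rootd BPKI material, but files the removed block already wrote stay on disk on upgraded installs — in particular the private key at the old `rootd-bpki-key` default `${myrpki::bpki_servers_directory}/rootd.key` from the removed rpki-confgen.xml section, alongside rootd.cer and child.cer. Nothing in this commit deletes or mentions them, so unused private key material is left next to the live BPKI keys; an upgrade note or a cleanup step that removes the stale rootd.key would close that. write_bpki_files() starts outside this hunk.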
@@ -736,15 +708,6 @@ class Zookeeper(object): @django.db.transaction.atomic - def delete_rootd(self): - """ - Delete rootd associated with this RPKI entity. - """ - - self.resource_ca.rootd.delete() - - - @django.db.transaction.atomic def configure_publication_client(self, xml_file, sia_base = None, flat = False): """ Configure publication server to know about a new client, given the @@ -801,12 +764,7 @@ class Zookeeper(object): except rpki.irdb.models.Repository.DoesNotExist: self.log("Found client's parent, but repository isn't set, this shouldn't happen!") except rpki.irdb.models.ResourceHolderCA.DoesNotExist: - try: - rpki.irdb.models.Rootd.objects.get(issuer__certificate = client_ta) - self.log("This client's parent is rootd") - sia_base = default_sia_base - except rpki.irdb.models.Rootd.DoesNotExist: - self.log("We don't host this client's parent, so we didn't make an offer") + self.log("We don't host this client's parent, so we didn't make an offer") if sia_base is None: self.log("Don't know where else to nest this client, so defaulting to top-level") @@ -882,11 +840,8 @@ class Zookeeper(object): if parent_handle is not None: self.log("Explicit parent_handle given") try: - if parent_handle == self.handle: - turtle = self.resource_ca.rootd - else: - turtle = self.resource_ca.parents.get(handle = parent_handle) - except (rpki.irdb.models.Parent.DoesNotExist, rpki.irdb.models.Rootd.DoesNotExist): + turtle = self.resource_ca.parents.get(handle = parent_handle) + except rpki.irdb.models.Parent.DoesNotExist: self.log("Could not find parent %r in our database" % parent_handle) raise CouldntFindRepoParent 
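Review bot: In configure_repository (hunk @@ -882) the `parent_handle == self.handle` case used to resolve to rootd and now falls through to `self.resource_ca.parents.get(handle = parent_handle)`, so a self-parented root only resolves if the new root support registers a `Parent` row under the holder's own handle; otherwise `CouldntFindRepoParent` is raised and `Could not find parent %r in our database` is a misleading message for a root. The same question applies to hunk @@ -801 in configure_publication_client, where the branch that set `sia_base = default_sia_base` for a rootd parent is gone and such a client now lands on the `Don't know where else to nest this client` default, and to the parent-guessing loop in hunk @@ -898 on the next line. The root-side code is not in this diff, so this may well be intended; a comment at the @@ -882 site such as `# A root CA is expected to have a Parent entry under its own handle` would record the assumption. Both enclosing methods start outside their hunks.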
@@ -898,20 +853,11 @@ class Zookeeper(object): _ = parent.repository # pylint: disable=W0612 except rpki.irdb.models.Repository.DoesNotExist: turtles.append(parent) - try: - _ = self.resource_ca.rootd.repository # pylint: disable=W0612 - except rpki.irdb.models.Repository.DoesNotExist: - turtles.append(self.resource_ca.rootd) - except rpki.irdb.models.Rootd.DoesNotExist: - pass if len(turtles) != 1: self.log("No explicit parent_handle given and unable to guess") raise CouldntFindRepoParent turtle = turtles[0] - if isinstance(turtle, rpki.irdb.models.Rootd): - parent_handle = self.handle - else: - parent_handle = turtle.handle + parent_handle = turtle.handle self.log("No explicit parent_handle given, guessing parent {}".format(parent_handle)) rpki.irdb.models.Repository.objects.get_or_certify( 
@@ -1523,33 +1469,6 @@ class Zookeeper(object): except rpki.irdb.models.Repository.DoesNotExist: pass - try: - parent_pdu = parent_pdus.pop(ca.handle, None) - - if (parent_pdu is None or - parent_pdu.get("bsc_handle") != bsc_handle or - parent_pdu.get("repository_handle") != ca.handle or - parent_pdu.get("peer_contact_uri") != ca.rootd.service_uri or - parent_pdu.get("sia_base") != ca.rootd.repository.sia_base or - parent_pdu.get("sender_name") != ca.handle or - parent_pdu.get("recipient_name") != ca.handle or - parent_pdu.findtext(rpki.left_right.tag_bpki_cert).decode("base64") != ca.rootd.certificate.get_DER()): - q_pdu = SubElement(q_msg, rpki.left_right.tag_parent, - action = "create" if parent_pdu is None else "set", - tag = ca.handle, - tenant_handle = ca.handle, - parent_handle = ca.handle, - bsc_handle = bsc_handle, - repository_handle = ca.handle, - peer_contact_uri = ca.rootd.service_uri, - sia_base = ca.rootd.repository.sia_base, - sender_name = ca.handle, - recipient_name = ca.handle) - SubElement(q_pdu, rpki.left_right.tag_bpki_cert).text = ca.rootd.certificate.get_Base64() - - except rpki.irdb.models.Rootd.DoesNotExist: - pass - for parent_handle in parent_pdus: SubElement(q_msg, rpki.left_right.tag_parent, action = "destroy", tenant_handle = ca.handle, parent_handle = parent_handle) 
@@ -1632,23 +1551,6 @@ class Zookeeper(object): base_uri = client.sia_base) SubElement(q_pdu, rpki.publication_control.tag_bpki_cert).text = client.certificate.get_Base64() - # rootd instances are also a weird sort of client - - for rootd in rpki.irdb.models.Rootd.objects.all(): - - client_handle = rootd.issuer.handle + "-root" - client_pdu = client_pdus.pop(client_handle, None) - sia_base = "rsync://%s/%s/%s/" % (self.rsync_server, self.rsync_module, client_handle) - - if (client_pdu is None or - client_pdu.get("base_uri") != sia_base or - client_pdu.findtext(rpki.publication_control.tag_bpki_cert, "").decode("base64") != rootd.issuer.certificate.get_DER()): - q_pdu = SubElement(q_msg, rpki.publication_control.tag_client, - action = "create" if client_pdu is None else "set", - client_handle = client_handle, - base_uri = sia_base) - SubElement(q_pdu, rpki.publication_control.tag_bpki_cert).text = rootd.issuer.certificate.get_Base64() - # Delete any unknown clients for client_handle in client_pdus: diff --git a/rpki/rpkic.py b/rpki/rpkic.py index e8cb8362..2d49a1e7 100644 --- a/rpki/rpkic.py +++ b/rpki/rpkic.py @@ -258,18 +258,9 @@ class main(Cmd): RPKI installation. """ - rootd_case = self.zoo.run_rootd and self.zoo.handle == self.zoo.cfg.get("handle") - r = self.zoo.initialize() with swap_uids(): - r.save("%s.identity.xml" % self.zoo.handle, - None if rootd_case else sys.stdout) - - if rootd_case: - r = self.zoo.configure_rootd() - if r is not None: - with swap_uids(): - r.save("%s.%s.repository-request.xml" % (self.zoo.handle, self.zoo.handle), sys.stdout) + r.save("%s.identity.xml" % self.zoo.handle, sys.stdout) self.zoo.write_bpki_files() @@ -425,7 +416,6 @@ class main(Cmd): """ Configure the current resource holding identity as a root. - This configures rpkid to talk to rootd as (one of) its parent(s). Returns repository request XML file like configure_parent does. """ 
@@ -442,18 +432,9 @@ class main(Cmd): def do_delete_root(self, args): """ Delete local RPKI root as parent of the current entity. - - This tells the current rpkid identity (<tenant/>) to stop talking to - rootd. """ - try: - self.zoo.delete_rootd() - self.zoo.synchronize_ca() - except rpki.irdb.models.ResourceHolderCA.DoesNotExist: - print "No such resource holder \"%s\"" % self.zoo.handle - except rpki.irdb.models.Rootd.DoesNotExist: - print "No associated rootd" + raise NotImplementedError @parsecmd(argsubparsers, |
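Review bot: do_delete_root now raises a bare `NotImplementedError` while the command apparently stays registered through its `@parsecmd` decorator (above the hunk, out of view), so an operator typing delete_root gets a traceback unless the Cmd loop catches exceptions, whereas the surrounding commands report problems with print. Prefer a message that says what happened, e.g. `raise NotImplementedError("delete_root is not supported yet without rootd")`, or keep the user-facing style with `print "delete_root is not yet implemented"`. The docstring still promises `Delete local RPKI root as parent of the current entity.`; adding `Not yet implemented.` keeps the help text honest until the body is written.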