authorRob Austein <sra@hactrn.net>2011-07-06 17:27:59 +0000
committerRob Austein <sra@hactrn.net>2011-07-06 17:27:59 +0000
commitcb1dd7232702f1cffdb171f9f59c3ff548b52e6a (patch)
tree764be0afe10e22ea520f90b898400afc5e0dc324
parent0c86a2923e30ba5234c422a4f8053081a574774b (diff)
Start consolidating MIB counters and validation status
svn path=/rcynic-ng/rcynic.c; revision=3918
-rw-r--r--rcynic-ng/rcynic.c143
-rw-r--r--rcynic-ng/rcynic.xsl6
-rw-r--r--rcynic-ng/validation_status.xsl45
3 files changed, 115 insertions, 79 deletions
diff --git a/rcynic-ng/rcynic.c b/rcynic-ng/rcynic.c
index 5cc61a65..15c52504 100644
--- a/rcynic-ng/rcynic.c
+++ b/rcynic-ng/rcynic.c
@@ -869,6 +869,41 @@ static int oid_cmp(const ASN1_OBJECT *obj, const unsigned char *oid, const size_
}
/**
+ * Add a validation status entry to internal log.
+ */
+static void log_validation_status(const rcynic_ctx_t *rc,
+ const uri_t *uri,
+ const mib_counter_t code)
+{
+ validation_status_t *v = NULL;
+
+ assert(rc && uri);
+
+ if (!rc->validation_status)
+ return;
+
+ if ((v = validation_status_t_new()) == NULL) {
+ logmsg(rc, log_sys_err, "Couldn't allocate validation status entry for %s", uri->s);
+ goto punt;
+ }
+
+ v->timestamp = time(0);
+ v->code = code;
+ v->uri = *uri;
+
+ if (!sk_validation_status_t_push(rc->validation_status, v)) {
+ logmsg(rc, log_sys_err, "Couldn't store validation status entry for %s", uri->s);
+ goto punt;
+ }
+
+ v = NULL;
+
+ punt:
+ if (v)
+ free(v);
+}
+
+/**
* Host MIB counter comparision.
*/
static int host_mib_counter_cmp(const host_mib_counter_t * const *a, const host_mib_counter_t * const *b)
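Review bot: The cleanup tail of the moved `log_validation_status` guards a no-op: `free(NULL)` is defined to do nothing, so `if (v) free(v);` under the `punt:` label can simply be `free(v);`. The entry is obtained from `validation_status_t_new()` but released with plain `free()`; if that constructor does more than a bare allocation, the error path should use the matching release routine instead, which cannot be confirmed from this hunk. The timestamp line would also read more conventionally as `v->timestamp = time(NULL);`.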
@@ -881,13 +916,15 @@ static int host_mib_counter_cmp(const host_mib_counter_t * const *a, const host_
*/
static void mib_increment(const rcynic_ctx_t *rc,
const uri_t *uri,
- const mib_counter_t counter)
+ const mib_counter_t code)
{
host_mib_counter_t *h = NULL, hn;
char *s;
assert(rc && uri);
+ log_validation_status(rc, uri, code);
+
if (!rc->host_counters)
return;
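Review bot: `mib_increment` now appends a `validation_status` entry for every counter event before it even checks `rc->host_counters`, so callers that previously only bumped a MIB counter also grow the status stack by one heap entry each, and with `reject` and `install_object` now routed through it every accepted or rejected object lands there. If that stack is only drained when the summary is written, memory use now scales with the number of objects in the run, which is presumably acceptable but worth stating. The header comment of `mib_increment`, which ends just above this hunk, should say that it is the single entry point for both mechanisms, e.g. `/* Every call also records a validation_status entry via log_validation_status(), whether or not host counters are enabled. */`. The body of `mib_increment` continues past this hunk.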
@@ -917,42 +954,7 @@ static void mib_increment(const rcynic_ctx_t *rc,
}
}
- h->counters[counter]++;
-}
-
-/**
- * Add a validation status entry to internal log.
- */
-static void log_validation_status(const rcynic_ctx_t *rc,
- const uri_t *uri,
- const mib_counter_t code)
-{
- validation_status_t *v = NULL;
-
- assert(rc && uri);
-
- if (!rc->validation_status)
- return;
-
- if ((v = validation_status_t_new()) == NULL) {
- logmsg(rc, log_sys_err, "Couldn't allocate validation status entry for %s", uri->s);
- goto punt;
- }
-
- v->timestamp = time(0);
- v->code = code;
- v->uri = *uri;
-
- if (!sk_validation_status_t_push(rc->validation_status, v)) {
- logmsg(rc, log_sys_err, "Couldn't store validation status entry for %s", uri->s);
- goto punt;
- }
-
- v = NULL;
-
- punt:
- if (v)
- free(v);
+ h->counters[code]++;
}
/**
@@ -968,7 +970,7 @@ static void reject(const rcynic_ctx_t *rc,
assert(fmt && strlen(fmt) + sizeof("Rejected %s") < sizeof(format));
snprintf(format, sizeof(format), "Rejected %s %s", uri->s, fmt);
- log_validation_status(rc, uri, code);
+ mib_increment(rc, uri, code);
va_start(ap, fmt);
vlogmsg(rc, log_data_err, format, ap);
va_end(ap);
@@ -1034,7 +1036,8 @@ static int cp_ln(const rcynic_ctx_t *rc, const path_t *source, const path_t *tar
*/
static int install_object(const rcynic_ctx_t *rc,
const uri_t *uri,
- const path_t *source)
+ const path_t *source,
+ const mib_counter_t code)
{
path_t target;
@@ -1050,7 +1053,7 @@ static int install_object(const rcynic_ctx_t *rc,
if (!cp_ln(rc, source, &target))
return 0;
- log_validation_status(rc, uri, validation_ok);
+ mib_increment(rc, uri, code);
logmsg(rc, log_telemetry, "Accepted %s", uri->s);
return 1;
}
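Review bot: With the counter moved inside `install_object`, a validated object whose `cp_ln` fails now leaves no MIB counter and no `validation_status` entry at all — the `return 0` above the new `mib_increment` call skips both, whereas the old call sites incremented the accepted counter unconditionally after `install_object` returned. That is arguably the more honest accounting, but the report will then show fewer accepted objects than were validated, with the reason visible only in whatever `cp_ln` logs (not shown here). Document it on the function's header comment, which starts above this hunk: `/* Records `code` only after the copy/link succeeded; an install failure records nothing here. */`.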
@@ -2438,8 +2441,7 @@ static X509_CRL *check_crl(const rcynic_ctx_t *rc,
if ((crl = check_crl_1(rc, uri, &path, &rc->unauthenticated,
issuer, hash, hashlen))) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, current_crl_accepted);
+ install_object(rc, uri, &path, current_crl_accepted);
return crl;
} else if (!access(path.s, F_OK)) {
mib_increment(rc, uri, current_crl_rejected);
@@ -2447,8 +2449,7 @@ static X509_CRL *check_crl(const rcynic_ctx_t *rc,
if ((crl = check_crl_1(rc, uri, &path, &rc->old_authenticated,
issuer, hash, hashlen))) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, backup_crl_accepted);
+ install_object(rc, uri, &path, backup_crl_accepted);
return crl;
} else if (!access(path.s, F_OK)) {
mib_increment(rc, uri, backup_crl_rejected);
@@ -2540,9 +2541,9 @@ static int check_x509_cb(int ok, X509_STORE_CTX *ctx)
}
logmsg(rctx->rc, log_data_err, "Stale CRL %s", rctx->subject->crldp.s);
if (ok)
- mib_increment(rctx->rc, &rctx->subject->uri, stale_crl);
+ mib_increment(rctx->rc, &rctx->subject->crldp, stale_crl);
else
- reject(rctx->rc, &rctx->subject->uri, stale_crl, "due to stale CRL %s", rctx->subject->crldp.s);
+ reject(rctx->rc, &rctx->subject->crldp, stale_crl, "due to stale CRL %s", rctx->subject->crldp.s);
return ok;
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
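Review bot: Switching the rejected URI to `rctx->subject->crldp` makes the `reject` message self-referential: it now expands to `Rejected <crl-uri> due to stale CRL <crl-uri>`, naming the same URI twice, while the certificate that actually failed (`rctx->subject->uri`) no longer appears in the data-error log at all. If the intent is to attribute `stale_crl` to the CRL, the text should carry the affected certificate instead: `reject(rctx->rc, &rctx->subject->crldp, stale_crl, "because it is stale (needed by %s)", rctx->subject->uri.s);`. The `mib_increment` branch is likewise now keyed by the CRL rather than the certificate, which changes per-host attribution in the summary when the two live on different hosts; presumably intended, but worth a comment. The enclosing `switch` continues outside the hunk.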
@@ -2855,8 +2856,7 @@ static X509 *check_cert(rcynic_ctx_t *rc,
return NULL;
if ((x = check_cert_1(rc, uri, &path, prefix, certs, issuer, subject, hash, hashlen)) != NULL) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, accept_code);
+ install_object(rc, uri, &path, accept_code);
if (w->state == walk_state_current)
sk_OPENSSL_STRING_remove(rc->backup_cache, uri->s);
else if (!sk_OPENSSL_STRING_push_strdup(rc->backup_cache, uri->s))
@@ -3027,8 +3027,7 @@ static Manifest *check_manifest_1(const rcynic_ctx_t *rc,
/*
* Redundant error message?
*/
- logmsg(rc, log_data_err, "Validation failure for manifest %s EE certificate", uri->s);
- mib_increment(rc, uri, manifest_invalid_ee);
+ reject(rc, &uri->s, manifest_invalid_ee, "because manifest EE certificate is invalid");
goto done;
}
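Review bot: The new `reject` call passes `&uri->s`, the address of the string member, where `reject` takes a `const uri_t *`; the sibling call sites added in this commit in `check_roa_1` and `check_ghostbuster_1` pass `uri` directly, and this one should read `reject(rc, uri, manifest_invalid_ee, "because manifest EE certificate is invalid");`. If `s` is the first member of `uri_t` the two addresses coincide and the call happens to work, but it is an incompatible pointer type that the compiler will warn about and that breaks the moment the struct layout changes. The enclosing function `check_manifest_1` continues outside the hunk.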
@@ -3088,22 +3087,20 @@ static Manifest *check_manifest(const rcynic_ctx_t *rc,
if ((certs = walk_ctx_stack_certs(wsk)) == NULL)
return NULL;
- if (manifest == NULL &&
- (manifest = check_manifest_1(rc, uri, &path,
- &rc->unauthenticated, certs))) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, current_manifest_accepted);
- } else if (!access(path.s, F_OK)) {
- mib_increment(rc, uri, current_manifest_rejected);
+ if (manifest == NULL) {
+ if ((manifest = check_manifest_1(rc, uri, &path,
+ &rc->unauthenticated, certs)) != NULL)
+ install_object(rc, uri, &path, current_manifest_accepted);
+ else if (!access(path.s, F_OK))
+ mib_increment(rc, uri, current_manifest_rejected);
}
- if (manifest == NULL &&
- (manifest = check_manifest_1(rc, uri, &path,
- &rc->old_authenticated, certs))) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, backup_manifest_accepted);
- } else if (!access(path.s, F_OK)) {
- mib_increment(rc, uri, backup_manifest_rejected);
+ if (manifest == NULL) {
+ if ((manifest = check_manifest_1(rc, uri, &path,
+ &rc->old_authenticated, certs)) != NULL)
+ install_object(rc, uri, &path, backup_manifest_accepted);
+ else if (!access(path.s, F_OK))
+ mib_increment(rc, uri, backup_manifest_rejected);
}
sk_X509_free(certs);
@@ -3365,8 +3362,7 @@ static int check_roa_1(const rcynic_ctx_t *rc,
/*
* Redundant error message?
*/
- logmsg(rc, log_data_err, "Validation failure for ROA %s EE certificate", uri->s);
- mib_increment(rc, uri, roa_invalid_ee);
+ reject(rc, uri, roa_invalid_ee, "because ROA EE certificate is invalid");
goto error;
}
@@ -3414,8 +3410,7 @@ static void check_roa(const rcynic_ctx_t *rc,
if (check_roa_1(rc, uri, &path, &rc->unauthenticated,
certs, hash, hashlen)) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, current_roa_accepted);
+ install_object(rc, uri, &path, current_roa_accepted);
goto done;
} else if (!access(path.s, F_OK)) {
mib_increment(rc, uri, current_roa_rejected);
@@ -3423,8 +3418,7 @@ static void check_roa(const rcynic_ctx_t *rc,
if (check_roa_1(rc, uri, &path, &rc->old_authenticated,
certs, hash, hashlen)) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, backup_roa_accepted);
+ install_object(rc, uri, &path, backup_roa_accepted);
goto done;
} else if (!access(path.s, F_OK)) {
mib_increment(rc, uri, backup_roa_rejected);
@@ -3554,8 +3548,7 @@ static int check_ghostbuster_1(const rcynic_ctx_t *rc,
/*
* Redundant error message?
*/
- logmsg(rc, log_data_err, "Validation failure for Ghostbuster record %s EE certificate", uri->s);
- mib_increment(rc, uri, ghostbuster_invalid_ee);
+ reject(rc, uri, ghostbuster_invalid_ee, "because Ghostbuster EE certificate is invalid");
goto error;
}
@@ -3600,8 +3593,7 @@ static void check_ghostbuster(const rcynic_ctx_t *rc,
if (check_ghostbuster_1(rc, uri, &path, &rc->unauthenticated,
certs, hash, hashlen)) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, current_ghostbuster_accepted);
+ install_object(rc, uri, &path, current_ghostbuster_accepted);
goto done;
} else if (!access(path.s, F_OK)) {
mib_increment(rc, uri, current_ghostbuster_rejected);
@@ -3609,8 +3601,7 @@ static void check_ghostbuster(const rcynic_ctx_t *rc,
if (check_ghostbuster_1(rc, uri, &path, &rc->old_authenticated,
certs, hash, hashlen)) {
- install_object(rc, uri, &path);
- mib_increment(rc, uri, backup_ghostbuster_accepted);
+ install_object(rc, uri, &path, backup_ghostbuster_accepted);
goto done;
} else if (!access(path.s, F_OK)) {
mib_increment(rc, uri, backup_ghostbuster_rejected);
diff --git a/rcynic-ng/rcynic.xsl b/rcynic-ng/rcynic.xsl
index 25aa7b2c..4e18c806 100644
--- a/rcynic-ng/rcynic.xsl
+++ b/rcynic-ng/rcynic.xsl
@@ -54,9 +54,9 @@
<xsl:param name="suppress-zero-columns" select="1"/>
<xsl:param name="show-total" select="1"/>
<xsl:param name="use-colors" select="1"/>
- <xsl:param name="show-detailed-status" select="0"/>
- <xsl:param name="show-problems" select="1"/>
- <xsl:param name="show-summary" select="1"/>
+ <xsl:param name="show-detailed-status" select="1"/>
+ <xsl:param name="show-problems" select="0"/>
+ <xsl:param name="show-summary" select="0"/>
<xsl:variable name="sums">
<xsl:for-each select="rcynic-summary/labels/*">
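Review bot: Flipping the three defaults turns `show-detailed-status` on and `show-problems`/`show-summary` off for every user of `rcynic.xsl` who does not pass parameters, which is a visible change to the report that the commit message does not mention. If this is a development setting while the detailed status view is being built, it would be safer to keep the previous defaults and select the new view with explicit parameter overrides when invoking the processor; if the new defaults are intended, the description should say so. Only the parameter declarations are visible here; the templates that consume them are outside the hunk.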
diff --git a/rcynic-ng/validation_status.xsl b/rcynic-ng/validation_status.xsl
new file mode 100644
index 00000000..6154e70a
--- /dev/null
+++ b/rcynic-ng/validation_status.xsl
@@ -0,0 +1,45 @@
+<?xml version="1.0"?>
+<!--
+ - Copyright (C) 2010-2011 Internet Systems Consortium, Inc. ("ISC")
+ -
+ - Permission to use, copy, modify, and/or distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ - PERFORMANCE OF THIS SOFTWARE.
+ -->
+
+<!-- $Id$ -->
+
+<!--
+ - XSL stylesheet to render rcynic's xml-summary output as tab-delimited text.
+ -->
+
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
+
+ <xsl:output method="text" encoding="US-ASCII"/>
+
+ <xsl:template match="/">
+ <xsl:for-each select="rcynic-summary/validation_status">
+ <xsl:value-of select="@timestamp"/>
+ <xsl:text>&#9;</xsl:text>
+ <xsl:value-of select="@status"/>
+ <xsl:text>&#9;</xsl:text>
+ <xsl:value-of select="."/>
+ <xsl:text>&#10;</xsl:text>
+ </xsl:for-each>
+ </xsl:template>
+
+</xsl:stylesheet>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+ -->
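Review bot: The header comment says the stylesheet renders rcynic's xml-summary output, but the template only walks `rcynic-summary/validation_status` and emits the timestamp, status and element text; the comment should say that, e.g. `XSL stylesheet to render the validation_status entries of rcynic's xml-summary output as tab-delimited text (timestamp, status, URI).` Because fields are separated only by a tab, a URI containing a tab or newline would break the line format for anything parsing this output; whether the producer ever emits such characters is not visible here. `encoding="US-ASCII"` with `method="text"` also means a non-ASCII character in a URI cannot be represented and processor behaviour then varies; UTF-8 would avoid the question.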