author | Michael Elkins <melkins@tislabs.com> | 2010-07-27 20:45:21 +0000 |
---|---|---|
committer | Michael Elkins <melkins@tislabs.com> | 2010-07-27 20:45:21 +0000 |
commit | 0b23a6b2f42a37db3e615a828d148e274221c8f4 (patch) | |
tree | f9a8f873db0d3054cfebe54081cf054abdb94d75 /portal-gui/rpkigui/myrpki | |
parent | 25665694c204d928d6b78bebfa7d84c421a11e18 (diff) |
strictly enforce non-overlapping resource ranges in AddressRange and Asn object trees.
add cert member to Roa class to hold a pointer to the resource cert from which all prefixes in the roa derive
svn path=/portal-gui/rpkigui/myrpki/forms.py; revision=3418
Diffstat (limited to 'portal-gui/rpkigui/myrpki')
-rw-r--r-- | portal-gui/rpkigui/myrpki/forms.py | 70 | ||||
-rw-r--r-- | portal-gui/rpkigui/myrpki/models.py | 3 | ||||
-rw-r--r-- | portal-gui/rpkigui/myrpki/views.py | 29 |
3 files changed, 32 insertions, 70 deletions
diff --git a/portal-gui/rpkigui/myrpki/forms.py b/portal-gui/rpkigui/myrpki/forms.py
index e66d8f6d..959d5a20 100644
--- a/portal-gui/rpkigui/myrpki/forms.py
+++ b/portal-gui/rpkigui/myrpki/forms.py
@@ -60,70 +60,28 @@ def PrefixSplitForm(parent, *args, **kwargs): except ValueError, err: print err raise forms.ValidationError, 'invalid prefix or range' + # we get AssertionError is the range is misordered (hi before lo) + except AssertionError, err: + print err + raise forms.ValidationError, 'invalid prefix or range' pr = parent.as_resource_range() if r.min < pr.min or r.max > pr.max: raise forms.ValidationError, \ 'range is outside parent range' + if r.min == pr.min and r.max == pr.max: + raise forms.ValidationError, \ + 'range is equal to parent' if parent.allocated: - raise forms.ValidationError, 'Prefix is assigned to child' + raise forms.ValidationError, 'prefix is assigned to child' + for p in parent.children.all(): + c = p.as_resource_range() + if c.min <= r.min <= c.max or c.min <= r.max <= c.max: + raise forms.ValidationError, \ + 'overlap with another child prefix: %s' % (c,) + return self.cleaned_data return _wrapper(*args, **kwargs) -#def PrefixSplitForm(prefix, *args, **kwargs): -# class _wrapper(forms.Form): -# lo = forms.IPAddressField() -# hi = forms.IPAddressField() -# -# def clean_lo(self): -# lo = self.cleaned_data.get('lo') -# # convert from string to long representation -# try: -# loaddr = rpki.ipaddrs.parse(lo) -# except socket.error: -# raise forms.ValidationError, 'Invalid IP address string' -# pfx_loaddr = rpki.ipaddrs.parse(prefix.lo) -# pfx_hiaddr = rpki.ipaddrs.parse(prefix.hi) -# if type(loaddr) != type(pfx_hiaddr): -# raise forms.ValidationError, \ -# 'Not the same IP address type as parent' -# if loaddr < pfx_loaddr or loaddr > pfx_hiaddr: -# raise forms.ValidationError, \ -# 'Value out of range of parent prefix' -# return lo -# -# def clean_hi(self): -# hi = self.cleaned_data.get('hi') -# # convert from string to long representation -# try: -# hiaddr = rpki.ipaddrs.parse(hi) -# except socket.error: -# raise forms.ValidationError, 'Invalid IP address string' -# pfx_loaddr = rpki.ipaddrs.parse(prefix.lo) -# pfx_hiaddr = 
rpki.ipaddrs.parse(prefix.hi) -# if type(hiaddr) != type(pfx_loaddr): -# raise forms.ValidationError, \ -# 'Not the same IP address type as parent' -# if hiaddr < pfx_loaddr or hiaddr > pfx_hiaddr: -# raise forms.ValidationError, \ -# 'Value out of range of parent prefix' -# return hi -# -# def clean(self): -# hi = self.cleaned_data.get('hi') -# lo = self.cleaned_data.get('lo') -# # hi or lo may be None if field validation failed -# if hi and lo: -# # convert from string to long representation -# hiaddr = rpki.ipaddrs.parse(hi) -# loaddr = rpki.ipaddrs.parse(lo) -# if hiaddr < loaddr: -# raise forms.ValidationError, 'Hi value is smaller than Lo' -# if prefix.allocated: -# raise forms.ValidationError, 'Prefix is assigned to child' -# return self.cleaned_data -# -# return _wrapper(*args, **kwargs) - def PrefixAllocateForm(iv, child_set, *args, **kwargs): class _wrapper(forms.Form): child = forms.ModelChoiceField(initial=iv, queryset=child_set, diff --git a/portal-gui/rpkigui/myrpki/models.py b/portal-gui/rpkigui/myrpki/models.py index fc8d4a6d..e2f9cb81 100644 --- a/portal-gui/rpkigui/myrpki/models.py +++ b/portal-gui/rpkigui/myrpki/models.py @@ -194,6 +194,9 @@ class Roa(models.Model): asn = models.IntegerField() active = models.BooleanField() + # the resource cert from which all prefixes for this roa are derived + cert = models.ForeignKey(ResourceCert, related_name='roas') + def __unicode__(self): return u"%s's ROA for %d" % (self.conf, self.asn) diff --git a/portal-gui/rpkigui/myrpki/views.py b/portal-gui/rpkigui/myrpki/views.py index fa9f27e3..7827f706 100644 --- a/portal-gui/rpkigui/myrpki/views.py +++ b/portal-gui/rpkigui/myrpki/views.py 
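Review bot: The new child-overlap test in `PrefixSplitForm` only checks whether an endpoint of the requested range falls inside an existing child, so a range that strictly encloses a child (`r.min < c.min` and `r.max > c.max`) is accepted. That leaves overlapping allocations in the tree, which is what this commit sets out to prevent. The full interval test covers every case: `if r.min <= c.max and c.min <= r.max:`. Separately, the misordered-range check depends on catching `AssertionError`, which presumably comes from an `assert` in the range parser; asserts are stripped under `python -O`, so an explicit `r.min > r.max` comparison after parsing would not depend on interpreter flags. The enclosing validation method starts above this hunk.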
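Review bot: `cert` in `Roa` is declared without `null=True` or a default, so any Roa rows that already exist have no value for the new required column, and the commit shows no schema or data migration for them. If deployed databases hold ROAs, add the field as nullable and backfill it, or document that the table has to be rebuilt. Under Django's default behaviour, deleting a `ResourceCert` will also cascade to its ROAs through this key; if that is intended, say so in the field comment, e.g. `# deleting the cert deletes every ROA derived from it`.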
@@ -360,16 +360,6 @@ class PrefixAllocateView(PrefixView): def prefix_allocate_view(request, pk): return PrefixAllocateView(request, pk)() -def find_roa(handle, prefix, asid): - '''Find a roa with prefixes from the same resource cert.''' - roa_set = handle.roas.filter(asn=asid) - for c in misc.top_parent(prefix).from_cert.all(): - for r in roa_set: - for req in r.from_roa_request.all(): - if c in misc.top_parent(req.prefix).from_cert.all(): - return r - return None - def add_roa_requests(handle, prefix, asns, max_length): for asid in asns: if debug: @@ -378,15 +368,26 @@ def add_roa_requests(handle, prefix, asns, max_length): if not req_set: if debug: print 'no roa for AS %d containing %s-%d' % (asid, prefix, max_length) - roa = find_roa(handle, prefix, asid) - if not roa: + + # find ROAs for prefixes derived from the same resource cert + # as this prefix + certs = misc.top_parent(prefix).from_cert.all() + roa_set = handle.roas.filter(asn=asid, cert__in=certs) + + # FIXME: currently only creates a ROA/request for the first + # resource cert, not all of them + if roa_set: + roa = roa_set[0] + else: if debug: print 'creating new roa for AS %d containg %s-%d' % (asid, prefix, max_length) # no roa is present for this ASN, create a new one - roa = models.Roa.objects.create(asn=asid, conf=handle, active=False) + roa = models.Roa.objects.create(asn=asid, conf=handle, + active=False, cert=certs[0]) roa.save() - req = models.RoaRequest.objects.create(prefix=prefix, roa=roa, max_length=max_length) + req = models.RoaRequest.objects.create(prefix=prefix, roa=roa, + max_length=max_length) req.save() class PrefixRoaView(PrefixView): |
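Review bot: `certs[0]` in the new-ROA branch of `add_roa_requests` raises IndexError when `misc.top_parent(prefix).from_cert.all()` is empty, and nothing in the hunk checks for that before `models.Roa.objects.create(...)`. Since `certs` does not depend on `asid`, it can be computed once above `for asid in asns:` with a guard such as `if not certs: raise ValueError('no resource cert covers %s' % (prefix,))`, so the failure happens before any ROA or request is written. `roa_set[0]` and `certs[0]` also index querysets with no visible ordering, so which ROA or cert gets picked may vary between calls; `.order_by('pk')` on both would make the FIXME'd first-cert choice deterministic. The function starts above this hunk.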