author | Rob Austein <sra@hactrn.net> | 2016-01-23 01:05:14 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2016-01-23 01:05:14 +0000 |
commit | b13edb8b25ffa0d4252a42fadd13f0367f6d47bf (patch) | |
tree | d30cba0d658f949bdc6e12dda866e762bbf8f85c /rpki | |
parent | aa77e34c8cc1f675dd8f86f713c3ce8a06fece8a (diff) |
Add multiple-URI TAL support to rcynicng.
Whack CA tools with a club until rcynicng works with our CA RRDP
implementation.
Add makemigrations target to top-level Makefile; this is a bit of a
kludge, but sure beats doing this by hand.
svn path=/branches/tk705/; revision=6230
Diffstat (limited to 'rpki')
-rw-r--r-- | rpki/irdb/zookeeper.py | 8 | ||||
-rw-r--r-- | rpki/pubd.py | 8 | ||||
-rw-r--r-- | rpki/pubdb/models.py | 23 | ||||
-rw-r--r-- | rpki/rpkidb/migrations/0001_initial.py | 7 | ||||
-rw-r--r-- | rpki/rpkidb/migrations/0002_remove_cadetail_latest_manifest_cert.py | 18 | ||||
-rw-r--r-- | rpki/rpkidb/migrations/0003_auto_20151111_1230.py | 37 |
6 files changed, 25 insertions, 76 deletions
diff --git a/rpki/irdb/zookeeper.py b/rpki/irdb/zookeeper.py
index cf4dbda6..e7d9965c 100644
--- a/rpki/irdb/zookeeper.py
+++ b/rpki/irdb/zookeeper.py
@@ -414,6 +414,7 @@ class Zookeeper(object):
 if self.run_pubd:
 pubd = self.server_ca.ee_certificates.get(purpose = "pubd")
 writer(self.cfg.get("bpki-ta", section = pubd_section), self.server_ca.certificate)
+ writer(self.cfg.get("pubd-crl", section = pubd_section), self.server_ca.latest_crl)
 writer(self.cfg.get("pubd-key", section = pubd_section), pubd.private_key)
 writer(self.cfg.get("pubd-cert", section = pubd_section), pubd.certificate)
 writer(self.cfg.get("irbe-cert", section = pubd_section),
@@ -423,10 +424,10 @@ class Zookeeper(object):
 try:
 rootd = rpki.irdb.models.ResourceHolderCA.objects.get(handle = self.handle).rootd
 writer(self.cfg.get("bpki-ta", section = rootd_section), self.server_ca.certificate)
- writer(self.cfg.get("rootd-bpki-crl", section = rootd_section), self.server_ca.latest_crl)
 writer(self.cfg.get("rootd-bpki-key", section = rootd_section), rootd.private_key)
 writer(self.cfg.get("rootd-bpki-cert", section = rootd_section), rootd.certificate)
 writer(self.cfg.get("child-bpki-cert", section = rootd_section), rootd.issuer.certificate)
+ # rootd-bpki-crl is the same as pubd-crl, already written
 except rpki.irdb.models.ResourceHolderCA.DoesNotExist:
 self.log("rootd enabled but resource holding entity not yet configured, skipping rootd setup")
 except rpki.irdb.models.Rootd.DoesNotExist:
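Review bot: The replacement comment `# rootd-bpki-crl is the same as pubd-crl, already written` only holds when `self.run_pubd` is true, because the new pubd-crl writer sits inside the `if self.run_pubd:` block of the preceding hunk, whereas the removed rootd-bpki-crl writer ran whenever the rootd branch did. A deployment running rootd without a local pubd therefore no longer gets its BPKI CRL file written at all, and since the two values come from different config keys (`rootd-bpki-crl` vs `pubd-crl`) they need not even name the same path. Either keep `writer(self.cfg.get("rootd-bpki-crl", section = rootd_section), self.server_ca.latest_crl)` here, or reword the comment to state the assumption explicitly, e.g. `# rootd-bpki-crl is expected to be configured to the same path as pubd-crl, which is written above when run_pubd is set`. The block enclosing this `try:` starts outside the hunk, so the exact guard around the rootd branch is not visible here.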
@@ -844,15 +845,14 @@ class Zookeeper(object):
 port = self.cfg.get("pubd_server_port", section = myrpki_section), handle = client.handle)
- rrdp_uri = self.cfg.get("publication_rrdp_notification_uri", section = myrpki_section,
- default = "") or None
+ rrdp_uri = self.cfg.get("publication_rrdp_notification_uri", section = myrpki_section, default = "")
 e = Element(tag_oob_repository_response, nsmap = oob_nsmap, version = oob_version, service_uri = service_uri, publisher_handle = client.handle, sia_base = client.sia_base)
- if rrdp_uri is not None:
+ if rrdp_uri:
 e.set("rrdp_notification_uri", rrdp_uri)
 B64Element(e, tag_oob_repository_bpki_ta, self.server_ca.certificate)
diff --git a/rpki/pubd.py b/rpki/pubd.py
index 3ae8645a..c8e812a8 100644
--- a/rpki/pubd.py
+++ b/rpki/pubd.py
@@ -112,11 +112,9 @@ class main(object):
 self.publication_base = self.cfg.get("publication-base", "publication/")
- self.rrdp_uri_base = self.cfg.get("rrdp-uri-base",
- "http://%s/rrdp/" % socket.getfqdn())
+ self.rrdp_base_uri = self.cfg.get("rrdp-base-uri", "https://%s/rrdp/" % socket.getfqdn())
 self.rrdp_expiration_interval = rpki.sundial.timedelta.parse(self.cfg.get("rrdp-expiration-interval", "6h"))
- self.rrdp_publication_base = self.cfg.get("rrdp-publication-base",
- "rrdp-publication/")
+ self.rrdp_publication_base = self.cfg.get("rrdp-publication-base", "rrdp-publication/")
 try:
 self.session = rpki.pubdb.models.Session.objects.get()
@@ -286,7 +284,7 @@ class main(object):
 else:
 if delta is not None:
- self.session.synchronize_rrdp_files(self.rrdp_publication_base, self.rrdp_uri_base)
+ self.session.synchronize_rrdp_files(self.rrdp_publication_base, self.rrdp_base_uri)
 delta.update_rsync_files(self.publication_base)
 request.send_cms_response(rpki.publication.cms_msg().wrap(r_msg, self.pubd_key, self.pubd_cert, self.pubd_crl))
diff --git a/rpki/pubdb/models.py b/rpki/pubdb/models.py
index 43600a5e..9d614ceb 100644
--- a/rpki/pubdb/models.py
+++ b/rpki/pubdb/models.py
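Review bot: The configuration key is renamed from `rrdp-uri-base` to `rrdp-base-uri` in the pubd.py hunk at line 112 with no fallback, so an existing pubd.conf that still sets the old key is silently ignored and the daemon falls back to `https://<fqdn>/rrdp/` built from `socket.getfqdn()`, and that host name then appears in every notification URI `synchronize_rrdp_files` publishes. Reading the old key as a fallback, `self.rrdp_base_uri = self.cfg.get("rrdp-base-uri", self.cfg.get("rrdp-uri-base", "https://%s/rrdp/" % socket.getfqdn()))`, or at least logging when the computed default is used, would keep the switch to an https default from also changing which host the published URIs name. If the rename is deliberate, a comment above the line saying the old key is no longer honoured, plus a mention in the commit message, would be enough.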
@@ -88,8 +88,16 @@ class Session(models.Model):
 # Debugging flag to prevent expiration of old RRDP files.
 # This simplifies debugging delta code. Need for this
 # may go away once RRDP is fully integrated into rcynic.
+ keep_all_rrdp_files = False
+ ## @var keep_these_files
+ # Filenames which should not be deleted during cleanup.
+ # Expected use is to allow us to store a root certificate
+ # in in the RRDP base directory.
+
+ keep_these_files = set(["root.cer"])
+ def new_delta(self, expires):
 """
 Construct a new delta associated with this session.
@@ -158,28 +166,28 @@ class Session(models.Model):
 @staticmethod
- def _rrdp_filename_to_uri(fn, rrdp_uri_base):
- return "%s/%s" % (rrdp_uri_base.rstrip("/"), fn)
+ def _rrdp_filename_to_uri(fn, rrdp_base_uri):
+ return "%s/%s" % (rrdp_base_uri.rstrip("/"), fn)
- def _generate_update_xml(self, rrdp_uri_base):
+ def _generate_update_xml(self, rrdp_base_uri):
 xml = Element(rrdp_tag_notification, nsmap = rrdp_nsmap, version = rrdp_version, session_id = self.uuid, serial = str(self.serial))
 SubElement(xml, rrdp_tag_snapshot,
- uri = self._rrdp_filename_to_uri(self.snapshot_fn, rrdp_uri_base),
+ uri = self._rrdp_filename_to_uri(self.snapshot_fn, rrdp_base_uri),
 hash = self.hash)
 for delta in self.delta_set.all():
 SubElement(xml, rrdp_tag_delta,
- uri = self._rrdp_filename_to_uri(delta.fn, rrdp_uri_base),
+ uri = self._rrdp_filename_to_uri(delta.fn, rrdp_base_uri),
 hash = delta.hash, serial = str(delta.serial))
 rpki.relaxng.rrdp.assertValid(xml)
 return ElementToString(xml, pretty_print = True)
- def synchronize_rrdp_files(self, rrdp_publication_base, rrdp_uri_base):
+ def synchronize_rrdp_files(self, rrdp_publication_base, rrdp_base_uri):
 """
 Write current RRDP files to disk, clean up old files and directories.
 """
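Review bot: `keep_these_files = set(["root.cer"])` in the first hunk is a mutable class attribute shared by every Session instance; the `|=` that consumes it later copies into `current_filenames` rather than mutating it, so this is safe as written, but `keep_these_files = frozenset(["root.cer"])` would make the exemption list read-only and its intent as a constant obvious. The Doxygen comment just above it has a doubled word: `# in in the RRDP base directory.` should read `# in the RRDP base directory.`. The second hunk is a pure parameter rename (`rrdp_uri_base` to `rrdp_base_uri`) and leaves `_rrdp_filename_to_uri` and `_generate_update_xml` behaviourally unchanged.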
@@ -193,11 +201,12 @@ class Session(models.Model):
 self._write_rrdp_file(self.snapshot_fn, self.snapshot, rrdp_publication_base)
 current_filenames.add(self.snapshot_fn)
- self._write_rrdp_file(self.notification_fn, self._generate_update_xml(rrdp_uri_base),
+ self._write_rrdp_file(self.notification_fn, self._generate_update_xml(rrdp_base_uri),
 rrdp_publication_base, overwrite = True)
 current_filenames.add(self.notification_fn)
 if not self.keep_all_rrdp_files:
+ current_filenames |= self.keep_these_files
 for root, dirs, files in os.walk(rrdp_publication_base, topdown = False):
 for fn in files:
 fn = os.path.join(root, fn)
diff --git a/rpki/rpkidb/migrations/0001_initial.py b/rpki/rpkidb/migrations/0001_initial.py
index a313ba63..274775e3 100644
--- a/rpki/rpkidb/migrations/0001_initial.py
+++ b/rpki/rpkidb/migrations/0001_initial.py
@@ -27,10 +27,7 @@ class Migration(migrations.Migration):
 name='CA',
 fields=[
 ('id', models.AutoField(verbose_name='ID', serialize=False, auto_created=True, primary_key=True)),
- ('last_crl_sn', models.BigIntegerField(default=1)),
- ('last_manifest_sn', models.BigIntegerField(default=1)),
- ('next_manifest_update', rpki.fields.SundialField(null=True)),
- ('next_crl_update', rpki.fields.SundialField(null=True)),
+ ('last_crl_manifest_number', models.BigIntegerField(default=1)),
 ('last_issued_sn', models.BigIntegerField(default=1)),
 ('sia_uri', models.TextField(null=True)),
 ('parent_resource_class', models.TextField(null=True)),
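Review bot: `current_filenames |= self.keep_these_files` adds the bare name `root.cer`, but the walk that follows rebuilds each candidate as `fn = os.path.join(root, fn)` and the comparison against `current_filenames` happens after the hunk ends, so whether the exemption ever matches depends on the form the entries are compared in. If the loop compares joined paths, `root.cer` is still deleted; if it compares names relative to `rrdp_publication_base`, only a `root.cer` at the top level is protected, which is presumably the intent but is not stated. A one-line comment such as `# keep_these_files holds names relative to rrdp_publication_base; only top-level files are exempt` above the `|=` would pin that down, and the cleanup loop in `synchronize_rrdp_files` continues past the end of this hunk.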
@@ -47,9 +44,9 @@ class Migration(migrations.Migration):
 ('latest_ca_cert', rpki.fields.CertificateField(null=True)),
 ('manifest_private_key_id', rpki.fields.RSAPrivateKeyField(null=True)),
 ('manifest_public_key', rpki.fields.PublicKeyField(null=True)),
- ('latest_manifest_cert', rpki.fields.CertificateField(null=True)),
 ('latest_manifest', rpki.fields.ManifestField(null=True)),
 ('manifest_published', rpki.fields.SundialField(null=True)),
+ ('next_crl_manifest_update', rpki.fields.SundialField(null=True)),
 ('state', rpki.fields.EnumField(choices=[(1, 'pending'), (2, 'active'), (3, 'deprecated'), (4, 'revoked')])),
 ('ca_cert_uri', models.TextField(null=True)),
 ('ca', models.ForeignKey(related_name='ca_details', to='rpkidb.CA')),
diff --git a/rpki/rpkidb/migrations/0002_remove_cadetail_latest_manifest_cert.py b/rpki/rpkidb/migrations/0002_remove_cadetail_latest_manifest_cert.py
deleted file mode 100644
index a96f1805..00000000
--- a/rpki/rpkidb/migrations/0002_remove_cadetail_latest_manifest_cert.py
+++ /dev/null
@@ -1,18 +0,0 @@
-# -*- coding: utf-8 -*-
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
- dependencies = [
- ('rpkidb', '0001_initial'),
- ]
-
- operations = [
- migrations.RemoveField(
- model_name='cadetail',
- name='latest_manifest_cert',
- ),
- ]
diff --git a/rpki/rpkidb/migrations/0003_auto_20151111_1230.py b/rpki/rpkidb/migrations/0003_auto_20151111_1230.py
deleted file mode 100644
index 8ed021e8..00000000
--- a/rpki/rpkidb/migrations/0003_auto_20151111_1230.py
+++ /dev/null
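Review bot: Rewriting 0001_initial in place while deleting 0002 and 0003 (this hunk and the one at line 27) changes the recorded history of migrations that may already be applied somewhere: a database that ran the old 0001 plus 0002/0003 ends with the same columns this new 0001 declares, so it keeps django_migrations rows for files that no longer exist, while a database that ran only the old 0001 is left without `last_crl_manifest_number` and `next_crl_manifest_update` and, as far as I can tell, `migrate` would not detect either case. If this is a deliberate reset of the rpkidb migrations before any release, a comment at the top of 0001 such as `# Regenerated at this revision; earlier 0002/0003 migrations were folded in` or a line in the commit message would spare the next person the diagnosis; otherwise the field changes belong in a new migration that depends on 0003 rather than in an edited initial one.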
@@ -1,37 +0,0 @@
-# -*- coding: utf-8 -*-
-from __future__ import unicode_literals
-
-from django.db import migrations, models
-import rpki.fields
-
-
-class Migration(migrations.Migration):
-
- dependencies = [
- ('rpkidb', '0002_remove_cadetail_latest_manifest_cert'),
- ]
-
- operations = [
- migrations.RenameField(
- model_name='ca',
- old_name='last_crl_sn',
- new_name='last_crl_manifest_number',
- ),
- migrations.RemoveField(
- model_name='ca',
- name='last_manifest_sn',
- ),
- migrations.RemoveField(
- model_name='ca',
- name='next_crl_update',
- ),
- migrations.RemoveField(
- model_name='ca',
- name='next_manifest_update',
- ),
- migrations.AddField(
- model_name='cadetail',
- name='next_crl_manifest_update',
- field=rpki.fields.SundialField(null=True),
- ),
- ]