authorRob Austein <sra@hactrn.net>2011-03-27 01:24:39 +0000
committerRob Austein <sra@hactrn.net>2011-03-27 01:24:39 +0000
commit5fa9645088acad9afb6a3794fae4f76b79a0eca9 (patch)
tree41afd4cb9577819ea1ca966fc6ad0f3522d3526c /rpkid
parent9edd8b49bca9257929ad1fafbde1766a53089fc9 (diff)
Handle past-expiration IRDB entries properly
svn path=/rpkid/rpki/left_right.py; revision=3746
Diffstat (limited to 'rpkid')
-rw-r--r--rpkid/rpki/left_right.py8
-rw-r--r--rpkid/rpki/up_down.py43
-rw-r--r--rpkid/tests/smoketest.4.yaml50
3 files changed, 75 insertions, 26 deletions
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 2c61b5ac..16679f4f 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -431,21 +431,21 @@ class self_elt(data_elt):
new_resources = irdb_resources.intersection(old_resources).intersection(ca_detail.latest_ca_cert.get_3779resources())
if new_resources.empty():
- rpki.log.debug("Resources shrank to the null set, revoking and withdrawing child certificate SKI %s" % child_cert.cert.gSKI())
+ rpki.log.debug("Resources shrank to the null set, revoking and withdrawing child %s certificate SKI %s" % (child.child_handle, child_cert.cert.gSKI()))
child_cert.revoke(publisher = publisher)
ca_detail.generate_crl(publisher = publisher)
ca_detail.generate_manifest(publisher = publisher)
elif old_resources != new_resources or (old_resources.valid_until < rsn and irdb_resources.valid_until > now):
- rpki.log.debug("Need to reissue child certificate SKI %s" % child_cert.cert.gSKI())
+ rpki.log.debug("Need to reissue child %s certificate SKI %s" % (child.child_handle, child_cert.cert.gSKI()))
child_cert.reissue(
ca_detail = ca_detail,
resources = new_resources,
publisher = publisher)
elif old_resources.valid_until < now:
- rpki.log.debug("Child certificate SKI %s has expired: cert.valid_until %s, irdb.valid_until %s"
- % (child_cert.cert.gSKI(), old_resources.valid_until, irdb_resources.valid_until))
+ rpki.log.debug("Child %s certificate SKI %s has expired: cert.valid_until %s, irdb.valid_until %s"
+ % (child.child_handle, child_cert.cert.gSKI(), old_resources.valid_until, irdb_resources.valid_until))
child_cert.sql_delete()
publisher.withdraw(cls = rpki.publication.certificate_elt, uri = child_cert.uri, obj = child_cert.cert, repository = ca.parent.repository)
ca_detail.generate_manifest(publisher = publisher)
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index 37c27983..009818cb 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -251,25 +251,27 @@ class list_pdu(base_elt):
r_msg.payload = list_response_pdu()
- for parent in child.parents:
- for ca in parent.cas:
- ca_detail = ca.active_ca_detail
- if not ca_detail:
- continue
- resources = ca_detail.latest_ca_cert.get_3779resources().intersection(irdb_resources)
- if resources.empty():
- continue
- rc = class_elt()
- rc.class_name = str(ca.ca_id)
- rc.cert_url = multi_uri(ca_detail.ca_cert_uri)
- rc.from_resource_bag(resources)
- for child_cert in child.fetch_child_certs(ca_detail = ca_detail):
- c = certificate_elt()
- c.cert_url = multi_uri(child_cert.uri)
- c.cert = child_cert.cert
- rc.certs.append(c)
- rc.issuer = ca_detail.latest_ca_cert
- r_msg.payload.classes.append(rc)
+ if irdb_resources.valid_until > rpki.sundial.now():
+ for parent in child.parents:
+ for ca in parent.cas:
+ ca_detail = ca.active_ca_detail
+ if not ca_detail:
+ continue
+ resources = ca_detail.latest_ca_cert.get_3779resources().intersection(irdb_resources)
+ if resources.empty():
+ continue
+ rc = class_elt()
+ rc.class_name = str(ca.ca_id)
+ rc.cert_url = multi_uri(ca_detail.ca_cert_uri)
+ rc.from_resource_bag(resources)
+ for child_cert in child.fetch_child_certs(ca_detail = ca_detail):
+ c = certificate_elt()
+ c.cert_url = multi_uri(child_cert.uri)
+ c.cert = child_cert.cert
+ rc.certs.append(c)
+ rc.issuer = ca_detail.latest_ca_cert
+ r_msg.payload.classes.append(rc)
+
callback()
self.gctx.irdb_query_child_resources(child.self.self_handle, child.child_handle, handle, errback)
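Review bot: When the IRDB entry has expired, the new `if irdb_resources.valid_until > rpki.sundial.now():` guard skips the whole class loop and the child gets an empty list_response with nothing logged, so an operator reading the log cannot tell an expired entitlement from a child that has no matching resources. An `else:` branch with `rpki.log.debug("IRDB entry for child %s expired %s, returning empty class list" % (child.child_handle, irdb_resources.valid_until))` would record it, using the same fields the issue_pdu check in this commit reports. The enclosing callback starts before the hunk, so its name and the rest of its body are not visible here.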
@@ -375,6 +377,9 @@ class issue_pdu(base_elt):
def got_resources(irdb_resources):
+ if irdb_resources.valid_until < rpki.sundial.now():
+ raise rpki.exceptions.IRDBExpired, "IRDB entry for child %s expired %s" % (child.child_handle, irdb_resources.valid_until)
+
resources = irdb_resources.intersection(ca_detail.latest_ca_cert.get_3779resources())
req_key = self.pkcs10.getPublicKey()
req_sia = self.pkcs10.get_SIA()
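Review bot: The expiry test `irdb_resources.valid_until < rpki.sundial.now()` still lets a request through when valid_until equals the current time. The list_pdu guard in this commit (`valid_until > rpki.sundial.now()`) and the reissue condition in left_right.py (`irdb_resources.valid_until > now`) both treat that instant as expired. Changing the test to `if irdb_resources.valid_until <= rpki.sundial.now():` would make the three checks agree. The diffstat shows no change to the exceptions module, so `rpki.exceptions.IRDBExpired` presumably already exists; that is worth confirming, because otherwise the raise fails with AttributeError instead of the intended error. got_resources continues past the end of the hunk.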
diff --git a/rpkid/tests/smoketest.4.yaml b/rpkid/tests/smoketest.4.yaml
index ee447daa..c0d446bc 100644
--- a/rpkid/tests/smoketest.4.yaml
+++ b/rpkid/tests/smoketest.4.yaml
@@ -1,6 +1,20 @@
# $Id$
-# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+# Copyright (C) 2011 Internet Systems Consortium ("ISC")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+#
+# Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
@@ -14,15 +28,45 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# This is a test of what happens when certificates go missing in action.
+# This is a test of what happens when certificates go missing in
+# action, IRDB data expires, etc. Expected result:
+#
+# - RIR, R0, and Alice get certs
+# - Bob gets no cert at all
+# - RO and Alice have short-lived certs, which go away
+# - Test ends with only RIR having a cert
+#
+# If run on a very slow machine, the 60 second expiration may have
+# already passed by the time everything is up and running, in which
+# case nobody but RIR will ever get any certs.
+#
+# The extra cycles with no sleep are deliberate, at one point we had a
+# cycle where parent would issue a cert that had already expired,
+# which led to a tight loop of revocation and reissuance every cycle;
+# we're checking to make sure that doesn't happen anymore, although
+# things should never get to that point because list_response should
+# discourage the child from ever asking for a cert in the first place.
name: RIR
-valid_for: -10
+valid_for: 60
kids:
- name: R0
kids:
- name: Alice
ipv4: 192.0.2.1-192.0.2.33
asn: 64533
+ - name: Bob
+ ipv4: 192.0.2.34-192.0.2.65
+ valid_for: -10
+---
+---
+---
+---
+---
+---
+- sleep 30
+---
+- sleep 30
+---
---
---
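Review bot: The expected-result comment names "RO" (letter O), but the entity defined below is `R0` (digit zero); the line should read `# - R0 and Alice have short-lived certs, which go away`. The comment also says the outcome depends on machine speed relative to `valid_for: 60`, and nothing in the hunk shows which outcome the harness counts as a pass. A sentence stating that would make a slow-machine run easier to interpret.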