author | Rob Austein <sra@hactrn.net> | 2007-11-19 08:07:00 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2007-11-19 08:07:00 +0000 |
commit | 8ad3e4f7768ffb0defae8cdea241a4f4f27d8f37 (patch) | |
tree | 096c7b47e49698e470356bb78bfc682543f22956 /scripts/rpki | |
parent | 91dc432c04482d32f887cfdc03a67ab09823e53a (diff) |
Still more method cleanup, including access control the absence of
which had been lost in the SQL noise.
svn path=/scripts/README; revision=1324
Diffstat (limited to 'scripts/rpki')
-rw-r--r-- | scripts/rpki/exceptions.py | 3 | ||||
-rw-r--r-- | scripts/rpki/left_right.py | 10 | ||||
-rw-r--r-- | scripts/rpki/sql.py | 4 | ||||
-rw-r--r-- | scripts/rpki/up_down.py | 12 |
4 files changed, 18 insertions, 11 deletions
diff --git a/scripts/rpki/exceptions.py b/scripts/rpki/exceptions.py
index b5f0010f..43b7ab4d 100644
--- a/scripts/rpki/exceptions.py
+++ b/scripts/rpki/exceptions.py
@@ -55,3 +55,6 @@ class BSCNotFound(Exception):
 class BadSender(Exception):
 """Unexpected XML sender value."""
+
+class ClassNameMismatch(Exception):
+ """class_name does not match child context."""
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index c817f08e..ac77342f 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -562,6 +562,16 @@ class child_elt(data_elt):
 """Fetch all parent objects that link to self object to which this child object links."""
 return parent_elt.sql_fetch_where(gctx, "self_id = %s" % self.self_id)
+ def ca_from_class_name(self, gctx, class_name):
+ """Fetch the CA corresponding to an up-down class_name."""
+ if not class_name.isdigit():
+ raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % class_name
+ ca = rpki.sql.ca_obj.sql_fetch(gctx, long(class_name))
+ parent = ca.parent(gctx)
+ if self.self_id != parent.self_id:
+ raise rpki.exceptions.ClassNameMismatch, "child.self_id = %d, parent.self_id = %d" % (self.self_id, parent.self_id)
+ return ca
+
 def serve_post_save_hook(self, q_pdu, r_pdu):
 """Extra server actions for child_elt."""
 if self.reissue:
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index e34673e8..055e4476 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -220,7 +220,7 @@ class ca_obj(sql_persistant):
 return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s" % self.ca_id)
 def fetch_active(self, gctx):
- """Return the active ca_detail for this CA, if any."""
+ """Fetch the active ca_detail for this CA, if any."""
 return ca_detail_obj.sql_fetch_where1(gctx, "ca_id = %s AND state = 'active'" % self.ca_id)
 def construct_sia_uri(self, gctx, parent, rc):
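Review bot: `ca_from_class_name` in scripts/rpki/left_right.py dereferences `ca` and `parent` without checking that either lookup succeeded. The up_down.py code this helper replaces tested `ca is None` and raised `NotInDatabase`, which suggests `sql_fetch` can return None; in that case `ca.parent(gctx)` fails with an AttributeError before the ownership comparison is reached. Because class_name comes from the child's request, an unknown id should end in a defined exception: add `if ca is None: raise rpki.exceptions.NotInDatabase` after the fetch and widen the comparison to `if parent is None or self.self_id != parent.self_id:`. The docstring should also say that the method raises ClassNameMismatch when the CA's parent belongs to a different self, since that is the access check callers now rely on.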
@@ -252,7 +252,7 @@ class ca_obj(sql_persistant):
 rc_resources = rc.to_resource_bag()
 cert_map = dict((c.cert.get_SKI(), c) for c in rc.certs)
- for ca_detail in ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL AND state != 'revoked'" % self.ca_id):
+ for ca_detail in ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL" % self.ca_id):
 ski = ca_detail.latest_ca_cert.get_SKI()
 if ca_detail.state != "deprecated":
 current_resources = ca_detail.latest_ca_cert.get_3779resources()
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 3b196d9d..e4285257 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -249,12 +249,8 @@ class issue_pdu(base_elt):
 """Serve one issue request PDU."""
 # Check the request
- if not self.class_name.isdigit():
- raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % self.class_name
- ca = rpki.sql.ca_obj.sql_fetch(gctx, long(self.class_name))
+ ca = child.ca_from_class_name(gctx, self.class_name)
 ca_detail = ca.fetch_active(gctx)
- if ca is None or ca_detail is None:
- raise rpki.exceptions.NotInDatabase
 self.pkcs10.check_valid_rpki()
 # Check current cert, if any
@@ -302,7 +298,7 @@ class issue_pdu(base_elt):
 @classmethod
 def query(cls, gctx, parent, ca, ca_detail):
 """Send an "issue" request to parent associated with ca."""
- assert ca_detail is not None and ca_detail.state not in ("deprecated", "revoked")
+ assert ca_detail is not None and ca_detail.state != "deprecated"
 sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", ca.sia_uri)), (rpki.oids.name2oid["id-ad-rpkiManifest"], ("uri", ca_detail.manifest_uri(ca))))
 self = cls()
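Review bot: Dropping `AND state != 'revoked'` from the query in the scripts/rpki/sql.py loop leaves `ca_detail.state != "deprecated"` as the only state test, so a revoked ca_detail that still has a latest_ca_cert would be handled as a current one. Whether revoked rows can persist in the table is not visible here; if they can, keep an explicit guard such as `if ca_detail.state == "revoked": continue` at the top of the loop body, and otherwise add a comment stating that revoked ca_details are deleted. The same relaxation appears in `issue_pdu.query` in up_down.py, where the check is an `assert` and is therefore skipped under `python -O`, and in `revoke_pdu.serve_pdu`, which now iterates `ca_details(gctx)` with no state filter. The enclosing method begins and continues outside this hunk.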
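Review bot: In `issue_pdu.serve_pdu` (scripts/rpki/up_down.py) the `ca_detail is None` test is removed together with the `ca` test, but only the `ca` lookup moved into `child.ca_from_class_name`. `fetch_active` is documented as returning the active ca_detail "if any", so a CA with no active ca_detail now continues past this point with `ca_detail` set to None instead of raising `NotInDatabase`. Keep the guard after the fetch: `if ca_detail is None: raise rpki.exceptions.NotInDatabase`. The rest of serve_pdu lies outside the hunk, so how `ca_detail` is used afterwards cannot be confirmed from here.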
@@ -341,9 +337,7 @@ class revoke_pdu(revoke_syntax):
 def serve_pdu(self, gctx, q_msg, r_msg, child):
 """Serve one revoke request PDU."""
- if not self.class_name.isdigit():
- raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % self.class_name
- for ca_detail in rpki.sql.ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state != 'revoked'" % long(self.class_name)):
+ for ca_detail in child.ca_from_class_name(gctx, self.class_name).ca_details(gctx):
 for child_cert in child.child_certs(gctx, ca_detail = ca_detail, ski = self.get_SKI()):
 child_cert.revoke()
 rpki.sql.sql_sweep(gctx) |