-rwxr-xr-xrpkid/irdbd.py2
-rwxr-xr-xrpkid/pubd.py4
-rwxr-xr-xrpkid/rootd.py2
-rw-r--r--rpkid/rpki/async.py34
-rw-r--r--rpkid/rpki/https.py21
-rw-r--r--rpkid/rpki/ipaddrs.py2
-rw-r--r--rpkid/rpki/left_right.py9
-rw-r--r--rpkid/rpki/rpki_engine.py55
-rw-r--r--rpkid/testbed.1.yaml4
-rw-r--r--rpkid/testbed.py298
10 files changed, 246 insertions, 185 deletions
diff --git a/rpkid/irdbd.py b/rpkid/irdbd.py
index 45ae619a..8d7c7c2b 100755
--- a/rpkid/irdbd.py
+++ b/rpkid/irdbd.py
@@ -27,7 +27,7 @@ import tlslite.api, MySQLdb, lxml.etree
import rpki.https, rpki.config, rpki.resource_set, rpki.relaxng
import rpki.exceptions, rpki.left_right, rpki.log, rpki.x509
-def handler(query, path):
+def handler(query, path, cb):
try:
db.ping()
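Review bot: `handler` gains a `cb` parameter that nothing in the visible body uses, and the same holds for pubd.py's `control_handler` and `client_handler`, rootd.py's `up_down_handler`, and rpki_engine.py's `left_right_handler` and `up_down_handler`. These handlers presumably still return a (status, text) tuple, which the new dispatcher in rpki/https.py accepts, but the contract — return a tuple or call `cb(rcode, rtext)` exactly once, never both — is not written down anywhere. Suggest a docstring on each, e.g. `"""Handle one IRDB query. Returns (status, text); cb is accepted for compatibility with rpki.https and is not used here."""`. The body of `handler` continues outside the hunk.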
diff --git a/rpkid/pubd.py b/rpkid/pubd.py
index f939b6cc..7882095e 100755
--- a/rpkid/pubd.py
+++ b/rpkid/pubd.py
@@ -54,7 +54,7 @@ class pubd_context(object):
self.sql.sweep()
return reply
- def control_handler(self, query, path):
+ def control_handler(self, query, path, cb):
"""Process one PDU from the IRBE."""
rpki.log.trace()
try:
@@ -64,7 +64,7 @@ class pubd_context(object):
rpki.log.error(traceback.format_exc())
return 500, "Unhandled exception %s" % data
- def client_handler(self, query, path):
+ def client_handler(self, query, path, cb):
"""Process one PDU from a client."""
rpki.log.trace()
try:
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index 61580956..c04a827c 100755
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -182,7 +182,7 @@ class sax_handler(rpki.up_down.sax_handler):
class cms_msg(rpki.up_down.cms_msg):
saxify = sax_handler.saxify
-def up_down_handler(query, path):
+def up_down_handler(query, path, cb):
try:
q_msg = cms_msg.unwrap(query, (bpki_ta, child_bpki_cert))
except Exception, data:
diff --git a/rpkid/rpki/async.py b/rpkid/rpki/async.py
new file mode 100644
index 00000000..4dc56d41
--- /dev/null
+++ b/rpkid/rpki/async.py
@@ -0,0 +1,34 @@
+"""
+Utilities for event-driven programming.
+
+$Id$
+
+Copyright (C) 2009 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+"""
+
+class iterator(object):
+ """Iteration construct for event-driven code."""
+
+ def __init__(self, iterable, handler_cb, done_cb):
+ self.handler_cb = handler_cb
+ self.done_cb = done_cb
+ self.iterator = iter(iterable)
+
+ def __call__(self, *ignored):
+ try:
+ self.handler_cb(self.iterator.next())
+ except StopIteration:
+ if self.done_cb is not None:
+ self.done_cb()
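Review bot: The `try` in `__call__` encloses the `handler_cb` call as well as `.next()`, so a StopIteration that escapes from the handler (or from anything it calls synchronously, including a nested use of this class) is indistinguishable from exhaustion: the remaining items are skipped and `done_cb` runs as if the iteration had completed. Narrowing the `try` to the `.next()` call removes that ambiguity. Every caller on this page also re-enters the iterator synchronously from inside its handler, so each item nests one more Python frame; that is fine at testbed sizes but deserves a sentence in the class docstring, e.g. `Handlers that re-enter the iterator synchronously recurse once per item.`
```python
  def __call__(self, *ignored):
    try:
      item = self.iterator.next()
    except StopIteration:
      if self.done_cb is not None:
        self.done_cb()
      return
    self.handler_cb(item)
```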
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index 6dcf58be..1923a18f 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -225,16 +225,25 @@ class requestHandler(BaseHTTPServer.BaseHTTPRequestHandler):
try:
handler = self.rpki_find_handler()
if self.headers["Content-Type"] != rpki_content_type:
- rcode, rtext = 415, "Received Content-Type %s, expected %s" \
- % (self.headers["Content-Type"], rpki_content_type)
+ result = 415, "No handler for Content-Type %s" % self.headers["Content-Type"]
elif handler is None:
- rcode, rtext = 404, "No handler found for URL " + self.path
+ result = 404, "No handler found for URL " + self.path
else:
- rcode, rtext = handler(query = self.rfile.read(int(self.headers["Content-Length"])),
- path = self.path)
+ self.called_back = False
+ result = handler(query = self.rfile.read(int(self.headers["Content-Length"])),
+ path = self.path,
+ cb = self.do_POST_cb)
+ assert result is not None or self.called_back, "Missing HTTPS server callback from %s" % repr(handler)
except Exception, edata:
rpki.log.error(traceback.format_exc())
- rcode, rtext = 500, "Unhandled exception %s" % edata
+ result = 500, "Unhandled exception %s" % edata
+ if result is not None:
+ self.do_POST_cb(result[0], result[1])
+
+ def do_POST_cb(self, rcode, rtext):
+ """Send result back to client."""
+ rpki.log.info("HTTPS server callback")
+ self.called_back = True
self.send_response(rcode)
self.send_header("Content-Type", rpki_content_type)
self.end_headers()
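Review bot: A handler that both calls `cb` and returns a non-None result, or that calls `cb` and then raises, makes do_POST send two responses on one connection: the assert after `result = handler(...)` only rejects the case where neither happened, and the `except` branch unconditionally produces a 500 result that the final `if result is not None:` then sends. `self.called_back` is also assigned only inside the `else` branch, so it is undefined on the 415 and 404 paths. Suggest setting `self.called_back = False` immediately before the `try:`, tightening the assert to `assert (result is None) != self.called_back, ...` so the both-happened case is caught as well, and guarding the final send with `if result is not None and not self.called_back:`. The assert is a development check only (it disappears under `python -O`), so the guard on the final send is the one that must hold in production. `do_POST_cb` continues beyond the end of the hunk.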
diff --git a/rpkid/rpki/ipaddrs.py b/rpkid/rpki/ipaddrs.py
index db6a5891..b79a8daa 100644
--- a/rpkid/rpki/ipaddrs.py
+++ b/rpkid/rpki/ipaddrs.py
@@ -12,7 +12,6 @@ once, here, thus avoiding a lot of duplicate code elsewhere.
$Id$
-
Copyright (C) 2009 Internet Systems Consortium ("ISC")
Permission to use, copy, modify, and distribute this software for any
@@ -27,7 +26,6 @@ LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-
Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
Permission to use, copy, modify, and distribute this software for any
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 82bf93f4..4769cf0e 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -142,7 +142,7 @@ class self_elt(data_elt):
"""
return self.sql_fetch_all(self.gctx)
- def client_poll(self):
+ def client_poll(self, cb):
"""Run the regular client poll cycle with each of this self's parents in turn."""
rpki.log.trace()
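Review bot: `client_poll` now takes `cb` but its docstring still describes only the poll cycle, and the same holds for `update_children` in the next hunk. The following hunks show `cb()` being invoked once at the very end of each body, so an exception raised mid-cycle propagates without `cb` ever running, which rpki_engine.cronjob_handler relies on to send its HTTP response. Suggest appending to both docstrings: `Invokes cb() once the cycle has finished; if an exception propagates, cb is not called.` Both method bodies extend beyond their hunks.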
@@ -164,7 +164,9 @@ class self_elt(data_elt):
ca.delete(parent) # CA not listed by parent
self.gctx.sql.sweep()
- def update_children(self):
+ cb()
+
+ def update_children(self, cb):
"""Check for updated IRDB data for all of this self's children and
issue new certs as necessary. Must handle changes both in
resources and in expiration date.
@@ -205,6 +207,8 @@ class self_elt(data_elt):
ca_detail.generate_manifest()
repository.withdraw(child_cert.cert, child_cert.uri(ca))
+ cb()
+
def regenerate_crls_and_manifests(self):
"""Generate new CRLs and manifests as necessary for all of this
self's CAs. Extracting nextUpdate from a manifest is hard at the
@@ -236,6 +240,7 @@ class self_elt(data_elt):
for route_origin in self.route_origins():
route_origin.update_roa()
+
class bsc_elt(data_elt):
"""<bsc/> (Business Signing Context) element."""
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index a49121c1..1a9a5026 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -19,7 +19,7 @@ PERFORMANCE OF THIS SOFTWARE.
import traceback, os, time, getopt, sys, MySQLdb, lxml.etree
import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509, rpki.sql
-import rpki.https, rpki.config, rpki.exceptions, rpki.relaxng, rpki.log
+import rpki.https, rpki.config, rpki.exceptions, rpki.relaxng, rpki.log, rpki.async
class rpkid_context(object):
"""A container for various global rpkid parameters."""
@@ -75,7 +75,7 @@ class rpkid_context(object):
v6 = r_msg[0].ipv6,
valid_until = r_msg[0].valid_until)
- def left_right_handler(self, query, path):
+ def left_right_handler(self, query, path, cb):
"""Process one left-right PDU."""
rpki.log.trace()
try:
@@ -91,7 +91,7 @@ class rpkid_context(object):
rpki.log.error(traceback.format_exc())
return 500, "Unhandled exception %s" % data
- def up_down_handler(self, query, path):
+ def up_down_handler(self, query, path, cb):
"""Process one up-down PDU."""
rpki.log.trace()
try:
@@ -109,28 +109,39 @@ class rpkid_context(object):
rpki.log.error(traceback.format_exc())
return 400, "Could not process PDU: %s" % data
- def cronjob_handler(self, query, path):
- """Periodic tasks. As simple as possible for now, may need to break
- this up into separate handlers later.
- """
+ def cronjob_handler(self, query, path, cb):
+ """Periodic tasks. This will need another rewrite once we have internal timers."""
rpki.log.trace()
- try:
- self.sql.ping()
- for s in rpki.left_right.self_elt.sql_fetch_all(self):
- rpki.log.debug("Self %s polling parents" % s.self_id)
- s.client_poll()
- rpki.log.debug("Self %s updating children" % s.self_id)
- s.update_children()
- rpki.log.debug("Self %s updating ROAs" % s.self_id)
- s.update_roas()
- rpki.log.debug("Self %s regenerating CRLs and manifests" % s.self_id)
- s.regenerate_crls_and_manifests()
+ self.sql.ping()
+
+ def cronjob_done():
self.sql.sweep()
- return 200, "OK"
- except Exception, data:
- rpki.log.error(traceback.format_exc())
- return 500, "Unhandled exception %s" % data
+ cb(200, "OK")
+
+ self.cronjob_iterator = rpki.async.iterator(rpki.left_right.self_elt.sql_fetch_all(self),
+ self.cronjob_do_one, cronjob_done)
+ self.cronjob_iterator()
+
+ def cronjob_do_one(self, s):
+ """Handle periodic tasks for one <self_elt/>."""
+
+ def client_poll():
+ rpki.log.debug("Self %s polling parents" % s.self_id)
+ s.client_poll(update_children)
+
+ def update_children():
+ rpki.log.debug("Self %s updating children" % s.self_id)
+ s.update_children(update_roas_crls_and_manifests)
+
+ def update_roas_crls_and_manifests():
+ rpki.log.debug("Self %s updating ROAs" % s.self_id)
+ s.update_roas()
+ rpki.log.debug("Self %s regenerating CRLs and manifests" % s.self_id)
+ s.regenerate_crls_and_manifests()
+ self.cronjob_iterator()
+
+ client_poll()
## @var https_ta_cache
# HTTPS trust anchor cache, to avoid regenerating it for every TLS connection.
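Review bot: `self.cronjob_iterator` is stored on the shared rpkid_context and never cleared, so a cronjob request that arrives while an earlier cycle is still in flight silently replaces the iterator, and the earlier request's `cb` is then never invoked. In the code as it stands every callback fires synchronously, so the two cycles cannot actually overlap yet, but the new docstring says this is heading towards internal timers, where they can. Suggest the guard the testbed already uses: `assert not hasattr(self, "cronjob_iterator")` before the assignment and `del self.cronjob_iterator` in `cronjob_done` before `cb(200, "OK")`. With the old try/except gone, an exception in any step now propagates to rpki.https (which answers 500) without running `self.sql.sweep()` and, with that guard in place, would leave the attribute set and block every later cron run, so the kick-off `self.cronjob_iterator()` call should clear the attribute on the exception path before re-raising.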
diff --git a/rpkid/testbed.1.yaml b/rpkid/testbed.1.yaml
index e53b63b6..d8afc3de 100644
--- a/rpkid/testbed.1.yaml
+++ b/rpkid/testbed.1.yaml
@@ -34,6 +34,8 @@ kids:
- asn: 666
ipv4: 10.3.0.44/32
---
+- shell set -x; cd ../../rtr-origin && python rtr-origin.py --cronjob ../rpkid/testbed.dir/rcynic-data/authenticated && python rtr-origin.py --show
+---
- name: R0
rekey:
---
@@ -47,6 +49,8 @@ kids:
- asn: 17
ipv4: 10.3.0.1/32, 10.0.0.44/32
---
+- shell set -x; cd ../../rtr-origin && python rtr-origin.py --cronjob ../rpkid/testbed.dir/rcynic-data/authenticated && python rtr-origin.py --show
+---
- sleep 30
---
- sleep 30
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index 16cf2b7c..2b3957c7 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -19,7 +19,21 @@ things that don't belong in yaml_script.
$Id$
-Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+Copyright (C) 2009 Internet Systems Consortium ("ISC")
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THIS SOFTWARE.
+
+Portions copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
@@ -36,7 +50,7 @@ PERFORMANCE OF THIS SOFTWARE.
import os, yaml, MySQLdb, subprocess, signal, time, re, getopt, sys, lxml, traceback
import rpki.resource_set, rpki.sundial, rpki.x509, rpki.https
-import rpki.log, rpki.left_right, rpki.config, rpki.publication
+import rpki.log, rpki.left_right, rpki.config, rpki.publication, rpki.async
os.environ["TZ"] = "UTC"
time.tzset()
@@ -126,24 +140,6 @@ pub_sql_file = cfg.get("pub_sql_file", "pubd.sql")
startup_delay = int(cfg.get("startup_delay", "10"))
-class async_iterator(object):
- """Experimental iteration construct for event-driven code. This
- belongs in the library eventually, but it's easier to debug the
- initial version here.
- """
-
- def __init__(self, iterable, handler_cb, done_cb):
- self.handler_cb = handler_cb
- self.done_cb = done_cb
- self.iterator = iter(iterable)
-
- def __call__(self):
- try:
- self.handler_cb(self.iterator.next())
- except StopIteration:
- if self.done_cb is not None:
- self.done_cb()
-
class main(object):
"""Main program, implemented as a class to handle asynchronous I/O
in underlying libraries.
@@ -229,12 +225,14 @@ class main(object):
time.sleep(startup_delay)
assert not hasattr(self, "iterator")
- self.iterator = async_iterator(self.db.engines, self.create_rpki_objects, self.created_rpki_objects)
+ self.iterator = rpki.async.iterator(self.db.engines, self.create_rpki_objects, self.created_rpki_objects)
self.iterator()
# At this point we have gone into (pseudo) event-driven code.
# See comments above about cleanup of this try/finally code
+ rpki.log.info("All done")
+
# Clean up
finally:
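Review bot: `rpki.log.info("All done")` runs as soon as `self.iterator()` returns, which is only true because every callback on this page fires synchronously; the comment just above says this is (pseudo) event-driven code, so once a real event loop arrives this line will log before any work has finished. Suggest either moving it into the terminal done callback (presumably the "No more deltas to apply" branch of `run_yaml`) or relabelling it, e.g. `rpki.log.info("Event-driven section started")`. The enclosing try/finally begins outside the hunk.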
@@ -253,8 +251,7 @@ class main(object):
def create_rpki_objects(self, a):
"""Create objects in RPKI engines"""
- a.create_rpki_objects()
- self.iterator()
+ a.create_rpki_objects(self.iterator)
def created_rpki_objects(self):
del self.iterator
@@ -273,14 +270,11 @@ class main(object):
# Run cron in all RPKI instances
assert not hasattr(self, "iterator")
- self.iterator = async_iterator(self.db.engines, self.run_cron, self.run_yaml)
+ self.iterator = rpki.async.iterator(self.db.engines, self.run_cron, self.run_yaml)
self.iterator()
def run_cron(self, a):
- a.run_cron(self.run_cron_cb)
-
- def run_cron_cb(self, *ignored):
- self.iterator()
+ a.run_cron(self.iterator)
def run_yaml(self):
del self.iterator
@@ -294,11 +288,8 @@ class main(object):
# If we've run out of deltas to apply, we're done
if not yaml_script:
-
rpki.log.info("No more deltas to apply, done")
-
else:
-
rpki.log.info("Applying deltas")
self.db.apply_delta(yaml_script.pop(0), self.apply_delta_done)
@@ -404,7 +395,7 @@ class allocation_db(list):
else:
self.cb = cb
assert not hasattr(self, "iterator")
- self.iterator = async_iterator(delta, self.apply_one_delta, self.apply_delta_done)
+ self.iterator = rpki.async.iterator(delta, self.apply_one_delta, self.apply_delta_done)
self.iterator()
def apply_one_delta(self, d):
@@ -478,7 +469,7 @@ class allocation(object):
rpki.log.info("Applying delta: %s" % yaml)
self.apply_delta_caller_cb = cb
assert not hasattr(self, "iterator")
- self.iterator = async_iterator(yaml.items(), self.apply_one_delta, self.apply_delta_done)
+ self.iterator = rpki.async.iterator(yaml.items(), self.apply_one_delta, self.apply_delta_done)
self.iterator()
def apply_one_delta(self, kv):
@@ -734,7 +725,7 @@ class allocation(object):
raise RuntimeError, msg
return rpki.x509.X509(Auto_file = certfile)
- def create_rpki_objects(self):
+ def create_rpki_objects(self, cb):
"""Create RPKI engine objects for this engine.
Parent and child objects are tricky:
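Review bot: `create_rpki_objects` now takes `cb`, but neither the docstring here nor the sentence appended to it in the following hunk says when `cb` fires; suggest adding `cb() is invoked once the self, BSC, repository, parent, child and route_origin objects have all been created.` to the docstring. In the following hunk, where the former numbered methods become closures, `do_one_kid_cb` and `do_one_ro_cb` can capture `kid` and `ro` from their enclosing functions directly, which makes `self.kid = kid`, `self.ro = ro` and the `hasattr`/`del` cleanup in `kids_done` and `cleanup` unnecessary. The docstring continues into the next hunk.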
@@ -750,128 +741,137 @@ class allocation(object):
Root node of the engine tree is special, it too has a parent but
that one is the magic self-signed micro engine.
- """
- self_ca = rpki.x509.X509(Auto_file = self.name + "-SELF-1.cer")
- rpki.log.info("Creating rpkid self object for %s" % self.name)
- self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "create", crl_interval = self.crl_interval, regen_margin = self.regen_margin, bpki_cert = self_ca),
- cb = self.create_rpki_objects_1)
-
- def create_rpki_objects_1(self, val):
- self.self_id = val.self_id
-
- rpki.log.info("Creating rpkid BSC object for %s" % self.name)
- self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "create", self_id = self.self_id, generate_keypair = True),
- cb = self.create_rpki_objects_2)
-
- def create_rpki_objects_2(self, val):
- self.bsc_id = val.bsc_id
-
- rpki.log.info("Issuing BSC EE cert for %s" % self.name)
- cmd = (prog_openssl, "x509", "-req", "-sha256", "-extfile", self.name + "-RPKI.conf", "-extensions", "req_x509_ext", "-days", "30",
- "-CA", self.name + "-SELF-1.cer", "-CAkey", self.name + "-SELF-1.key", "-CAcreateserial", "-text")
- signer = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
- signed = signer.communicate(input = val.pkcs10_request.get_PEM())
- if not signed[0]:
- rpki.log.error(signed[1])
- raise RuntimeError, "Couldn't issue BSC EE certificate"
- bsc_ee = rpki.x509.X509(PEM = signed[0])
- bsc_crl = rpki.x509.CRL(PEM_file = self.name + "-SELF-1.crl")
-
- rpki.log.info("Installing BSC EE cert for %s" % self.name)
- self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = bsc_ee, signing_cert_crl = bsc_crl),
- cb = self.create_rpki_objects_3)
-
- def create_rpki_objects_3(self, val):
-
- rpki.log.info("Creating pubd client object for %s" % self.name)
- client_cert = self.cross_certify(pubd_name + "-TA", reverse = True)
- call_pubd(rpki.publication.client_elt.make_pdu(action = "create", base_uri = self.sia_base, bpki_cert = client_cert),
- cb = self.create_rpki_objects_4)
-
- def create_rpki_objects_4(self, val):
- client_id = val.client_id
-
- rpki.log.info("Creating rpkid repository object for %s" % self.name)
- repository_cert = self.cross_certify(pubd_name + "-TA")
- self.call_rpkid(rpki.left_right.repository_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id,
- bpki_cms_cert = repository_cert, bpki_https_cert = repository_cert,
- peer_contact_uri = "https://localhost:%d/client/%d" % (pubd_port, client_id)),
- cb = self.create_rpki_objects_5)
-
- def create_rpki_objects_5(self, val):
- self.repository_id = val.repository_id
-
- rpki.log.info("Creating rpkid parent object for %s" % self.name)
- if self.is_root():
- rootd_cert = self.cross_certify(rootd_name + "-TA")
- self.call_rpkid(rpki.left_right.parent_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id,
- repository_id = self.repository_id, sia_base = self.sia_base,
- bpki_cms_cert = rootd_cert, bpki_https_cert = rootd_cert, sender_name = self.name, recipient_name = "Walrus",
- peer_contact_uri = "https://localhost:%s/" % rootd_port),
- cb = self.create_rpki_objects_6)
- else:
- parent_cms_cert = self.cross_certify(self.parent.name + "-SELF-1")
- parent_https_cert = self.cross_certify(self.parent.name + "-TA")
- self.call_rpkid(rpki.left_right.parent_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id,
- repository_id = self.repository_id, sia_base = self.sia_base,
- bpki_cms_cert = parent_cms_cert, bpki_https_cert = parent_https_cert,
- sender_name = self.name, recipient_name = self.parent.name,
- peer_contact_uri = "https://localhost:%s/up-down/%s" % (self.parent.rpki_port, self.child_id)),
- cb = self.create_rpki_objects_6)
-
- def create_rpki_objects_6(self, val):
- self.parent_id = val.parent_id
-
- rpki.log.info("Creating rpkid child objects for %s" % self.name)
- self.sql_db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass)
- self.sql_cur = self.sql_db.cursor()
- assert not hasattr(self, "iterator")
- self.iterator = async_iterator(self.kids, self.create_rpki_objects_7, self.create_rpki_objects_8)
- self.iterator()
+ The rest of this is straightforward, just nasty because of all the
+ protocol callbacks.
+ """
- def create_rpki_objects_7(self, kid):
- self.kid = kid
- if kid.is_leaf():
- bpki_cert = self.cross_certify(kid.name + "-TA")
- else:
- bpki_cert = self.cross_certify(kid.name + "-SELF-1")
- rpki.log.info("Creating rpkid child object for %s as child of %s" % (kid.name, self.name))
- self.call_rpkid(rpki.left_right.child_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id, bpki_cert = bpki_cert),
- cb = self.create_rpki_objects_7_cb)
-
- def create_rpki_objects_7_cb(self, val):
- self.kid.child_id = val.child_id
- self.sql_cur.execute("UPDATE registrant SET rpki_self_id = %s, rpki_child_id = %s WHERE IRBE_mapped_id = %s", (self.self_id, self.kid.child_id, self.kid.name))
- self.iterator()
+ def start():
+ self_ca = rpki.x509.X509(Auto_file = self.name + "-SELF-1.cer")
+
+ rpki.log.info("Creating rpkid self object for %s" % self.name)
+ self.call_rpkid(rpki.left_right.self_elt.make_pdu(action = "create", crl_interval = self.crl_interval, regen_margin = self.regen_margin, bpki_cert = self_ca),
+ cb = got_self_id)
+
+ def got_self_id(val):
+ self.self_id = val.self_id
+
+ rpki.log.info("Creating rpkid BSC object for %s" % self.name)
+ self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "create", self_id = self.self_id, generate_keypair = True),
+ cb = got_bsc_id)
+
+ def got_bsc_id(val):
+ self.bsc_id = val.bsc_id
+
+ rpki.log.info("Issuing BSC EE cert for %s" % self.name)
+ cmd = (prog_openssl, "x509", "-req", "-sha256", "-extfile", self.name + "-RPKI.conf", "-extensions", "req_x509_ext", "-days", "30",
+ "-CA", self.name + "-SELF-1.cer", "-CAkey", self.name + "-SELF-1.key", "-CAcreateserial", "-text")
+ signer = subprocess.Popen(cmd, stdin = subprocess.PIPE, stdout = subprocess.PIPE, stderr = subprocess.PIPE)
+ signed = signer.communicate(input = val.pkcs10_request.get_PEM())
+ if not signed[0]:
+ rpki.log.error(signed[1])
+ raise RuntimeError, "Couldn't issue BSC EE certificate"
+ bsc_ee = rpki.x509.X509(PEM = signed[0])
+ bsc_crl = rpki.x509.CRL(PEM_file = self.name + "-SELF-1.crl")
+
+ rpki.log.info("Installing BSC EE cert for %s" % self.name)
+ self.call_rpkid(rpki.left_right.bsc_elt.make_pdu(action = "set", self_id = self.self_id, bsc_id = self.bsc_id, signing_cert = bsc_ee, signing_cert_crl = bsc_crl),
+ cb = bsc_ee_set)
+
+ def bsc_ee_set(val):
+
+ rpki.log.info("Creating pubd client object for %s" % self.name)
+ client_cert = self.cross_certify(pubd_name + "-TA", reverse = True)
+ call_pubd(rpki.publication.client_elt.make_pdu(action = "create", base_uri = self.sia_base, bpki_cert = client_cert),
+ cb = got_client_id)
+
+ def got_client_id(val):
+ client_id = val.client_id
+
+ rpki.log.info("Creating rpkid repository object for %s" % self.name)
+ repository_cert = self.cross_certify(pubd_name + "-TA")
+ self.call_rpkid(rpki.left_right.repository_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id,
+ bpki_cms_cert = repository_cert, bpki_https_cert = repository_cert,
+ peer_contact_uri = "https://localhost:%d/client/%d" % (pubd_port, client_id)),
+ cb = got_repository_id)
+
+ def got_repository_id(val):
+ self.repository_id = val.repository_id
+
+ rpki.log.info("Creating rpkid parent object for %s" % self.name)
+ if self.is_root():
+ rootd_cert = self.cross_certify(rootd_name + "-TA")
+ self.call_rpkid(rpki.left_right.parent_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id,
+ repository_id = self.repository_id, sia_base = self.sia_base,
+ bpki_cms_cert = rootd_cert, bpki_https_cert = rootd_cert, sender_name = self.name, recipient_name = "Walrus",
+ peer_contact_uri = "https://localhost:%s/" % rootd_port),
+ cb = got_parent_id)
+ else:
+ parent_cms_cert = self.cross_certify(self.parent.name + "-SELF-1")
+ parent_https_cert = self.cross_certify(self.parent.name + "-TA")
+ self.call_rpkid(rpki.left_right.parent_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id,
+ repository_id = self.repository_id, sia_base = self.sia_base,
+ bpki_cms_cert = parent_cms_cert, bpki_https_cert = parent_https_cert,
+ sender_name = self.name, recipient_name = self.parent.name,
+ peer_contact_uri = "https://localhost:%s/up-down/%s" % (self.parent.rpki_port, self.child_id)),
+ cb = got_parent_id)
+
+ def got_parent_id(val):
+ self.parent_id = val.parent_id
+
+ rpki.log.info("Creating rpkid child objects for %s" % self.name)
+ self.sql_db = MySQLdb.connect(user = "irdb", db = self.irdb_db_name, passwd = irdb_db_pass)
+ self.sql_cur = self.sql_db.cursor()
+ assert not hasattr(self, "iterator")
+ self.iterator = rpki.async.iterator(self.kids, do_one_kid, kids_done)
+ self.iterator()
- def create_rpki_objects_8(self):
- self.sql_db.close()
- del self.iterator
- del self.sql_cur
- del self.sql_db
- if hasattr(self, "kid"):
- del self.kid
+ def do_one_kid(kid):
+ self.kid = kid
+ if kid.is_leaf():
+ bpki_cert = self.cross_certify(kid.name + "-TA")
+ else:
+ bpki_cert = self.cross_certify(kid.name + "-SELF-1")
+ rpki.log.info("Creating rpkid child object for %s as child of %s" % (kid.name, self.name))
+
+ def do_one_kid_cb(val):
+ self.kid.child_id = val.child_id
+ self.sql_cur.execute("UPDATE registrant SET rpki_self_id = %s, rpki_child_id = %s WHERE IRBE_mapped_id = %s", (self.self_id, self.kid.child_id, self.kid.name))
+ self.iterator()
+
+ self.call_rpkid(rpki.left_right.child_elt.make_pdu(action = "create", self_id = self.self_id, bsc_id = self.bsc_id, bpki_cert = bpki_cert),
+ cb = do_one_kid_cb)
+
+ def kids_done():
+ self.sql_db.close()
+ del self.iterator
+ del self.sql_cur
+ del self.sql_db
+ if hasattr(self, "kid"):
+ del self.kid
+
+ rpki.log.info("Creating rpkid route_origin objects for %s" % self.name)
+ assert not hasattr(self, "iterator")
+ self.iterator = rpki.async.iterator(self.route_origins, do_one_ro, cleanup)
+ self.iterator()
- rpki.log.info("Creating rpkid route_origin objects for %s" % self.name)
- assert not hasattr(self, "iterator")
- self.iterator = async_iterator(self.route_origins, self.create_rpki_objects_9, self.create_rpki_objects_10)
- self.iterator()
+ def do_one_ro(ro):
+ self.ro = ro
+ self.call_rpkid(rpki.left_right.route_origin_elt.make_pdu(action = "create", self_id = self.self_id,
+ as_number = ro.asn, ipv4 = ro.v4, ipv6 = ro.v6),
+ cb = do_one_ro_cb)
- def create_rpki_objects_9(self, ro):
- self.ro = ro
- self.call_rpkid(rpki.left_right.route_origin_elt.make_pdu(action = "create", self_id = self.self_id,
- as_number = ro.asn, ipv4 = ro.v4, ipv6 = ro.v6),
- cb = self.create_rpki_objects_9_cb)
+ def do_one_ro_cb(val):
+ self.ro.route_origin_id = val.route_origin_id
+ self.iterator()
- def create_rpki_objects_9_cb(self, val):
- self.ro.route_origin_id = val.route_origin_id
- self.iterator()
+ def cleanup():
+ if hasattr(self, "ro"):
+ del self.ro
+ del self.iterator
+ cb()
- def create_rpki_objects_10(self):
- if hasattr(self, "ro"):
- del self.ro
- del self.iterator
+ start()
def setup_yaml_leaf(self):
"""Generate certificates and write YAML scripts for leaf nodes.