-rw-r--r-- | rpkid/rpki-confgen.py | 150 | ||||
-rw-r--r-- | rpkid/rpki-confgen.xml | 723 |
2 files changed, 873 insertions, 0 deletions
diff --git a/rpkid/rpki-confgen.py b/rpkid/rpki-confgen.py
new file mode 100644
index 00000000..ea2fcaff
--- /dev/null
+++ b/rpkid/rpki-confgen.py
@@ -0,0 +1,150 @@
+import sys
+import getopt
+import textwrap
+
+from lxml.etree import Element, SubElement, ElementTree
+
+text_wrapper = textwrap.TextWrapper()
+item_wrapper = textwrap.TextWrapper(initial_indent = " ", subsequent_indent = " ")
+conf_wrapper = textwrap.TextWrapper(initial_indent = "# ", subsequent_indent = "# ")
+
+class Option(object):
+
+ def __init__(self, name, value, doc):
+ self.name = name
+ self.value = value
+ self.doc = doc
+
+ @property
+ def width(self):
+ return len(self.name)
+
+ def to_xml(self):
+ x = Element("option", name = self.name, value = self.value)
+ for d in self.doc:
+ SubElement(x, "doc").text = "\n" + text_wrapper.fill(d) + "\n"
+ return x
+
+ def to_wiki(self, f):
+ f.write("\n%s::" % self.name)
+ for d in self.doc:
+ f.write("\n%s\n" % item_wrapper.fill(d))
+
+ def to_conf(self, f, width):
+ for d in self.doc:
+ f.write("\n%s\n" % conf_wrapper.fill(d))
+ f.write("\n%-*s = %s\n" % (width, self.name, self.value))
+
+class Section(object):
+
+ def __init__(self, name):
+ self.name = name
+ self.doc = []
+ self.options = []
+
+ @property
+ def width(self):
+ return max(o.width for o in self.options)
+
+ @classmethod
+ def from_xml(cls, elt):
+ self = cls(name = elt.get("name"))
+ for x in elt.iterchildren("doc"):
+ self.doc.append(" ".join(x.text.split()))
+ for x in elt.iterchildren("option"):
+ self.options.append(Option(name = x.get("name"), value = x.get("value"),
+ doc = [" ".join(d.text.split())
+ for d in x.iterchildren("doc")]))
+ return self
+
+ def to_xml(self):
+ x = Element("section", name = self.name)
+ for d in self.doc:
+ SubElement(x, "doc").text = "\n" + text_wrapper.fill(d) + "\n"
+ x.extend(o.to_xml() for o in self.options)
+ return x
+
+ def to_wiki(self, f):
+ f.write('''\
+{{{
+#!comment
+THIS PAGE WAS GENERATED AUTOMATICALLY, DO NOT EDIT.
+
+Generated from ''' + ident + '''
+by $Id$
+}}}
+
+= ![''' + self.name + '''] section =
+''')
+ for d in self.doc:
+ f.write("\n%s\n" % text_wrapper.fill(d))
+ for o in self.options:
+ o.to_wiki(f)
+
+ def to_conf(self, f, width):
+ f.write('''
+################################################################################
+
+[''' + self.name + ''']
+''')
+ for d in self.doc:
+ f.write("\n%s\n" % conf_wrapper.fill(d))
+ for o in self.options:
+ o.to_conf(f, width)
+
+sections = []
+index = None
+ident = None
+
+opts, argv = getopt.getopt(sys.argv[1:], "", ["read-xml=", "write-xml=", "write-wiki=", "write-conf=", "set="])
+for o, a in opts:
+
+ if o == "--read-xml":
+ index = None
+ root = ElementTree(file = a).getroot()
+ ident = root.get("ident")
+ sections.extend(Section.from_xml(x) for x in root)
+ index = {}
+ for section in sections:
+ for option in section.options:
+ name = (section.name, option.name)
+ if name in index:
+ sys.exit("Duplicate entry for section \"%s\" option \"%s\"" % name)
+ index[name] = option
+
+ elif o == "--set":
+ try:
+ name, value = a.split("=", 1)
+ section, option = name.split(":")
+ except ValueError:
+ sys.exit("Couldn't parse --set specification \"%s\"" % a)
+ name = (section, option)
+ if name not in index:
+ sys.exit("Couldn't find section \"%s\" option \"%s\"" % name)
+ index[name].value = value
+
+ elif o == "--write-xml":
+ x = Element("configuration", ident = ident)
+ x.extend(s.to_xml() for s in sections)
+ ElementTree(x).write(a, pretty_print = True, encoding = "us-ascii")
+
+ elif o == "--write-wiki":
+ with open(a, "w") as f:
+ for i, section in enumerate(sections):
+ if i:
+ f.write("\f\n")
+ section.to_wiki(f)
+
+ elif o == "--write-conf":
+ with open(a, "w") as f:
+ f.write('''\
+# Automatically generated. Edit if you like, but be careful of overwriting.
+# Generated from ''' + ident + '''
+# by $Id
+''')
+ width = max(s.width for s in sections)
+ for section in sections:
+ section.to_conf(f, width)
+
+if argv:
+ sys.exit("Unexpected arguments %s" % argv)
diff --git a/rpkid/rpki-confgen.xml b/rpkid/rpki-confgen.xml
new file mode 100644
index 00000000..b5eda66c
--- /dev/null
+++ b/rpkid/rpki-confgen.xml
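Review bot: The `--set` branch dereferences `index` before any `--read-xml` has populated it: `index` starts as `None` at module level, so `if name not in index:` raises a TypeError rather than the usage error every other failure in this loop reports via `sys.exit`, and `--write-xml`/`--write-conf` likewise hit `ident = None` (`Element(..., ident = None)` and `''' + ident + '''`) when given before `--read-xml`. A guard at the top of the branch, `if index is None: sys.exit("--set must follow --read-xml")`, with the same check on `ident` in the write branches, keeps option ordering mistakes on the intended path. `Section.from_xml` also calls `x.text.split()` on every `<doc>`, so an empty `<doc/>` (text is None) would raise AttributeError; `(x.text or "").split()` tolerates it. If the XML input ever comes from outside the build tree, `ElementTree(file = a)` uses lxml's default parser, which resolves entities, so constructing it with `parser = XMLParser(resolve_entities = False)` is the cautious choice.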
@@ -0,0 +1,723 @@
+<!-- $Id$ -->
+
+<configuration ident = "$Id$">
+
+ <section name = "myrpki">
+
+ <option name = "handle"
+ value = "@HANDLE@">
+ <doc>
+ Handle naming hosted resource-holding entity (<self/>) represented
+ by this myrpki instance. Syntax is an identifier (ASCII letters,
+ digits, hyphen, underscore -- no whitespace, non-ASCII characters,
+ or other punctuation). You need to set this.
+ </doc>
+ </option>
+
+ <option name = "bpki_servers_directory"
+ value = "@DATAROOTDIR@/rpki">
+ <doc>
+ Directory for BPKI files generated by rpkic and used by rpkid and pubd.
+ Default is where we expect autoconf to decide that our data files
+ belong, you might want or need to change this. In the long term
+ this should be handled by a setup wizard.
+ </doc>
+ </option>
+
+ <option name = "run_rpkid"
+ value = "True">
+ <doc>
+ Whether you want to run your own copy of rpkid (and irdbd). You
+ want this on unless somebody else is hosting rpkid service for you.
+ </doc>
+ </option>
+
+ <option name = "rpkid_server_host"
+ value = "rpkid.example.org">
+ <doc>
+ DNS hostname for rpkid. Must be publicly reachable to be useful.
+ </doc>
+ </option>
+
+ <option name = "rpkid_server_port"
+ value = "4404">
+ <doc>
+ Server port number for rpkid, can be any legal TCP port number
+ that you're not using for something else.
+ </doc>
+ </option>
+
+ <option name = "irdbd_server_host"
+ value = "localhost">
+ <doc>
+ DNS hostname for irdbd. This should be localhost unless you
+ really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irdbd_server_port"
+ value = "4403">
+ <doc>
+ Server port number for irdbd, can be any legal TCP port number
+ that you're not using for something else.
+ </doc>
+ </option>
+
+ <option name = "run_pubd"
+ value = "False">
+ <doc>
+ Whether you want to run your own copy of pubd. In general, it's
+ best to use your parent's pubd if you can, to reduce the overall
+ number of publication sites that relying parties need to check, so
+ don't enable this unless you have a good reason.
+ </doc>
+ </option>
+
+ <option name = "pubd_server_host"
+ value = "pubd.example.org">
+ <doc>
+ DNS hostname for pubd, if you're running it. Must be publicly
+ reachable to be useful.
+ </doc>
+ </option>
+
+ <option name = "pubd_server_port"
+ value = "4402">
+ <doc>
+ Server port number for pubd, can be any legal TCP port number that
+ you're not using for something else.
+ </doc>
+ </option>
+
+ <option name = "pubd_contact_info"
+ value = "repo-man@rpki.example.org">
+ <doc>
+ Contact information to include in offers of repository service.
+ This only matters when we're running pubd. This should be a human
+ readable string, perhaps containing an email address or URL.
+ </doc>
+ </option>
+
+ <option name = "run_rootd"
+ value = "False">
+ <doc>
+ Whether you want to run your very own copy of rootd. Don't enable
+ this unless you really know what you're doing.
+ </doc>
+ </option>
+
+ <option name = "rootd_server_host"
+ value = "localhost">
+ <doc>
+ DNS hostname for rootd, if you're running it. This should be
+ localhost unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "rootd_server_port"
+ value = "4401">
+ <doc>
+ Server port number for rootd, if you're running it. This can be any
+ legal TCP port number that you're not using for something else.
+ </doc>
+ </option>
+
+ <option name = "publication_base_directory"
+ value = "@DATAROOTDIR@/rpki/publication">
+ <doc>
+ Root of local directory tree where pubd should write out published
+ data. You need to configure this, and the configuration should
+ match up with the directory where you point rsyncd. Neither pubd
+ nor rsyncd much cares //where// you tell it to put this stuff, the
+ important thing is that the rsync URIs in generated
+ certificates match up with the published objects so that relying
+ parties can find and verify rpkid's published outputs.
+ </doc>
+ </option>
+
+ <option name = "publication_root_cert_directory"
+ value = "${myrpki::publication_base_directory}.root">
+ <doc>
+ Root of local directory tree where rootd (sigh) should write out
+ published data. This is just like publication_base_directory, but
+ rootd is too dumb to use pubd and needs its own directory in
+ which to write one certificate, one CRL, and one manifest.
+ Neither rootd nor rsyncd much cares //where// you tell them to put
+ this stuff, the important thing is that the rsync URIs in
+ generated certificates match up with the published objects so that
+ relying parties can find and verify rootd's published outputs.
+ </doc>
+ </option>
+
+ <option name = "publication_rsync_module"
+ value = "rpki">
+ <doc>
+ rsyncd module name corresponding to publication_base_directory.
+ This has to match the module you configured into rsyncd.conf.
+ Leave this alone unless you have some need to change it.
+ </doc>
+ </option>
+
+ <option name = "publication_root_module"
+ value = "root">
+ <doc>
+ rsyncd module name corresponding to publication_root_cert_directory.
+ This has to match the module you configured into rsyncd.conf.
+ Leave this alone unless you have some need to change it.
+ </doc>
+ </option>
+
+ <option name = "publication_rsync_server"
+ value = "${myrpki::pubd_server_host}">
+ <doc>
+ Hostname and optional port number for rsync URIs. In most cases
+ this should just be the same value as pubd_server_host.
+ </doc>
+ </option>
+
+ <option name = "start_rpkid"
+ value = "${myrpki::run_rpkid}">
+ <doc>
+ rpkid startup control. This should usually have the same value as
+ run_rpkid: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_rpkid controls whether the back-end code is doing things to
+ manage rpkid, while start_rpkid controls whether
+ rpki-start-servers attempts to start rpkid on this machine.
+ </doc>
+ </option>
+
+ <option name = "start_irdbd"
+ value = "${myrpki::run_rpkid}">
+ <doc>
+ irdbd startup control. This should usually have the same value as
+ run_rpkid: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_rpkid controls whether the back-end code is doing things to
+ manage rpkid, while start_irdbd controls whether
+ rpki-start-servers attempts to start irdbd on this machine.
+ </doc>
+ </option>
+
+ <option name = "start_pubd"
+ value = "${myrpki::run_pubd}">
+ <doc>
+ pubd startup control. This should usually have the same value as
+ run_pubd: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_pubd controls whether the back-end code is doing things to
+ manage pubd, while start_pubd controls whether
+ rpki-start-servers attempts to start pubd on this machine.
+ </doc>
+ </option>
+
+ <option name = "start_rootd"
+ value = "${myrpki::run_rootd}">
+ <doc>
+ rootd startup control. This should usually have the same value as
+ run_rootd: the only case where you would want to change this is
+ when you are running the back-end code on a different machine from
+ one or more of the daemons, in which case you need finer control
+ over which daemons to start on which machines. In such cases,
+ run_rootd controls whether the back-end code is doing things to
+ manage rootd, while start_rootd controls whether
+ rpki-start-servers attempts to start rootd on this machine.
+ </doc>
+ </option>
+
+ <option name = "shared_sql_username"
+ value = "rpki">
+ <doc>
+ If you're comfortable with having all of the databases use the
+ same MySQL username, set that value here. The default setting of
+ this variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "shared_sql_password"
+ value = "fnord">
+ <doc>
+ If you're comfortable with having all of the databases use the same
+ MySQL password, set that value here. You should use a locally
+ generated password either here or in the individual settings below.
+ </doc>
+ </option>
+
+ <option name = "rpkid_sql_database"
+ value = "rpkid">
+ <doc>
+ SQL database name for rpkid's database. The default setting of
+ this variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "rpkid_sql_username"
+ value = "${myrpki::shared_sql_username}">
+ <doc>
+ If you want to use a separate SQL username for rpkid's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "rpkid_sql_password"
+ value = "${myrpki::shared_sql_password}">
+ <doc>
+ If you want to use a separate SQL password for rpkid's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "irdbd_sql_database"
+ value = "irdbd">
+ <doc>
+ SQL database for irdbd's database. The default setting of this
+ variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "irdbd_sql_username"
+ value = "${myrpki::shared_sql_username}">
+ <doc>
+ If you want to use a separate SQL username for irdbd's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "irdbd_sql_password"
+ value = "${myrpki::shared_sql_password}">
+ <doc>
+ If you want to use a separate SQL password for irdbd's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "pubd_sql_database"
+ value = "pubd">
+ <doc>
+ SQL database name for pubd's database. The default setting of
+ this variable should be fine.
+ </doc>
+ </option>
+
+ <option name = "pubd_sql_username"
+ value = "${myrpki::shared_sql_username}">
+ <doc>
+ If you want to use a separate SQL username for pubd's database,
+ set it here.
+ </doc>
+ </option>
+
+ <option name = "pubd_sql_password"
+ value = "${myrpki::shared_sql_password}">
+ <doc>
+ If you want to use a separate SQL password for pubd's database,
+ set it here.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "rpkid">
+
+ <option name = "sql-database"
+ value = "${myrpki::rpkid_sql_database}">
+ <doc>
+ MySQL database name for rpkid.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::rpkid_sql_username}">
+ <doc>
+ MySQL user name for rpkid.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::rpkid_sql_password}">
+ <doc>
+ MySQL password for rpkid.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::rpkid_server_host}">
+ <doc>
+ Host on which rpkid should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::rpkid_server_port}">
+ <doc>
+ Port on which rpkid should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "irdb-url"
+ value = "http://${myrpki::irdbd_server_host}:${myrpki::irdbd_server_port}/">
+ <doc>
+ HTTP service URL rpkid should use to contact irdbd. If irdbd is
+ running on the same machine as rpkid, this can and probably should
+ be a loopback URL, since nobody but rpkid needs to talk to irdbd.
+ </doc>
+ </option>
+
+ <option name = "bpki-ta"
+ value = "${myrpki::bpki_servers_directory}/ca.cer">
+ <doc>
+ Where rpkid should look for the BPKI trust anchor. Don't change
+ this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "rpkid-cert"
+ value = "${myrpki::bpki_servers_directory}/rpkid.cer">
+ <doc>
+ Where rpkid should look for its own BPKI EE certificate. Don't
+ change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "rpkid-key"
+ value = "${myrpki::bpki_servers_directory}/rpkid.key">
+ <doc>
+ Where rpkid should look for the private key corresponding to its
+ own BPKI EE certificate. Don't change this unless you really know
+ what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irdb-cert"
+ value = "${myrpki::bpki_servers_directory}/irdbd.cer">
+ <doc>
+ Where rpkid should look for irdbd's BPKI EE certificate.
+ Don't change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irbe-cert"
+ value = "${myrpki::bpki_servers_directory}/irbe.cer">
+ <doc>
+ Where rpkid should look for the back-end control client's BPKI EE
+ certificate. Don't change this unless you really know what you
+ are doing.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "irdbd">
+
+ <option name = "sql-database"
+ value = "${myrpki::irdbd_sql_database}">
+ <doc>
+ MySQL database name for irdbd.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::irdbd_sql_username}">
+ <doc>
+ MySQL user name for irdbd.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::irdbd_sql_password}">
+ <doc>
+ MySQL password for irdbd.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::irdbd_server_host}">
+ <doc>
+ Host on which irdbd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::irdbd_server_port}">
+ <doc>
+ Port on which irdbd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "pubd">
+
+ <option name = "sql-database"
+ value = "${myrpki::pubd_sql_database}">
+ <doc>
+ MySQL database name for pubd.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::pubd_sql_username}">
+ <doc>
+ MySQL user name for pubd.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::pubd_sql_password}">
+ <doc>
+ MySQL password for pubd.
+ </doc>
+ </option>
+
+ <option name = "publication-base"
+ value = "${myrpki::publication_base_directory}">
+ <doc>
+ Root of directory tree where pubd should write out published data.
+ You need to configure this, and the configuration should match up
+ with the directory where you point rsyncd. Neither pubd nor rsyncd
+ much cares -where- you tell them to put this stuff, the important
+ thing is that the rsync URIs in generated certificates match up
+ with the published objects so that relying parties can find and
+ verify rpkid's published outputs.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::pubd_server_host}">
+ <doc>
+ Host on which pubd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::pubd_server_port}">
+ <doc>
+ Port on which pubd should listen for HTTP service requests.
+ </doc>
+ </option>
+
+ <option name = "bpki-ta"
+ value = "${myrpki::bpki_servers_directory}/ca.cer">
+ <doc>
+ Where pubd should look for the BPKI trust anchor. Don't change
+ this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "pubd-cert"
+ value = "${myrpki::bpki_servers_directory}/pubd.cer">
+ <doc>
+ Where pubd should look for its own BPKI EE certificate. Don't
+ change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "pubd-key"
+ value = "${myrpki::bpki_servers_directory}/pubd.key">
+ <doc>
+ Where pubd should look for the private key corresponding to its
+ own BPKI EE certificate. Don't change this unless you really know
+ what you are doing.
+ </doc>
+ </option>
+
+ <option name = "irbe-cert"
+ value = "${myrpki::bpki_servers_directory}/irbe.cer">
+ <doc>
+ Where pubd should look for the back-end control client's BPKI EE
+ certificate. Don't change this unless you really know what you
+ are doing.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "rootd">
+ <doc>
+ You don't need to run rootd unless you're IANA, are certifying
+ private address space, or are an RIR which refuses to accept IANA as
+ the root of the public address hierarchy.
+ </doc>
+ <doc>
+ Ok, if that wasn't enough to scare you off: rootd is a kludge, and
+ needs to be rewritten, or, better, merged into rpkid. It does a
+ number of things wrong, and requires far too many configuration
+ parameters. You have been warned....
+ </doc>
+
+ <option name = "bpki-ta"
+ value = "${myrpki::bpki_servers_directory}/ca.cer">
+ <doc>
+ BPKI trust anchor. Don't change this unless you really know what
+ you are doing.
+ </doc>
+ </option>
+
+ <option name = "rootd-bpki-crl"
+ value = "${myrpki::bpki_servers_directory}/ca.crl">
+ <doc>
+ BPKI CRL. Don't change this unless you really know what you are
+ doing.
+ </doc>
+ </option>
+
+ <option name = "rootd-bpki-cert"
+ value = "${myrpki::bpki_servers_directory}/rootd.cer">
+ <doc>
+ rootd's own BPKI EE certificate. Don't change this unless you
+ really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "rootd-bpki-key"
+ value = "${myrpki::bpki_servers_directory}/rootd.key">
+ <doc>
+ Private key corresponding to rootd's own BPKI EE certificate.
+ Don't change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "child-bpki-cert"
+ value = "${myrpki::bpki_servers_directory}/child.cer">
+ <doc>
+ BPKI certificate for rootd's one and only up-down child. Don't
+ change this unless you really know what you are doing.
+ </doc>
+ </option>
+
+ <option name = "server-host"
+ value = "${myrpki::rootd_server_host}">
+ <doc>
+ Server host on which rootd should listen.
+ </doc>
+ </option>
+
+ <option name = "server-port"
+ value = "${myrpki::rootd_server_port}">
+ <doc>
+ Server port on which rootd should listen.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-dir"
+ value = "${myrpki::publication_base_directory}">
+ <doc>
+ Where rootd should write its output. Yes, rootd should be using
+ pubd instead of publishing directly, but it doesn't.
+ </doc>
+ </option>
+
+ <option name = "rpki-base-uri"
+ value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/">
+ <doc>
+ rsync URI corresponding to directory containing rootd's outputs.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-cert-uri"
+ value = "rsync://${myrpki::publication_rsync_server}/${myrpki::publication_root_module}/root.cer">
+ <doc>
+ rsync URI for rootd's root (self-signed) RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-key"
+ value = "${myrpki::bpki_servers_directory}/root.key">
+ <doc>
+ Private key corresponding to rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-cert"
+ value = "${myrpki::publication_root_cert_directory}/root.cer">
+ <doc>
+ Filename (as opposed to rsync URI) of rootd's root RPKI
+ certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-subject-pkcs10"
+ value = "${myrpki::bpki_servers_directory}/rootd.subject.pkcs10">
+ <doc>
+ Where rootd should stash a copy of the PKCS #10 request it gets
+ from its one (and only) child
+ </doc>
+ </option>
+
+ <option name = "rpki-subject-lifetime"
+ value = "30d">
+ <doc>
+ Lifetime of the one and only RPKI certificate rootd issues.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-crl"
+ value = "root.crl">
+ <doc>
+ Filename (relative to rootd-base-uri and rpki-root-dir) of the CRL
+ for rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-root-manifest"
+ value = "root.mft">
+ <doc>
+ Filename (relative to rootd-base-uri and rpki-root-dir) of the
+ manifest for rootd's root RPKI certificate.
+ </doc>
+ </option>
+
+ <option name = "rpki-class-name"
+ value = "${myrpki::handle}">
+ <doc>
+ Up-down protocol class name for RPKI certificate rootd issues to its
+ one (and only) child.
+ </doc>
+ </option>
+
+ <option name = "rpki-subject-cert"
+ value = "${myrpki::handle}.cer">
+ <doc>
+ Filename (relative to rootd-base-uri and rpki-root-dir) of the one
+ (and only) RPKI certificate rootd issues.
+ </doc>
+ </option>
+
+ </section>
+
+ <section name = "web_portal">
+ <doc>
+ Glue to allow the Django application to pull user configuration
+ from this file rather than directly editing settings.py.
+ </doc>
+
+ <option name = "sql-database"
+ value = "${myrpki::irdbd_sql_database}">
+ <doc>
+ SQL database name the web portal should use.
+ </doc>
+ </option>
+
+ <option name = "sql-username"
+ value = "${myrpki::irdbd_sql_username}">
+ <doc>
+ SQL user name the web portal should use.
+ </doc>
+ </option>
+
+ <option name = "sql-password"
+ value = "${myrpki::irdbd_sql_password}">
+ <doc>
+ SQL password the web portal should use.
+ </doc>
+ </option>
+
+ </section>
+
+</configuration>
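Review bot: `shared_sql_password` ships the literal `fnord` as its default, and every `*_sql_password` option in the `myrpki` section plus each `sql-password` option in the `rpkid`, `irdbd`, `pubd` and `web_portal` sections inherits it through `${myrpki::shared_sql_password}`, so an rpki.conf generated without an explicit override carries a known MySQL password; the accompanying doc asks for a locally generated password, but nothing in the template makes that happen. Following the convention the `handle` option already uses, a placeholder such as `value = "@SHARED_SQL_PASSWORD@"` (constructed name) together with a "You need to set this." sentence in its doc makes an unedited config fail visibly instead of running with a default credential, and the generator's `--set myrpki:shared_sql_password=...` path can then supply the real value. Separately, the docs for `rpki-root-crl`, `rpki-root-manifest` and `rpki-subject-cert` say "relative to rootd-base-uri", but the option defined in this section is `rpki-base-uri`.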