-rw-r--r-- | rpkid/Makefile | 6 | ||||
-rwxr-xr-x | rpkid/rootd.py | 2 | ||||
-rw-r--r-- | rpkid/rpki/left_right.py | 18 | ||||
-rw-r--r-- | rpkid/rpki/rpki_engine.py | 2 | ||||
-rw-r--r-- | rpkid/testbed.5.yaml | 65 | ||||
-rw-r--r-- | rpkid/testbed.py | 25 |
6 files changed, 102 insertions, 16 deletions
diff --git a/rpkid/Makefile b/rpkid/Makefile index 712c2ef8..3bdb46c4 100644 --- a/rpkid/Makefile +++ b/rpkid/Makefile @@ -91,6 +91,12 @@ all-tests:: all test all-tests:: all python testbed.py -y testbed.3.yaml +all-tests:: all + python testbed.py -y testbed.4.yaml + +all-tests:: all + python testbed.py -y testbed.5.yaml + # Documentation doc/irdbd.dot: irdbd.sql diff --git a/rpkid/rootd.py b/rpkid/rootd.py index d8dff884..cc5240d5 100755 --- a/rpkid/rootd.py +++ b/rpkid/rootd.py @@ -226,7 +226,7 @@ rpki_root_crl = cfg.get("rpki-root-crl", "Root.crl") rpki_subject_cert = cfg.get("rpki-subject-cert", "Subroot.cer") rpki_subject_pkcs10 = cfg.get("rpki-subject-pkcs10", "") -rpki_subject_lifetime = rpki.sundial.timedelta(days = int(cfg.get("rpki-subject-lifetime", "30"))) +rpki_subject_lifetime = rpki.sundial.timedelta.parse(cfg.get("rpki-subject-lifetime", "30d")) rpki.https.server(server_key = rootd_bpki_key, server_cert = rootd_bpki_cert, diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py index 7de8f8ab..55127bef 100644 --- a/rpkid/rpki/left_right.py +++ b/rpkid/rpki/left_right.py @@ -604,7 +604,7 @@ class route_origin_elt(data_elt): ca_detail = self.ca_detail() - if ca_detail.state != "active": + if ca_detail is None or ca_detail.state != "active": return self.regenerate_roa() regen_margin = rpki.sundial.timedelta(seconds = self.self().regen_margin) 
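Review bot: The new `all-tests::` target runs `python testbed.py -y testbed.4.yaml`, but the only fixture this commit adds is testbed.5.yaml (see the diffstat), so unless testbed.4.yaml already exists in rpkid/ the `make all-tests` chain now fails at that step before reaching testbed.5. Either add the missing fixture in the same commit or drop the testbed.4 target. I can't see the rest of the Makefile, so this is only a defect if the file is absent.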
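Review bot: The default for `rpki-subject-lifetime` changes from the bare integer `"30"` (previously wrapped in `timedelta(days = int(...))`) to `"30d"`, and the configured value now goes through `rpki.sundial.timedelta.parse()`, so an existing rootd.conf that still carries a bare number is interpreted by `parse()` rather than as a day count. `parse()` is not visible here, so whether it rejects such a value or reads it in a different unit cannot be told from this hunk, but either way the lifetime of the certificates rootd issues changes without any warning in the config. A comment on the new line would make the format change explicit, e.g. `# lifetime string in rpki.sundial.timedelta.parse() syntax (e.g. "30d"); older configs gave a bare day count`, and `parse()` should either accept or loudly reject the legacy form. The surrounding module-level code continues outside the hunk.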
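Review bot: `if ca_detail is None or ca_detail.state != "active": return self.regenerate_roa()` now sends a route_origin that has no ca_detail at all into `regenerate_roa()`, which works only because of that method's new `None` branch (hunk at @@ -725 in this file); the `None` case is a first issuance rather than a reissue, and a one-line comment would spare the next reader the round trip, e.g. `# No ca_detail yet (never issued) or a ca_detail that is no longer active: (re)generate the ROA`. The enclosing method starts and ends outside this hunk, so I cannot see whether `ca_detail` is re-read after this point.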
@@ -649,11 +649,8 @@ class route_origin_elt(data_elt): return # Ugly and expensive search for covering ca_detail, there has to - # be a better way. - # - # If we're reissuing (not handled yet) we can optimize this by - # first checking the ca_detail we used last time, but it may not - # be active, in which we have to check the ca_detail that replaced it. + # be a better way, but it would require the ability to test for + # resource subsets in SQL. v4 = self.ipv4.to_resource_set() if self.ipv4 is not None else rpki.resource_set.resource_set_ipv4() v6 = self.ipv6.to_resource_set() if self.ipv6 is not None else rpki.resource_set.resource_set_ipv6() @@ -676,6 +673,8 @@ class route_origin_elt(data_elt): rpki.log.warn("generate_roa() could not find a certificate covering %s %s" % (v4, v6)) return + ca = ca_detail.ca() + resources = rpki.resource_set.resource_bag(v4 = v4, v6 = v6) keypair = rpki.x509.RSA.generate() @@ -687,7 +686,7 @@ class route_origin_elt(data_elt): self.ca_detail_id = ca_detail.ca_detail_id self.sql_store() - repository = parent.repository() + repository = ca.parent().repository() repository.publish(self.roa, self.roa_uri(ca)) if self.publish_ee_separately: repository.publish(self.cert, self.ee_uri(ca)) @@ -725,7 +724,10 @@ class route_origin_elt(data_elt): def regenerate_roa(self): """Reissue ROA associated with this route_origin.""" - self.withdraw_roa(regenerate = True) + if self.ca_detail() is None: + self.generate_roa() + else: + self.withdraw_roa(regenerate = True) def roa_uri(self, ca, key = None): """Return the publication URI for this route_origin's ROA.""" diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py index 416163ae..1e9f8518 100644 --- a/rpkid/rpki/rpki_engine.py +++ b/rpkid/rpki/rpki_engine.py 
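Review bot: With `repository = ca.parent().repository()` replacing `parent.repository()`, the `parent` name the old line relied on is presumably no longer used in `generate_roa()`; its binding is outside the hunk, but if it was computed only for this lookup it should be removed rather than left as a dead local. `ca = ca_detail.ca()` is placed after the "could not find a certificate covering" early return, so the warn-and-return path never dereferences it, which is correct. generate_roa() starts and ends outside these hunks; the comment rewrite at @@ -649 is fine as is.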
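Review bot: `regenerate_roa()` now generates a fresh ROA when `self.ca_detail()` is None instead of reissuing one, but its docstring still reads `"""Reissue ROA associated with this route_origin."""`; update it to `"""Reissue the ROA for this route_origin, or generate one if it has no ca_detail yet."""`. The caller at @@ -604 already tests `self.ca_detail()` for None before calling here, so on that path the lookup runs twice; harmless as far as this diff shows, but worth a comment if `ca_detail()` is a database fetch.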
@@ -420,7 +420,7 @@ class ca_detail_obj(rpki.sql.sql_persistant): for child_cert in self.child_certs(): repository.withdraw(child_cert.cert, child_cert.uri(ca)) child_cert.sql_delete() - for revoked__cert in self.revoked_certs(): + for revoked_cert in self.revoked_certs(): revoked_cert.sql_delete() for route_origin in self.route_origins(): route_origin.withdraw_roa() diff --git a/rpkid/testbed.5.yaml b/rpkid/testbed.5.yaml new file mode 100644 index 00000000..3d1498a6 --- /dev/null +++ b/rpkid/testbed.5.yaml @@ -0,0 +1,65 @@ +# $Id$ + +# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN") +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH +# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT, +# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +# PERFORMANCE OF THIS SOFTWARE. + +rootd: + lifetime: 2m +name: RIR +crl_interval: 90s +regen_margin: 1m +valid_for: 2m +kids: + - name: R0 + kids: + - name: Alice + ipv4: 192.0.2.1-192.0.2.33 + asn: 64533 + route_origin: + - asn: 42 + ipv4: 192.0.2.32/32 + - name: Bob + ipv4: 192.0.2.44-192.0.2.100 + ipv4: 10.3.0.0/16 + route_origin: + - asn: 666 + ipv4: 10.3.0.44/32 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 +--- +- sleep 30 diff --git a/rpkid/testbed.py b/rpkid/testbed.py index f56467dc..f3afa2d5 100644 
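Review bot: The `Bob` entry carries two `ipv4:` keys back to back (`ipv4: 192.0.2.44-192.0.2.100` then `ipv4: 10.3.0.0/16`); a YAML mapping cannot hold duplicate keys, and the usual loaders keep the last one, so the 192.0.2.44-192.0.2.100 allocation is silently dropped and the scenario does not exercise what the file appears to describe. Fold both ranges into a single `ipv4:` value in whatever multi-prefix form `allocation_db` accepts, or delete the range that is not intended. Bob also has no `asn:` while Alice does; if that asymmetry is deliberate, a comment saying so would help.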
--- a/rpkid/testbed.py +++ b/rpkid/testbed.py @@ -139,17 +139,28 @@ def main(): irdb_sql = mangle_sql(irdb_sql_file) pubd_sql = mangle_sql(pub_sql_file) + rpki.log.info("Initializing test directory") + + # Connect to test directory, creating it if necessary try: os.chdir(testbed_dir) except: os.makedirs(testbed_dir) os.chdir(testbed_dir) - rpki.log.info("Cleaning up old state") - subprocess.check_call(("rm", "-rf", "publication", "rcynic-data", "rootd.subject.pkcs10", "rootd.req")) + # Discard everything but keys, which take a while to generate + for root, dirs, files in os.walk(".", topdown = False): + for file in files: + if not file.endswith(".key"): + os.remove(os.path.join(root, file)) + for dir in dirs: + os.rmdir(os.path.join(root, dir)) rpki.log.info("Reading master YAML configuration") - db = allocation_db(yaml_script.pop(0)) + y = yaml_script.pop(0) + + rpki.log.info("Constructing internal allocation database") + db = allocation_db(y) rpki.log.info("Constructing BPKI keys and certs for rootd") setup_bpki_cert_chain(rootd_name, ee = ("RPKI",)) @@ -161,7 +172,7 @@ def main(): a.setup_bpki_certs() setup_publication(pubd_sql) - setup_rootd(db.root.name, "SELF-1") + setup_rootd(db.root.name, "SELF-1", y.get("rootd", {})) setup_rsyncd() setup_rcynic() @@ -758,7 +769,7 @@ def setup_bpki_cert_chain(name, ee = (), ca = ()): s += bpki_cert_fmt_6 % d subprocess.check_call(s, shell = True) -def setup_rootd(rpkid_name, rpkid_tag): +def setup_rootd(rpkid_name, rpkid_tag, rootd_yaml): """Write the config files for rootd.""" rpki.log.info("Writing config files for %s" % rootd_name) d = { "rootd_name" : rootd_name, @@ -767,7 +778,8 @@ def setup_rootd(rpkid_name, rpkid_tag): "rpkid_tag" : rpkid_tag, "rootd_sia" : rootd_sia, "rsyncd_dir" : rsyncd_dir, - "openssl" : prog_openssl } + "openssl" : prog_openssl, + "lifetime" : rootd_yaml.get("lifetime", "30d") } f = open(rootd_name + ".conf", "w") f.write(rootd_fmt_1 % d) f.close() 
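Review bot: The new cleanup `for root, dirs, files in os.walk(".", topdown = False)` deletes everything under the current directory except `*.key` files, a far wider blast radius than the previous `rm -rf` of four named paths, and the only thing between it and the checkout is the `os.chdir(testbed_dir)` just above; where `testbed_dir` comes from is outside the hunk, but a mis-set value would wipe the source tree. Add a guard before the walk, e.g. `if os.path.samefile(os.getcwd(), os.path.dirname(os.path.abspath(__file__))): raise RuntimeError("refusing to clean the source directory")`, or only clean when a known marker file is present. Two smaller points: a `.key` file inside a subdirectory keeps that directory non-empty, so the following `os.rmdir` raises, and `file`/`dir` shadow builtins — `name`/`subdir` would do. main() continues outside the hunk.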
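Review bot: `setup_rootd()` gains a `rootd_yaml` parameter but its docstring `"""Write the config files for rootd."""` does not mention it; since the caller passes `y.get("rootd", {})`, document it as `"""Write the config files for rootd.  rootd_yaml is the optional "rootd" mapping from the master YAML document; only its "lifetime" key (default "30d") is used so far."""`. The `"30d"` fallback here duplicates the default in rootd.py, so the two can drift silently; consider emitting the `rpki-subject-lifetime` line only when the YAML sets one and letting rootd apply its own default.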
@@ -1035,6 +1047,7 @@ rpki-root-key = %(rootd_name)s.key rpki-root-cert = %(rootd_name)s.cer rpki-subject-pkcs10 = %(rootd_name)s.subject.pkcs10 +rpki-subject-lifetime = %(lifetime)s rpki-root-crl = Bandicoot.crl rpki-root-manifest = Bandicoot.mnf |