-rw-r--r--myrpki.rototill/examples/myrpki.conf47
-rw-r--r--myrpki.rototill/setup.py56
-rw-r--r--myrpki.rototill/yamltest.py9
-rw-r--r--rpkid/pubd.py6
4 files changed, 76 insertions, 42 deletions
diff --git a/myrpki.rototill/examples/myrpki.conf b/myrpki.rototill/examples/myrpki.conf
index 8ce59498..7cf80eb6 100644
--- a/myrpki.rototill/examples/myrpki.conf
+++ b/myrpki.rototill/examples/myrpki.conf
@@ -37,9 +37,9 @@ repository_bpki_certificate = repository-ta.cer
# "handle", with the addition of "/" characters as an allowed
# delimiter. You need to set this.
-repository_handle = Me
+repository_handle = ${myrpki::handle}
-# Names of various input and output files. Don't change these without
+# Names of various files and directories. Don't change these without
# a good reason.
roa_csv = roas.csv
@@ -48,8 +48,8 @@ parents_csv = parents.csv
prefix_csv = prefixes.csv
asn_csv = asns.csv
xml_filename = myrpki.xml
-
bpki_resources_directory = bpki/resources
+bpki_servers_directory = bpki/servers
# Whether you want to run your own copy of rpkid (and irdbd). In
# general, if you're running myirbe.py at all, you want this on.
@@ -108,20 +108,6 @@ run_rootd = true
rootd_server_port = 4401
-# Resource class name for rootd. rootd uses this for several
-# different things: it's used along with pubd_server_host to construct
-# the rsync URI for the root of the publication tree; it's used by
-# rootd as a resource class name in the up-down protocol; and it's
-# used to construct the filename for the one and only RPKI certificate
-# that rootd issues. You need to configure this.
-
-rootd_resource_class_name = Me
-
-# Where to put BPKI stuff for the IRBE operator (entity that operates
-# rpkid etc). Don't change this without a reason.
-
-bpki_servers_directory = bpki/servers
-
# Root of local directory tree where pubd (and rootd, sigh) should
# write out published data. You need to configure this, and the
# configuration should match up with the directory where you point
@@ -132,6 +118,21 @@ bpki_servers_directory = bpki/servers
publication_base_directory = publication/
+# rsyncd module name corresponding to publication_base_directory, or
+# empty string if you want publication_base_directory to correspond to
+# the parent of multiple rsyncd modules populated by pubd. The latter
+# is "multimodule mode" and is useful if you have strong opinions
+# about what the rsync URLs should look like; it requires the rsyncd
+# module definitions to line up with the directory names under
+# publication_base_directory.
+
+publication_rsync_module = ${myrpki::handle}
+
+# Hostname and optional port number for rsync:// URIs. In most cases
+# this should just be the same value as pubd_server_name.
+
+publication_rsync_server = ${myrpki::pubd_server_host}
+
# Don't touch these, they're here because I haven't yet updated all of
# the myrpki tools to use the latest config file variables. These
# will go away eventually, for now just leave them alone.
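Review bot: The new comment above publication_rsync_server tells the operator it should usually equal `pubd_server_name`, but the option it actually defaults to, and the only such option visible in this file, is `pubd_server_host`; someone grepping for the referenced name will not find it. Suggest `# this should just be the same value as pubd_server_host.` Since this value becomes the host part of every rsync:// URI the later hunks build (rpki-base-uri, root_cert_sia, root_cert_manifest, and the default client sia_base in setup.py), and root_cert_sia is described in this file as an input to rootd's root certificate, it is also worth adding a line that any port suffix given here must be the one rsyncd really serves on, because a mismatch is not caught at configuration time.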
@@ -293,11 +294,11 @@ rpki-root-dir = ${myrpki::publication_base_directory}
# rsync URI for directory containing rootd's outputs
-rpki-base-uri = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/
+rpki-base-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/
# rsync URI for rootd's root (self-signed) RPKI certificate
-rpki-root-cert-uri = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/root.cer
+rpki-root-cert-uri = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.cer
# Private key corresponding to rootd's root RPKI certificate
@@ -329,12 +330,12 @@ rpki-root-manifest = root.mnf
# Up-down protocol class name for RPKI certificate rootd issues to its
# one (and only) child
-rpki-class-name = ${myrpki::rootd_resource_class_name}
+rpki-class-name = ${myrpki::handle}
# Filename (relative to rootd-base-uri and rpki-root-dir) of the one
# (and only) RPKI certificate rootd issues
-rpki-subject-cert = ${myrpki::rootd_resource_class_name}.cer
+rpki-subject-cert = ${myrpki::handle}.cer
# The last four paramters in this section are really parameters for
# myirbe.py to use when constructing rootd's root RPKI certificate,
@@ -353,11 +354,11 @@ root_cert_addrs = IPv4:0.0.0.0/0,IPv6:0::/0
# Whatever you put in rpki-base-uri, earlier in this section
-root_cert_sia = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/
+root_cert_sia = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/
# root_cert_sia + rpki-root-manifest
-root_cert_manifest = rsync://${myrpki::pubd_server_host}/${myrpki::rootd_resource_class_name}/root.mnf
+root_cert_manifest = rsync://${myrpki::publication_rsync_server}/${myrpki::publication_rsync_module}/root.mnf
#################################################################
diff --git a/myrpki.rototill/setup.py b/myrpki.rototill/setup.py
index 131c6ef9..6a8cadcf 100644
--- a/myrpki.rototill/setup.py
+++ b/myrpki.rototill/setup.py
@@ -79,6 +79,8 @@ class main(rpki.cli.Cmd):
self.pubd_contact_info = self.cfg.get("pubd_contact_info", "")
+ self.rsync_module = self.cfg.get("publication_rsync_module")
+ self.rsync_server = self.cfg.get("publication_rsync_server")
def entitydb(self, *args):
return os.path.join(self.entitydb_dir, *args)
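Review bot: `self.rsync_module` is stored raw, yet this commit's myrpki.conf documents `publication_rsync_module` as legitimately being the empty string (multimodule mode, which the pubd.py hunk detects with the same `== ""` test), and the only consumer visible in this diff formats it as `"rsync://%s/%s/%s/"`, which produces a `//` in the default sia_base when the module is empty. Normalising once here keeps that rule in one place: `self.rsync_base = "rsync://%s/" % self.rsync_server` followed by `if self.rsync_module: self.rsync_base += self.rsync_module + "/"`, with the sia_base default then written as `self.rsync_base + handle + "/"`. The method these assignments belong to begins before this hunk, so I cannot see whether `cfg.get` without a default raises or returns None for a missing option; if it returns None the formatted URI would contain the literal string `None`, which is another reason to validate here.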
@@ -108,6 +110,8 @@ class main(rpki.cli.Cmd):
if arg:
raise RuntimeError, "This command takes no arguments"
+ print "This may take a little while, have to generate RSA keys..."
+
self.bpki_resources.setup(self.cfg.get("bpki_resources_ta_dn",
"/CN=%s BPKI Resource Trust Anchor" % self.handle))
if self.run_rpkid or self.run_pubd or self.run_rootd:
@@ -318,6 +322,7 @@ class main(rpki.cli.Cmd):
else:
raise RuntimeError, "Support for hints not available yet"
+
def do_answer_repository_client(self, arg):
if not self.disable_parent_offers_and_hints:
@@ -325,37 +330,64 @@ class main(rpki.cli.Cmd):
self.load_xml()
- client_handle = None
+ sia_base = None
- opts, argv = getopt.getopt(arg.split(), "", ["client_handle="])
+ opts, argv = getopt.getopt(arg.split(), "", ["sia_base="])
for o, a in opts:
- if o == "--client_handle":
- client_handle = a
+ if o == "--sia_base":
+ sia_base = a
if len(argv) != 1 or not os.path.exists(argv[0]):
raise RuntimeError, "Need to specify filename for client.xml"
c = myrpki.etree_read(argv[0])
- # Checking of signed referalls goes somewhere around here. Must
- # be after reading client's XML, but (probably) before deciding
- # what the client's handle will be.
-
- if client_handle is None:
- client_handle = c.get("handle")
+ # Critical thing at this point is to figure out what client's
+ # sia_base value should be. Three cases:
+ #
+ # - client has no particular relationship to any other client:
+ # sia_base is top-level, or as close as we can make it taking
+ # rsyncd module into account (maybe homed under us, hmm, how do
+ # we detect case where we are talking to ourself?)
+ #
+ # - client is a direct child of ours to whom we (in our parent
+ # role) made an offer of publication service. client homes
+ # under us, presumably.
+ #
+ # - client is a child of a client of ours who referred the new
+ # client to us, along with a signed referral. signed referral
+ # includes sia_base of referring client, new client homes under
+ # that per referring client's wishes.
+
+ # client_handle is sia_base with "rsync://hostname:port/" stripped
+ # off the front, "/" stripped off the end, and (perhaps, to
+ # simplify XML file naming) all remaining "/" characters
+ # translated to ".". This will require minor tweaks to
+ # publication protocol schema, or perhaps we just do it in XML
+ # land and leave publication protocol alone (for now?).
+
+ # Checking of signed referrals goes somewhere around here. Must
+ # be after reading client's XML, but before deciding what the
+ # client's sia_base and handle will be.
+
+ if sia_base is None:
+ sia_base = "rsync://%s/%s/%s/" % (self.rsync_server, self.rsync_module, c.get("handle"))
+
+ client_handle = "/".join(sia_base.rstrip("/").split("/")[3:])
print "Client calls itself %r, we call it %r" % (c.get("handle"), client_handle)
self.bpki_servers.fxcert(c.findtext("bpki_ca_certificate"))
- e = Element("repository", repository_handle = self.handle, client_handle = client_handle,
+ e = Element("repository", repository_handle = self.handle,
+ client_handle = client_handle, sia_base = sia_base,
service_url = "https://%s:%s/client/%s" % (self.cfg.get("pubd_server_host"),
self.cfg.get("pubd_server_port"),
client_handle))
myrpki.PEMElement(e, "bpki_server_ca", self.bpki_servers.cer)
- myrpki.etree_write(e, self.entitydb("pubclients", "%s.xml" % client_handle))
+ myrpki.etree_write(e, self.entitydb("pubclients", "%s.xml" % client_handle.replace("/", ".")))
def do_process_repository_answer(self, arg):
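Review bot: The client's self-declared handle, `c.get("handle")`, flows unchecked into the default sia_base, into client_handle, into service_url and into the pubclients filename, and the comment block added here states that signed-referral checking is still not implemented, so nothing else gates this input yet. A missing attribute is formatted as the string `None`, an empty handle yields `rsync://host/module//`, and any character other than `/` (whitespace, `..`, URL metacharacters) survives into the rsync URI and the `%s.xml` name unchanged, since `replace("/", ".")` only neutralises that one separator. Suggest rejecting it before first use, e.g. `handle = c.get("handle")` / `if not handle or not HANDLE_RE.match(handle): raise RuntimeError, "Bad client handle %r" % handle`, where the pattern encodes whatever handle syntax myrpki enforces (not visible in this diff), and applying the same check to each path component of an operator-supplied `--sia_base`, which the `[3:]` slice otherwise just assumes begins with `rsync://host/`. do_answer_repository_client begins before this hunk.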
diff --git a/myrpki.rototill/yamltest.py b/myrpki.rototill/yamltest.py
index a8a41b95..ad64420c 100644
--- a/myrpki.rototill/yamltest.py
+++ b/myrpki.rototill/yamltest.py
@@ -134,10 +134,7 @@ class allocation_db(list):
a.crl_interval = a.parent.crl_interval
if a.regen_margin is None:
a.regen_margin = a.parent.regen_margin
- i = 0
- for j in xrange(3):
- i = a.sia_base.index("/", i) + 1
- a.client_handle = a.sia_base[i:].rstrip("/")
+ a.client_handle = "/".join(a.sia_base.rstrip("/").split("/")[3:])
self.root.closure()
self.map = dict((a.name, a) for a in self)
for a in self:
@@ -406,7 +403,6 @@ class allocation(object):
if self.is_root():
r["myrpki", "rootd_server_port"] = str(self.rootd_port)
- r["myrpki", "rootd_resource_class_name"] = self.name
if self.runs_pubd():
r["pubd", "sql-database"] = "pubd%d" % self.engine
@@ -416,6 +412,7 @@ class allocation(object):
r["myrpki", "pubd_server_port"] = str(s.pubd_port)
r["myrpki", "repository_bpki_certificate"] = s.path("bpki/servers/ca.cer")
r["myrpki", "repository_handle"] = self.client_handle
+ r["myrpki", "publication_rsync_server"] = "localhost:%s" % s.rsync_port
if rpkid_password:
r["rpkid", "sql-password"] = rpkid_password
@@ -631,7 +628,7 @@ for d in db:
p = d.find_pubd()
p.run_setup("answer_repository_client", d.path("entitydb", "identity.xml"))
print
- d.run_setup("process_repository_answer", p.path("entitydb", "pubclients", "%s.xml" % d.name))
+ d.run_setup("process_repository_answer", p.path("entitydb", "pubclients", "%s.%s.xml" % (p.name, d.name)))
print
print
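Review bot: The filename at the last changed line hard-codes `"%s.%s.xml" % (p.name, d.name)`, duplicating the naming rule setup.py applies (`client_handle.replace("/", ".")`) and holding only while the answering pubd's rsync module equals `p.name` and setup.py's default sia_base is used. This file already carries a per-allocation `sia_base` and derives `client_handle` from it with the same expression setup.py uses, yet that sia_base is never passed to `answer_repository_client`, so the test's idea of the client handle and the one pubd records can silently disagree. If run_setup forwards extra arguments, passing `"--sia_base=%s" % d.sia_base` on the preceding call and then opening `"%s.xml" % d.client_handle.replace("/", ".")` would make the test follow the real value instead of re-deriving it. The loop containing these lines begins before the hunk.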
diff --git a/rpkid/pubd.py b/rpkid/pubd.py
index 386d2f06..8d58b002 100644
--- a/rpkid/pubd.py
+++ b/rpkid/pubd.py
@@ -61,7 +61,11 @@ class pubd_context(object):
self.https_server_port = int(cfg.get("server-port", "4434"))
self.publication_base = cfg.get("publication-base", "publication/")
- self.publication_multimodule = cfg.getboolean("publication-multimodule", False)
+
+ if cfg.has_option("publication-multimodule"):
+ self.publication_multimodule = cfg.getboolean("publication-multimodule")
+ else:
+ self.publication_multimodule = cfg.get("publication-module", "-") == ""
def handler_common(self, query, client, cb, certs, crl = None):
"""