diff options
| -rwxr-xr-x | scripts/rp-sqlite | 148 |
1 files changed, 110 insertions, 38 deletions
diff --git a/scripts/rp-sqlite b/scripts/rp-sqlite index 56f0c440..4926bb93 100755 --- a/scripts/rp-sqlite +++ b/scripts/rp-sqlite @@ -29,7 +29,10 @@ import os import sys +import yaml +import base64 import sqlite3 +import weakref import rpki.POW import rpki.x509 import rpki.resource_set @@ -43,13 +46,18 @@ sqlite3.register_converter("RangeVal", def main(): rpdb = RPDB() + rpdb.load() test(rpdb) rpdb.close() - def test(rpdb): fn2s = [None] + rpdb.fn2map.keys() + print + print "Testing YAML parsing" + parse_yaml(rpdb) + + print print "Testing range functions" for fn2 in fn2s: if fn2 is not None: @@ -84,11 +92,82 @@ def test(rpdb): print "Trying", expr for r in rpdb.find_by_resource_bag(rpki.resource_set.resource_bag.from_str(expr), fn2): print r, r.uris - + + +def parse_xki(s): + """ + Parse text form of an SKI or AKI. We accept two encodings: + colon-delimited hexadecimal, and URL-safe Base64. The former is + what OpenSSL prints in its text representation of SKI and AKI + extensions; the latter is the g(SKI) value that some RPKI CA engines + (including rpkid) use when constructing filenames. + + In either case, we check that the decoded result contains the right + number of octets to be a SHA-1 hash. + """ + + if ":" in s: + b = "".join(chr(int(c, 16)) for c in s.split(":")) + else: + b = base64.urlsafe_b64decode(s + ("=" * (4 - len(s) % 4))) + if len(b) != 20: + raise RuntimeError("Bad length for SHA1 xKI value: %r" % s) + return b + + +def parse_yaml(rpdb, fn = "rp-sqlite.yaml"): + yy = yaml.safe_load(open(fn, "r")) + for y in yy: + + ski = None + uri = None + obj = set() + + print + + if "ski" in y: + ski = parse_xki(y["ski"]) + obj.update(rpdb.find_by_ski(ski)) + if "uri" in y: + uri = y["uri"] + obj.update(rpdb.find_by_uri(uri)) + if len(obj) == 1: + obj = obj.pop() + else: + raise RuntimeError("Policy entry must name a unique object using SKI, URI, or both (%r, %r, %r)" % ( + ski, uri, obj)) + + print "URI:", uri + print "SKI:", " ".join("%02X" % ord(c) for c in ski), "(" + y["ski"] + ")" + + new_resources = old_resources = obj.get_3779resources() + + if "set" in y: + new_resources = rpki.resource_set.resource_bag.from_str(y["set"]) + + if "add" in y: + new_resources = new_resources | rpki.resource_set.resource_bag.from_str(y["add"]) + + if "sub" in y: + new_resources = new_resources - rpki.resource_set.resource_bag.from_str(y["sub"]) + + if new_resources == old_resources: + print "No resource change, skipping" + continue + + print "Old:", old_resources + print "New:", new_resources + print "Add:", new_resources - old_resources + print "Sub:", old_resources - new_resources + class RPDB(object): """ Relying party database. + + For now just wire in the database name and rcynic root, fix this + later if overall approach seems usable. Might even end up just + being an in-memory SQL database, who knows? """ fn2map = dict(cer = rpki.x509.X509, @@ -97,16 +176,7 @@ class RPDB(object): roa = rpki.x509.ROA, gbr = rpki.x509.Ghostbuster) - def __init__(self, - db_name = "rp-sqlite.db", - rcynic_root = os.path.expanduser("~/rpki/subvert-rpki.hactrn.net/trunk/" - "rcynic/rcynic-data/unauthenticated"), - delete_old_db = True, - spinner = 100): - - # For now just wire in the database name and rcynic root, fix this - # later if overall approach seems usable. Might even end up just - # being an in-memory SQL database, who knows? + def __init__(self, db_name = "rp-sqlite.db", delete_old_db = True): if delete_old_db: try: @@ -114,10 +184,17 @@ class RPDB(object): except: pass + exists = os.path.exists(db_name) + self.db = sqlite3.connect(db_name, detect_types = sqlite3.PARSE_DECLTYPES) self.db.text_factory = str - self.cur = self.db.cursor() + + self.cache = weakref.WeakValueDictionary() + + if exists: + return + self.cur.executescript(''' PRAGMA foreign_keys = on; @@ -152,6 +229,11 @@ class RPDB(object): CREATE INDEX range_index ON range(min, max); ''') + def load(self, + rcynic_root = os.path.expanduser("~/rpki/subvert-rpki.hactrn.net/trunk/" + "rcynic/rcynic-data/unauthenticated"), + spinner = 100): + nobj = 0 for root, dirs, files in os.walk(rcynic_root): @@ -224,25 +306,13 @@ class RPDB(object): def find_by_ski(self, ski, fn2 = None): - return self._find_results( - fn2, - """ - SELECT id, fn2, der - FROM object - WHERE ski = ? - """, - [buffer(ski)]) - + return self._find_results(fn2, "SELECT id, fn2, der FROM object WHERE ski = ?", [buffer(ski)]) def find_by_aki(self, aki, fn2 = None): - return self._find_results( - fn2, - """ - SELECT id, fn2, der - FROM object - WHERE aki = ? - """, - [buffer(aki)]) + return self._find_results(fn2, "SELECT id, fn2, der FROM object WHERE aki = ?", [buffer(aki)]) + + def find_by_uri(self, uri): + return self._find_results(None, "SELECT object.id, fn2, der FROM object, uri WHERE uri.uri = ? AND object.id = uri.id", [uri]) # It's easiest to understand overlap conditions by understanding @@ -262,8 +332,7 @@ class RPDB(object): return self._find_results( fn2, """ - SELECT object.id, fn2, der - FROM object, range + SELECT object.id, fn2, der FROM object, range WHERE ? <= max AND ? >= min AND object.id = range.id """, [range_min, range_max]) @@ -282,8 +351,7 @@ class RPDB(object): return self._find_results( fn2, """ - SELECT object.id, fn2, der - FROM object, range + SELECT object.id, fn2, der FROM object, range WHERE object.id = range.id AND (%s) """ % (" OR ".join(qset)), aset) @@ -299,10 +367,14 @@ class RPDB(object): self.cur.execute(query, args) selections = self.cur.fetchall() for rowid, fn2, der in selections: - obj = self.fn2map[fn2](DER = der) - self.cur.execute("SELECT uri FROM uri WHERE id = ?", (rowid,)) - obj.uris = [u[0] for u in self.cur.fetchall()] - obj.uri = obj.uris[0] if len(obj.uris) == 1 else None + if rowid in self.cache: + obj = self.cache[rowid] + else: + obj = self.fn2map[fn2](DER = der) + self.cur.execute("SELECT uri FROM uri WHERE id = ?", (rowid,)) + obj.uris = [u[0] for u in self.cur.fetchall()] + obj.uri = obj.uris[0] if len(obj.uris) == 1 else None + self.cache[rowid] = obj results.append(obj) return results |