-rw-r--r-- | rpkid/left-right-schema.rnc | 26 | ||||
-rw-r--r-- | rpkid/left-right-schema.rng | 41 | ||||
-rw-r--r-- | rpkid/publication-schema.rnc | 14 | ||||
-rw-r--r-- | rpkid/publication-schema.rng | 9 | ||||
-rw-r--r-- | rpkid/rpki/irdb/zookeeper.py | 18 | ||||
-rw-r--r-- | rpkid/rpki/left_right.py | 83 | ||||
-rw-r--r-- | rpkid/rpki/publication.py | 23 | ||||
-rw-r--r-- | rpkid/rpki/relaxng.py | 50 | ||||
-rw-r--r-- | rpkid/rpki/rpkic.py | 14 |
9 files changed, 238 insertions, 40 deletions
diff --git a/rpkid/left-right-schema.rnc b/rpkid/left-right-schema.rnc index a2759f56..50b2401e 100644 --- a/rpkid/left-right-schema.rnc +++ b/rpkid/left-right-schema.rnc @@ -109,7 +109,8 @@ self_bool = (attribute rekey { "yes" }?, attribute revoke { "yes" }?, attribute run_now { "yes" }?, attribute publish_world_now { "yes" }?, - attribute revoke_forgotten { "yes" }?) + attribute revoke_forgotten { "yes" }?, + attribute clear_replay_protection { "yes" }?) self_payload = (attribute use_hsm { "yes" | "no" }?, attribute crl_interval { xsd:positiveInteger }?, @@ -142,16 +143,16 @@ bsc_handle = attribute bsc_handle { object_handle } bsc_payload = (element signing_cert { base64 }?, element signing_cert_crl { base64 }?) -bsc_pkcs10 = element pkcs10_request { base64 }? +bsc_readonly = element pkcs10_request { base64 }? bsc_query |= element bsc { ctl_create, self_handle, bsc_handle, bsc_bool, bsc_payload } -bsc_reply |= element bsc { ctl_create, self_handle, bsc_handle, bsc_pkcs10 } +bsc_reply |= element bsc { ctl_create, self_handle, bsc_handle, bsc_readonly } bsc_query |= element bsc { ctl_set, self_handle, bsc_handle, bsc_bool, bsc_payload } -bsc_reply |= element bsc { ctl_set, self_handle, bsc_handle, bsc_pkcs10 } +bsc_reply |= element bsc { ctl_set, self_handle, bsc_handle, bsc_readonly } bsc_query |= element bsc { ctl_get, self_handle, bsc_handle } -bsc_reply |= element bsc { ctl_get, self_handle, bsc_handle, bsc_payload, bsc_pkcs10 } +bsc_reply |= element bsc { ctl_get, self_handle, bsc_handle, bsc_payload, bsc_readonly } bsc_query |= element bsc { ctl_list, self_handle } -bsc_reply |= element bsc { ctl_list, self_handle, bsc_handle, bsc_payload, bsc_pkcs10 } +bsc_reply |= element bsc { ctl_list, self_handle, bsc_handle, bsc_payload, bsc_readonly } bsc_query |= element bsc { ctl_destroy, self_handle, bsc_handle } bsc_reply |= element bsc { ctl_destroy, self_handle, bsc_handle } 
@@ -162,7 +163,8 @@ parent_handle = attribute parent_handle { object_handle } parent_bool = (attribute rekey { "yes" }?, attribute reissue { "yes" }?, attribute revoke { "yes" }?, - attribute revoke_forgotten { "yes" }?) + attribute revoke_forgotten { "yes" }?, + attribute clear_replay_protection { "yes" }?) parent_payload = (attribute peer_contact_uri { uri }?, attribute sia_base { uri }?, @@ -188,7 +190,8 @@ parent_reply |= element parent { ctl_destroy, self_handle, parent_handle } child_handle = attribute child_handle { object_handle } -child_bool = attribute reissue { "yes" }? +child_bool = (attribute reissue { "yes" }?, + attribute clear_replay_protection { "yes" }?) child_payload = (bsc_handle?, element bpki_cert { base64 }?, @@ -209,14 +212,16 @@ child_reply |= element child { ctl_destroy, self_handle, child_handle } repository_handle = attribute repository_handle { object_handle } +repository_bool = attribute clear_replay_protection { "yes" }? + repository_payload = (attribute peer_contact_uri { uri }?, bsc_handle?, element bpki_cert { base64 }?, element bpki_glue { base64 }?) -repository_query |= element repository { ctl_create, self_handle, repository_handle, repository_payload } +repository_query |= element repository { ctl_create, self_handle, repository_handle, repository_bool, repository_payload } repository_reply |= element repository { ctl_create, self_handle, repository_handle } -repository_query |= element repository { ctl_set, self_handle, repository_handle, repository_payload } +repository_query |= element repository { ctl_set, self_handle, repository_handle, repository_bool, repository_payload } repository_reply |= element repository { ctl_set, self_handle, repository_handle } repository_query |= element repository { ctl_get, self_handle, repository_handle } repository_reply |= element repository { ctl_get, self_handle, repository_handle, repository_payload } 
@@ -272,6 +277,7 @@ list_published_objects_query = element list_published_objects { list_published_objects_reply = element list_published_objects { tag, self_handle, attribute uri { uri }, + attribute child_handle { object_handle }?, base64 } diff --git a/rpkid/left-right-schema.rng b/rpkid/left-right-schema.rng index 0b0fa8d1..1a691845 100644 --- a/rpkid/left-right-schema.rng +++ b/rpkid/left-right-schema.rng @@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!-- - $Id: left-right-schema.rnc 4403 2012-03-19 21:14:48Z sra $ + $Id: left-right-schema.rnc 4346 2012-02-17 01:11:06Z sra $ RelaxNG Schema for RPKI left-right protocol. @@ -258,6 +258,11 @@ <value>yes</value> </attribute> </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> </define> <define name="self_payload"> <optional> @@ -399,7 +404,7 @@ </element> </optional> </define> - <define name="bsc_pkcs10"> + <define name="bsc_readonly"> <optional> <element name="pkcs10_request"> <ref name="base64"/> @@ -420,7 +425,7 @@ <ref name="ctl_create"/> <ref name="self_handle"/> <ref name="bsc_handle"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> @@ -437,7 +442,7 @@ <ref name="ctl_set"/> <ref name="self_handle"/> <ref name="bsc_handle"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> @@ -453,7 +458,7 @@ <ref name="self_handle"/> <ref name="bsc_handle"/> <ref name="bsc_payload"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> @@ -468,7 +473,7 @@ <ref name="self_handle"/> <ref name="bsc_handle"/> <ref name="bsc_payload"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> 
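Review bot: The `$Id` stamp in the regenerated left-right-schema.rng goes backwards, from `left-right-schema.rnc 4403` to `left-right-schema.rnc 4346` (the `@@ -1,6 +1,6 @@` hunk), which suggests the .rng was rebuilt from a working copy whose .rnc keyword expansion was stale rather than from the .rnc committed alongside it. The generated rules themselves do match the .rnc hunks above, so this looks cosmetic, but a regressing revision stamp in a generated schema makes it harder later to tell which .rnc a given .rng or relaxng.py was built from. Regenerating from an up-to-date checkout so the stamp reads 4403 or newer would fix it; the same regression appears in the relaxng.py copy of this schema.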
@@ -512,6 +517,11 @@ <value>yes</value> </attribute> </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> </define> <define name="parent_payload"> <optional> @@ -638,6 +648,11 @@ <value>yes</value> </attribute> </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> </define> <define name="child_payload"> <optional> @@ -735,6 +750,13 @@ <ref name="object_handle"/> </attribute> </define> + <define name="repository_bool"> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> <define name="repository_payload"> <optional> <attribute name="peer_contact_uri"> @@ -760,6 +782,7 @@ <ref name="ctl_create"/> <ref name="self_handle"/> <ref name="repository_handle"/> + <ref name="repository_bool"/> <ref name="repository_payload"/> </element> </define> @@ -775,6 +798,7 @@ <ref name="ctl_set"/> <ref name="self_handle"/> <ref name="repository_handle"/> + <ref name="repository_bool"/> <ref name="repository_payload"/> </element> </define> @@ -919,6 +943,11 @@ <attribute name="uri"> <ref name="uri"/> </attribute> + <optional> + <attribute name="child_handle"> + <ref name="object_handle"/> + </attribute> + </optional> <ref name="base64"/> </element> </define> diff --git a/rpkid/publication-schema.rnc b/rpkid/publication-schema.rnc index 18dd400e..4a4b71c7 100644 --- a/rpkid/publication-schema.rnc +++ b/rpkid/publication-schema.rnc 
@@ -73,20 +73,22 @@ object_handle = xsd:string { maxLength="255" pattern="[\-_A-Za-z0-9/]*" } config_payload = (element bpki_crl { base64 }?) -config_query |= element config { attribute action { "set" }, tag?, config_payload } -config_reply |= element config { attribute action { "set" }, tag? } -config_query |= element config { attribute action { "get" }, tag? } -config_reply |= element config { attribute action { "get" }, tag?, config_payload } +config_query |= element config { attribute action { "set" }, tag?, config_payload } +config_reply |= element config { attribute action { "set" }, tag? } +config_query |= element config { attribute action { "get" }, tag? } +config_reply |= element config { attribute action { "get" }, tag?, config_payload } # <client/> element (use restricted to repository operator) client_handle = attribute client_handle { object_handle } +client_bool = attribute clear_replay_protection { "yes" }? + client_payload = (attribute base_uri { uri_t }?, element bpki_cert { base64 }?, element bpki_glue { base64 }?) -client_query |= element client { attribute action { "create" }, tag?, client_handle, client_payload } +client_query |= element client { attribute action { "create" }, tag?, client_handle, client_bool, client_payload } client_reply |= element client { attribute action { "create" }, tag?, client_handle } -client_query |= element client { attribute action { "set" }, tag?, client_handle, client_payload } +client_query |= element client { attribute action { "set" }, tag?, client_handle, client_bool, client_payload } client_reply |= element client { attribute action { "set" }, tag?, client_handle } client_query |= element client { attribute action { "get" }, tag?, client_handle } client_reply |= element client { attribute action { "get" }, tag?, client_handle, client_payload } diff --git a/rpkid/publication-schema.rng b/rpkid/publication-schema.rng index 0f10c0ac..1a71b171 100644 --- a/rpkid/publication-schema.rng 
+++ b/rpkid/publication-schema.rng @@ -188,6 +188,13 @@ <ref name="object_handle"/> </attribute> </define> + <define name="client_bool"> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> <define name="client_payload"> <optional> <attribute name="base_uri"> @@ -214,6 +221,7 @@ <ref name="tag"/> </optional> <ref name="client_handle"/> + <ref name="client_bool"/> <ref name="client_payload"/> </element> </define> @@ -237,6 +245,7 @@ <ref name="tag"/> </optional> <ref name="client_handle"/> + <ref name="client_bool"/> <ref name="client_payload"/> </element> </define> diff --git a/rpkid/rpki/irdb/zookeeper.py b/rpkid/rpki/irdb/zookeeper.py index 844b50de..19bd55f7 100644 --- a/rpkid/rpki/irdb/zookeeper.py +++ b/rpkid/rpki/irdb/zookeeper.py @@ -992,6 +992,24 @@ class Zookeeper(object): action = "set", self_handle = self.handle, revoke_forgotten = "yes")) + def clear_all_sql_cms_replay_protection(self): + """ + Tell rpkid and pubd to clear replay protection for all SQL-based + entities. This is a fairly blunt instrument, but as we don't + expect this to be necessary except in the case of gross + misconfiguration, it should suffice + """ + + self.call_rpkid(*[rpki.left_right.self_elt.make_pdu(action = "set", self_handle = ca.handle, + clear_replay_protection = "yes") + for ca in rpki.irdb.ResourceHolderCA.objects.all()]) + if self.run_pubd: + self.call_pubd(*[rpki.publication.client_elt.make_pdu(action = "set", + client_handle = client.handle, + clear_replay_protection = "yes") + for client in self.server_ca.clients.all()]) + + def call_pubd(self, *pdus): """ Issue a call to pubd, return result. diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py index 4c8c6cd0..078b4066 100644 --- a/rpkid/rpki/left_right.py +++ b/rpkid/rpki/left_right.py 
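Review bot: `clear_all_sql_cms_replay_protection` unpacks the comprehension straight into `self.call_rpkid(*[...])` and `self.call_pubd(*[...])`, so with no ResourceHolderCA rows (or no pubd clients) it issues a call carrying zero PDUs; unless those helpers are known to tolerate an empty message, build the list first and guard with `if pdus: self.call_rpkid(*pdus)`. The docstring should also tell the caller what this costs: clearing the stored timestamp presumably lets each targeted peer accept a CMS message with any timestamp until its next genuine one arrives, so a previously captured message for that peer becomes replayable during that window — e.g. add `Until each peer sends a fresh message, an older captured CMS message for that peer could be replayed.` The docstring's last sentence is also missing its period.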
@@ -135,7 +135,8 @@ class self_elt(data_elt): element_name = "self" attributes = ("action", "tag", "self_handle", "crl_interval", "regen_margin") elements = ("bpki_cert", "bpki_glue") - booleans = ("rekey", "reissue", "revoke", "run_now", "publish_world_now", "revoke_forgotten") + booleans = ("rekey", "reissue", "revoke", "run_now", "publish_world_now", "revoke_forgotten", + "clear_replay_protection") sql_template = rpki.sql.template("self", "self_id", "self_handle", "use_hsm", "crl_interval", "regen_margin", @@ -209,6 +210,8 @@ class self_elt(data_elt): actions.append(self.serve_publish_world_now) if q_pdu.run_now: actions.append(self.serve_run_now) + if q_pdu.clear_replay_protection: + actions.append(self.serve_clear_replay_protection) def loop(iterator, action): action(iterator, eb) rpki.async.iterator(actions, loop, cb) @@ -249,6 +252,15 @@ class self_elt(data_elt): parent.serve_revoke_forgotten(iterator, eb) rpki.async.iterator(self.parents, loop, cb) + def serve_clear_replay_protection(self, cb, eb): + """ + Handle a left-right clear_replay_protection action for this self. + """ + rpki.log.trace() + def loop(iterator, obj): + obj.serve_clear_replay_protection(iterator, eb) + rpki.async.iterator(self.parents + self.children + self.repositories, loop, cb) + def serve_destroy_hook(self, cb, eb): """ Extra cleanup actions when destroying a self_elt. @@ -780,6 +792,7 @@ class repository_elt(data_elt): element_name = "repository" attributes = ("action", "tag", "self_handle", "repository_handle", "bsc_handle", "peer_contact_uri") elements = ("bpki_cert", "bpki_glue") + booleans = ("clear_replay_protection",) sql_template = rpki.sql.template("repository", "repository_id", "repository_handle", "self_id", "bsc_id", "peer_contact_uri", 
@@ -800,6 +813,25 @@ class repository_elt(data_elt): """ return parent_elt.sql_fetch_where(self.gctx, "repository_id = %s", (self.repository_id,)) + def serve_post_save_hook(self, q_pdu, r_pdu, cb, eb): + """ + Extra server actions for repository_elt. + """ + actions = [] + if q_pdu.clear_replay_protection: + actions.append(self.serve_clear_replay_protection) + def loop(iterator, action): + action(iterator, eb) + rpki.async.iterator(actions, loop, cb) + + def serve_clear_replay_protection(self, cb, eb): + """ + Handle a left-right clear_replay_protection action for this repository. + """ + self.last_cms_timestamp = None + self.sql_mark_dirty() + cb() + @staticmethod def default_pubd_handler(pdu): """ @@ -876,7 +908,7 @@ class parent_elt(data_elt): attributes = ("action", "tag", "self_handle", "parent_handle", "bsc_handle", "repository_handle", "peer_contact_uri", "sia_base", "sender_name", "recipient_name") elements = ("bpki_cms_cert", "bpki_cms_glue") - booleans = ("rekey", "reissue", "revoke", "revoke_forgotten") + booleans = ("rekey", "reissue", "revoke", "revoke_forgotten", "clear_replay_protection") sql_template = rpki.sql.template("parent", "parent_id", "parent_handle", "self_id", "bsc_id", "repository_id", @@ -919,6 +951,8 @@ class parent_elt(data_elt): actions.append(self.serve_reissue) if q_pdu.revoke_forgotten: actions.append(self.serve_revoke_forgotten) + if q_pdu.clear_replay_protection: + actions.append(self.serve_clear_replay_protection) def loop(iterator, action): action(iterator, eb) rpki.async.iterator(actions, loop, cb) @@ -947,6 +981,14 @@ class parent_elt(data_elt): ca.reissue(cb = iterator, eb = eb) rpki.async.iterator(self.cas, loop, cb) + def serve_clear_replay_protection(self, cb, eb): + """ + Handle a left-right clear_replay_protection action for this parent. + """ + self.last_cms_timestamp = None + self.sql_mark_dirty() + cb() + def get_skis(self, cb, eb): """ 
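Review bot: `serve_clear_replay_protection` on repository_elt and parent_elt silently sets `self.last_cms_timestamp = None` and marks the row dirty; since that re-arms the peer to accept a CMS message older than the last one seen (presumably what the field guards against), it is a security-relevant action that should leave a trace in the log rather than only the `rpki.log.trace()` in the self_elt fan-out. Suggest `rpki.log.warn("Clearing CMS replay protection for %r" % self)` before the assignment — or whichever rpki.log level this module uses for operator-visible events — in these two handlers and the matching child_elt and pubd client_elt ones. A one-line docstring note that the previous timestamp is discarded rather than preserved anywhere would also help a future operator understand why the log entry matters.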
@@ -1099,7 +1141,7 @@ class child_elt(data_elt): element_name = "child" attributes = ("action", "tag", "self_handle", "child_handle", "bsc_handle") elements = ("bpki_cert", "bpki_glue") - booleans = ("reissue", ) + booleans = ("reissue", "clear_replay_protection") sql_template = rpki.sql.template("child", "child_id", "child_handle", "self_id", "bsc_id", @@ -1137,10 +1179,14 @@ class child_elt(data_elt): """ Extra server actions for child_elt. """ + actions = [] if q_pdu.reissue: - self.serve_reissue(cb, eb) - else: - cb() + actions.append(self.serve_reissue) + if q_pdu.clear_replay_protection: + actions.append(self.serve_clear_replay_protection) + def loop(iterator, action): + action(iterator, eb) + rpki.async.iterator(actions, loop, cb) def serve_reissue(self, cb, eb): """ @@ -1151,6 +1197,14 @@ class child_elt(data_elt): child_cert.reissue(child_cert.ca_detail, publisher, force = True) publisher.call_pubd(cb, eb) + def serve_clear_replay_protection(self, cb, eb): + """ + Handle a left-right clear_replay_protection action for this child. + """ + self.last_cms_timestamp = None + self.sql_mark_dirty() + cb() + def ca_from_class_name(self, class_name): """ Fetch the CA corresponding to an up-down class_name. @@ -1289,10 +1343,11 @@ class list_published_objects_elt(rpki.xml_utils.text_elt, left_right_namespace): """ element_name = "list_published_objects" - attributes = ("self_handle", "tag", "uri") + attributes = ("self_handle", "tag", "uri", "child_handle") text_attribute = "obj" obj = None + child_handle = None def serve_dispatch(self, r_msg, cb, eb): """ 
@@ -1306,16 +1361,20 @@ class list_published_objects_elt(rpki.xml_utils.text_elt, left_right_namespace): if ca_detail is not None: r_msg.append(self.make_reply(ca_detail.crl_uri, ca_detail.latest_crl)) r_msg.append(self.make_reply(ca_detail.manifest_uri, ca_detail.latest_manifest)) - r_msg.extend(self.make_reply(c.uri, c.cert) for c in ca_detail.child_certs) - r_msg.extend(self.make_reply(r.uri, r.roa) for r in ca_detail.roas if r.roa is not None) - r_msg.extend(self.make_reply(g.uri, g.ghostbuster) for g in ca_detail.ghostbusters) + r_msg.extend(self.make_reply(c.uri, c.cert, c.child.child_handle) + for c in ca_detail.child_certs) + r_msg.extend(self.make_reply(r.uri, r.roa) + for r in ca_detail.roas if r.roa is not None) + r_msg.extend(self.make_reply(g.uri, g.ghostbuster) + for g in ca_detail.ghostbusters) cb() - def make_reply(self, uri, obj): + def make_reply(self, uri, obj, child_handle = None): """ Generate one reply PDU. """ - r_pdu = self.make_pdu(tag = self.tag, self_handle = self.self_handle, uri = uri) + r_pdu = self.make_pdu(tag = self.tag, self_handle = self.self_handle, + uri = uri, child_handle = child_handle) r_pdu.obj = obj.get_Base64() return r_pdu diff --git a/rpkid/rpki/publication.py b/rpkid/rpki/publication.py index 7cdb3167..07905601 100644 --- a/rpkid/rpki/publication.py +++ b/rpkid/rpki/publication.py @@ -118,6 +118,7 @@ class client_elt(control_elt): element_name = "client" attributes = ("action", "tag", "client_handle", "base_uri") elements = ("bpki_cert", "bpki_glue") + booleans = ("clear_replay_protection",) sql_template = rpki.sql.template("client", "client_id", "client_handle", "base_uri", ("bpki_cert", rpki.x509.X509), 
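Review bot: `make_reply` now passes `child_handle = None` to `make_pdu` for the CRL, manifest, ROA and ghostbuster replies (only child certs supply `c.child.child_handle`), so correctness depends on make_pdu omitting attributes whose value is None — the schema makes child_handle optional, it does not permit an empty value. If make_pdu does not already drop None-valued attributes, those replies will fail RelaxNG validation; either way a comment on the new `child_handle = None` class default saying it is left out of the XML when unset would make the contract explicit. Separately, `c.child` inside the comprehension looks like a per-certificate lookup; if it goes to SQL, listing a CA with many children costs one query per cert, which is worth confirming.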
@@ -129,6 +130,25 @@ class client_elt(control_elt): bpki_glue = None last_cms_timestamp = None + def serve_post_save_hook(self, q_pdu, r_pdu, cb, eb): + """ + Extra server actions for client_elt. + """ + actions = [] + if q_pdu.clear_replay_protection: + actions.append(self.serve_clear_replay_protection) + def loop(iterator, action): + action(iterator, eb) + rpki.async.iterator(actions, loop, cb) + + def serve_clear_replay_protection(self, cb, eb): + """ + Handle a clear_replay_protection action for this client. + """ + self.last_cms_timestamp = None + self.sql_mark_dirty() + cb() + def serve_fetch_one_maybe(self): """ Find the client object on which a get, set, or destroy method @@ -143,6 +163,9 @@ class client_elt(control_elt): return self.sql_fetch_all(self.gctx) def check_allowed_uri(self, uri): + """ + Make sure that a target URI is within this client's allowed URI space. + """ if not uri.startswith(self.base_uri): raise rpki.exceptions.ForbiddenURI diff --git a/rpkid/rpki/relaxng.py b/rpkid/rpki/relaxng.py index e017d54d..948fe417 100644 --- a/rpkid/rpki/relaxng.py +++ b/rpkid/rpki/relaxng.py @@ -6,7 +6,7 @@ import lxml.etree ## Parsed RelaxNG left_right schema left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" encoding="UTF-8"?> <!-- - $Id: left-right-schema.rnc 4403 2012-03-19 21:14:48Z sra $ + $Id: left-right-schema.rnc 4346 2012-02-17 01:11:06Z sra $ RelaxNG Schema for RPKI left-right protocol. @@ -264,6 +264,11 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <value>yes</value> </attribute> </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> </define> <define name="self_payload"> <optional> 
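Review bot: The new docstring on `check_allowed_uri` promises the URI is "within this client's allowed URI space", but the test it documents is a bare `uri.startswith(self.base_uri)`: unless base_uri is guaranteed to end in `/`, a client with base_uri `.../foo` also passes `.../foobar/...`, and a `..` segment after the prefix is not rejected here (whether that matters depends on how the URI is later mapped to a filesystem path, which is outside this hunk). Either state the assumption in the docstring, e.g. `Assumes base_uri ends with "/" so the prefix test is a directory boundary.`, or normalise base_uri when it is set. The startswith line itself is context, not part of this change; only the docstring is new.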
@@ -405,7 +410,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc </element> </optional> </define> - <define name="bsc_pkcs10"> + <define name="bsc_readonly"> <optional> <element name="pkcs10_request"> <ref name="base64"/> @@ -426,7 +431,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <ref name="ctl_create"/> <ref name="self_handle"/> <ref name="bsc_handle"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> @@ -443,7 +448,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <ref name="ctl_set"/> <ref name="self_handle"/> <ref name="bsc_handle"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> @@ -459,7 +464,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <ref name="self_handle"/> <ref name="bsc_handle"/> <ref name="bsc_payload"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> @@ -474,7 +479,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <ref name="self_handle"/> <ref name="bsc_handle"/> <ref name="bsc_payload"/> - <ref name="bsc_pkcs10"/> + <ref name="bsc_readonly"/> </element> </define> <define name="bsc_query" combine="choice"> @@ -518,6 +523,11 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <value>yes</value> </attribute> </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> </define> <define name="parent_payload"> <optional> 
@@ -644,6 +654,11 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <value>yes</value> </attribute> </optional> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> </define> <define name="child_payload"> <optional> @@ -741,6 +756,13 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <ref name="object_handle"/> </attribute> </define> + <define name="repository_bool"> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> <define name="repository_payload"> <optional> <attribute name="peer_contact_uri"> @@ -766,6 +788,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <ref name="ctl_create"/> <ref name="self_handle"/> <ref name="repository_handle"/> + <ref name="repository_bool"/> <ref name="repository_payload"/> </element> </define> @@ -781,6 +804,7 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <ref name="ctl_set"/> <ref name="self_handle"/> <ref name="repository_handle"/> + <ref name="repository_bool"/> <ref name="repository_payload"/> </element> </define> @@ -925,6 +949,11 @@ left_right = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" enc <attribute name="uri"> <ref name="uri"/> </attribute> + <optional> + <attribute name="child_handle"> + <ref name="object_handle"/> + </attribute> + </optional> <ref name="base64"/> </element> </define> @@ -1450,6 +1479,13 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en <ref name="object_handle"/> </attribute> </define> + <define name="client_bool"> + <optional> + <attribute name="clear_replay_protection"> + <value>yes</value> + </attribute> + </optional> + </define> <define name="client_payload"> <optional> <attribute name="base_uri"> 
@@ -1476,6 +1512,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en <ref name="tag"/> </optional> <ref name="client_handle"/> + <ref name="client_bool"/> <ref name="client_payload"/> </element> </define> @@ -1499,6 +1536,7 @@ publication = lxml.etree.RelaxNG(lxml.etree.fromstring('''<?xml version="1.0" en <ref name="tag"/> </optional> <ref name="client_handle"/> + <ref name="client_bool"/> <ref name="client_payload"/> </element> </define> diff --git a/rpkid/rpki/rpkic.py b/rpkid/rpki/rpkic.py index 6b860200..3ea44689 100644 --- a/rpkid/rpki/rpkic.py +++ b/rpkid/rpki/rpkic.py @@ -605,3 +605,17 @@ class main(rpki.cli.Cmd): raise BadCommandSyntax("Unexpected argument(s): %r" % arg) self.zoo.revoke_forgotten() + + + def do_clear_all_sql_cms_replay_protection(self, arg): + """ + Tell rpkid and pubd to clear replay protection for all SQL-based + entities. This is a fairly blunt instrument, but as we don't + expect this to be necessary except in the case of gross + misconfiguration, it should suffice + """ + + if arg: + raise BadCommandSyntax("Unexpected argument(s): %r" % arg) + + self.zoo.clear_all_sql_cms_replay_protection() |
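Review bot: `do_clear_all_sql_cms_replay_protection`'s docstring presumably doubles as the interactive help text for the command (the usual cmd.Cmd convention), yet it never tells the operator that the command re-opens the CMS replay window for every parent, child, repository and pubd client until each peer's next message arrives — something to know before running a "fairly blunt instrument". Suggest ending the docstring with `Use only to recover from clock or configuration errors; until each peer sends a fresh message, an older captured CMS message for that peer could be replayed.` and adding the missing period after "suffice". Given the scope, printing which handles were cleared, or asking for confirmation first, would also be reasonable.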