-rw-r--r-- | rpkid/rpki/https.py | 8 | ||||
-rw-r--r-- | rpkid/rpki/rpki_engine.py | 4 | ||||
-rw-r--r-- | rpkid/testbed.2.yaml | 2 | ||||
-rw-r--r-- | rpkid/testbed.py | 46 | ||||
-rw-r--r-- | rpkid/testpoke.py | 15 |
5 files changed, 44 insertions, 31 deletions
diff --git a/rpkid/rpki/https.py b/rpkid/rpki/https.py
index f1e4cece..fd13b3d8 100644
--- a/rpkid/rpki/https.py
+++ b/rpkid/rpki/https.py
@@ -50,7 +50,7 @@ rpki_content_type = "application/x-rpki"
 # ================================================================
-debug = True
+debug = False
 want_persistent_client = True
 want_persistent_server = True
@@ -563,7 +563,8 @@ def client(msg, client_key, client_cert, server_ta, url, callback, errback):
 hostport = (u.hostname or "localhost", u.port or 80)
- rpki.log.debug("Created request %r for %r" % (request, hostport))
+ if debug:
+ rpki.log.debug("Created request %r for %r" % (request, hostport))
 if hostport not in queues:
 queues[hostport] = http_queue(hostport)
 queues[hostport].request(request)
@@ -571,7 +572,8 @@ def client(msg, client_key, client_cert, server_ta, url, callback, errback):
 # Defer connection attempt until after we've had time to process any
 # pending I/O events, in case connections have closed.
- rpki.log.debug("Scheduling connection startup for %r" % request)
+ if debug:
+ rpki.log.debug("Scheduling connection startup for %r" % request)
 rpki.async.timer(queues[hostport].restart, errback).set(None)
 def server(handlers, server_key, server_cert, port, host ="", client_ta = None, dynamic_https_trust_anchor = None):
diff --git a/rpkid/rpki/rpki_engine.py b/rpkid/rpki/rpki_engine.py
index 33be7ca6..110ce8b7 100644
--- a/rpkid/rpki/rpki_engine.py
+++ b/rpkid/rpki/rpki_engine.py
@@ -139,7 +139,7 @@ class rpkid_context(object):
 rpki.log.trace()
 self.sql.ping()
- def each(iterator, s):
+ def loop(iterator, s):
 def one():
 rpki.log.debug("Self %s polling parents" % s.self_id)
@@ -163,7 +163,7 @@ class rpkid_context(object):
 self.sql.sweep()
 cb(200, "OK")
- rpki.async.iterator(rpki.left_right.self_elt.sql_fetch_all(self), each, done)
+ rpki.async.iterator(rpki.left_right.self_elt.sql_fetch_all(self), loop, done)
 ## @var https_ta_cache
 # HTTPS trust anchor cache, to avoid regenerating it for every TLS connection.
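Review bot: The new `if debug:` guards in this hunk and in the `Scheduling connection startup` hunk below turn the module-level `debug` flag into a second verbosity switch beside whatever level `rpki.log` itself honors, so with `debug = False` these two messages vanish while, presumably, every other `rpki.log.debug` call in the module still fires. A one-line comment at the flag would spare the next reader a search, e.g. `# Gates only the per-request %r dumps in client(); other debug output is unaffected.` Whether `%r` of a request includes the message body is not visible here; if it does, the log becomes a copy of the traffic and defaulting the guard to False is the right call, which is worth stating in that comment. client() continues outside the hunk.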
diff --git a/rpkid/testbed.2.yaml b/rpkid/testbed.2.yaml
index 76f8d44d..44c1db8f 100644
--- a/rpkid/testbed.2.yaml
+++ b/rpkid/testbed.2.yaml
@@ -45,7 +45,7 @@ kids:
 asn: 64534-64540
 - name: Harry
 asn: 666-677
- #hosted_by: R1
+ hosted_by: R1
 - name: R4
 kids:
 - name: Ilse
diff --git a/rpkid/testbed.py b/rpkid/testbed.py
index 8c0ca96d..715a1f9d 100644
--- a/rpkid/testbed.py
+++ b/rpkid/testbed.py
@@ -664,9 +664,10 @@ class allocation(object):
 cur = db.cursor()
 for sql in irdb_sql:
 cur.execute(sql)
- for kid in self.kids:
- cur.execute("INSERT registrant (IRBE_mapped_id, subject_name, valid_until) VALUES (%s, %s, %s)",
- (kid.name, kid.name, kid.resources.valid_until.to_sql()))
+ for s in [self] + self.hosts:
+ for kid in s.kids:
+ cur.execute("INSERT registrant (IRBE_mapped_id, subject_name, valid_until) VALUES (%s, %s, %s)",
+ (kid.name, kid.name, kid.resources.valid_until.to_sql()))
 db.close()
 def sync_sql(self):
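Review bot: `[self] + self.hosts` is now the iteration basis both here and in `sync_sql` in the next hunk, so the definition of which selves' kids this IRDB holds is spelled out twice and will drift if hosting semantics change again; a small accessor such as `def selves_served(self): return [self] + self.hosts` used by both loops keeps them in step. `self.hosts` is not defined in the visible lines, so this assumes the attribute exists on every allocation including leaves; if it can be missing, the loop should read `[self] + getattr(self, "hosts", [])`. The enclosing method starts before this hunk.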
@@ -680,16 +681,17 @@ class allocation(object):
 cur = db.cursor()
 cur.execute("DELETE FROM asn")
 cur.execute("DELETE FROM net")
- for kid in self.kids:
- cur.execute("SELECT registrant_id FROM registrant WHERE IRBE_mapped_id = %s", (kid.name,))
- registrant_id = cur.fetchone()[0]
- for as_range in kid.resources.asn:
- cur.execute("INSERT asn (start_as, end_as, registrant_id) VALUES (%s, %s, %s)", (as_range.min, as_range.max, registrant_id))
- for v4_range in kid.resources.v4:
- cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)", (v4_range.min, v4_range.max, registrant_id))
- for v6_range in kid.resources.v6:
- cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)", (v6_range.min, v6_range.max, registrant_id))
- cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", (kid.resources.valid_until.to_sql(), registrant_id))
+ for s in [self] + self.hosts:
+ for kid in s.kids:
+ cur.execute("SELECT registrant_id FROM registrant WHERE IRBE_mapped_id = %s", (kid.name,))
+ registrant_id = cur.fetchone()[0]
+ for as_range in kid.resources.asn:
+ cur.execute("INSERT asn (start_as, end_as, registrant_id) VALUES (%s, %s, %s)", (as_range.min, as_range.max, registrant_id))
+ for v4_range in kid.resources.v4:
+ cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 4, %s)", (v4_range.min, v4_range.max, registrant_id))
+ for v6_range in kid.resources.v6:
+ cur.execute("INSERT net (start_ip, end_ip, version, registrant_id) VALUES (%s, %s, 6, %s)", (v6_range.min, v6_range.max, registrant_id))
+ cur.execute("UPDATE registrant SET valid_until = %s WHERE registrant_id = %s", (kid.resources.valid_until.to_sql(), registrant_id))
 db.close()
 def run_daemons(self):
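Review bot: `registrant_id = cur.fetchone()[0]` now runs for hosted selves' kids as well, and when the SELECT returns no row the subscript fails with a bare TypeError that names neither the kid nor the self, which is exactly what a mismatch between this loop and the INSERT loop in the previous hunk would produce. `row = cur.fetchone()` followed by `if row is None: raise RuntimeError("No registrant row for %s" % kid.name)` makes that diagnosable. The lookup also keys on `kid.name` alone, so two kids with the same name under different selves in one host's IRDB would resolve to the same registrant row; presumably the test YAML never does that, but a comment stating that kid names are assumed unique per host would record it. The enclosing method starts before this hunk.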
@@ -829,7 +831,9 @@ class allocation(object):
 tag = str(i),
 crl_interval = s.crl_interval,
 regen_margin = s.regen_margin,
- bpki_cert = rpki.x509.X509(Auto_file = s.name + "-SELF.cer"))
+ bpki_cert = (s.cross_certify(s.hosted_by.name + "-TA", reverse = True)
+ if s.is_hosted() else
+ rpki.x509.X509(Auto_file = s.name + "-SELF.cer")))
 for i, s in enumerate(selves)],
 cb = got_self_id)
@@ -863,6 +867,7 @@ class allocation(object):
 raise RuntimeError, "Couldn't issue BSC EE certificate"
 s.bsc_ee = rpki.x509.X509(PEM = signed[0])
 s.bsc_crl = rpki.x509.CRL(PEM_file = s.name + "-SELF.crl")
+ rpki.log.info("BSC EE cert for %s SKI %s" % (s.name, s.bsc_ee.hSKI()))
 rpki.log.info("Installing BSC EE certs for %s" % self.name)
 self.call_rpkid([rpki.left_right.bsc_elt.make_pdu(action = "set",
@@ -1009,11 +1014,17 @@ class allocation(object):
 def setup_yaml_leaf(self):
 """
 Generate certificates and write YAML scripts for leaf nodes.
+
 We're cheating a bit here: properly speaking, we can't generate issue or revoke requests without knowing the class, which is generated on the fly, but at the moment the test case is simplistic enough that the class will always be "1", so we just wire in that value for now.
+
+ Well, ok, we just broke that assumption. Now we do something even
+ nastier, just to eke a bit more life out of this kludge. This
+ really needs to be rewritten, but it may require a different tool
+ than testpoke.
 """
 if not os.path.exists(self.name + ".key"):
@@ -1031,7 +1042,8 @@ class allocation(object):
 "child_id" : self.child_id,
 "parent_name" : self.parent.name,
 "my_name" : self.name,
- "https_port" : self.parent.rpki_port,
+ "https_port" : self.parent.hosted_by.rpki_port if self.parent.is_hosted() else self.parent.rpki_port,
+ "class_name" : 2 if self.parent.is_hosted() else 1,
 "sia" : self.sia_base,
 "ski" : ski })
 f.close()
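Review bot: The conditional expression folded into the `bpki_cert` keyword argument sits inside a list comprehension whose start and end are outside this hunk, and it buries the one security-relevant decision in the PDU, which certificate becomes a self's BPKI identity, in the middle of an argument list. A helper such as `def self_bpki_cert(s): return s.cross_certify(s.hosted_by.name + "-TA", reverse = True) if s.is_hosted() else rpki.x509.X509(Auto_file = s.name + "-SELF.cer")` with a comment stating that a hosted self is identified by a cert cross-certified against its host's TA (what `reverse = True` selects is not explained anywhere visible; confirm before documenting it) would keep the construction flat. The enclosing call starts and ends outside the hunk.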
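Review bot: `"class_name" : 2 if self.parent.is_hosted() else 1` is the wired-in value the enlarged `setup_yaml_leaf` docstring in the earlier hunk apologizes for, but nothing at this line says so, and a reader of the YAML template (`class: %(class_name)s` in the following hunk) has no way back to the reasoning. An inline comment such as `# Kludge: resource class id, assumed 1 for a self-hosted parent and 2 for a hosted one; see docstring.` ties the three together. The `https_port` line in the same hunk redirects the leaf to its parent's host's port; if the leaf's HTTPS trust anchor must likewise be the host's, that is presumably handled elsewhere and a comment here would say where. The enclosing method starts before this hunk.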
@@ -1321,13 +1333,13 @@ requests:
 type: list
 issue:
 type: issue
- class: 1
+ class: %(class_name)s
 sia:
 - %(sia)s
 cert-request-key-file: %(my_name)s.key
 revoke:
 type: revoke
- class: 1
+ class: %(class_name)s
 ski: %(ski)s
 '''
diff --git a/rpkid/testpoke.py b/rpkid/testpoke.py
index e770101e..4725b0b4 100644
--- a/rpkid/testpoke.py
+++ b/rpkid/testpoke.py
@@ -108,11 +108,6 @@ def query_up_down(q_pdu):
 fail(edata)
 rpki.async.exit_event_loop()
- def fail(e):
- if debug:
- raise e
- print "Failed:", e
-
 rpki.https.client(
 server_ta = [https_ta] + https_ca_certs,
 client_key = https_key,
@@ -142,6 +137,12 @@ def do_revoke():
 dispatch = { "list" : do_list, "issue" : do_issue, "revoke" : do_revoke }
+def fail(e):
+ if debug:
+ raise e
+ print "Testpoke failed:", e
+ sys.exit(1)
+
 cms_ta = get_PEM("cms-ca-cert", rpki.x509.X509)
 cms_cert = get_PEM("cms-cert", rpki.x509.X509)
 cms_key = get_PEM("cms-key", rpki.x509.RSA)
@@ -159,6 +160,4 @@ try:
 dispatch[yaml_req["type"]]()
 rpki.async.event_loop()
 except Exception, edata:
- if debug:
- raise
- print "Failed:", edata
+ fail(edata) |
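Review bot: In the new top-level `fail`, `raise e` re-raises the instance from this frame, so when `debug` is set the traceback the user sees starts at `fail` rather than at the original raise point; the nested version in `query_up_down` behaved the same way, but the new function is also called from the `except` block in the last hunk, where the original traceback is still available and a bare `raise` would keep it. Since the `query_up_down` caller does not appear to be inside an `except`, a form that serves both is `exc = sys.exc_info()` followed by `if exc[0] is not None: raise exc[0], exc[1], exc[2]` before falling back to `raise e`. The message also goes to stdout; `print >>sys.stderr, "Testpoke failed:", e` keeps it out of any captured output, and `sys.exit(1)` assumes `sys` is imported at the top of the file, which is not visible here.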