aboutsummaryrefslogtreecommitdiff
path: root/rpkid
diff options
context:
space:
mode:
Diffstat (limited to 'rpkid')
-rwxr-xr-xrpkid/rootd.py8
-rw-r--r--rpkid/rpki/gctx.py161
-rw-r--r--rpkid/rpki/left_right.py357
-rw-r--r--rpkid/rpki/sql.py326
-rw-r--r--rpkid/rpki/up_down.py58
-rwxr-xr-xrpkid/rpkid.py87
6 files changed, 511 insertions, 486 deletions
diff --git a/rpkid/rootd.py b/rpkid/rootd.py
index feae6e91..8f113938 100755
--- a/rpkid/rootd.py
+++ b/rpkid/rootd.py
@@ -66,12 +66,12 @@ def compose_response(r_msg):
rc.certs[0].cert = rpki_subject
class list_pdu(rpki.up_down.list_pdu):
- def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
+ def serve_pdu(self, q_msg, r_msg, ignored):
r_msg.payload = rpki.up_down.list_response_pdu()
compose_response(r_msg)
class issue_pdu(rpki.up_down.issue_pdu):
- def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
+ def serve_pdu(self, q_msg, r_msg, ignored):
stash_subject_pkcs10(self.pkcs10)
self.pkcs10.check_valid_rpki()
r_msg.payload = rpki.up_down.issue_response_pdu()
@@ -104,7 +104,7 @@ class issue_pdu(rpki.up_down.issue_pdu):
compose_response(r_msg)
class revoke_pdu(rpki.up_down.revoke_pdu):
- def serve_pdu(self, xxx1, q_msg, r_msg, xxx2):
+ def serve_pdu(self, q_msg, r_msg, ignored):
rpki_subject = get_subject_cert()
if rpki_subject is None or rpki_subject.gSKI() != self.ski:
raise rpki.exceptions.NotInDatabase
@@ -137,7 +137,7 @@ def up_down_handler(query, path):
rpki.log.error(traceback.format_exc())
return 400, "Could not process PDU: %s" % data
try:
- r_msg = q_msg.serve_top_level(None, None)
+ r_msg = q_msg.serve_top_level(None)
r_elt = r_msg.toXML()
try:
rpki.relaxng.up_down.assertValid(r_elt)
diff --git a/rpkid/rpki/gctx.py b/rpkid/rpki/gctx.py
new file mode 100644
index 00000000..33bded85
--- /dev/null
+++ b/rpkid/rpki/gctx.py
@@ -0,0 +1,161 @@
+# $Id$
+
+# Copyright (C) 2007--2008 American Registry for Internet Numbers ("ARIN")
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ARIN DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL ARIN BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+"""
+Global context for rpkid. Probably should be renamed rpkid.py, but
+the identifier gctx is scattered all through the code at the moment.
+"""
+
+import traceback, os, time, getopt, sys, MySQLdb, lxml.etree
+import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509, rpki.sql
+import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng, rpki.log
+
+class global_context(object):
+ """A container for various global parameters."""
+
+ def __init__(self, cfg):
+
+ self.db = MySQLdb.connect(user = cfg.get("sql-username"),
+ db = cfg.get("sql-database"),
+ passwd = cfg.get("sql-password"))
+ self.cur = self.db.cursor()
+
+ self.cms_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irdb"))
+ self.cms_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irbe"))
+ self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
+ self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
+
+ self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
+ self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
+ self.https_ta_irdb = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irdb"))
+ self.https_ta_irbe = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irbe"))
+
+ self.irdb_url = cfg.get("irdb-url")
+
+ self.https_server_host = cfg.get("server-host", "")
+ self.https_server_port = int(cfg.get("server-port", "4433"))
+
+ self.publication_kludge_base = cfg.get("publication-kludge-base", "publication/")
+
+ self.sql_cache = {}
+ self.sql_dirty = set()
+
+ def irdb_query(self, self_id, child_id = None):
+ """Perform an IRDB callback query. In the long run this should not
+ be a blocking routine, it should instead issue a query and set up a
+ handler to receive the response. For the moment, though, we are
+ doing simple lock step and damn the torpedos. Not yet doing
+ anything useful with subject name. Most likely this function should
+ really be wrapped up in a class that carries both the query result
+ and also the intermediate state needed for the event-driven code
+ that this function will need to become.
+ """
+
+ rpki.log.trace()
+
+ q_msg = rpki.left_right.msg()
+ q_msg.append(rpki.left_right.list_resources_elt())
+ q_msg[0].type = "query"
+ q_msg[0].self_id = self_id
+ q_msg[0].child_id = child_id
+ q_elt = q_msg.toXML()
+ rpki.relaxng.left_right.assertValid(q_elt)
+ q_cms = rpki.cms.xml_sign(q_elt, self.cms_key, self.cms_certs)
+ r_cms = rpki.https.client(
+ privateKey = self.https_key,
+ certChain = self.https_certs,
+ x509TrustList = self.https_ta_irdb,
+ url = self.irdb_url,
+ msg = q_cms)
+ r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta_irdb)
+ rpki.relaxng.left_right.assertValid(r_elt)
+ r_msg = rpki.left_right.sax_handler.saxify(r_elt)
+ if len(r_msg) == 0 or not isinstance(r_msg[0], rpki.left_right.list_resources_elt) or r_msg[0].type != "reply":
+ raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % lxml.etree.tostring(r_msg.toXML(), pretty_print = True, encoding = "us-ascii")
+ return rpki.resource_set.resource_bag(
+ as = r_msg[0].as,
+ v4 = r_msg[0].ipv4,
+ v6 = r_msg[0].ipv6,
+ valid_until = r_msg[0].valid_until)
+
+ def sql_cache_clear(self):
+ """Clear the object cache."""
+ self.sql_cache.clear()
+
+ def sql_assert_pristine(self):
+ """Assert that there are no dirty objects in the cache."""
+ assert not self.sql_dirty, "Dirty objects in SQL cache: %s" % self.sql_dirty
+
+ def sql_sweep(self):
+ """Write any dirty objects out to SQL."""
+ for s in self.sql_dirty.copy():
+ rpki.log.debug("Sweeping %s" % repr(s))
+ if s.sql_deleted:
+ s.sql_delete()
+ else:
+ s.sql_store()
+ self.sql_assert_pristine()
+
+ def left_right_handler(self, query, path):
+ """Process one left-right PDU."""
+ rpki.log.trace()
+ try:
+ q_elt = rpki.cms.xml_verify(query, self.cms_ta_irbe)
+ rpki.relaxng.left_right.assertValid(q_elt)
+ q_msg = rpki.left_right.sax_handler.saxify(q_elt)
+ r_msg = q_msg.serve_top_level(self)
+ r_elt = r_msg.toXML()
+ rpki.relaxng.left_right.assertValid(r_elt)
+ reply = rpki.cms.xml_sign(r_elt, self.cms_key, self.cms_certs)
+ self.sql_sweep()
+ return 200, reply
+ except lxml.etree.DocumentInvalid:
+ rpki.log.warn("Received reply document does not pass schema check: " + lxml.etree.tostring(r_elt, pretty_print = True))
+ rpki.log.warn(traceback.format_exc())
+ return 500, "Schema violation"
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 500, "Unhandled exception %s" % data
+
+ def up_down_handler(self, query, path):
+ """Process one up-down PDU."""
+ rpki.log.trace()
+ try:
+ child_id = path.partition("/up-down/")[2]
+ if not child_id.isdigit():
+ raise rpki.exceptions.BadContactURL, "Bad path: %s" % path
+ child = rpki.left_right.child_elt.sql_fetch(self, long(child_id))
+ if child is None:
+ raise rpki.exceptions.ChildNotFound, "Could not find child %s" % child_id
+ reply = child.serve_up_down(query)
+ self.sql_sweep()
+ return 200, reply
+ except Exception, data:
+ rpki.log.error(traceback.format_exc())
+ return 400, "Could not process PDU: %s" % data
+
+ def cronjob_handler(self, query, path):
+ """Periodic tasks. As simple as possible for now, may need to break
+ this up into separate handlers later.
+ """
+
+ rpki.log.trace()
+ for s in rpki.left_right.self_elt.sql_fetch_all(self):
+ s.client_poll()
+ s.update_children()
+ s.regenerate_crls_and_manifests()
+ self.sql_sweep()
+ return 200, "OK"
diff --git a/rpkid/rpki/left_right.py b/rpkid/rpki/left_right.py
index 4ace0bca..462f5e65 100644
--- a/rpkid/rpki/left_right.py
+++ b/rpkid/rpki/left_right.py
@@ -75,13 +75,13 @@ class base_elt(object):
class data_elt(base_elt, rpki.sql.sql_persistant):
"""Virtual class for top-level left-right protocol data elements."""
- def self(this, gctx):
+ def self(this):
"""Fetch self object to which this object links."""
- return self_elt.sql_fetch(gctx, this.self_id)
+ return self_elt.sql_fetch(this.gctx, this.self_id)
- def bsc(self, gctx):
+ def bsc(self):
"""Return BSC object to which this object links."""
- return bsc_elt.sql_fetch(gctx, self.bsc_id)
+ return bsc_elt.sql_fetch(self.gctx, self.bsc_id)
@classmethod
def make_pdu(cls, **kargs):
@@ -105,68 +105,68 @@ class data_elt(base_elt, rpki.sql.sql_persistant):
r_pdu.tag = self.tag
return r_pdu
- def serve_pre_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_pre_save_hook(self, q_pdu, r_pdu):
"""Overridable hook."""
pass
- def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_post_save_hook(self, q_pdu, r_pdu):
"""Overridable hook."""
pass
- def serve_create(self, gctx, r_msg):
+ def serve_create(self, r_msg):
"""Handle a create action."""
r_pdu = self.make_reply()
- self.serve_pre_save_hook(gctx, self, r_pdu)
- self.sql_store(gctx)
+ self.serve_pre_save_hook(self, r_pdu)
+ self.sql_store()
setattr(r_pdu, self.sql_template.index, getattr(self, self.sql_template.index))
- self.serve_post_save_hook(gctx, self, r_pdu)
+ self.serve_post_save_hook(self, r_pdu)
r_msg.append(r_pdu)
- def serve_fetch_one(self, gctx):
+ def serve_fetch_one(self):
"""Find the object on which a get, set, or destroy method should
- operate. This is a separate method because the self object needs
- to override it.
+ operate. This is a separate method because the self_elt object
+ needs to override it.
"""
where = self.sql_template.index + " = %s AND self_id = %s"
args = (getattr(self, self.sql_template.index), self.self_id)
- r = self.sql_fetch_where1(gctx, where, args)
+ r = self.sql_fetch_where1(self.gctx, where, args)
if r is None:
raise rpki.exceptions.NotFound, "Lookup failed where %s" + (where % args)
return r
- def serve_set(self, gctx, r_msg):
+ def serve_set(self, r_msg):
"""Handle a set action."""
- db_pdu = self.serve_fetch_one(gctx)
+ db_pdu = self.serve_fetch_one()
r_pdu = self.make_reply()
for a in db_pdu.sql_template.columns[1:]:
v = getattr(self, a)
if v is not None:
setattr(db_pdu, a, v)
db_pdu.sql_mark_dirty()
- db_pdu.serve_pre_save_hook(gctx, self, r_pdu)
- db_pdu.sql_store(gctx)
- db_pdu.serve_post_save_hook(gctx, self, r_pdu)
+ db_pdu.serve_pre_save_hook(self, r_pdu)
+ db_pdu.sql_store()
+ db_pdu.serve_post_save_hook(self, r_pdu)
r_msg.append(r_pdu)
- def serve_get(self, gctx, r_msg):
+ def serve_get(self, r_msg):
"""Handle a get action."""
- r_pdu = self.serve_fetch_one(gctx)
+ r_pdu = self.serve_fetch_one()
self.make_reply(r_pdu)
r_msg.append(r_pdu)
- def serve_list(self, gctx, r_msg):
+ def serve_list(self, r_msg):
"""Handle a list action for non-self objects."""
- for r_pdu in self.sql_fetch_where(gctx, "self_id = %s", (self.self_id,)):
+ for r_pdu in self.sql_fetch_where(self.gctx, "self_id = %s", (self.self_id,)):
self.make_reply(r_pdu)
r_msg.append(r_pdu)
- def serve_destroy(self, gctx, r_msg):
+ def serve_destroy(self, r_msg):
"""Handle a destroy action."""
- db_pdu = self.serve_fetch_one(gctx)
- db_pdu.sql_delete(gctx)
+ db_pdu = self.serve_fetch_one()
+ db_pdu.sql_delete()
r_msg.append(self.make_reply())
- def serve_dispatch(self, gctx, r_msg):
+ def serve_dispatch(self, r_msg):
"""Action dispatch handler."""
dispatch = { "create" : self.serve_create,
"set" : self.serve_set,
@@ -175,7 +175,7 @@ class data_elt(base_elt, rpki.sql.sql_persistant):
"destroy" : self.serve_destroy }
if self.type != "query" or self.action not in dispatch:
raise rpki.exceptions.BadQuery, "Unexpected query: type %s, action %s" % (self.type, self.action)
- dispatch[self.action](gctx, r_msg)
+ dispatch[self.action](r_msg)
def unimplemented_control(self, *controls):
"""Uniform handling for unimplemented control operations."""
@@ -223,46 +223,46 @@ class self_elt(data_elt):
"""Initialize a self_elt."""
self.prefs = []
- def sql_fetch_hook(self, gctx):
+ def sql_fetch_hook(self):
"""Extra SQL fetch actions for self_elt -- handle extension preferences."""
- gctx.cur.execute("SELECT pref_name, pref_value FROM self_pref WHERE self_id = %s", (self.self_id,))
- for name, value in gctx.cur.fetchall():
+ self.gctx.cur.execute("SELECT pref_name, pref_value FROM self_pref WHERE self_id = %s", (self.self_id,))
+ for name, value in self.gctx.cur.fetchall():
e = extension_preference_elt()
e.name = name
e.value = value
self.prefs.append(e)
- def sql_insert_hook(self, gctx):
+ def sql_insert_hook(self):
"""Extra SQL insert actions for self_elt -- handle extension preferences."""
if self.prefs:
- gctx.cur.executemany("INSERT self_pref (self_id, pref_name, pref_value) VALUES (%s, %s, %s)",
- ((e.name, e.value, self.self_id) for e in self.prefs))
+ self.gctx.cur.executemany("INSERT self_pref (self_id, pref_name, pref_value) VALUES (%s, %s, %s)",
+ ((e.name, e.value, self.self_id) for e in self.prefs))
- def sql_delete_hook(self, gctx):
+ def sql_delete_hook(self):
"""Extra SQL delete actions for self_elt -- handle extension preferences."""
- gctx.cur.execute("DELETE FROM self_pref WHERE self_id = %s", (self.self_id,))
+ self.gctx.cur.execute("DELETE FROM self_pref WHERE self_id = %s", (self.self_id,))
- def bscs(self, gctx):
+ def bscs(self):
"""Fetch all BSC objects that link to this self object."""
- return bsc_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+ return bsc_elt.sql_fetch_where(self.gctx, "self_id = %s", (self.self_id,))
- def repositories(self, gctx):
+ def repositories(self):
"""Fetch all repository objects that link to this self object."""
- return repository_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+ return repository_elt.sql_fetch_where(self.gctx, "self_id = %s", (self.self_id,))
- def parents(self, gctx):
+ def parents(self):
"""Fetch all parent objects that link to this self object."""
- return parent_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+ return parent_elt.sql_fetch_where(self.gctx, "self_id = %s", (self.self_id,))
- def children(self, gctx):
+ def children(self):
"""Fetch all child objects that link to this self object."""
- return child_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+ return child_elt.sql_fetch_where(self.gctx, "self_id = %s", (self.self_id,))
- def route_origins(self, gctx):
+ def route_origins(self):
"""Fetch all route_origin objects that link to this self object."""
- return route_origin_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+ return route_origin_elt.sql_fetch_where(self.gctx, "self_id = %s", (self.self_id,))
- def serve_pre_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_pre_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for self_elt -- handle extension preferences."""
rpki.log.trace()
if self is not q_pdu:
@@ -270,42 +270,42 @@ class self_elt(data_elt):
self.prefs = []
self.prefs.extend(q_pdu.prefs)
- def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for self_elt."""
rpki.log.trace()
if q_pdu.rekey:
- self.serve_rekey(gctx)
+ self.serve_rekey()
if q_pdu.revoke:
- self.serve_revoke(gctx)
+ self.serve_revoke()
self.unimplemented_control("reissue", "run_now", "publish_world_now")
- def serve_rekey(self, gctx):
+ def serve_rekey(self):
"""Handle a left-right rekey action for this self."""
rpki.log.trace()
- for parent in self.parents(gctx):
- parent.serve_rekey(gctx)
+ for parent in self.parents():
+ parent.serve_rekey()
- def serve_revoke(self, gctx):
+ def serve_revoke(self):
"""Handle a left-right revoke action for this self."""
rpki.log.trace()
- for parent in self.parents(gctx):
- parent.serve_revoke(gctx)
+ for parent in self.parents():
+ parent.serve_revoke()
- def serve_fetch_one(self, gctx):
+ def serve_fetch_one(self):
"""Find the self object on which a get, set, or destroy method
should operate.
"""
- r = self.sql_fetch(gctx, self.self_id)
+ r = self.sql_fetch(self.gctx, self.self_id)
if r is None:
raise rpki.exceptions.NotFound
return r
- def serve_list(self, gctx, r_msg):
+ def serve_list(self, r_msg):
"""Handle a list action for self objects. This is different from
the list action for all other objects, where list only works
within a given self_id context.
"""
- for r_pdu in self.sql_fetch_all(gctx):
+ for r_pdu in self.sql_fetch_all(self.gctx):
self.make_reply(r_pdu)
r_msg.append(r_pdu)
@@ -331,29 +331,29 @@ class self_elt(data_elt):
elt.extend([i.toXML() for i in self.prefs])
return elt
- def client_poll(self, gctx):
+ def client_poll(self):
"""Run the regular client poll cycle with each of this self's parents in turn."""
rpki.log.trace()
- for parent in self.parents(gctx):
+ for parent in self.parents():
# This will need a callback when we go event-driven
- r_msg = rpki.up_down.list_pdu.query(gctx, parent)
+ r_msg = rpki.up_down.list_pdu.query(parent)
- ca_map = dict((ca.parent_resource_class, ca) for ca in parent.cas(gctx))
+ ca_map = dict((ca.parent_resource_class, ca) for ca in parent.cas())
for rc in r_msg.payload.classes:
if rc.class_name in ca_map:
ca = ca_map[rc.class_name]
del ca_map[rc.class_name]
- ca.check_for_updates(gctx, parent, rc)
+ ca.check_for_updates(parent, rc)
else:
- rpki.sql.ca_obj.create(gctx, parent, rc)
+ rpki.sql.ca_obj.create(parent, rc)
for ca in ca_map.values():
- ca.delete(gctx, parent) # CA not listed by parent
- rpki.sql.sql_sweep(gctx)
+ ca.delete(parent) # CA not listed by parent
+ self.gctx.sql_sweep()
- def update_children(self, gctx):
+ def update_children(self):
"""Check for updated IRDB data for all of this self's children and
issue new certs as necessary. Must handle changes both in
resources and in expiration date.
@@ -363,16 +363,16 @@ class self_elt(data_elt):
now = rpki.sundial.now()
- for child in self.children(gctx):
- child_certs = child.child_certs(gctx)
+ for child in self.children():
+ child_certs = child.child_certs()
if not child_certs:
continue
# This will require a callback when we go event-driven
- irdb_resources = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
+ irdb_resources = self.gctx.irdb_query(child.self_id, child.child_id)
for child_cert in child_certs:
- ca_detail = child_cert.ca_detail(gctx)
+ ca_detail = child_cert.ca_detail()
if ca_detail.state != "active":
continue
old_resources = child_cert.cert.get_3779resources()
@@ -380,17 +380,16 @@ class self_elt(data_elt):
if old_resources != new_resources:
rpki.log.debug("Need to reissue %s" % repr(child_cert))
child_cert.reissue(
- gctx = gctx,
ca_detail = ca_detail,
resources = new_resources)
elif old_resources.valid_until < now:
- parent = ca.parent(gctx)
- repository = parent.repository(gctx)
- child_cert.sql_delete(gctx)
- ca_detail.generate_manifest(gctx)
- repository.withdraw(gctx, child_cert.cert, child_cert.uri(ca))
+ parent = ca.parent()
+ repository = parent.repository()
+ child_cert.sql_delete()
+ ca_detail.generate_manifest()
+ repository.withdraw(child_cert.cert, child_cert.uri(ca))
- def regenerate_crls_and_manifests(self, gctx):
+ def regenerate_crls_and_manifests(self):
"""Generate new CRLs and manifests as necessary for all of this
self's CAs. Extracting nextUpdate from a manifest is hard at the
moment due to implementation silliness, so for now we generate a
@@ -404,16 +403,16 @@ class self_elt(data_elt):
rpki.log.trace()
now = rpki.sundial.now()
- for parent in self.parents(gctx):
- repository = parent.repository(gctx)
- for ca in parent.cas(gctx):
- for ca_detail in ca.fetch_revoked(gctx):
+ for parent in self.parents():
+ repository = parent.repository()
+ for ca in parent.cas():
+ for ca_detail in ca.fetch_revoked():
if now > ca_detail.latest_crl.getNextUpdate():
- ca_detail.delete(gctx, ca, repository)
- ca_detail = ca.fetch_active(gctx)
+ ca_detail.delete(ca, repository)
+ ca_detail = ca.fetch_active()
if now > ca_detail.latest_crl.getNextUpdate():
- ca_detail.generate_crl(gctx)
- ca_detail.generate_manifest(gctx)
+ ca_detail.generate_crl()
+ ca_detail.generate_manifest()
class bsc_elt(data_elt):
"""<bsc/> (Business Signing Context) element."""
@@ -435,34 +434,34 @@ class bsc_elt(data_elt):
"""Initialize bsc_elt."""
self.signing_cert = rpki.x509.X509_chain()
- def sql_fetch_hook(self, gctx):
+ def sql_fetch_hook(self):
"""Extra SQL fetch actions for bsc_elt -- handle signing certs."""
- gctx.cur.execute("SELECT cert FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
- self.signing_cert[:] = [rpki.x509.X509(DER = x) for (x,) in gctx.cur.fetchall()]
+ self.gctx.cur.execute("SELECT cert FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
+ self.signing_cert[:] = [rpki.x509.X509(DER = x) for (x,) in self.gctx.cur.fetchall()]
- def sql_insert_hook(self, gctx):
+ def sql_insert_hook(self):
"""Extra SQL insert actions for bsc_elt -- handle signing certs."""
if self.signing_cert:
- gctx.cur.executemany("INSERT bsc_cert (cert, bsc_id) VALUES (%s, %s)",
- ((x.get_DER(), self.bsc_id) for x in self.signing_cert))
+ self.gctx.cur.executemany("INSERT bsc_cert (cert, bsc_id) VALUES (%s, %s)",
+ ((x.get_DER(), self.bsc_id) for x in self.signing_cert))
- def sql_delete_hook(self, gctx):
+ def sql_delete_hook(self):
"""Extra SQL delete actions for bsc_elt -- handle signing certs."""
- gctx.cur.execute("DELETE FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
+ self.gctx.cur.execute("DELETE FROM bsc_cert WHERE bsc_id = %s", (self.bsc_id,))
- def repositories(self, gctx):
+ def repositories(self):
"""Fetch all repository objects that link to this BSC object."""
- return repository_elt.sql_fetch_where(gctx, "bsc_id = %s", (self.bsc_id,))
+ return repository_elt.sql_fetch_where(self.gctx, "bsc_id = %s", (self.bsc_id,))
- def parents(self, gctx):
+ def parents(self):
"""Fetch all parent objects that link to this BSC object."""
- return parent_elt.sql_fetch_where(gctx, "bsc_id = %s", (self.bsc_id,))
+ return parent_elt.sql_fetch_where(self.gctx, "bsc_id = %s", (self.bsc_id,))
- def children(self, gctx):
+ def children(self):
"""Fetch all child objects that link to this BSC object."""
- return child_elt.sql_fetch_where(gctx, "bsc_id = %s", (self.bsc_id,))
+ return child_elt.sql_fetch_where(self.gctx, "bsc_id = %s", (self.bsc_id,))
- def serve_pre_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_pre_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for bsc_elt -- handle signing certs and key generation."""
if self is not q_pdu:
if q_pdu.clear_signing_certs:
@@ -528,31 +527,31 @@ class parent_elt(data_elt):
cms_ta = None
https_ta = None
- def repository(self, gctx):
+ def repository(self):
"""Fetch repository object to which this parent object links."""
- return repository_elt.sql_fetch(gctx, self.repository_id)
+ return repository_elt.sql_fetch(self.gctx, self.repository_id)
- def cas(self, gctx):
+ def cas(self):
"""Fetch all CA objects that link to this parent object."""
- return rpki.sql.ca_obj.sql_fetch_where(gctx, "parent_id = %s", (self.parent_id,))
+ return rpki.sql.ca_obj.sql_fetch_where(self.gctx, "parent_id = %s", (self.parent_id,))
- def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for parent_elt."""
if q_pdu.rekey:
- self.serve_rekey(gctx)
+ self.serve_rekey()
if q_pdu.revoke:
- self.serve_revoke(gctx)
+ self.serve_revoke()
self.unimplemented_control("reissue")
- def serve_rekey(self, gctx):
+ def serve_rekey(self):
"""Handle a left-right rekey action for this parent."""
- for ca in self.cas(gctx):
- ca.rekey(gctx)
+ for ca in self.cas():
+ ca.rekey()
- def serve_revoke(self, gctx):
+ def serve_revoke(self):
"""Handle a left-right revoke action for this parent."""
- for ca in self.cas(gctx):
- ca.revoke(gctx)
+ for ca in self.cas():
+ ca.revoke()
def startElement(self, stack, name, attrs):
"""Handle <parent/> element."""
@@ -579,7 +578,7 @@ class parent_elt(data_elt):
self.make_b64elt(elt, "https_ta", self.https_ta.get_DER())
return elt
- def query_up_down(self, gctx, q_pdu):
+ def query_up_down(self, q_pdu):
"""Client code for sending one up-down query PDU to this parent.
I haven't figured out yet whether this method should do something
@@ -595,7 +594,7 @@ class parent_elt(data_elt):
rpki.log.trace()
- bsc = self.bsc(gctx)
+ bsc = self.bsc()
if bsc is None:
raise rpki.exceptions.BSCNotFound, "Could not find BSC %s" % self.bsc_id
q_msg = rpki.up_down.message_pdu.make_query(
@@ -609,9 +608,13 @@ class parent_elt(data_elt):
rpki.log.error("Message does not pass schema check: " + lxml.etree.tostring(q_elt, pretty_print = True))
raise
q_cms = rpki.cms.xml_sign(q_elt, bsc.private_key_id, bsc.signing_cert, encoding = "UTF-8")
+
+ # The following certs look wrong for what we're doing here.
+ # We should be using a bsc, shouldn't we?
+
r_cms = rpki.https.client(x509TrustList = rpki.x509.X509_chain(self.https_ta),
- privateKey = gctx.https_key,
- certChain = gctx.https_certs,
+ privateKey = self.gctx.https_key,
+ certChain = self.gctx.https_certs,
msg = q_cms,
url = self.peer_contact_uri)
r_elt = rpki.cms.xml_verify(r_cms, self.cms_ta)
@@ -633,25 +636,25 @@ class child_elt(data_elt):
cms_ta = None
- def child_certs(self, gctx, ca_detail = None, ski = None, unique = False):
+ def child_certs(self, ca_detail = None, ski = None, unique = False):
"""Fetch all child_cert objects that link to this child object."""
- return rpki.sql.child_cert_obj.fetch(gctx, self, ca_detail, ski, unique)
+ return rpki.sql.child_cert_obj.fetch(self.gctx, self, ca_detail, ski, unique)
- def parents(self, gctx):
+ def parents(self):
"""Fetch all parent objects that link to self object to which this child object links."""
- return parent_elt.sql_fetch_where(gctx, "self_id = %s", (self.self_id,))
+ return parent_elt.sql_fetch_where(self.gctx, "self_id = %s", (self.self_id,))
- def ca_from_class_name(self, gctx, class_name):
+ def ca_from_class_name(self, class_name):
"""Fetch the CA corresponding to an up-down class_name."""
if not class_name.isdigit():
raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % class_name
- ca = rpki.sql.ca_obj.sql_fetch(gctx, long(class_name))
- parent = ca.parent(gctx)
+ ca = rpki.sql.ca_obj.sql_fetch(self.gctx, long(class_name))
+ parent = ca.parent()
if self.self_id != parent.self_id:
raise rpki.exceptions.ClassNameMismatch, "child.self_id = %d, parent.self_id = %d" % (self.self_id, parent.self_id)
return ca
- def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for child_elt."""
self.unimplemented_control("reissue")
@@ -676,21 +679,22 @@ class child_elt(data_elt):
self.make_b64elt(elt, "cms_ta", self.cms_ta.get_DER())
return elt
- def serve_up_down(self, gctx, query):
+ def serve_up_down(self, query):
"""Outer layer of server handling for one up-down PDU from this child."""
rpki.log.trace()
- bsc = self.bsc(gctx)
+ bsc = self.bsc()
if bsc is None:
raise rpki.exceptions.BSCNotFound, "Could not find BSC %s" % self.bsc_id
q_elt = rpki.cms.xml_verify(query, self.cms_ta)
rpki.relaxng.up_down.assertValid(q_elt)
q_msg = rpki.up_down.sax_handler.saxify(q_elt)
+ q_msg.payload.gctx = self.gctx
#if q_msg.sender != str(self.child_id):
# raise rpki.exceptions.BadSender, "Unexpected XML sender %s" % q_msg.sender
try:
- r_msg = q_msg.serve_top_level(gctx, self)
+ r_msg = q_msg.serve_top_level(self)
except Exception, data:
rpki.log.error(traceback.format_exc())
r_msg = q_msg.serve_error(data)
@@ -722,9 +726,9 @@ class repository_elt(data_elt):
cms_ta = None
https_ta = None
- def parents(self, gctx):
+ def parents(self):
"""Fetch all parent objects that link to this repository object."""
- return parent_elt.sql_fetch_where(gctx, "repository_id = %s", (self.repository_id,))
+ return parent_elt.sql_fetch_where(self.gctx, "repository_id = %s", (self.repository_id,))
def startElement(self, stack, name, attrs):
"""Handle <repository/> element."""
@@ -779,17 +783,17 @@ class repository_elt(data_elt):
rpki.log.trace()
os.remove(cls.uri_to_filename(base, uri))
- def publish(self, gctx, obj, uri):
+ def publish(self, obj, uri):
"""Placeholder for publication operation. [TEMPORARY]"""
rpki.log.trace()
rpki.log.info("Publishing %s to repository %s at %s" % (repr(obj), repr(self), repr(uri)))
- self.object_write(gctx.publication_kludge_base, uri, obj)
+ self.object_write(self.gctx.publication_kludge_base, uri, obj)
- def withdraw(self, gctx, obj, uri):
+ def withdraw(self, obj, uri):
"""Placeholder for publication withdrawal operation. [TEMPORARY]"""
rpki.log.trace()
rpki.log.info("Withdrawing %s from repository %s at %s" % (repr(obj), repr(self), repr(uri)))
- self.object_delete(gctx.publication_kludge_base, uri)
+ self.object_delete(self.gctx.publication_kludge_base, uri)
class route_origin_elt(data_elt):
"""<route_origin/> element."""
@@ -806,34 +810,34 @@ class route_origin_elt(data_elt):
cert = None
roa = None
- def sql_fetch_hook(self, gctx):
+ def sql_fetch_hook(self):
"""Extra SQL fetch actions for route_origin_elt -- handle address ranges."""
- self.ipv4 = rpki.resource_set.resource_set_ipv4.from_sql(gctx.cur, """
+ self.ipv4 = rpki.resource_set.resource_set_ipv4.from_sql(self.gctx.cur, """
SELECT start_ip, end_ip FROM route_origin_range
WHERE route_origin_id = %s AND start_ip NOT LIKE '%:%'
""", (self.route_origin_id,))
- self.ipv6 = rpki.resource_set.resource_set_ipv6.from_sql(gctx.cur, """
+ self.ipv6 = rpki.resource_set.resource_set_ipv6.from_sql(self.gctx.cur, """
SELECT start_ip, end_ip FROM route_origin_range
WHERE route_origin_id = %s AND start_ip LIKE '%:%'
""", (self.route_origin_id,))
- def sql_insert_hook(self, gctx):
+ def sql_insert_hook(self):
"""Extra SQL insert actions for route_origin_elt -- handle address ranges."""
if self.ipv4 + self.ipv6:
- gctx.cur.executemany("""
+ self.gctx.cur.executemany("""
INSERT route_origin_range (route_origin_id, start_ip, end_ip)
VALUES (%s, %s, %s)""",
((self.route_origin_id, x.min, x.max) for x in self.ipv4 + self.ipv6))
- def sql_delete_hook(self, gctx):
+ def sql_delete_hook(self):
"""Extra SQL delete actions for route_origin_elt -- handle address ranges."""
- gctx.cur.execute("DELETE FROM route_origin_range WHERE route_origin_id = %s", (self.route_origin_id,))
+ self.gctx.cur.execute("DELETE FROM route_origin_range WHERE route_origin_id = %s", (self.route_origin_id,))
- def ca_detail(self, gctx):
+ def ca_detail(self):
"""Fetch all ca_detail objects that link to this route_origin object."""
- return rpki.sql.ca_detail_obj.sql_fetch(gctx, self.ca_detail_id)
+ return rpki.sql.ca_detail_obj.sql_fetch(self.gctx, self.ca_detail_id)
- def serve_post_save_hook(self, gctx, q_pdu, r_pdu):
+ def serve_post_save_hook(self, q_pdu, r_pdu):
"""Extra server actions for route_origin_elt."""
self.unimplemented_control("suppress_publication")
@@ -857,7 +861,7 @@ class route_origin_elt(data_elt):
"""Generate <route_origin/> element."""
return self.make_elt()
- def generate_roa(self, gctx):
+ def generate_roa(self):
"""Generate a ROA based on this <route_origin/> object.
At present this does not support ROAs with multiple signatures
@@ -884,9 +888,9 @@ class route_origin_elt(data_elt):
# first checking the ca_detail we used last time, but it may not
# be active, in which we have to check the ca_detail that replaced it.
- for parent in self.self(gctx).parents(gctx):
- for ca in parent.cas(gctx):
- ca_detail = ca.fetch_active(gctx)
+ for parent in self.self().parents():
+ for ca in parent.cas():
+ ca_detail = ca.fetch_active()
if ca_detail is not None:
resources = ca_detail.latest_ca_cert.get_3779resources()
if self.v4.issubset(resources.v4) and self.v6.issubset(resources.v6):
@@ -915,14 +919,14 @@ class route_origin_elt(data_elt):
self.cert = ca_detail.issue_ee(ca, resources, sia)
self.roa = rpki.cms.sign(payload.toString(), keypair, (self.cert,))
self.ca_detail_id = ca_detail.ca_detail_id
- self.sql_store(gctx)
+ self.sql_store()
- repository = parent.repository(gctx)
+ repository = parent.repository()
- repository.publish(gctx, self.roa, self.roa_uri(ca))
- repository.publish(gctx, self.cert, self.ee_uri(ca))
+ repository.publish(self.roa, self.roa_uri(ca))
+ repository.publish(self.cert, self.ee_uri(ca))
- ca_detail.generate_manifest(gctx)
+ ca_detail.generate_manifest()
raise rpki.exceptions.NotImplementedYet
@@ -1031,7 +1035,8 @@ class msg(list):
"""Serve one msg PDU."""
r_msg = self.__class__()
for q_pdu in self:
- q_pdu.serve_dispatch(gctx, r_msg)
+ q_pdu.gctx = gctx
+ q_pdu.serve_dispatch(r_msg)
return r_msg
class sax_handler(rpki.sax_utils.handler):
@@ -1045,41 +1050,3 @@ class sax_handler(rpki.sax_utils.handler):
"""Top-level PDU for this protocol is <msg/>."""
assert name == "msg" and attrs["version"] == "1"
return self.pdu()
-
-def irdb_query(gctx, self_id, child_id = None):
- """Perform an IRDB callback query. In the long run this should not
- be a blocking routine, it should instead issue a query and set up a
- handler to receive the response. For the moment, though, we are
- doing simple lock step and damn the torpedos. Not yet doing
- anything useful with subject name. Most likely this function should
- really be wrapped up in a class that carries both the query result
- and also the intermediate state needed for the event-driven code
- that this function will need to become.
- """
-
- rpki.log.trace()
-
- q_msg = msg()
- q_msg.append(list_resources_elt())
- q_msg[0].type = "query"
- q_msg[0].self_id = self_id
- q_msg[0].child_id = child_id
- q_elt = q_msg.toXML()
- rpki.relaxng.left_right.assertValid(q_elt)
- q_cms = rpki.cms.xml_sign(q_elt, gctx.cms_key, gctx.cms_certs)
- r_cms = rpki.https.client(
- privateKey = gctx.https_key,
- certChain = gctx.https_certs,
- x509TrustList = gctx.https_ta_irdb,
- url = gctx.irdb_url,
- msg = q_cms)
- r_elt = rpki.cms.xml_verify(r_cms, gctx.cms_ta_irdb)
- rpki.relaxng.left_right.assertValid(r_elt)
- r_msg = rpki.left_right.sax_handler.saxify(r_elt)
- if len(r_msg) == 0 or not isinstance(r_msg[0], list_resources_elt) or r_msg[0].type != "reply":
- raise rpki.exceptions.BadIRDBReply, "Unexpected response to IRDB query: %s" % lxml.etree.tostring(r_msg.toXML(), pretty_print = True, encoding = "us-ascii")
- return rpki.resource_set.resource_bag(
- as = r_msg[0].as,
- v4 = r_msg[0].ipv4,
- v6 = r_msg[0].ipv6,
- valid_until = r_msg[0].valid_until)
diff --git a/rpkid/rpki/sql.py b/rpkid/rpki/sql.py
index ddddbe9f..fe6c0f0a 100644
--- a/rpkid/rpki/sql.py
+++ b/rpkid/rpki/sql.py
@@ -48,34 +48,6 @@ class template(object):
index_column, index_column)
self.delete = "DELETE FROM %s WHERE %s = %%s" % (table_name, index_column)
-## @var sql_cache
-# Cache of objects pulled from SQL.
-
-sql_cache = {}
-
-## @var sql_dirty
-# Set of objects that need to be written back to SQL.
-
-sql_dirty = set()
-
-def sql_cache_clear():
- """Clear the object cache."""
- sql_cache.clear()
-
-def sql_assert_pristine():
- """Assert that there are no dirty objects in the cache."""
- assert not sql_dirty, "Dirty objects in SQL cache: %s" % sql_dirty
-
-def sql_sweep(gctx):
- """Write any dirty objects out to SQL."""
- for s in sql_dirty.copy():
- rpki.log.debug("Sweeping %s" % repr(s))
- if s.sql_deleted:
- s.sql_delete(gctx)
- else:
- s.sql_store(gctx)
- sql_assert_pristine()
-
class sql_persistant(object):
"""Mixin for persistant class that needs to be stored in SQL.
"""
@@ -96,8 +68,8 @@ class sql_persistant(object):
SQL lookup entirely.
"""
key = (cls, id)
- if key in sql_cache:
- return sql_cache[key]
+ if key in gctx.sql_cache:
+ return gctx.sql_cache[key]
else:
return cls.sql_fetch_where1(gctx, "%s = %s", (cls.sql_template.index, id))
@@ -129,8 +101,8 @@ class sql_persistant(object):
results = []
for row in gctx.cur.fetchall():
key = (cls, row[0])
- if key in sql_cache:
- results.append(sql_cache[key])
+ if key in gctx.sql_cache:
+ results.append(gctx.sql_cache[key])
else:
results.append(cls.sql_init(gctx, row, key))
return results
@@ -139,52 +111,53 @@ class sql_persistant(object):
def sql_init(cls, gctx, row, key):
"""Initialize one Python object from the result of a SQL query."""
self = cls()
+ self.gctx = gctx
self.sql_decode(dict(zip(cls.sql_template.columns, row)))
- sql_cache[key] = self
+ gctx.sql_cache[key] = self
self.sql_in_db = True
- self.sql_fetch_hook(gctx)
+ self.sql_fetch_hook()
return self
def sql_mark_dirty(self):
"""Mark this object as needing to be written back to SQL."""
- sql_dirty.add(self)
+ self.gctx.sql_dirty.add(self)
def sql_mark_clean(self):
"""Mark this object as not needing to be written back to SQL."""
- sql_dirty.discard(self)
+ self.gctx.sql_dirty.discard(self)
def sql_is_dirty(self):
"""Query whether this object needs to be written back to SQL."""
- return self in sql_dirty
+ return self in self.gctx.sql_dirty
def sql_mark_deleted(self):
"""Mark this object as needing to be deleted in SQL."""
self.sql_deleted = True
- def sql_store(self, gctx):
+ def sql_store(self):
"""Store this object to SQL."""
if not self.sql_in_db:
- gctx.cur.execute(self.sql_template.insert, self.sql_encode())
- setattr(self, self.sql_template.index, gctx.cur.lastrowid)
- sql_cache[(self.__class__, gctx.cur.lastrowid)] = self
- self.sql_insert_hook(gctx)
+ self.gctx.cur.execute(self.sql_template.insert, self.sql_encode())
+ setattr(self, self.sql_template.index, self.gctx.cur.lastrowid)
+ self.gctx.sql_cache[(self.__class__, self.gctx.cur.lastrowid)] = self
+ self.sql_insert_hook()
else:
- gctx.cur.execute(self.sql_template.update, self.sql_encode())
- self.sql_update_hook(gctx)
+ self.gctx.cur.execute(self.sql_template.update, self.sql_encode())
+ self.sql_update_hook()
key = (self.__class__, getattr(self, self.sql_template.index))
- assert key in sql_cache and sql_cache[key] == self
+ assert key in self.gctx.sql_cache and self.gctx.sql_cache[key] == self
self.sql_mark_clean()
self.sql_in_db = True
- def sql_delete(self, gctx):
+ def sql_delete(self):
"""Delete this object from SQL."""
if self.sql_in_db:
id = getattr(self, self.sql_template.index)
- gctx.cur.execute(self.sql_template.delete, id)
- self.sql_delete_hook(gctx)
+ self.gctx.cur.execute(self.sql_template.delete, id)
+ self.sql_delete_hook()
key = (self.__class__, id)
- if sql_cache.get(key) == self:
- del sql_cache[key]
+ if self.gctx.sql_cache.get(key) == self:
+ del self.gctx.sql_cache[key]
self.sql_in_db = False
self.sql_mark_clean()
@@ -212,20 +185,20 @@ class sql_persistant(object):
else:
setattr(self, a, vals[a])
- def sql_fetch_hook(self, gctx):
+ def sql_fetch_hook(self):
"""Customization hook."""
pass
- def sql_insert_hook(self, gctx):
+ def sql_insert_hook(self):
"""Customization hook."""
pass
- def sql_update_hook(self, gctx):
+ def sql_update_hook(self):
"""Customization hook."""
- self.sql_delete_hook(gctx)
- self.sql_insert_hook(gctx)
+ self.sql_delete_hook()
+ self.sql_insert_hook()
- def sql_delete_hook(self, gctx):
+ def sql_delete_hook(self):
"""Customization hook."""
pass
@@ -246,36 +219,36 @@ class ca_obj(sql_persistant):
last_issued_sn = 0
last_manifest_sn = 0
- def parent(self, gctx):
+ def parent(self):
"""Fetch parent object to which this CA object links."""
- return rpki.left_right.parent_elt.sql_fetch(gctx, self.parent_id)
+ return rpki.left_right.parent_elt.sql_fetch(self.gctx, self.parent_id)
- def ca_details(self, gctx):
+ def ca_details(self):
"""Fetch all ca_detail objects that link to this CA object."""
- return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s", (self.ca_id,))
+ return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s", (self.ca_id,))
- def fetch_pending(self, gctx):
+ def fetch_pending(self):
"""Fetch the pending ca_details for this CA, if any."""
- return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state = 'pending'", (self.ca_id,))
+ return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND state = 'pending'", (self.ca_id,))
- def fetch_active(self, gctx):
+ def fetch_active(self):
"""Fetch the active ca_detail for this CA, if any."""
- return ca_detail_obj.sql_fetch_where1(gctx, "ca_id = %s AND state = 'active'", (self.ca_id,))
+ return ca_detail_obj.sql_fetch_where1(self.gctx, "ca_id = %s AND state = 'active'", (self.ca_id,))
- def fetch_deprecated(self, gctx):
+ def fetch_deprecated(self):
"""Fetch deprecated ca_details for this CA, if any."""
- return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state = 'deprecated'", (self.ca_id,))
+ return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND state = 'deprecated'", (self.ca_id,))
- def fetch_revoked(self, gctx):
+ def fetch_revoked(self):
"""Fetch revoked ca_details for this CA, if any."""
- return ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state = 'revoked'", (self.ca_id,))
+ return ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND state = 'revoked'", (self.ca_id,))
- def construct_sia_uri(self, gctx, parent, rc):
+ def construct_sia_uri(self, parent, rc):
"""Construct the sia_uri value for this CA given configured
information and the parent's up-down protocol list_response PDU.
"""
- repository = parent.repository(gctx)
+ repository = parent.repository()
sia_uri = rc.suggested_sia_head and rc.suggested_sia_head.rsync()
if not sia_uri or not sia_uri.startswith(parent.sia_base):
sia_uri = parent.sia_base
@@ -283,14 +256,14 @@ class ca_obj(sql_persistant):
raise rpki.exceptions.BadURISyntax, "SIA URI must end with a slash: %s" % sia_uri
return sia_uri + str(self.ca_id) + "/"
- def check_for_updates(self, gctx, parent, rc):
+ def check_for_updates(self, parent, rc):
"""Parent has signaled continued existance of a resource class we
already knew about, so we need to check for an updated
certificate, changes in resource coverage, revocation and reissue
with the same key, etc.
"""
- sia_uri = self.construct_sia_uri(gctx, parent, rc)
+ sia_uri = self.construct_sia_uri(parent, rc)
sia_uri_changed = self.sia_uri != sia_uri
if sia_uri_changed:
self.sia_uri = sia_uri
@@ -299,7 +272,7 @@ class ca_obj(sql_persistant):
rc_resources = rc.to_resource_bag()
cert_map = dict((c.cert.get_SKI(), c) for c in rc.certs)
- for ca_detail in ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL AND state != 'revoked'", (self.ca_id,)):
+ for ca_detail in ca_detail_obj.sql_fetch_where(self.gctx, "ca_id = %s AND latest_ca_cert IS NOT NULL AND state != 'revoked'", (self.ca_id,)):
ski = ca_detail.latest_ca_cert.get_SKI()
if ca_detail.state in ("pending", "active"):
current_resources = ca_detail.latest_ca_cert.get_3779resources()
@@ -308,7 +281,6 @@ class ca_obj(sql_persistant):
current_resources.undersized(rc_resources) or \
current_resources.oversized(rc_resources):
ca_detail.update(
- gctx = gctx,
parent = parent,
ca = self,
rc = rc,
@@ -318,28 +290,28 @@ class ca_obj(sql_persistant):
assert not cert_map, "Certificates in list_response missing from our database, SKIs %s" % ", ".join(c.cert.hSKI() for c in cert_map.values())
@classmethod
- def create(cls, gctx, parent, rc):
+ def create(cls, parent, rc):
"""Parent has signaled existance of a new resource class, so we
need to create and set up a corresponding CA object.
"""
self = cls()
+ self.gctx = parent.gctx
self.parent_id = parent.parent_id
self.parent_resource_class = rc.class_name
- self.sql_store(gctx)
- self.sia_uri = self.construct_sia_uri(gctx, parent, rc)
- ca_detail = ca_detail_obj.create(gctx, self)
+ self.sql_store()
+ self.sia_uri = self.construct_sia_uri(parent, rc)
+ ca_detail = ca_detail_obj.create(self)
# This will need a callback when we go event-driven
- issue_response = rpki.up_down.issue_pdu.query(gctx, parent, self, ca_detail)
+ issue_response = rpki.up_down.issue_pdu.query(parent, self, ca_detail)
ca_detail.activate(
- gctx = gctx,
ca = self,
cert = issue_response.payload.classes[0].certs[0].cert,
uri = issue_response.payload.classes[0].certs[0].cert_url)
- def delete(self, gctx, parent):
+ def delete(self, parent):
"""The list of current resource classes received from parent does
not include the class corresponding to this CA, so we need to
delete it (and its little dog too...).
@@ -350,10 +322,10 @@ class ca_obj(sql_persistant):
CA, then finally delete this CA itself.
"""
- repository = parent.repository(gctx)
- for ca_detail in self.ca_details(gctx):
- ca_detail.delete(gctx, ca, repository)
- self.sql_delete(gctx)
+ repository = parent.repository()
+ for ca_detail in self.ca_details():
+ ca_detail.delete(ca, repository)
+ self.sql_delete()
def next_serial_number(self):
"""Allocate a certificate serial number."""
@@ -373,7 +345,7 @@ class ca_obj(sql_persistant):
self.sql_mark_dirty()
return self.last_crl_sn
- def rekey(self, gctx):
+ def rekey(self):
"""Initiate a rekey operation for this ca.
Tasks:
@@ -389,27 +361,26 @@ class ca_obj(sql_persistant):
rpki.log.trace()
- parent = self.parent(gctx)
- old_detail = self.fetch_active(gctx)
- new_detail = ca_detail_obj.create(gctx, self)
+ parent = self.parent()
+ old_detail = self.fetch_active()
+ new_detail = ca_detail_obj.create(self)
# This will need a callback when we go event-driven
- issue_response = rpki.up_down.issue_pdu.query(gctx, parent, self, new_detail)
+ issue_response = rpki.up_down.issue_pdu.query(parent, self, new_detail)
new_detail.activate(
- gctx = gctx,
ca = self,
cert = issue_response.payload.classes[0].certs[0].cert,
uri = issue_response.payload.classes[0].certs[0].cert_url,
predecessor = old_detail)
- def revoke(self, gctx):
+ def revoke(self):
"""Revoke deprecated ca_detail objects associated with this ca."""
rpki.log.trace()
- for ca_detail in self.fetch_deprecated(gctx):
- ca_detail.revoke(gctx)
+ for ca_detail in self.fetch_deprecated():
+ ca_detail.revoke()
class ca_detail_obj(sql_persistant):
"""Internal CA detail object."""
@@ -437,21 +408,21 @@ class ca_detail_obj(sql_persistant):
assert (self.manifest_public_key is None and self.manifest_private_key_id is None) or \
self.manifest_public_key.get_DER() == self.manifest_private_key_id.get_public_DER()
- def ca(self, gctx):
+ def ca(self):
"""Fetch CA object to which this ca_detail links."""
- return ca_obj.sql_fetch(gctx, self.ca_id)
+ return ca_obj.sql_fetch(self.gctx, self.ca_id)
- def child_certs(self, gctx, child = None, ski = None, unique = False):
+ def child_certs(self, child = None, ski = None, unique = False):
"""Fetch all child_cert objects that link to this ca_detail."""
- return rpki.sql.child_cert_obj.fetch(gctx, child, self, ski, unique)
+ return rpki.sql.child_cert_obj.fetch(self.gctx, child, self, ski, unique)
- def revoked_certs(self, gctx):
+ def revoked_certs(self):
"""Fetch all revoked_cert objects that link to this ca_detail."""
- return revoked_cert_obj.sql_fetch_where(gctx, "ca_detail_id = %s", (self.ca_detail_id,))
+ return revoked_cert_obj.sql_fetch_where(self.gctx, "ca_detail_id = %s", (self.ca_detail_id,))
- def route_origins(self, gctx):
+ def route_origins(self):
"""Fetch all route_origin objects that link to this ca_detail."""
- return rpki.left_right.route_origin_elt.sql_fetch_where(gctx, "ca_detail_id = %s", (self.ca_detail_id,))
+ return rpki.left_right.route_origin_elt.sql_fetch_where(self.gctx, "ca_detail_id = %s", (self.ca_detail_id,))
def crl_uri(self, ca):
"""Return publication URI for this ca_detail's CRL."""
@@ -461,40 +432,40 @@ class ca_detail_obj(sql_persistant):
"""Return publication URI for this ca_detail's manifest."""
return ca.sia_uri + self.public_key.gSKI() + ".mnf"
- def activate(self, gctx, ca, cert, uri, predecessor = None):
+ def activate(self, ca, cert, uri, predecessor = None):
"""Activate this ca_detail."""
self.latest_ca_cert = cert
self.ca_cert_uri = uri.rsync()
self.generate_manifest_cert(ca)
- self.generate_crl(gctx)
- self.generate_manifest(gctx)
+ self.generate_crl()
+ self.generate_manifest()
self.state = "active"
self.sql_mark_dirty()
if predecessor is not None:
predecessor.state = "deprecated"
predecessor.sql_mark_dirty()
- for child_cert in predecessor.child_certs(gctx):
- child_cert.reissue(gctx, self)
- for route_origin in predecessor.route_origins(gctx):
+ for child_cert in predecessor.child_certs():
+ child_cert.reissue(self)
+ for route_origin in predecessor.route_origins():
raise rpki.exceptions.NotImplementedYet, "Don't (yet) know how to reissue ROAs"
- def delete(self, gctx, ca, repository):
+ def delete(self, ca, repository):
"""Delete this ca_detail and all of the certs it issued."""
- for child_cert in self.child_certs(gctx):
- repository.withdraw(gctx, child_cert.cert, child_cert.uri(ca))
- child_cert.sql_delete(gctx)
- for revoked__cert in self.revoked_certs(gctx):
- revoked_cert.sql_delete(gctx)
- for route_origin in self.route_origins(gctx):
+ for child_cert in self.child_certs():
+ repository.withdraw(child_cert.cert, child_cert.uri(ca))
+ child_cert.sql_delete()
+ for revoked__cert in self.revoked_certs():
+ revoked_cert.sql_delete()
+ for route_origin in self.route_origins():
raise rpki.exceptions.NotImplementedYet, "Don't (yet) know how to withdraw ROAs"
- repository.withdraw(gctx, self.latest_manifest, self.manifest_uri(ca))
- repository.withdraw(gctx, self.latest_crl, self.crl_uri())
- self.sql_delete(gctx)
+ repository.withdraw(self.latest_manifest, self.manifest_uri(ca))
+ repository.withdraw(self.latest_crl, self.crl_uri())
+ self.sql_delete()
- def revoke(self, gctx):
+ def revoke(self):
"""Request revocation of all certificates whose SKI matches the key for this ca_detail.
Tasks:
@@ -513,14 +484,14 @@ class ca_detail_obj(sql_persistant):
"""
# This will need a callback when we go event-driven
- r_msg = rpki.up_down.revoke_pdu.query(gctx, self)
+ r_msg = rpki.up_down.revoke_pdu.query(self)
if r_msg.payload.ski != self.latest_ca_cert.gSKI():
raise rpki.exceptions.SKIMismatch
- ca = self.ca(gctx)
- parent = ca.parent(gctx)
- crl_interval = rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+ ca = self.ca()
+ parent = ca.parent()
+ crl_interval = rpki.sundial.timedelta(seconds = parent.self().crl_interval)
nextUpdate = rpki.sundial.now()
@@ -530,14 +501,14 @@ class ca_detail_obj(sql_persistant):
if self.latest_crl is not None:
nextUpdate = nextUpdate.later(self.latest_crl.getNextUpdate())
- for child_cert in self.child_certs(gctx):
+ for child_cert in self.child_certs():
nextUpdate = nextUpdate.later(child_cert.cert.getNotAfter())
- child_cert.revoke(gctx)
+ child_cert.revoke()
nextUpdate += crl_interval
- self.generate_crl(gctx, nextUpdate)
- self.generate_manifest(gctx, nextUpdate)
+ self.generate_crl(nextUpdate)
+ self.generate_manifest(nextUpdate)
self.private_key_id = None
self.manifest_private_key_id = None
@@ -546,30 +517,30 @@ class ca_detail_obj(sql_persistant):
self.state = "revoked"
self.sql_mark_dirty()
- def update(self, gctx, parent, ca, rc, sia_uri_changed, old_resources):
+ def update(self, parent, ca, rc, sia_uri_changed, old_resources):
"""Need to get a new certificate for this ca_detail and perhaps
frob children of this ca_detail.
"""
# This will need a callback when we go event-driven
- issue_response = rpki.up_down.issue_pdu.query(gctx, parent, ca, self)
+ issue_response = rpki.up_down.issue_pdu.query(parent, ca, self)
self.latest_ca_cert = issue_response.payload.classes[0].certs[0].cert
new_resources = self.latest_ca_cert.get_3779resources()
if sia_uri_changed or old_resources.oversized(new_resources):
- for child_cert in self.child_certs(gctx):
+ for child_cert in self.child_certs():
child_resources = child_cert.cert.get_3779resources()
if sia_uri_changed or child_resources.oversized(new_resources):
child_cert.reissue(
- gctx = gctx,
ca_detail = self,
resources = child_resources.intersection(new_resources))
@classmethod
- def create(cls, gctx, ca):
+ def create(cls, ca):
"""Create a new ca_detail object for a specified CA."""
self = cls()
+ self.gctx = ca.gctx
self.ca_id = ca.ca_id
self.state = "pending"
@@ -581,7 +552,7 @@ class ca_detail_obj(sql_persistant):
self.manifest_private_key_id.generate()
self.manifest_public_key = self.manifest_private_key_id.get_RSApublic()
- self.sql_store(gctx)
+ self.sql_store()
return self
def issue_ee(self, ca, resources, sia = None):
@@ -609,7 +580,7 @@ class ca_detail_obj(sql_persistant):
self.latest_manifest_cert = self.issue_ee(ca, resources)
- def issue(self, gctx, ca, child, subject_key, sia, resources, child_cert = None):
+ def issue(self, ca, child, subject_key, sia, resources, child_cert = None):
"""Issue a new certificate to a child. Optional child_cert
argument specifies an existing child_cert object to update in
place; if not specified, we create a new one. Returns the
@@ -631,6 +602,7 @@ class ca_detail_obj(sql_persistant):
if child_cert is None:
child_cert = rpki.sql.child_cert_obj(
+ gctx = child.gctx,
child_id = child.child_id,
ca_detail_id = self.ca_detail_id,
cert = cert)
@@ -641,31 +613,31 @@ class ca_detail_obj(sql_persistant):
child_cert.ski = cert.get_SKI()
- child_cert.sql_store(gctx)
+ child_cert.sql_store()
- ca.parent(gctx).repository(gctx).publish(gctx, child_cert.cert, child_cert.uri(ca))
+ ca.parent().repository().publish(child_cert.cert, child_cert.uri(ca))
- self.generate_manifest(gctx)
+ self.generate_manifest()
return child_cert
- def generate_crl(self, gctx, nextUpdate = None):
+ def generate_crl(self, nextUpdate = None):
"""Generate a new CRL for this ca_detail. At the moment this is
unconditional, that is, it is up to the caller to decide whether a
new CRL is needed.
"""
- ca = self.ca(gctx)
- parent = ca.parent(gctx)
- repository = parent.repository(gctx)
- crl_interval = rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+ ca = self.ca()
+ parent = ca.parent()
+ repository = parent.repository()
+ crl_interval = rpki.sundial.timedelta(seconds = parent.self().crl_interval)
now = rpki.sundial.now()
if nextUpdate is None:
nextUpdate = now + crl_interval
certlist = []
- for revoked_cert in self.revoked_certs(gctx):
+ for revoked_cert in self.revoked_certs():
if now > revoked_cert.expires + crl_interval:
revoked_cert.sql_delete()
else:
@@ -680,22 +652,22 @@ class ca_detail_obj(sql_persistant):
nextUpdate = nextUpdate,
revokedCertificates = certlist)
- repository.publish(gctx, self.latest_crl, self.crl_uri(ca))
+ repository.publish(self.latest_crl, self.crl_uri(ca))
- def generate_manifest(self, gctx, nextUpdate = None):
+ def generate_manifest(self, nextUpdate = None):
"""Generate a new manifest for this ca_detail."""
- ca = self.ca(gctx)
- parent = ca.parent(gctx)
- repository = parent.repository(gctx)
- crl_interval = rpki.sundial.timedelta(seconds = parent.self(gctx).crl_interval)
+ ca = self.ca()
+ parent = ca.parent()
+ repository = parent.repository()
+ crl_interval = rpki.sundial.timedelta(seconds = parent.self().crl_interval)
now = rpki.sundial.now()
if nextUpdate is None:
nextUpdate = now + crl_interval
- certs = [(c.uri_tail(), c.cert) for c in self.child_certs(gctx)] + \
- [(r.ee_uri_tail(), r.cert) for r in self.route_origins(gctx) if r.cert is not None]
+ certs = [(c.uri_tail(), c.cert) for c in self.child_certs()] + \
+ [(r.ee_uri_tail(), r.cert) for r in self.route_origins() if r.cert is not None]
m = rpki.x509.SignedManifest()
m.build(
@@ -707,28 +679,29 @@ class ca_detail_obj(sql_persistant):
certs = rpki.x509.X509_chain(self.latest_manifest_cert))
self.latest_manifest = m
- repository.publish(gctx, self.latest_manifest, self.manifest_uri(ca))
+ repository.publish(self.latest_manifest, self.manifest_uri(ca))
class child_cert_obj(sql_persistant):
"""Certificate that has been issued to a child."""
sql_template = template("child_cert", "child_cert_id", ("cert", rpki.x509.X509), "child_id", "ca_detail_id", "ski")
- def __init__(self, child_id = None, ca_detail_id = None, cert = None):
+ def __init__(self, gctx = None, child_id = None, ca_detail_id = None, cert = None):
"""Initialize a child_cert_obj."""
+ self.gctx = gctx
self.child_id = child_id
self.ca_detail_id = ca_detail_id
self.cert = cert
if child_id or ca_detail_id or cert:
self.sql_mark_dirty()
- def child(self, gctx):
+ def child(self):
"""Fetch child object to which this child_cert object links."""
- return rpki.left_right.child_elt.sql_fetch(gctx, self.child_id)
+ return rpki.left_right.child_elt.sql_fetch(self.gctx, self.child_id)
- def ca_detail(self, gctx):
+ def ca_detail(self):
"""Fetch ca_detail object to which this child_cert object links."""
- return ca_detail_obj.sql_fetch(gctx, self.ca_detail_id)
+ return ca_detail_obj.sql_fetch(self.gctx, self.ca_detail_id)
def uri_tail(self):
"""Return the tail (filename) portion of the URI for this child_cert."""
@@ -738,18 +711,18 @@ class child_cert_obj(sql_persistant):
"""Return the publication URI for this child_cert."""
return ca.sia_uri + self.uri_tail()
- def revoke(self, gctx):
+ def revoke(self):
"""Revoke a child cert."""
rpki.log.debug("Revoking %s" % repr(self))
- ca_detail = self.ca_detail(gctx)
- ca = ca_detail.ca(gctx)
+ ca_detail = self.ca_detail()
+ ca = ca_detail.ca()
revoked_cert_obj.revoke(cert = self.cert, ca_detail = ca_detail)
- repository = ca.parent(gctx).repository(gctx)
- repository.withdraw(gctx, self.cert, self.uri(ca))
- sql_sweep(gctx)
- self.sql_delete(gctx)
+ repository = ca.parent().repository()
+ repository.withdraw(self.cert, self.uri(ca))
+ self.gctx.sql_sweep()
+ self.sql_delete()
- def reissue(self, gctx, ca_detail, resources = None, sia = None):
+ def reissue(self, ca_detail, resources = None, sia = None):
"""Reissue an existing cert, reusing the public key. If the cert
we would generate is identical to the one we already have, we just
return the one we already have. If we have to revoke the old
@@ -758,12 +731,12 @@ class child_cert_obj(sql_persistant):
child_cert_obj must use the return value from this method.
"""
- ca = ca_detail.ca(gctx)
- child = self.child(gctx)
+ ca = ca_detail.ca()
+ child = self.child()
old_resources = self.cert.get_3779resources()
old_sia = self.cert.get_SIA()
- old_ca_detail = self.ca_detail(gctx)
+ old_ca_detail = self.ca_detail()
if resources is None:
resources = old_resources
@@ -788,7 +761,6 @@ class child_cert_obj(sql_persistant):
child_cert = self
child_cert = ca_detail.issue(
- gctx = gctx,
ca = ca,
child = child,
subject_key = self.cert.getPublicKey(),
@@ -797,14 +769,14 @@ class child_cert_obj(sql_persistant):
child_cert = child_cert)
if must_revoke:
- for cert in child.child_certs(gctx = gctx, ca_detail = ca_detail, ski = self.ski):
+ for cert in child.child_certs(ca_detail = ca_detail, ski = self.ski):
if cert is not child_cert:
- cert.revoke(gctx)
+ cert.revoke()
return child_cert
@classmethod
- def fetch(cls, gctx, child = None, ca_detail = None, ski = None, unique = False):
+ def fetch(cls, gctx = None, child = None, ca_detail = None, ski = None, unique = False):
"""Fetch all child_cert objects matching a particular set of
parameters. This is a wrapper to consolidate various queries that
would otherwise be inline SQL WHERE expressions. In most cases
@@ -828,6 +800,8 @@ class child_cert_obj(sql_persistant):
where = " AND ".join(where)
+ gctx = gctx or (child and child.gctx) or (ca_detail and ca_detail.gctx) or None
+
if unique:
return cls.sql_fetch_where1(gctx, where, args)
else:
@@ -841,8 +815,9 @@ class revoked_cert_obj(sql_persistant):
("revoked", rpki.sundial.datetime),
("expires", rpki.sundial.datetime))
- def __init__(self, serial = None, revoked = None, expires = None, ca_detail_id = None):
+ def __init__(self, gctx = None, serial = None, revoked = None, expires = None, ca_detail_id = None):
"""Initialize a revoked_cert_obj."""
+ self.gctx = gctx
self.serial = serial
self.revoked = revoked
self.expires = expires
@@ -850,9 +825,9 @@ class revoked_cert_obj(sql_persistant):
if serial or revoked or expires or ca_detail_id:
self.sql_mark_dirty()
- def ca_detail(self, gctx):
+ def ca_detail(self):
"""Fetch ca_detail object to which this revoked_cert_obj links."""
- return ca_detail_obj.sql_fetch(gctx, self.ca_detail_id)
+ return ca_detail_obj.sql_fetch(self.gctx, self.ca_detail_id)
@classmethod
def revoke(cls, cert, ca_detail):
@@ -861,4 +836,5 @@ class revoked_cert_obj(sql_persistant):
serial = cert.getSerial(),
expires = cert.getNotAfter(),
revoked = rpki.sundial.now(),
+ gctx = ca_detail.gctx,
ca_detail_id = ca_detail.ca_detail_id)
diff --git a/rpkid/rpki/up_down.py b/rpkid/rpki/up_down.py
index f902d86c..d69dfd9e 100644
--- a/rpkid/rpki/up_down.py
+++ b/rpkid/rpki/up_down.py
@@ -60,7 +60,7 @@ class base_elt(object):
if value is not None:
lxml.etree.SubElement(elt, "{%s}%s" % (xmlns, name), nsmap=nsmap).text = base64.b64encode(value)
- def serve_pdu(self, gctx, q_msg, r_msg, child):
+ def serve_pdu(self, q_msg, r_msg, child):
"""Default PDU handler to catch unexpected types."""
raise rpki.exceptions.BadQuery, "Unexpected query type %s" % q_msg.type
@@ -183,16 +183,16 @@ class list_pdu(base_elt):
"""Generate (empty) payload of "list" PDU."""
return []
- def serve_pdu(self, gctx, q_msg, r_msg, child):
+ def serve_pdu(self, q_msg, r_msg, child):
"""Serve one "list" PDU."""
r_msg.payload = list_response_pdu()
# This will require a callback when we go event-driven
- irdb_resources = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
+ irdb_resources = self.gctx.irdb_query(child.self_id, child.child_id)
- for parent in child.parents(gctx):
- for ca in parent.cas(gctx):
- ca_detail = ca.fetch_active(gctx)
+ for parent in child.parents():
+ for ca in parent.cas():
+ ca_detail = ca.fetch_active()
if not ca_detail:
continue
resources = ca_detail.latest_ca_cert.get_3779resources().intersection(irdb_resources)
@@ -202,7 +202,7 @@ class list_pdu(base_elt):
rc.class_name = str(ca.ca_id)
rc.cert_url = multi_uri(ca_detail.ca_cert_uri)
rc.from_resource_bag(resources)
- for child_cert in child.child_certs(gctx, ca_detail = ca_detail):
+ for child_cert in child.child_certs(ca_detail = ca_detail):
c = certificate_elt()
c.cert_url = multi_uri(child_cert.uri(ca))
c.cert = child_cert.cert
@@ -211,9 +211,9 @@ class list_pdu(base_elt):
r_msg.payload.classes.append(rc)
@classmethod
- def query(cls, gctx, parent):
+ def query(cls, parent):
"""Send a "list" query to parent."""
- return parent.query_up_down(gctx, cls())
+ return parent.query_up_down(cls())
class class_response_syntax(base_elt):
"""Syntax for Up-Down protocol "list_response" and "issue_response" PDUs."""
@@ -263,29 +263,28 @@ class issue_pdu(base_elt):
elt.text = self.pkcs10.get_Base64()
return [elt]
- def serve_pdu(self, gctx, q_msg, r_msg, child):
+ def serve_pdu(self, q_msg, r_msg, child):
"""Serve one issue request PDU."""
# Check the request
- ca = child.ca_from_class_name(gctx, self.class_name)
- ca_detail = ca.fetch_active(gctx)
+ ca = child.ca_from_class_name(self.class_name)
+ ca_detail = ca.fetch_active()
self.pkcs10.check_valid_rpki()
# Check current cert, if any
# This will require a callback when we go event-driven
- irdb_resources = rpki.left_right.irdb_query(gctx, child.self_id, child.child_id)
+ irdb_resources = self.gctx.irdb_query(child.self_id, child.child_id)
resources = irdb_resources.intersection(ca_detail.latest_ca_cert.get_3779resources())
req_key = self.pkcs10.getPublicKey()
req_sia = self.pkcs10.get_SIA()
- child_cert = child.child_certs(gctx, ca_detail = ca_detail, ski = req_key.get_SKI(), unique = True)
+ child_cert = child.child_certs(ca_detail = ca_detail, ski = req_key.get_SKI(), unique = True)
# Generate new cert or regenerate old one if necessary
if child_cert is None:
child_cert = ca_detail.issue(
- gctx = gctx,
ca = ca,
child = child,
subject_key = req_key,
@@ -293,13 +292,12 @@ class issue_pdu(base_elt):
resources = resources)
else:
child_cert = child_cert.reissue(
- gctx = gctx,
ca_detail = ca_detail,
sia = req_sia,
resources = resources)
# Save anything we modified and generate response
- rpki.sql.sql_sweep(gctx)
+ self.gctx.sql_sweep()
assert child_cert and child_cert.sql_in_db
c = certificate_elt()
c.cert_url = multi_uri(child_cert.uri(ca))
@@ -314,7 +312,7 @@ class issue_pdu(base_elt):
r_msg.payload.classes.append(rc)
@classmethod
- def query(cls, gctx, parent, ca, ca_detail):
+ def query(cls, parent, ca, ca_detail):
"""Send an "issue" request to parent associated with ca."""
assert ca_detail is not None and ca_detail.state in ("pending", "active")
sia = ((rpki.oids.name2oid["id-ad-caRepository"], ("uri", ca.sia_uri)),
@@ -322,7 +320,7 @@ class issue_pdu(base_elt):
self = cls()
self.class_name = ca.parent_resource_class
self.pkcs10 = rpki.x509.PKCS10.create_ca(ca_detail.private_key_id, sia)
- return parent.query_up_down(gctx, self)
+ return parent.query_up_down(self)
class issue_response_pdu(class_response_syntax):
"""Up-Down protocol "issue_response" PDU."""
@@ -353,25 +351,25 @@ class revoke_pdu(revoke_syntax):
"""Convert g(SKI) encoding from PDU back to raw SKI."""
return base64.urlsafe_b64decode(self.ski + "=")
- def serve_pdu(self, gctx, q_msg, r_msg, child):
+ def serve_pdu(self, q_msg, r_msg, child):
"""Serve one revoke request PDU."""
- for ca_detail in child.ca_from_class_name(gctx, self.class_name).ca_details(gctx):
- for child_cert in child.child_certs(gctx, ca_detail = ca_detail, ski = self.get_SKI()):
- child_cert.revoke(gctx)
- rpki.sql.sql_sweep(gctx)
+ for ca_detail in child.ca_from_class_name(self.class_name).ca_details():
+ for child_cert in child.child_certs(ca_detail = ca_detail, ski = self.get_SKI()):
+ child_cert.revoke()
+ self.gctx.sql_sweep()
r_msg.payload = revoke_response_pdu()
r_msg.payload.class_name = self.class_name
r_msg.payload.ski = self.ski
@classmethod
- def query(cls, gctx, ca_detail):
+ def query(cls, ca_detail):
"""Send a "revoke" request to parent associated with ca_detail."""
- ca = ca_detail.ca(gctx)
- parent = ca.parent(gctx)
+ ca = ca_detail.ca()
+ parent = ca.parent()
self = cls()
self.class_name = ca.parent_resource_class
self.ski = ca_detail.latest_ca_cert.gSKI()
- return parent.query_up_down(gctx, self)
+ return parent.query_up_down(self)
class revoke_response_pdu(revoke_syntax):
"""Up-Down protocol "revoke_response" PDU."""
@@ -477,12 +475,12 @@ class message_pdu(base_elt):
"""Convert a message PDU to a string."""
lxml.etree.tostring(self.toXML(), pretty_print = True, encoding = "UTF-8")
- def serve_top_level(self, gctx, child):
+ def serve_top_level(self, child):
"""Serve one message request PDU."""
r_msg = message_pdu()
r_msg.sender = self.recipient
r_msg.recipient = self.sender
- self.payload.serve_pdu(gctx, self, r_msg, child)
+ self.payload.serve_pdu(self, r_msg, child)
r_msg.type = self.type2name[type(r_msg.payload)]
return r_msg
diff --git a/rpkid/rpkid.py b/rpkid/rpkid.py
index cb142da4..6b356c90 100755
--- a/rpkid/rpkid.py
+++ b/rpkid/rpkid.py
@@ -25,84 +25,7 @@ Default configuration file is rpkid.conf, override with --config option.
import traceback, os, time, getopt, sys, MySQLdb, lxml.etree
import rpki.resource_set, rpki.up_down, rpki.left_right, rpki.x509, rpki.sql
import rpki.https, rpki.config, rpki.cms, rpki.exceptions, rpki.relaxng, rpki.log
-
-def left_right_handler(query, path):
- """Process one left-right PDU."""
- rpki.log.trace()
- try:
- q_elt = rpki.cms.xml_verify(query, gctx.cms_ta_irbe)
- rpki.relaxng.left_right.assertValid(q_elt)
- q_msg = rpki.left_right.sax_handler.saxify(q_elt)
- r_msg = q_msg.serve_top_level(gctx)
- r_elt = r_msg.toXML()
- rpki.relaxng.left_right.assertValid(r_elt)
- reply = rpki.cms.xml_sign(r_elt, gctx.cms_key, gctx.cms_certs)
- rpki.sql.sql_sweep(gctx)
- return 200, reply
- except lxml.etree.DocumentInvalid:
- rpki.log.warn("Received reply document does not pass schema check: " + lxml.etree.tostring(r_elt, pretty_print = True))
- rpki.log.warn(traceback.format_exc())
- return 500, "Schema violation"
- except Exception, data:
- rpki.log.error(traceback.format_exc())
- return 500, "Unhandled exception %s" % data
-
-def up_down_handler(query, path):
- """Process one up-down PDU."""
- rpki.log.trace()
- try:
- child_id = path.partition("/up-down/")[2]
- if not child_id.isdigit():
- raise rpki.exceptions.BadContactURL, "Bad path: %s" % path
- child = rpki.left_right.child_elt.sql_fetch(gctx, long(child_id))
- if child is None:
- raise rpki.exceptions.ChildNotFound, "Could not find child %s" % child_id
- reply = child.serve_up_down(gctx, query)
- rpki.sql.sql_sweep(gctx)
- return 200, reply
- except Exception, data:
- rpki.log.error(traceback.format_exc())
- return 400, "Could not process PDU: %s" % data
-
-def cronjob_handler(query, path):
- """Periodic tasks. As simple as possible for now, may need to break
- this up into separate handlers later.
- """
-
- rpki.log.trace()
- for s in rpki.left_right.self_elt.sql_fetch_all(gctx):
- s.client_poll(gctx)
- s.update_children(gctx)
- s.regenerate_crls_and_manifests(gctx)
- rpki.sql.sql_sweep(gctx)
- return 200, "OK"
-
-class global_context(object):
- """A container for various global parameters."""
-
- def __init__(self, cfg):
-
- self.db = MySQLdb.connect(user = cfg.get("sql-username"),
- db = cfg.get("sql-database"),
- passwd = cfg.get("sql-password"))
- self.cur = self.db.cursor()
-
- self.cms_ta_irdb = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irdb"))
- self.cms_ta_irbe = rpki.x509.X509(Auto_file = cfg.get("cms-ta-irbe"))
- self.cms_key = rpki.x509.RSA(Auto_file = cfg.get("cms-key"))
- self.cms_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("cms-cert"))
-
- self.https_key = rpki.x509.RSA(Auto_file = cfg.get("https-key"))
- self.https_certs = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-cert"))
- self.https_ta_irdb = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irdb"))
- self.https_ta_irbe = rpki.x509.X509_chain(Auto_files = cfg.multiget("https-ta-irbe"))
-
- self.irdb_url = cfg.get("irdb-url")
-
- self.https_server_host = cfg.get("server-host", "")
- self.https_server_port = int(cfg.get("server-port", "4433"))
-
- self.publication_kludge_base = cfg.get("publication-kludge-base", "publication/")
+import rpki.gctx
os.environ["TZ"] = "UTC"
time.tzset()
@@ -127,13 +50,13 @@ startup_msg = cfg.get("startup-message", "")
if startup_msg:
rpki.log.info(startup_msg)
-gctx = global_context(cfg)
+gctx = rpki.gctx.global_context(cfg)
rpki.https.server(privateKey = gctx.https_key,
certChain = gctx.https_certs,
x509TrustList = gctx.https_ta_irbe,
host = gctx.https_server_host,
port = gctx.https_server_port,
- handlers=(("/left-right", left_right_handler),
- ("/up-down/", up_down_handler),
- ("/cronjob", cronjob_handler)))
+ handlers=(("/left-right", gctx.left_right_handler),
+ ("/up-down/", gctx.up_down_handler),
+ ("/cronjob", gctx.cronjob_handler)))
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-12 14:06:44 +0000