Diffstat (limited to 'scripts/rpki')
-rw-r--r-- | scripts/rpki/left_right.py | 6 | ||||
-rw-r--r-- | scripts/rpki/sql.py | 41 | ||||
-rw-r--r-- | scripts/rpki/up_down.py | 16 |
3 files changed, 38 insertions, 25 deletions
diff --git a/scripts/rpki/left_right.py b/scripts/rpki/left_right.py
index 8446f2d1..c817f08e 100644
--- a/scripts/rpki/left_right.py
+++ b/scripts/rpki/left_right.py
@@ -313,7 +313,7 @@ class self_elt(data_elt):
 now = rpki.sundial.datetime.utcnow()
 for child in self.children(gctx):
- child_certs = rpki.sql.child_cert_obj.sql_fetch_where(gctx, "child_id = %s AND revoked IS NULL" % child.child_id)
+ child_certs = child.child_certs(gctx)
 if not child_certs:
 continue
@@ -554,9 +554,9 @@ class child_elt(data_elt):
 cms_ta = None
- def child_certs(self, gctx):
+ def child_certs(self, gctx, ca_detail = None, ski = None, revoked = False, unique = False):
 """Fetch all child_cert objects that link to this child object."""
- return rpki.sql.child_cert_obj.sql_fetch_where(gctx, "child_id = %s" % self.child_id)
+ return rpki.sql.child_cert_obj.fetch(gctx, self, ca_detail, ski, revoked, unique)
 def parents(self, gctx):
 """Fetch all parent objects that link to self object to which this child object links."""
diff --git a/scripts/rpki/sql.py b/scripts/rpki/sql.py
index efafb889..e34673e8 100644
--- a/scripts/rpki/sql.py
+++ b/scripts/rpki/sql.py
@@ -308,6 +308,8 @@ class ca_obj(sql_persistant):
 for child_cert in ca_detail.child_certs(gctx):
 repository.withdraw(gctx, (child_cert.cert, child_cert.uri(self)))
 child_cert.sql_delete(gctx)
+ for child_cert in ca_detail.child_certs(gctx, revoked = True):
+ child_cert.sql_delete(gctx)
 repository.withdraw(gctx, (ca_detail.latest_crl, ca_detail.crl_uri()), (ca_detail.latest_manifest, ca_detail.manifest_uri(self)))
 ca_detail.sql_delete(gctx)
 self.sql_delete(gctx)
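Review bot: The docstring of `child_elt.child_certs` in the second hunk is now stale: with the new defaults the method returns only certificates whose `revoked IS NULL`, and it accepts `ca_detail`, `ski`, `revoked` and `unique` filters that it forwards positionally to `child_cert_obj.fetch`. Callers such as `self_elt` in the first hunk therefore stop seeing revoked certificates without any visible hint, so the default belongs in the documentation. I would replace the one-liner with a docstring saying that it fetches the child_cert objects linked to this child, optionally restricted to one ca_detail and/or one SKI, that `revoked = False` (the default) selects only unrevoked certificates while `revoked = True` selects only revoked ones, and that `unique = True` returns a single object (via `sql_fetch_where1`) rather than a list. Because the arguments are passed positionally, a comment such as `# positional order must match child_cert_obj.fetch(gctx, child, ca_detail, ski, revoked, unique)` on the return line would protect against a silent mismatch if either signature is ever reordered.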
@@ -361,9 +363,9 @@ class ca_detail_obj(sql_persistant):
 """Fetch CA object to which this ca_detail links."""
 return ca_obj.sql_fetch(gctx, self.ca_id)
- def child_certs(self, gctx):
+ def child_certs(self, gctx, child = None, ski = None, revoked = False, unique = False):
 """Fetch all child_cert objects that link to this ca_detail."""
- return child_cert_obj.sql_fetch_where(gctx, "ca_detail_id = %s" % self.ca_detail_id)
+ return rpki.sql.child_cert_obj.fetch(gctx, child, self, ski, revoked, unique)
 def route_origins(self, gctx):
 """Fetch all route_origin objects that link to this ca_detail."""
@@ -497,13 +499,11 @@ class ca_detail_obj(sql_persistant):
 """
 ca = self.ca(gctx)
- parent = ca.parent(gctx)
- self_obj = parent.self(gctx)
- crl_interval = rpki.sundial.timedelta(seconds = self_obj.crl_interval)
+ crl_interval = rpki.sundial.timedelta(seconds = ca.parent(gctx).self(gctx).crl_interval)
 now = rpki.sundial.datetime.utcnow()
 certlist = []
- for child_cert in child_cert_obj.sql_fetch_where(gctx, "child_cert.ca_detail_id = %s AND child_cert.revoked IS NOT NULL" % self.ca_detail_id):
+ for child_cert in self.child_certs(gctx, revoked = True):
 if now > child_cert.cert.getNotAfter() + crl_interval:
 child_cert.sql_delete()
 else:
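Review bot: In the first hunk, `ca_detail_obj.child_certs` now reaches `child_cert_obj` through `rpki.sql.child_cert_obj`, yet this is sql.py itself and the line it replaces used the bare name `child_cert_obj`, which is a class defined in this module (its header is visible in the last hunk of this file). Unless sql.py imports `rpki` or `rpki.sql` somewhere outside this diff, the new line raises NameError the first time it runs; the bare reference is both safe and consistent with `ca_obj.sql_fetch` two lines above it, so I would write `return child_cert_obj.fetch(gctx, child, self, ski, revoked, unique)`. The docstring on that method is also out of date for the same reasons as its twin in left_right.py: it now returns only unrevoked certificates by default and accepts child/SKI filters and a `unique` switch, which should be stated.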
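Review bot: In the second hunk the new loop header `for child_cert in self.child_certs(gctx, revoked = True):` feeds a branch that calls `child_cert.sql_delete()` with no `gctx`, whereas every other `sql_delete` call in this diff passes it (`child_cert.sql_delete(gctx)` in `ca_obj`, just above). If `sql_delete` requires the context, as those call sites suggest, the first CRL generation after a revoked certificate outlives its notAfter plus `crl_interval` will raise TypeError and the CRL will not be produced, which is the opposite of what the expiry pruning intends. The call is a context line here, but it is worth fixing in the same change since this hunk is what routes revoked certificates into it: `child_cert.sql_delete(gctx)`. The enclosing method continues past the end of the hunk.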
@@ -522,14 +522,12 @@ class ca_detail_obj(sql_persistant):
 """Generate a new manifest for this ca_detail."""
 ca = self.ca(gctx)
- parent = ca.parent(gctx)
- self_obj = parent.self(gctx)
- certs = child_cert_obj.sql_fetch_where(gctx, "child_cert.ca_detail_id = %s AND child_cert.revoked IS NULL" % self.ca_detail_id)
+ certs = self.child_certs(gctx)
 m = rpki.x509.SignedManifest()
 m.build(
 serial = ca.next_manifest_number(),
- nextUpdate = rpki.sundial.datetime.utcnow() + rpki.sundial.timedelta(seconds = self_obj.crl_interval),
+ nextUpdate = rpki.sundial.datetime.utcnow() + rpki.sundial.timedelta(seconds = ca.parent(gctx).self(gctx).crl_interval),
 names_and_objs = [(c.uri_tail(), c.cert) for c in certs],
 keypair = self.manifest_private_key_id,
 certs = rpki.x509.X509_chain(self.latest_manifest_cert))
@@ -613,3 +611,26 @@ class child_cert_obj(sql_persistant):
 self.revoke()
 return child_cert
+
+ @classmethod
+ def fetch(cls, gctx, child = None, ca_detail = None, ski = None, revoked = False, unique = False):
+ """Fetch all child_cert objects matching a particular set of
+ parameters. This is a wrapper to consolidate various queries that
+ would otherwise be inline SQL WHERE expressions. In most cases
+ code calls this indirectly, through methods in other classes.
+ """
+
+ if revoked:
+ where = "revoked IS NOT NULL"
+ else:
+ where = "revoked IS NULL"
+ if child:
+ where += " AND child_id = %s" % child.child_id
+ if ca_detail:
+ where += " AND ca_detail_id = %s" % ca_detail.ca_detail_id
+ if ski:
+ where += " AND ski = '%s'" % ski
+ if unique:
+ return cls.sql_fetch_where1(gctx, where)
+ else:
+ return cls.sql_fetch_where(gctx, where)
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 809ac80e..3b196d9d 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
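Review bot: The new `child_cert_obj.fetch` builds its WHERE clause by string interpolation, and the `ski` value it quotes into `" AND ski = '%s'"` is the one `up_down.issue_pdu` and `revoke_pdu` take from the peer's request; `child_id` and `ca_detail_id` are internal integers, but the SKI path is a SQL injection surface unless every caller has validated its format, which nothing in this diff shows. The `if child:` / `if ca_detail:` / `if ski:` guards also drop a filter on any falsy value, so an empty SKI combined with `unique = True` would return some arbitrary certificate for the child instead of none. I would test `is not None` and hand the values to the database driver as DB-API parameters rather than formatting them into the string, which requires `sql_fetch_where` and `sql_fetch_where1` (defined outside this hunk) to accept a parameter sequence; if they cannot, the SKI must at least be escaped or syntax-checked before it reaches this method.
```python
  @classmethod
  def fetch(cls, gctx, child = None, ca_detail = None, ski = None, revoked = False, unique = False):
    # … unchanged: docstring …
    if revoked:
      where = "revoked IS NOT NULL"
    else:
      where = "revoked IS NULL"
    args = []
    if child is not None:
      where += " AND child_id = %s"
      args.append(child.child_id)
    if ca_detail is not None:
      where += " AND ca_detail_id = %s"
      args.append(ca_detail.ca_detail_id)
    if ski is not None:
      where += " AND ski = %s"
      args.append(ski)
    # NOTE(review): assumes sql_fetch_where / sql_fetch_where1 forward args to
    # cursor.execute() as DB-API parameters -- confirm, or escape ski instead.
    if unique:
      return cls.sql_fetch_where1(gctx, where, args)
    return cls.sql_fetch_where(gctx, where, args)
```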
@@ -184,9 +184,7 @@ class list_pdu(base_elt):
 rc.class_name = str(ca.ca_id)
 rc.cert_url = multi_uri(ca_detail.ca_cert_uri)
 rc.from_resource_bag(resources)
- for child_cert in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
- child_id = %s AND ca_detail_id = %s
- """ % (child.child_id, ca_detail.ca_detail_id)):
+ for child_cert in child.child_certs(gctx, ca_detail = ca_detail):
 c = certificate_elt()
 c.cert_url = multi_uri(child_cert.uri(ca))
 c.cert = child_cert.cert
@@ -267,9 +265,7 @@ class issue_pdu(base_elt):
 resources = irdb_resources.intersection(ca_detail.latest_ca_cert.get_3779resources())
 req_key = self.pkcs10.getPublicKey()
 req_sia = self.pkcs10.get_SIA()
- child_cert = rpki.sql.child_cert_obj.sql_fetch_where1(gctx, """
- child_id = %s AND ca_detail_id = %s AND ski = "%s"
- """ % (child.child_id, ca_detail.ca_detail_id, req_key.get_SKI()))
+ child_cert = child.child_certs(gctx, ca_detail = ca_detail, ski = req_key.get_SKI(), unique = True)
 # Generate new cert or regenerate old one if necessary
@@ -347,12 +343,8 @@ class revoke_pdu(revoke_syntax):
 """Serve one revoke request PDU."""
 if not self.class_name.isdigit():
 raise rpki.exceptions.BadClassNameSyntax, "Bad class name %s" % self.class_name
- ca_id = long(self.class_name)
- ski = self.get_SKI()
- for ca_detail in rpki.sql.ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state != 'revoked'" % ca_id):
- for child_cert in rpki.sql.child_cert_obj.sql_fetch_where(gctx, """
- child_id = %s AND ca_detail_id = %s AND ski = '%s'
- """ % (child.child_id, ca_detail.ca_detail_id, ski)):
+ for ca_detail in rpki.sql.ca_detail_obj.sql_fetch_where(gctx, "ca_id = %s AND state != 'revoked'" % long(self.class_name)):
+ for child_cert in child.child_certs(gctx, ca_detail = ca_detail, ski = self.get_SKI()):
 child_cert.revoke()
 rpki.sql.sql_sweep(gctx)
 r_msg.payload = revoke_response_pdu() |
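Review bot: In the `revoke_pdu` hunk the only input check on this request is `self.class_name.isdigit()`, while `self.get_SKI()` — the SKI string carried in the peer's revoke PDU — is passed straight into `child.child_certs(..., ski = self.get_SKI())`, which on the sql.py side quotes it into a WHERE clause. The request is presumably CMS-signed by a known child, so the sender is authenticated but not trusted, and this method is the boundary where the value should be validated with the same care as `class_name`. I would bind it once and check its syntax before any query, e.g. `ski = self.get_SKI()` followed by a regular-expression match against the alphabet the SKI encoding uses, raising an `rpki.exceptions` error in the style of `BadClassNameSyntax` on mismatch; the exact alphabet depends on how `get_SKI` (outside this diff) decodes the attribute, so confirm it rather than guessing. The same applies in spirit to `req_key.get_SKI()` in the `issue_pdu` hunk, though there the value is derived from the PKCS#10 public key rather than copied from the request.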