From 32b7a7b22c11129c2c17d8adc3f6aceac0e6de0b Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Sun, 16 Sep 2007 21:06:15 +0000
Subject: Switch to using APNIC's preferred version of the up-down protocol schema.

I still think the folks at APNIC are wrong about allowing bogus error codes to slip past schema checking, but coding around this problem is less work in the long run than maintaining a forked schema would be. Time to bury the hatchet and move on.

svn path=/scripts/Makefile; revision=975
---
 scripts/Makefile | 5 -
 scripts/encode-test.py | 2 +-
 scripts/rpki/up_down.py | 44 +++-
 scripts/rpkid.py | 2 +-
 scripts/up-down-medium-schema.rnc | 79 -------
 scripts/up-down-medium-schema.rng | 258 ---------------------
 .../up-down-protocol-samples/issue_response.xml | 8 +-
 scripts/up-down-protocol-samples/list_response.xml | 12 +-
 scripts/xml-parse-test.py | 2 +-
 9 files changed, 54 insertions(+), 358 deletions(-)
 delete mode 100644 scripts/up-down-medium-schema.rnc
 delete mode 100644 scripts/up-down-medium-schema.rng
(limited to 'scripts')
diff --git a/scripts/Makefile b/scripts/Makefile
index 26d31538..5aa33cba 100644
--- a/scripts/Makefile
+++ b/scripts/Makefile
@@ -11,11 +11,6 @@ all:: left-right-schema.rng
 left-right-schema.rng: left-right-schema.rnc
 trang left-right-schema.rnc left-right-schema.rng
 
-all:: up-down-medium-schema.rng
-
-up-down-medium-schema.rng: up-down-medium-schema.rnc
- trang up-down-medium-schema.rnc up-down-medium-schema.rng
-
 all:: up-down-schema.rng
 
 up-down-schema.rng: up-down-schema.rnc
diff --git a/scripts/encode-test.py b/scripts/encode-test.py
index 08f78d82..b4709866 100755
--- a/scripts/encode-test.py
+++ b/scripts/encode-test.py
@@ -23,7 +23,7 @@ def main():
 dir = "biz-certs"
 cer = "biz-certs/Alice-EE.cer"
 key = "biz-certs/Alice-EE.key"
- rng = "up-down-medium-schema.rng"
+ rng = "up-down-schema.rng"
 for x in xml:
 print x
diff --git a/scripts/rpki/up_down.py b/scripts/rpki/up_down.py
index 256ef790..d1437775 100644
--- a/scripts/rpki/up_down.py
+++ b/scripts/rpki/up_down.py
@@ -45,13 +45,37 @@ class base_elt(object):
 if value is not None:
 lxml.etree.SubElement(elt, "{%s}%s" % (xmlns, name), nsmap=nsmap).text = base64.b64encode(value)
 
+class multi_uri(list):
+ """Container for a set of URIs."""
+
+ def __init__(self, ini):
+ """Initialize a set of URIs, which includes basic some syntax checking."""
+ if isinstance(ini, (list, tuple)):
+ self[:] = ini
+ elif isinstance(ini, str):
+ self[:] = ini.split(",")
+ for s in self:
+ assert s.strip() == s and s.find("://") >= 0, "Bad URI \"%s\"" % s
+ else:
+ raise TypeError
+
+ def __str__(self):
+ return ",".join(self)
+
+ def rsync(self):
+ """Find first rsync://... URI in self."""
+ for s in self:
+ if s.startswith("rsync://"):
+ return s
+ return None
+
 class certificate_elt(base_elt):
 """Up-Down protocol representation of an issued certificate."""
 
 def startElement(self, stack, name, attrs):
 """Handle attributes of element."""
 assert name == "certificate", "Unexpected name %s, stack %s" % (name, stack)
- self.cert_url = attrs["cert_url"]
+ self.cert_url = multi_uri(attrs["cert_url"])
 self.req_resource_set_as = resource_set.resource_set_as(attrs.get("req_resource_set_as"))
 self.req_resource_set_ipv4 = resource_set.resource_set_ipv4(attrs.get("req_resource_set_ipv4"))
 self.req_resource_set_ipv6 = resource_set.resource_set_ipv6(attrs.get("req_resource_set_ipv6"))
@@ -84,7 +108,7 @@ class class_elt(base_elt):
 elif name != "issuer":
 assert name == "class", "Unexpected name %s, stack %s" % (name, stack)
 self.class_name = attrs["class_name"]
- self.cert_url = attrs["cert_url"]
+ self.cert_url = multi_uri(attrs["cert_url"])
 self.suggested_sia_head = attrs.get("suggested_sia_head")
 self.resource_set_as = resource_set.resource_set_as(attrs["resource_set_as"])
 self.resource_set_ipv4 = resource_set.resource_set_ipv4(attrs["resource_set_ipv4"])
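Review bot: `multi_uri.__init__` validates the peer-supplied `cert_url` attribute with `assert`, so the check disappears under `python -O` and otherwise surfaces as an AssertionError rather than a protocol-level error; since this class exists precisely to police what the looser APNIC schema lets through (the commit message says as much), the check should be an explicit `raise`. The list/tuple branch also skips the syntax check entirely, so a `multi_uri([...])` built in code gets no validation at all. `isinstance(ini, str)` falls into the bare `raise TypeError` if the SAX layer hands over `unicode` instead of `str`; whether it does cannot be told from the hunk, but `basestring` costs nothing on this Python 2 code base (`print x` in encode-test.py) and the TypeError deserves a message. Suggested rewrite of `__init__` follows, using ValueError unless the project already has its own exception type for malformed protocol input; `__str__` and `rsync` are unchanged.
```python
  def __init__(self, ini):
    """Initialize a set of URIs, which includes some basic syntax checking."""
    if isinstance(ini, (list, tuple)):
      self[:] = ini
    elif isinstance(ini, basestring):
      self[:] = ini.split(",")
    else:
      raise TypeError("multi_uri expects a list, tuple or string, got %r" % type(ini))
    for s in self:
      # Peer input: reject surrounding whitespace and anything without a
      # scheme separator with a real exception, not an assert.
      if s.strip() != s or "://" not in s:
        raise ValueError("Bad URI \"%s\"" % s)
  # ... unchanged: __str__, rsync ...
```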
@@ -180,10 +204,23 @@ class revoke_response_pdu(revoke_pdu):
 class error_response_pdu(base_elt):
 """Up-Down protocol "error_response" PDU."""
 
+ codes = {
+ 1101 : "Already processing request",
+ 1102 : "Version number error",
+ 1103 : "Unrecognised request type",
+ 1201 : "Request - no such resource class",
+ 1202 : "Request - no resources allocated in resource class",
+ 1203 : "Request - badly formed certificate request",
+ 1301 : "Revoke - no such resource class",
+ 1302 : "Revoke - no such key",
+ 2001 : "Internal Server Error - Request not performed" }
+
 def endElement(self, stack, name, text):
 """Handle "error_response" PDU."""
 if name == "status":
- self.status = int(text)
+ code = int(text)
+ assert code in self.codes
+ self.status = code
 elif name == "last_message_processed":
 self.last_message_processed = text
 elif name == "description":
@@ -195,6 +232,7 @@ class error_response_pdu(base_elt):
 
 def toXML(self):
 """Generate payload of "error_response" PDU."""
+ assert self.status in self.codes
 elt = self.make_elt("status")
 elt.text = str(self.status)
 return [elt]
diff --git a/scripts/rpkid.py b/scripts/rpkid.py
index a8eb024c..483ad5be 100755
--- a/scripts/rpkid.py
+++ b/scripts/rpkid.py
@@ -88,7 +88,7 @@ db = MySQLdb.connect(user = cfg.get(section, "sql-username"),
 cur = db.cursor()
 
 lr_rng = rpki.relaxng.RelaxNG("left-right-schema.rng")
-ud_rng = rpki.relaxng.RelaxNG("up-down-medium-schema.rng")
+ud_rng = rpki.relaxng.RelaxNG("up-down-schema.rng")
 
 cms_ta_irdb = cfg.get(section, "cms-ta-irdb")
 cms_ta_irbe = cfg.get(section, "cms-ta-irbe")
diff --git a/scripts/up-down-medium-schema.rnc b/scripts/up-down-medium-schema.rnc
deleted file mode 100644
index 623d83b5..00000000
--- a/scripts/up-down-medium-schema.rnc
+++ /dev/null
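Review bot: `assert code in self.codes` in `endElement` is the very check this commit relies on to catch the bogus error codes the APNIC schema no longer rejects, yet `assert` is stripped under `python -O` and otherwise raises AssertionError for what is an input-validation failure on data from the other end of the up-down channel. Replace it with an explicit exception: `if code not in self.codes:` / `raise ValueError("Unknown error_response status code %d" % code)`. The `int(text)` on the preceding line already raises ValueError for non-numeric text, so a caller handling that exception covers both failures. The `assert self.status in self.codes` added to `toXML` guards our own output and is less critical, but it vanishes under `-O` as well, so the same `raise` pattern is worth applying there. The rest of `endElement` continues outside the hunk.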
@@ -1,79 +0,0 @@ -# $Id$ -# -# RelaxNG (Compact Syntax) Schema -# for RPKI up-down protocol. This is based on the schema in the APNIC -# Wiki, but has tighter constraints on some fields. -# -# libxml2 (including xmllint) only groks the XML syntax of RelaxNG, so -# run the output of this script through a converter like trang to get -# XML syntax. - - default namespace = "http://www.apnic.net/specs/rescerts/up-down/" - - grammar { - start = element message { - attribute version { xsd:positiveInteger { maxInclusive="1" } }, - attribute sender { xsd:token { maxLength="1024" } }, - attribute recipient { xsd:token { maxLength="1024" } }, - payload - } - - payload |= attribute type { "list" }, list_request - payload |= attribute type { "list_response"}, list_response - payload |= attribute type { "issue" }, issue_request - payload |= attribute type { "issue_response"}, issue_response - payload |= attribute type { "revoke" }, revoke_request - payload |= attribute type { "revoke_response"}, revoke_response - payload |= attribute type { "error_response"}, error_response - - list_request = empty - list_response = class* - - class = element class { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute cert_url { xsd:anyURI { maxLength="1024" } }, - attribute resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }, - attribute resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }, - attribute resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }, - attribute suggested_sia_head { xsd:anyURI { maxLength="1024" pattern="rsync://.+"} }?, - element certificate { - attribute cert_url { xsd:anyURI { maxLength="1024" } }, - attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?, - attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?, - attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" 
pattern="[\-,/:0-9a-fA-F]*" } }?, - xsd:base64Binary { maxLength="512000" } - }*, - element issuer { xsd:base64Binary { maxLength="512000" } } - } - - issue_request = element request { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute req_resource_set_as { xsd:string { maxLength="512000" pattern="[\-,0-9]*" } }?, - attribute req_resource_set_ipv4 { xsd:string { maxLength="512000" pattern="[\-,/.0-9]*" } }?, - attribute req_resource_set_ipv6 { xsd:string { maxLength="512000" pattern="[\-,/:0-9a-fA-F]*" } }?, - xsd:base64Binary { maxLength="512000" } - } - issue_response = class - - revoke_request = revocation - revoke_response = revocation - - revocation = element key { - attribute class_name { xsd:token { maxLength="1024" } }, - attribute ski { xsd:token { maxLength="1024" } } - } - - error_response = - element status { - "1101" | # Already processing request - "1102" | # version number error - "1103" | # unrecognised request type - "1201" | # request - no such resource class - "1202" | # request - no resources allocated in resource class - "1203" | # request - badly formed certificate request - "1301" | # revoke - no such resource class - "1302" | # revoke - no such key - "2001" # Internal Server Error - Request not performed - }, - element description { attribute xml:lang { xsd:language }, xsd:string { maxLength="1024" } }? - } diff --git a/scripts/up-down-medium-schema.rng b/scripts/up-down-medium-schema.rng deleted file mode 100644 index d9c84489..00000000 --- a/scripts/up-down-medium-schema.rng +++ /dev/null 
@@ -1,258 +0,0 @@ - - - - - - - - 1 - - - - - 1024 - - - - - 1024 - - - - - - - - list - - - - - - list_response - - - - - - issue - - - - - - issue_response - - - - - - revoke - - - - - - revoke_response - - - - - - error_response - - - - - - - - - - - - - - - - 1024 - - - - - 1024 - - - - - 512000 - [\-,0-9]* - - - - - 512000 - [\-,/.0-9]* - - - - - 512000 - [\-,/:0-9a-fA-F]* - - - - - - 1024 - rsync://.+ - - - - - - - - 1024 - - - - - - 512000 - [\-,0-9]* - - - - - - - 512000 - [\-,/.0-9]* - - - - - - - 512000 - [\-,/:0-9a-fA-F]* - - - - - 512000 - - - - - - 512000 - - - - - - - - - 1024 - - - - - - 512000 - [\-,0-9]* - - - - - - - 512000 - [\-,/.0-9]* - - - - - - - 512000 - [\-,/:0-9a-fA-F]* - - - - - 512000 - - - - - - - - - - - - - - - - - 1024 - - - - - 1024 - - - - - - - - 1101 - - 1102 - - 1103 - - 1201 - - 1202 - - 1203 - - 1301 - - 1302 - - 2001 - - - - - - - - - - 1024 - - - - - diff --git a/scripts/up-down-protocol-samples/issue_response.xml b/scripts/up-down-protocol-samples/issue_response.xml index 849626c6..39f6b954 100644 --- a/scripts/up-down-protocol-samples/issue_response.xml +++ b/scripts/up-down-protocol-samples/issue_response.xml @@ -5,12 +5,12 @@ recipient="recipient name" type="issue_response"> - @@ -36,7 +36,7 @@ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w== - @@ -62,7 +62,7 @@ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0 tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw== - diff --git a/scripts/up-down-protocol-samples/list_response.xml b/scripts/up-down-protocol-samples/list_response.xml index a2598d33..9e368f5a 100644 --- a/scripts/up-down-protocol-samples/list_response.xml +++ b/scripts/up-down-protocol-samples/list_response.xml @@ -5,12 +5,12 @@ recipient="recipient name" type="list_response"> - @@ -36,7 +36,7 @@ AIYRKF4k4ZDYZ9gA/LYnH56xvpEXwRE1bpxgUC5n8wQrdIn5/pJz3R5EgWe4CGOo n/SMvEfe8d+LEc0C7LmtCwYoDOKENoOF809GVkbV9fjL8w== - 
@@ -62,7 +62,7 @@ 2emkoegzzS2cN+5I5I+O8IRnZInqmiPgEgElgEFw+rg6xw23yax5Nyqx12J56tt0 tPWGhrYe1dCwKZajWKn3P9+NMcGQ0d8bw/QU+B3RyVeVfw== - @@ -114,11 +114,11 @@ - + MIIDzDCCArSgAwIBAgIBCTANBgkqhkiG9w0BAQUFADAbMRkwFwYDVQQDExBURVNU IEVOVElUWSBMSVIxMB4XDTA3MDgwMTE0NDgyMloXDTA4MDczMTE0NDgyMlowGzEZ MBcGA1UEAxMQVEVTVCBFTlRJVFkgSVNQMjCCASIwDQYJKoZIhvcNAQEBBQADggEP diff --git a/scripts/xml-parse-test.py b/scripts/xml-parse-test.py index ed437789..73ab295d 100755 --- a/scripts/xml-parse-test.py +++ b/scripts/xml-parse-test.py @@ -42,7 +42,7 @@ def lr_tester(elt_in, elt_out, msg): pprint_cert(cert) test(fileglob="up-down-protocol-samples/*.xml", - schema="up-down-medium-schema.rng", + schema="up-down-schema.rng", sax_handler=rpki.up_down.sax_handler, encoding="utf-8", tester=ud_tester) -- cgit v1.2.3