Skip to content

Commit

Permalink
Merge pull request #169 from NLnetLabs/v0.4.2-pre
Browse files Browse the repository at this point in the history
V0.4.2 pre
  • Loading branch information
Tim Bruijnzeels authored Jan 6, 2020
2 parents ab7a152 + 8d85dba commit f95669e
Show file tree
Hide file tree
Showing 33 changed files with 587 additions and 356 deletions.
2 changes: 2 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
/target
.git
11 changes: 2 additions & 9 deletions Cargo.toml
Original file line number Diff line number Diff line change
@@ -1,15 +1,12 @@
[package]
name = "krill"
version = "0.4.2-pre"
version = "0.4.2"
authors = [ "The NLnet Labs RPKI team <[email protected]>" ]
description = "Resource Public Key Infrastructure (RPKI) daemon"
license = "MPL-2.0"

[dependencies]
actix-identity = "0.1.0"
actix-web = { version = "1.0.3", features = ["ssl"] }
actix-session = "0.1.0"
actix-service = "0.4.0"
base64 = "^0.10"
bcder = "0.4.0"
bytes = "^0.4"
Expand All @@ -26,7 +23,7 @@ openssl = { version = "^0.10", features = ["v110"] }
pretty = "0.5.2"
rand = "^0.5"
reqwest = "^0.9.17"
rpki = "0.8.2"
rpki = "0.8.3"
serde = { version = "^1.0", features = ["derive"] }
serde_json = "^1.0"
syslog = "^4.0"
Expand All @@ -45,7 +42,3 @@ ignore = "^0.4"
[features]
default = []
extra-debug = [ "rpki/extra-debug" ]

# Used when depending on development branches of rpki-rs or bcder
#[patch.crates-io]
#rpki = { git = "https://github.com/NLnetLabs/rpki-rs.git", branch = "resource-set-fix" }
17 changes: 15 additions & 2 deletions Changelog.md
Original file line number Diff line number Diff line change
@@ -1,7 +1,21 @@
# Change Log

Please see [here](https://github.com/NLnetLabs/krill/projects?query=is%3Aopen+sort%3Aname-asc)
for planned releases.
for planned releases.

## 0.4.2 'Finer Things'

This release fixes a bug, and introduces minor usability improvements:
* Certain adjacent resources were encoded incorrectly (#161)
* Let users explicitly specify a repository before adding a parent (#160)
* Allow timezone to be set on the Docker container (#156)
* Improve error messaging when failing to start Krill (#155)
* Improve readability for CLI error responses (#162)
* Introduce configurable size limits for data submitted to Krill (#158)

Note that contrary to previous versions a new CA is set up without a default repository. For most
users we recommend that a remote (RFC 8181) repository is used, e.g. provided by their RIR or NIR.
A repository MUST be configured before a parent can be added to a CA.

## 0.4.1 'Fogo de Krill'

Expand Down Expand Up @@ -82,7 +96,6 @@ Known issues:
Work for the next release has already started. [Release 0.3](https://github.com/NLnetLabs/krill/projects/6)
will focus on (remote) publication, and will also solve the out-of-sync issue.


## 0.1.0 'A View to a Krill'

This is the first version of Krill that we are testing in the real world. Please note that the
Expand Down
20 changes: 19 additions & 1 deletion defaults/krill.conf
Original file line number Diff line number Diff line change
Expand Up @@ -93,4 +93,22 @@
#
# Defaults to 10 minutes
#
#ca_refresh = 600
#ca_refresh = 600

# Restrict size of messages sent to the API
#
# Default 256 kB
#
# post_limit_api = 262144

# Restrict size of messages sent to the RFC 8181 publication protocol
#
# Default 32MB (enough for a keyroll with about 8000 issued certificates)
#
# post_limit_rfc8181 = 33554432

# Restrict size of messages sent to the RFC 6492 up-down protocol
#
# Default 1MB (enough for a keyroll with certs of ~400kb, the biggest known cert is 220kB)
#
# post_limit_rfc6492 = 1048576
54 changes: 52 additions & 2 deletions doc/openapi.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -593,6 +593,9 @@ paths:
will be used. In principle CAs can also use this to talk to a local
parent CA in the same krill server, but this is inefficient. Therefore
it is also possible to add an 'embedded' parent in this case.
Note that you MUST specify a repository for your CA before you are
allowed to add a parent to it.
parameters:
- $ref: '#/components/parameters/ca_handle'
requestBody:
Expand All @@ -607,7 +610,14 @@ paths:
'403':
$ref: '#/components/responses/Forbidden'
'400':
$ref: '#/components/schemas/ParentWithHandleExists'
description: Bad request parameters.
content:
application/json:
schema:
oneOf:
- $ref: '#/components/schemas/ParentWithHandleExists'
- $ref: '#/components/responses/ParentNoResponse'
- $ref: '#/components/schemas/NoRepositoryConfiguredYetForCA'
'404':
$ref: '#/components/responses/UnknownCA'
'500':
Expand Down Expand Up @@ -655,7 +665,13 @@ paths:
'200':
$ref: '#/components/responses/Success'
'400':
$ref: '#/components/responses/UnknownParent'
description: Bad request parameters.
content:
application/json:
schema:
oneOf:
- $ref: '#/components/responses/UnknownParent'
- $ref: '#/components/responses/ParentNoResponse'
'403':
$ref: '#/components/responses/Forbidden'
'404':
Expand Down Expand Up @@ -719,8 +735,12 @@ paths:
- Request new certificates with SIA entries pointing to the new
locations.
- (best effort) Clean up of the old repository.
The new repository can be embedded, or remote. To use a remote
repository, the RFC 8181 Repository Response must be encoded into JSON.
Note: for most users it's better to use a remote repository, e.g. provided
by your RIR or NIR.
parameters:
- $ref: '#/components/parameters/ca_handle'
requestBody:
Expand Down Expand Up @@ -1436,6 +1456,18 @@ components:
msg:
type: string
example: Parent with handle exists.
ParentNoResponse:
type: object
required:
- code
- msg
properties:
code:
type: integer
enum: [2308]
msg:
type: string
example: No response from parent.
UnknownChild:
type: object
required:
Expand All @@ -1460,6 +1492,18 @@ components:
msg:
type: string
example: No known parent for handle.
NoRepositoryConfiguredYetForCA:
type: object
required:
- code
- msg
properties:
code:
type: integer
enum: [2307]
msg:
type: string
example: No repository configured yet for CA.
InvalidROADeltaAddingDefinitionAlreadyPresent:
type: object
required:
Expand Down Expand Up @@ -1588,6 +1632,12 @@ components:
application/json:
schema:
$ref: '#/components/schemas/UnknownParent'
ParentNoResponse:
description: No response from parent.
content:
application/json:
schema:
$ref: '#/components/schemas/ParentNoResponse'
GeneralPublicationServerError:
description: General Publication Server error.
content:
Expand Down
5 changes: 2 additions & 3 deletions docker/entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,7 @@ if [ "$1" == "krill" ]; then
# RSYNC and RRDP endpoints to the correct FQDN. We cannot know know the
# FQDN which clients use to reach us so the operator must inform this
# script via a "-e KRILL_FQDN=some.domain.name" argument to
# "docker run". If KRILL_FQDN is not set assume that the user is
# managing the Krill configuration themselves.
# "docker run".
cat << EOF >> ${KRILL_CONF}
rsync_base = "rsync://${KRILL_FQDN}/repo/" ${MAGIC}
service_uri = "https://${KRILL_FQDN}/" ${MAGIC}
Expand All @@ -81,4 +80,4 @@ fi
# to ensure krill runs as PID 1 as required by Docker for proper signal
# handling. This also allows this Docker image to be used to run krill_admin
# instead of krill.
exec "$@"
exec "$@"
9 changes: 7 additions & 2 deletions src/bin/krill.rs
Original file line number Diff line number Diff line change
Expand Up @@ -5,9 +5,14 @@ use krill::daemon::http::server;

fn main() {
match Config::create() {
Ok(config) => server::start(&config).unwrap(),
Ok(config) => {
if let Err(e) = server::start(&config) {
eprintln!("Krill failed to start: {}", e);
::std::process::exit(1);
}
}
Err(e) => {
eprintln!("{}", e);
eprintln!("Krill failed to start: {}", e);
::std::process::exit(1);
}
}
Expand Down
19 changes: 17 additions & 2 deletions src/bin/krillc.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,8 @@ extern crate krill;

use krill::cli::options::Options;
use krill::cli::report::ReportFormat;
use krill::cli::KrillClient;
use krill::cli::{Error, KrillClient};
use krill::commons::util::httpclient;

fn main() {
match Options::from_args() {
Expand All @@ -12,7 +13,21 @@ fn main() {
Ok(()) => {} //,
Err(e) => {
if format != ReportFormat::None {
eprintln!("{}", e);
match &e {
Error::HttpClientError(httpclient::Error::ErrorWithJson(
_code,
res,
)) => {
if format == ReportFormat::Json {
eprintln!("{}", e);
} else {
eprintln!("Error {}: {}", res.code(), res.msg());
}
}
_ => {
eprintln!("{}", e);
}
}
}
::std::process::exit(1);
}
Expand Down
19 changes: 12 additions & 7 deletions src/cli/report.rs
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@ use std::str::{from_utf8_unchecked, FromStr};

use crate::commons::api::{
CaRepoDetails, CertAuthHistory, CertAuthInfo, CertAuthList, ChildCaInfo, CurrentObjects,
ParentCaContact, PublisherDetails, PublisherList, RepositoryContact, RoaDefinition,
CurrentRepoState, ParentCaContact, PublisherDetails, PublisherList, RepositoryContact,
RoaDefinition,
};
use crate::commons::remote::api::ClientInfo;
use crate::commons::remote::rfc8183;
use commons::api::CurrentRepoState;

//------------ ApiResponse ---------------------------------------------------

Expand Down Expand Up @@ -148,14 +148,19 @@ impl Report for CertAuthInfo {
ReportFormat::Text => {
let mut res = String::new();

let base_uri = self.repo_repo().base_uri();
let rrdp_uri = self.repo_repo().rpki_notify();

res.push_str(&format!("Name: {}\n", self.handle()));
res.push_str("\n");
res.push_str(&format!("Base uri: {}\n", base_uri));
res.push_str(&format!("RRDP uri: {}\n", rrdp_uri));

if let Some(repo_info) = self.repo_info() {
let base_uri = repo_info.base_uri();
let rrdp_uri = repo_info.rpki_notify();
res.push_str(&format!("Base uri: {}\n", base_uri));
res.push_str(&format!("RRDP uri: {}\n", rrdp_uri));
} else {
res.push_str("No repository configured.")
}
res.push_str("\n");

res.push_str(&format!("ID cert PEM:\n{}\n", self.id_cert().pem()));
res.push_str(&format!("Hash: {}\n", self.id_cert().hash()));
res.push_str("\n");
Expand Down
10 changes: 9 additions & 1 deletion src/commons/api/admin.rs
Original file line number Diff line number Diff line change
Expand Up @@ -373,7 +373,7 @@ impl fmt::Display for RepositoryContact {
/// This type defines all parent ca details needed to add a parent to a CA
#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct ParentCaReq {
handle: Handle, // the local name the child gave to the parent
handle: ParentHandle, // the local name the child gave to the parent
contact: ParentCaContact, // where the parent can be contacted
}

Expand All @@ -382,6 +382,14 @@ impl ParentCaReq {
ParentCaReq { handle, contact }
}

pub fn handle(&self) -> &ParentHandle {
&self.handle
}

pub fn contact(&self) -> &ParentCaContact {
&self.contact
}

pub fn unwrap(self) -> (Handle, ParentCaContact) {
(self.handle, self.contact)
}
Expand Down
22 changes: 13 additions & 9 deletions src/commons/api/ca.rs
Original file line number Diff line number Diff line change
Expand Up @@ -1473,7 +1473,7 @@ impl fmt::Display for ParentInfo {
pub struct CertAuthInfo {
handle: Handle,
id_cert: IdCertPem,
repo_info: RepoInfo,
repo_info: Option<RepoInfo>,
parents: Vec<ParentInfo>,
resources: ResourceSet,
resource_classes: HashMap<ResourceClassName, ResourceClassInfo>,
Expand All @@ -1484,7 +1484,7 @@ impl CertAuthInfo {
pub fn new(
handle: Handle,
id_cert: IdCertPem,
repo_info: RepoInfo,
repo_info: Option<RepoInfo>,
parents: HashMap<ParentHandle, ParentCaContact>,
resource_classes: HashMap<ResourceClassName, ResourceClassInfo>,
children: Vec<ChildHandle>,
Expand Down Expand Up @@ -1521,8 +1521,8 @@ impl CertAuthInfo {
&self.id_cert
}

pub fn repo_repo(&self) -> &RepoInfo {
&self.repo_info
pub fn repo_info(&self) -> Option<&RepoInfo> {
self.repo_info.as_ref()
}

pub fn parents(&self) -> &Vec<ParentInfo> {
Expand All @@ -1543,10 +1543,14 @@ impl CertAuthInfo {

pub fn published_objects(&self) -> Vec<Publish> {
let mut res = vec![];
for (_rc_name, rc) in self.resource_classes.iter() {
let name_space = rc.name_space();
res.append(&mut rc.current_objects().publish(self.repo_repo(), name_space));

if let Some(repo_info) = &self.repo_info {
for (_rc_name, rc) in self.resource_classes.iter() {
let name_space = rc.name_space();
res.append(&mut rc.current_objects().publish(repo_info, name_space));
}
}

res
}
}
Expand Down Expand Up @@ -1958,9 +1962,9 @@ mod test {

let parent_resources_json =
include_str!("../../../test-resources/resources/parent_resources.json");
let parent_resouces: ResourceSet = serde_json::from_str(parent_resources_json).unwrap();
let parent_resources: ResourceSet = serde_json::from_str(parent_resources_json).unwrap();

let intersection = parent_resouces.intersection(&child_resources);
let intersection = parent_resources.intersection(&child_resources);

assert_eq!(intersection, child_resources);
}
Expand Down
Loading

0 comments on commit f95669e

Please sign in to comment.