Search in sources :

Example 21 with TrustAnchor

use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.

the class JPARpkiRepositories method removeAllForTrustAnchor.

@Override
public void removeAllForTrustAnchor(TrustAnchor trustAnchor) {
    for (RpkiRepository repository : select().where(rpkiRepository.trustAnchors.contains(trustAnchor)).fetch()) {
        repository.removeTrustAnchor(trustAnchor);
        if (repository.getTrustAnchors().isEmpty()) {
            if (repository.getType() == RpkiRepository.Type.RRDP) {
                quartzValidationScheduler.removeRpkiRepository(repository);
            }
            validationRuns.removeAllForRpkiRepository(repository);
            entityManager.remove(repository);
        }
    }
}
Also used : RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository)

Example 22 with TrustAnchor

use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.

the class ValidatedRpkiObjects method initialize.

@PostConstruct
private synchronized void initialize() {
    new TransactionTemplate(transactionManager).execute((status) -> {
        Map<@NotNull @Valid TrustAnchor, List<RpkiObject>> grouped = Stream.concat(rpkiObjects.findCurrentlyValidated(RpkiObject.Type.ROA), rpkiObjects.findCurrentlyValidated(RpkiObject.Type.ROUTER_CER)).collect(Collectors.groupingBy(pair -> pair.getLeft().getTrustAnchor(), Collectors.mapping(pair -> pair.getRight(), Collectors.toList())));
        grouped.forEach(this::update);
        return null;
    });
}
Also used : X509RouterCertificate(net.ripe.rpki.commons.crypto.x509cert.X509RouterCertificate) Autowired(org.springframework.beans.factory.annotation.Autowired) HashMap(java.util.HashMap) Value(lombok.Value) ArrayList(java.util.ArrayList) Sorting(net.ripe.rpki.validator3.api.Sorting) Valid(javax.validation.Valid) Asn(net.ripe.ipresource.Asn) Paging(net.ripe.rpki.validator3.api.Paging) ImmutableList(com.google.common.collect.ImmutableList) Pair(org.apache.commons.lang3.tuple.Pair) Map(java.util.Map) Transactions(net.ripe.rpki.validator3.util.Transactions) ImmutableSortedSet(com.google.common.collect.ImmutableSortedSet) ImmutableSet(com.google.common.collect.ImmutableSet) Transactional(javax.transaction.Transactional) IpRange(net.ripe.ipresource.IpRange) Collection(java.util.Collection) NotNull(javax.validation.constraints.NotNull) Collectors(java.util.stream.Collectors) Consumer(java.util.function.Consumer) Slf4j(lombok.extern.slf4j.Slf4j) Component(org.springframework.stereotype.Component) Base64(java.util.Base64) List(java.util.List) Stream(java.util.stream.Stream) PlatformTransactionManager(org.springframework.transaction.PlatformTransactionManager) TransactionTemplate(org.springframework.transaction.support.TransactionTemplate) PostConstruct(javax.annotation.PostConstruct) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) SearchTerm(net.ripe.rpki.validator3.api.SearchTerm) Optional(java.util.Optional) X509CertificateUtil(net.ripe.rpki.commons.crypto.x509cert.X509CertificateUtil) TransactionTemplate(org.springframework.transaction.support.TransactionTemplate) ArrayList(java.util.ArrayList) ImmutableList(com.google.common.collect.ImmutableList) List(java.util.List) PostConstruct(javax.annotation.PostConstruct)

Example 23 with TrustAnchor

use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.

the class RpkiObjectCleanupService method cleanupRpkiObjects.

/**
 * Marks all RPKI objects that are reachable from a trust anchor by following the entries in the manifests.
 * Objects that are no longer reachable will be deleted after a configurable grace duration.
 */
@Scheduled(initialDelay = 60_000, fixedDelayString = "${rpki.validator.rpki.object.cleanup.interval.ms}")
public long cleanupRpkiObjects() {
    Instant now = Instant.now();
    for (TrustAnchor trustAnchor : trustAnchors.findAll()) {
        transactionTemplate.execute((status) -> {
            entityManager.setFlushMode(FlushModeType.COMMIT);
            log.debug("tracing objects for trust anchor {}", trustAnchor);
            X509ResourceCertificate resourceCertificate = trustAnchor.getCertificate();
            if (resourceCertificate != null) {
                traceCertificateAuthority(now, resourceCertificate);
            }
            return null;
        });
    }
    return deleteUnreachableObjects(now);
}
Also used : Instant(java.time.Instant) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) Scheduled(org.springframework.scheduling.annotation.Scheduled)

Example 24 with TrustAnchor

use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.

the class CertificateTreeValidationService method validateCertificateAuthority.

private List<RpkiObject> validateCertificateAuthority(TrustAnchor trustAnchor, Map<URI, RpkiRepository> registeredRepositories, CertificateRepositoryObjectValidationContext context, ValidationResult validationResult) {
    final List<RpkiObject> validatedObjects = new ArrayList<>();
    ValidationLocation certificateLocation = validationResult.getCurrentLocation();
    ValidationResult temporary = ValidationResult.withLocation(certificateLocation);
    try {
        RpkiRepository rpkiRepository = registerRepository(trustAnchor, registeredRepositories, context);
        temporary.warnIfTrue(rpkiRepository.isPending(), VALIDATOR_RPKI_REPOSITORY_PENDING, rpkiRepository.getLocationUri());
        if (rpkiRepository.isPending()) {
            return validatedObjects;
        }
        X509ResourceCertificate certificate = context.getCertificate();
        URI manifestUri = certificate.getManifestUri();
        temporary.setLocation(new ValidationLocation(manifestUri));
        Optional<RpkiObject> manifestObject = rpkiObjects.findLatestByTypeAndAuthorityKeyIdentifier(RpkiObject.Type.MFT, context.getSubjectKeyIdentifier());
        if (!manifestObject.isPresent()) {
            if (rpkiRepository.getStatus() == RpkiRepository.Status.FAILED) {
                temporary.error(ValidationString.VALIDATOR_NO_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
            } else {
                temporary.error(ValidationString.VALIDATOR_NO_LOCAL_MANIFEST_NO_MANIFEST_IN_REPOSITORY, rpkiRepository.getLocationUri());
            }
        }
        Optional<ManifestCms> maybeManifest = manifestObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), ManifestCms.class, temporary));
        temporary.rejectIfTrue(manifestObject.isPresent() && rpkiRepository.getStatus() == RpkiRepository.Status.FAILED && maybeManifest.isPresent() && maybeManifest.get().isPastValidityTime(), ValidationString.VALIDATOR_OLD_LOCAL_MANIFEST_REPOSITORY_FAILED, rpkiRepository.getLocationUri());
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        ManifestCms manifest = maybeManifest.get();
        List<Map.Entry<String, byte[]>> crlEntries = manifest.getFiles().entrySet().stream().filter((entry) -> RepositoryObjectType.parse(entry.getKey()) == RepositoryObjectType.Crl).collect(toList());
        temporary.rejectIfFalse(crlEntries.size() == 1, VALIDATOR_MANIFEST_CONTAINS_ONE_CRL_ENTRY, String.valueOf(crlEntries.size()));
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        Map.Entry<String, byte[]> crlEntry = crlEntries.get(0);
        URI crlUri = manifestUri.resolve(crlEntry.getKey());
        Optional<RpkiObject> crlObject = rpkiObjects.findBySha256(crlEntry.getValue());
        temporary.rejectIfFalse(crlObject.isPresent(), VALIDATOR_CRL_FOUND, crlUri.toASCIIString());
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        temporary.setLocation(new ValidationLocation(crlUri));
        Optional<X509Crl> crl = crlObject.flatMap(x -> rpkiObjects.findCertificateRepositoryObject(x.getId(), X509Crl.class, temporary));
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        crl.get().validate(crlUri.toASCIIString(), context, null, VALIDATION_OPTIONS, temporary);
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        temporary.setLocation(new ValidationLocation(manifestUri));
        manifest.validate(manifestUri.toASCIIString(), context, crl.get(), manifest.getCrlUri(), VALIDATION_OPTIONS, temporary);
        if (temporary.hasFailureForCurrentLocation()) {
            return validatedObjects;
        }
        validatedObjects.add(manifestObject.get());
        Map<URI, RpkiObject> manifestEntries = retrieveManifestEntries(manifest, manifestUri, temporary);
        manifestEntries.forEach((location, obj) -> {
            temporary.setLocation(new ValidationLocation(location));
            Optional<CertificateRepositoryObject> maybeCertificateRepositoryObject = rpkiObjects.findCertificateRepositoryObject(obj.getId(), CertificateRepositoryObject.class, temporary);
            if (temporary.hasFailureForCurrentLocation()) {
                return;
            }
            maybeCertificateRepositoryObject.ifPresent(certificateRepositoryObject -> {
                certificateRepositoryObject.validate(location.toASCIIString(), context, crl.get(), crlUri, VALIDATION_OPTIONS, temporary);
                if (!temporary.hasFailureForCurrentLocation()) {
                    validatedObjects.add(obj);
                }
                if (certificateRepositoryObject instanceof X509ResourceCertificate && ((X509ResourceCertificate) certificateRepositoryObject).isCa() && !temporary.hasFailureForCurrentLocation()) {
                    CertificateRepositoryObjectValidationContext childContext = context.createChildContext(location, (X509ResourceCertificate) certificateRepositoryObject);
                    validatedObjects.addAll(validateCertificateAuthority(trustAnchor, registeredRepositories, childContext, temporary));
                }
            });
        });
    } catch (Exception e) {
        log.debug("e", e);
        validationResult.error(ErrorCodes.UNHANDLED_EXCEPTION, e.toString(), ExceptionUtils.getStackTrace(e));
    } finally {
        validationResult.addAll(temporary);
    }
    return validatedObjects;
}
Also used : RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns) Arrays(java.util.Arrays) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) Autowired(org.springframework.beans.factory.annotation.Autowired) FlushModeType(javax.persistence.FlushModeType) HashMap(java.util.HashMap) ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes) ArrayList(java.util.ArrayList) ValidationOptions(net.ripe.rpki.commons.validation.ValidationOptions) LinkedHashMap(java.util.LinkedHashMap) RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories) CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects) Service(org.springframework.stereotype.Service) Map(java.util.Map) URI(java.net.URI) Objects(com.google.common.base.Objects) CertificateTreeValidationRun(net.ripe.rpki.validator3.domain.CertificateTreeValidationRun) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) ValidationStatus(net.ripe.rpki.commons.validation.ValidationStatus) ValidatedRpkiObjects(net.ripe.rpki.validator3.domain.ValidatedRpkiObjects) Transactional(javax.transaction.Transactional) TrustAnchors(net.ripe.rpki.validator3.domain.TrustAnchors) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) EntityManager(javax.persistence.EntityManager) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) RepositoryObjectType(net.ripe.rpki.commons.util.RepositoryObjectType) ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation) Slf4j(lombok.extern.slf4j.Slf4j) List(java.util.List) Collectors.toList(java.util.stream.Collectors.toList) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) Optional(java.util.Optional) Settings(net.ripe.rpki.validator3.domain.Settings) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) ValidationString(net.ripe.rpki.commons.validation.ValidationString) ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils) X509Crl(net.ripe.rpki.commons.crypto.crl.X509Crl) CertificateRepositoryObjectValidationContext(net.ripe.rpki.commons.validation.objectvalidators.CertificateRepositoryObjectValidationContext) RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ArrayList(java.util.ArrayList) ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation) ValidationString(net.ripe.rpki.commons.validation.ValidationString) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) URI(java.net.URI) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) ManifestCms(net.ripe.rpki.commons.crypto.cms.manifest.ManifestCms) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) X509ResourceCertificate(net.ripe.rpki.commons.crypto.x509cert.X509ResourceCertificate) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) Map(java.util.Map)

Example 25 with TrustAnchor

use of net.ripe.rpki.validator3.domain.TrustAnchor in project rpki-validator-3 by RIPE-NCC.

the class RpkiRepositoryValidationService method validateRsyncRepositories.

@Scheduled(initialDelay = 10_000, fixedDelay = 10_000)
public void validateRsyncRepositories() {
    entityManager.setFlushMode(FlushModeType.COMMIT);
    Instant cutoffTime = Instant.now().minus(rsyncRepositoryDownloadInterval);
    log.info("updating all rsync repositories that have not been downloaded since {}", cutoffTime);
    Set<TrustAnchor> affectedTrustAnchors = new HashSet<>();
    final RsyncRepositoryValidationRun validationRun = new RsyncRepositoryValidationRun();
    validationRunRepository.add(validationRun);
    Stream<RpkiRepository> repositories = rpkiRepositories.findRsyncRepositories();
    Map<String, RpkiObject> objectsBySha256 = new HashMap<>();
    Map<URI, RpkiRepository> fetchedLocations = new HashMap<>();
    ValidationResult results = repositories.filter((repository) -> {
        boolean needsUpdate = repository.isPending() || repository.getLastDownloadedAt() == null || repository.getLastDownloadedAt().isBefore(cutoffTime);
        if (!needsUpdate) {
            fetchedLocations.put(URI.create(repository.getRsyncRepositoryUri()), repository);
        }
        return needsUpdate;
    }).map((repository) -> processRsyncRepository(affectedTrustAnchors, validationRun, fetchedLocations, objectsBySha256, repository)).collect(() -> ValidationResult.withLocation("placeholder"), ValidationResult::addAll, ValidationResult::addAll);
    validationRun.completeWith(results);
    affectedTrustAnchors.forEach(validationRunRepository::runCertificateTreeValidation);
}
Also used : RsyncRepositoryValidationRun(net.ripe.rpki.validator3.domain.RsyncRepositoryValidationRun) RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) ValidationRuns(net.ripe.rpki.validator3.domain.ValidationRuns) CertificateRepositoryObject(net.ripe.rpki.commons.crypto.CertificateRepositoryObject) RpkiRepositoryValidationRun(net.ripe.rpki.validator3.domain.RpkiRepositoryValidationRun) RsyncRepositoryValidationRun(net.ripe.rpki.validator3.domain.RsyncRepositoryValidationRun) Autowired(org.springframework.beans.factory.annotation.Autowired) ArrayUtils(org.apache.commons.lang3.ArrayUtils) FlushModeType(javax.persistence.FlushModeType) HashMap(java.util.HashMap) Scheduled(org.springframework.scheduling.annotation.Scheduled) CertificateRepositoryObjectFactory(net.ripe.rpki.commons.crypto.util.CertificateRepositoryObjectFactory) ErrorCodes(net.ripe.rpki.validator3.domain.ErrorCodes) Value(org.springframework.beans.factory.annotation.Value) HashSet(java.util.HashSet) RpkiRepositories(net.ripe.rpki.validator3.domain.RpkiRepositories) RpkiObjects(net.ripe.rpki.validator3.domain.RpkiObjects) Service(org.springframework.stereotype.Service) Locale(java.util.Locale) Duration(java.time.Duration) Map(java.util.Map) Sha256(net.ripe.rpki.validator3.util.Sha256) URI(java.net.URI) Path(java.nio.file.Path) SimpleFileVisitor(java.nio.file.SimpleFileVisitor) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) Rsync(net.ripe.rpki.commons.rsync.Rsync) Transactional(javax.transaction.Transactional) Files(java.nio.file.Files) RrdpService(net.ripe.rpki.validator3.rrdp.RrdpService) Hex(net.ripe.rpki.validator3.util.Hex) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) Set(java.util.Set) IOException(java.io.IOException) RrdpRepositoryValidationRun(net.ripe.rpki.validator3.domain.RrdpRepositoryValidationRun) EntityManager(javax.persistence.EntityManager) BasicFileAttributes(java.nio.file.attribute.BasicFileAttributes) Instant(java.time.Instant) File(java.io.File) ValidationLocation(net.ripe.rpki.commons.validation.ValidationLocation) FileVisitResult(java.nio.file.FileVisitResult) Slf4j(lombok.extern.slf4j.Slf4j) Stream(java.util.stream.Stream) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) RsyncUtils(net.ripe.rpki.validator3.util.RsyncUtils) ExceptionUtils(org.apache.commons.lang3.exception.ExceptionUtils) RpkiRepository(net.ripe.rpki.validator3.domain.RpkiRepository) HashMap(java.util.HashMap) Instant(java.time.Instant) TrustAnchor(net.ripe.rpki.validator3.domain.TrustAnchor) ValidationResult(net.ripe.rpki.commons.validation.ValidationResult) URI(java.net.URI) RpkiObject(net.ripe.rpki.validator3.domain.RpkiObject) HashSet(java.util.HashSet) Scheduled(org.springframework.scheduling.annotation.Scheduled)

Aggregations

TrustAnchor (net.ripe.rpki.validator3.domain.TrustAnchor)36 IntegrationTest (net.ripe.rpki.validator3.IntegrationTest)23 RpkiRepository (net.ripe.rpki.validator3.domain.RpkiRepository)23 Test (org.junit.Test)23 RpkiObject (net.ripe.rpki.validator3.domain.RpkiObject)15 RpkiObjects (net.ripe.rpki.validator3.domain.RpkiObjects)15 ValidationCheck (net.ripe.rpki.validator3.domain.ValidationCheck)14 CertificateTreeValidationRun (net.ripe.rpki.validator3.domain.CertificateTreeValidationRun)10 RrdpRepositoryValidationRun (net.ripe.rpki.validator3.domain.RrdpRepositoryValidationRun)10 Autowired (org.springframework.beans.factory.annotation.Autowired)10 List (java.util.List)9 Transactional (javax.transaction.Transactional)9 TestObjects (net.ripe.rpki.validator3.TestObjects)9 URI (java.net.URI)8 ValidationResult (net.ripe.rpki.commons.validation.ValidationResult)8 EntityManager (javax.persistence.EntityManager)7 Optional (java.util.Optional)6 RpkiRepositories (net.ripe.rpki.validator3.domain.RpkiRepositories)6 TrustAnchors (net.ripe.rpki.validator3.domain.TrustAnchors)6 ValidationRuns (net.ripe.rpki.validator3.domain.ValidationRuns)6