manager: files: watchdog: added RPZ files

Separate timer for each command.

Author: alesmrazek

python/knot_resolver/manager/files/watchdog.py

@@ -11,18 +11,20 @@
 
 logger = logging.getLogger(__name__)
 
+FilesToWatch = Dict[Path, Optional[str]]
 
-def tls_cert_files_config(config: KresConfig) -> List[Any]:
+_config_store: Optional[ConfigStore] = None
+
+
+def watched_files_config(config: KresConfig) -> List[Any]:
     return [
         config.network.tls.files_watchdog,
         config.network.tls.cert_file,
         config.network.tls.key_file,
+        config.local_data.rpz,
     ]
 
 
-FilesToWatch = Dict[Path, str]
-
-
 if WATCHDOG_LIB:
     from watchdog.events import (
         FileSystemEvent,
@@ -33,48 +35,76 @@ def tls_cert_files_config(config: KresConfig) -> List[Any]:
     class FilesWatchdogEventHandler(FileSystemEventHandler):
         def __init__(self, files: FilesToWatch) -> None:
             self._files = files
-            self._timer: Optional[Timer] = None
+            self._policy_timer: Optional[Timer] = None
+            self._timers: Dict[str, Timer] = {}
+
+        def _trigger(self, cmd: Optional[str]) -> None:
+            def policy_reload() -> None:
+                assert _config_store is not None
+                if compat.asyncio.is_event_loop_running():
+                    compat.asyncio.create_task(_config_store.renew())
+                else:
+                    compat.asyncio.run(_config_store.renew())
+                logger.info("Reloading policy rules has finished")
+
+            if not cmd:
+                # skipping if reload was already triggered
+                if self._policy_timer and self._policy_timer.is_alive():
+                    logger.info("Skipping reloading policy rules, it was already triggered")
+                    return
+                # start a 5sec timer
+                logger.info("Delayed policy rules reload has started")
+                self._policy_timer = Timer(5, policy_reload)
+                self._policy_timer.start()
+                return
 
-        def _reload(self, cmd: str) -> None:
             def command() -> None:
                 if compat.asyncio.is_event_loop_running():
                     compat.asyncio.create_task(command_registered_workers(cmd))
                 else:
                     compat.asyncio.run(command_registered_workers(cmd))
-                logger.info("Reloading of TLS certificate files has finished")
+                logger.info(f"Sending '{cmd}' command to reload watched files has finished")
 
-            # skipping if reload was already triggered
-            if self._timer and self._timer.is_alive():
-                logger.info("Skipping TLS certificate files reloading, reload command was already triggered")
+            # skipping if command was already triggered
+            if cmd in self._timers and self._timers[cmd].is_alive():
+                logger.info(f"Skipping sending '{cmd}' command, it was already triggered")
                 return
             # start a 5sec timer
-            logger.info("Delayed reload of TLS certificate files has started")
-            self._timer = Timer(5, command)
-            self._timer.start()
+            logger.info(f"Delayed send of '{cmd}' command has started")
+            self._timers[cmd] = Timer(5, command)
+            self._timers[cmd].start()
 
         def on_created(self, event: FileSystemEvent) -> None:
             src_path = Path(str(event.src_path))
             if src_path in self._files.keys():
                 logger.info(f"Watched file '{src_path}' has been created")
-                self._reload(self._files[src_path])
+                self._trigger(self._files[src_path])
 
         def on_deleted(self, event: FileSystemEvent) -> None:
             src_path = Path(str(event.src_path))
             if src_path in self._files.keys():
                 logger.warning(f"Watched file '{src_path}' has been deleted")
-                if self._timer:
-                    self._timer.cancel()
+                cmd = self._files[src_path]
+                if cmd in self._timers:
+                    self._timers[cmd].cancel()
             for file in self._files.keys():
                 if file.parent == src_path:
                     logger.warning(f"Watched directory '{src_path}' has been deleted")
-                    if self._timer:
-                        self._timer.cancel()
+                    cmd = self._files[file]
+                    if cmd in self._timers:
+                        self._timers[cmd].cancel()
+
+        def on_moved(self, event: FileSystemEvent) -> None:
+            src_path = Path(str(event.src_path))
+            if src_path in self._files.keys():
+                logger.info(f"Watched file '{src_path}' has been moved")
+                self._trigger(self._files[src_path])
 
         def on_modified(self, event: FileSystemEvent) -> None:
             src_path = Path(str(event.src_path))
             if src_path in self._files.keys():
                 logger.info(f"Watched file '{src_path}' has been modified")
-                self._reload(self._files[src_path])
+                self._trigger(self._files[src_path])
 
     _files_watchdog: Optional["FilesWatchdog"] = None
 
@@ -104,7 +134,7 @@ def stop(self) -> None:
             self._observer.join()
 
 
-@only_on_real_changes_update(tls_cert_files_config)
+@only_on_real_changes_update(watched_files_config)
 async def _init_files_watchdog(config: KresConfig) -> None:
     if WATCHDOG_LIB:
         global _files_watchdog
@@ -119,12 +149,21 @@ async def _init_files_watchdog(config: KresConfig) -> None:
             files_to_watch[config.network.tls.cert_file.to_path()] = net_tls
             files_to_watch[config.network.tls.key_file.to_path()] = net_tls
 
+        # local-data.rpz
+        if config.local_data.rpz:
+            for rpz in config.local_data.rpz:
+                if rpz.watchdog:
+                    files_to_watch[rpz.file.to_path()] = None
+
         if files_to_watch:
             logger.info("Initializing files watchdog")
             _files_watchdog = FilesWatchdog(files_to_watch)
             _files_watchdog.start()
 
 
 async def init_files_watchdog(config_store: ConfigStore) -> None:
+    global _config_store
+    _config_store = config_store
+
     # register files watchdog callback
     await config_store.register_on_change_callback(_init_files_watchdog)

tests/packaging/interactive/rpz_watchdog.sh

@@ -0,0 +1,124 @@
+#!/usr/bin/env bash
+
+set -e
+
+gitroot=$(git rev-parse --show-toplevel)
+rpz_file=$gitroot/example.rpz
+
+rpz_example=$(cat <<EOF
+\$ORIGIN RPZ.EXAMPLE.ORG.
+ok.example.com                    CNAME rpz-passthru.
+EOF
+)
+
+# create example RPZ
+echo "$rpz_example" >> $rpz_file
+
+rpz_conf=$(cat <<EOF
+local-data:
+  rpz:
+    - file: $rpz_file
+      watchdog: false
+EOF
+)
+
+# configure RPZ file
+echo "$rpz_conf" >> /etc/knot-resolver/config.yaml
+kresctl reload
+if [ "$?" -ne "0" ]; then
+    echo "Could not set RPZ."
+    exit 1
+fi
+
+function count_errors(){
+    echo "$(journalctl -u knot-resolver.service | grep -c error)"
+}
+
+function count_reloads(){
+    echo "$(journalctl -u knot-resolver.service | grep -c "Reloading policy rules has finished")"
+}
+
+# test that RPZ watchdog is turned off
+# {{
+
+err_count=$(count_errors)
+rel_count=$(count_reloads)
+
+if [ $(count_errors) -ne $err_count ] || [ $(count_reloads) -ne $rel_count ]; then
+    echo "RPZ file watchdog is running (should not) or other errors occurred."
+    exit 1
+fi
+
+# }}
+
+# configure RPZ file and turn on watchdog
+kresctl config set -p /local-data/rpz/0/watchdog true
+if [ "$?" -ne "0" ]; then
+    echo "Could not turn on RPZ file watchdog."
+    exit 1
+fi
+
+# test modification
+# {{
+
+# modify RPZ file, it will trigger reload
+rel_count=$(count_reloads)
+echo "32.1.2.0.192.rpz-client-ip        CNAME rpz-passthru." >> $rpz_file
+
+# wait for files reload to finish
+sleep 10
+
+if [ $(count_errors) -ne $err_count ] || [ $(count_reloads) -eq $rel_count ]; then
+    echo "Could not reload modified RPZ file."
+    exit 1
+fi
+
+# }}
+
+# test replacement
+# {{
+
+rel_count=$(count_reloads)
+
+# copy RPZ file
+cp $rpz_file $rpz_file.new
+
+# edit new files
+echo "48.zz.101.db8.2001.rpz-client-ip  CNAME rpz-passthru." >> $rpz_file.new
+
+# replace files
+cp -f $rpz_file.new $rpz_file
+
+# wait for files reload to finish
+sleep 6
+
+if [ $(count_errors) -ne $err_count ] || [ $(count_reloads) -eq $rel_count ]; then
+    echo "Could not reload replaced RPZ file."
+    exit 1
+fi
+
+# }}
+
+# test recovery from deletion and creation
+# {{
+
+rel_count=$(count_reloads)
+
+# backup rpz file
+cp $rpz_file $rpz_file.backup
+
+# delete RPZ file
+rm $rpz_file
+
+# create cert files
+mv $rpz_file.backup $rpz_file
+
+# wait for files reload to finish
+sleep 10
+
+if [ $(count_errors) -ne $err_count ] || [ $(count_reloads) -eq $rel_count ]; then
+    echo "Could not reload created RPZ file."
+    exit 1
+fi
+
+# }}

tests/packaging/interactive/watchdog.sh

@@ -26,7 +26,7 @@ function count_errors(){
 }
 
 function count_reloads(){
-    echo "$(journalctl -u knot-resolver.service | grep -c "Reloading of TLS certificate files has finished")"
+    echo "$(journalctl -u knot-resolver.service | grep -c "to reload watched files has finished")"
 }
 
 # test that files watchdog is turned off