Give clear error for ASPA with duplicate providers #1061 (#1062)

Author: Tim Bruijnzeels

src/cli/options.rs

@@ -1977,6 +1977,8 @@ impl Options {
         let aspa = AspaDefinition::from_str(aspa_config_str)?;
         if aspa.customer_used_as_provider() {
             Err(Error::general("Customer AS may not be used as provider."))
+        } else if aspa.contains_duplicate_providers() {
+            Err(Error::general("ASPA may not have duplicate providers."))
         } else if !aspa.providers_has_both_afis() {
             Err(Error::general("Definition has providers for one address family only. Please include an explicit AS0 provider for the missing address family if this is intentional."))
         } else if aspa.providers().is_empty() {

src/commons/api/aspa.rs

@@ -100,6 +100,20 @@ impl AspaDefinition {
         self.providers.iter().any(|p| p.provider() == self.customer)
     }
 
+    /// Returns true if there are duplicate provider ASNs. This
+    /// is not allowed by spec and these definitions should be
+    /// rejected by Krill.
+    pub fn contains_duplicate_providers(&self) -> bool {
+        let mut providers: Vec<Asn> = self.providers.iter().map(|p| p.provider()).collect();
+
+        let len_before_duplicates = providers.len();
+
+        providers.sort();
+        providers.dedup();
+
+        len_before_duplicates > providers.len()
+    }
+
     /// Returns true if this contains both IPv4 and IPv6 providers.
     ///
     /// Technically,it is allowed to omit one address family entirely,

src/commons/error.rs

@@ -274,6 +274,7 @@ pub enum Error {
     AspaCustomerAlreadyPresent(CaHandle, AspaCustomer),
     AspaCustomerUnknown(CaHandle, AspaCustomer),
     AspaCustomerAsProvider(CaHandle, AspaCustomer),
+    AspaProvidersDuplicates(CaHandle, AspaCustomer),
     AspaProvidersEmpty(CaHandle, AspaCustomer),
     AspaProvidersSingleAfi(CaHandle, AspaCustomer),
 
@@ -464,6 +465,7 @@ impl fmt::Display for Error {
             Error::AspaCustomerAlreadyPresent(_ca, asn) => write!(f, "ASPA already exists for customer AS '{}'", asn),
             Error::AspaProvidersEmpty(_ca, asn) => write!(f, "ASPA for customer AS '{}' requires at least one provider", asn),
             Error::AspaCustomerAsProvider(_ca, asn) => write!(f, "ASPA for customer AS '{}' cannot have that AS as provider", asn),
+            Error::AspaProvidersDuplicates(_ca, asn) => write!(f, "ASPA for customer AS '{}' cannot have duplicate providers", asn),
             Error::AspaCustomerUnknown(_ca, asn) => write!(f, "No current ASPA exists for customer AS '{}'", asn),
             Error::AspaProvidersSingleAfi(_ca, asn) => write!(f, "ASPA for customer AS '{}' only has providers for one address family. Please include an explicit AS0 provider for the missing address family if this is intentional.", asn),
 
@@ -882,6 +884,9 @@ impl Error {
             Error::AspaCustomerAsProvider(ca, asn) => ErrorResponse::new("ca-aspa-customer-as-provider", self)
                 .with_ca(ca)
                 .with_asn(*asn),
+            Error::AspaProvidersDuplicates(ca, asn) => ErrorResponse::new("ca-aspa-provider-duplicates", self)
+                .with_ca(ca)
+                .with_asn(*asn),
             Error::AspaCustomerUnknown(ca, asn) => ErrorResponse::new("ca-aspa-unknown-customer-as", self)
                 .with_ca(ca)
                 .with_asn(*asn),

src/daemon/ca/certauth.rs

@@ -1744,6 +1744,10 @@ impl CertAuth {
                 return Err(Error::AspaProvidersSingleAfi(self.handle.clone(), customer));
             }
 
+            if aspa_config.contains_duplicate_providers() {
+                return Err(Error::AspaProvidersDuplicates(self.handle.clone(), customer));
+            }
+
             if !self.all_resources().contains_asn(customer) {
                 return Err(Error::AspaCustomerAsNotEntitled(self.handle().clone(), customer));
             }