Merge pull request #169 from NLnetLabs/v0.4.2-pre

V0.4.2 pre

Author: Tim Bruijnzeels

.dockerignore

@@ -0,0 +1,2 @@
+/target
+.git

Cargo.toml

@@ -1,15 +1,12 @@
 [package]
 name    = "krill"
-version = "0.4.2-pre"
+version = "0.4.2"
 authors = [ "The NLnet Labs RPKI team <[email protected]>" ]
 description = "Resource Public Key Infrastructure (RPKI) daemon"
 license = "MPL-2.0"
 
 [dependencies]
-actix-identity  = "0.1.0"
 actix-web       = { version = "1.0.3", features = ["ssl"] }
-actix-session   = "0.1.0"
-actix-service   = "0.4.0"
 base64          = "^0.10"
 bcder           = "0.4.0"
 bytes           = "^0.4"
@@ -26,7 +23,7 @@ openssl         = { version = "^0.10", features = ["v110"] }
 pretty          = "0.5.2"
 rand            = "^0.5"
 reqwest         = "^0.9.17"
-rpki            = "0.8.2"
+rpki            = "0.8.3"
 serde           = { version = "^1.0", features = ["derive"] }
 serde_json      = "^1.0"
 syslog          = "^4.0"
@@ -45,7 +42,3 @@ ignore          = "^0.4"
 [features]
 default = []
 extra-debug = [ "rpki/extra-debug" ]
-
-# Used when depending on development branches of rpki-rs or bcder
-#[patch.crates-io]
-#rpki = { git = "https://github.com/NLnetLabs/rpki-rs.git", branch = "resource-set-fix" }

Changelog.md

@@ -1,7 +1,21 @@
 # Change Log
 
 Please see [here](https://github.com/NLnetLabs/krill/projects?query=is%3Aopen+sort%3Aname-asc)
-for planned releases. 
+for planned releases.
+
+## 0.4.2 'Finer Things'
+
+This release fixes a bug, and introduces minor usability improvements:
+* Certain adjacent resources were encoded incorrectly (#161)
+* Let users explicitly specify a repository before adding a parent (#160)
+* Allow timezone to be set on the Docker container (#156)
+* Improve error messaging when failing to start Krill (#155)
+* Improve readability for CLI error responses (#162)
+* Introduce configurable size limits for data submitted to Krill (#158)
+
+Note that contrary to previous versions a new CA is set up without a default repository. For most
+users we recommend that a remote (RFC 8181) repository is used, e.g. provided by their RIR or NIR.
+A repository MUST be configured before a parent can be added to a CA.
 
 ## 0.4.1 'Fogo de Krill'
 
@@ -82,7 +96,6 @@ Known issues:
 Work for the next release has already started. [Release 0.3](https://github.com/NLnetLabs/krill/projects/6)
 will focus on (remote) publication, and will also solve the out-of-sync issue.
 
-
 ## 0.1.0 'A View to a Krill'
 
 This is the first version of Krill that we are testing in the real world. Please note that the

defaults/krill.conf

@@ -93,4 +93,22 @@
 #
 # Defaults to 10 minutes
 #
-#ca_refresh = 600
+#ca_refresh = 600
+
+# Restrict size of messages sent to the API
+#
+# Default 256 kB
+#
+# post_limit_api = 262144
+
+# Restrict size of messages sent to the RFC 8181 publication protocol
+#
+# Default 32MB (enough for a keyroll with about 8000 issued certificates)
+#
+# post_limit_rfc8181 = 33554432
+
+# Restrict size of messages sent to the RFC 6492 up-down protocol
+#
+# Default 1MB (enough for a keyroll with certs of ~400kb, the biggest known cert is 220kB)
+#
+# post_limit_rfc6492 = 1048576

doc/openapi.yaml

@@ -593,6 +593,9 @@ paths:
         will be used. In principle CAs can also use this to talk to a local
         parent CA in the same krill server, but this is inefficient. Therefore
         it is also possible to add an 'embedded' parent in this case.
+
+        Note that you MUST specify a repository for your CA before you are
+        allowed to add a parent to it.
       parameters:
         - $ref: '#/components/parameters/ca_handle'
       requestBody:
@@ -607,7 +610,14 @@ paths:
         '403':
           $ref: '#/components/responses/Forbidden'
         '400':
-          $ref: '#/components/schemas/ParentWithHandleExists'
+          description: Bad request parameters.
+          content:
+            application/json:
+              schema:
+                oneOf:
+                  - $ref: '#/components/schemas/ParentWithHandleExists'
+                  - $ref: '#/components/responses/ParentNoResponse'
+                  - $ref: '#/components/schemas/NoRepositoryConfiguredYetForCA'
         '404':
           $ref: '#/components/responses/UnknownCA'
         '500':
@@ -655,7 +665,13 @@ paths:
         '200':
           $ref: '#/components/responses/Success'
         '400':
-          $ref: '#/components/responses/UnknownParent'
+          description: Bad request parameters.
+          content:
+            application/json:
+              schema:
+                oneOf:
+                  - $ref: '#/components/responses/UnknownParent'
+                  - $ref: '#/components/responses/ParentNoResponse'
         '403':
           $ref: '#/components/responses/Forbidden'
         '404':
@@ -719,8 +735,12 @@ paths:
           - Request new certificates with SIA entries pointing to the new
             locations.
           - (best effort) Clean up of the old repository.
+
         The new repository can be embedded, or remote. To use a remote
         repository, the RFC 8181 Repository Response must be encoded into JSON.
+
+        Note: for most users it's better to use a remote repository, e.g. provided
+        by your RIR or NIR.
       parameters:
         - $ref: '#/components/parameters/ca_handle'
       requestBody:
@@ -1436,6 +1456,18 @@ components:
         msg:
           type: string
           example: Parent with handle exists.
+    ParentNoResponse:
+      type: object
+      required:
+        - code
+        - msg
+      properties:
+        code:
+          type: integer
+          enum: [2308]
+        msg:
+          type: string
+          example: No response from parent.
     UnknownChild:
       type: object
       required:
@@ -1460,6 +1492,18 @@ components:
         msg:
           type: string
           example: No known parent for handle.
+    NoRepositoryConfiguredYetForCA:
+      type: object
+      required:
+        - code
+        - msg
+      properties:
+        code:
+          type: integer
+          enum: [2307]
+        msg:
+          type: string
+          example: No repository configured yet for CA.
     InvalidROADeltaAddingDefinitionAlreadyPresent:
       type: object
       required:
@@ -1588,6 +1632,12 @@ components:
         application/json:
           schema:
             $ref: '#/components/schemas/UnknownParent'
+    ParentNoResponse:
+      description: No response from parent.
+      content:
+        application/json:
+          schema:
+            $ref: '#/components/schemas/ParentNoResponse'
     GeneralPublicationServerError:
       description: General Publication Server error.
       content:

docker/entrypoint.sh

@@ -61,8 +61,7 @@ if [ "$1" == "krill" ]; then
         # RSYNC and RRDP endpoints to the correct FQDN. We cannot know know the
         # FQDN which clients use to reach us so the operator must inform this
         # script via a "-e KRILL_FQDN=some.domain.name" argument to
-        # "docker run". If KRILL_FQDN is not set assume that the user is
-        # managing the Krill configuration themselves.
+        # "docker run".
         cat << EOF >> ${KRILL_CONF}
 rsync_base  = "rsync://${KRILL_FQDN}/repo/" ${MAGIC}
 service_uri = "https://${KRILL_FQDN}/" ${MAGIC}
@@ -81,4 +80,4 @@ fi
 # to ensure krill runs as PID 1 as required by Docker for proper signal
 # handling. This also allows this Docker image to be used to run krill_admin
 # instead of krill.
-exec "$@"
+exec "$@"

src/bin/krill.rs

@@ -5,9 +5,14 @@ use krill::daemon::http::server;
 
 fn main() {
     match Config::create() {
-        Ok(config) => server::start(&config).unwrap(),
+        Ok(config) => {
+            if let Err(e) = server::start(&config) {
+                eprintln!("Krill failed to start: {}", e);
+                ::std::process::exit(1);
+            }
+        }
         Err(e) => {
-            eprintln!("{}", e);
+            eprintln!("Krill failed to start: {}", e);
             ::std::process::exit(1);
         }
     }

src/bin/krillc.rs

@@ -2,7 +2,8 @@ extern crate krill;
 
 use krill::cli::options::Options;
 use krill::cli::report::ReportFormat;
-use krill::cli::KrillClient;
+use krill::cli::{Error, KrillClient};
+use krill::commons::util::httpclient;
 
 fn main() {
     match Options::from_args() {
@@ -12,7 +13,21 @@ fn main() {
                 Ok(()) => {} //,
                 Err(e) => {
                     if format != ReportFormat::None {
-                        eprintln!("{}", e);
+                        match &e {
+                            Error::HttpClientError(httpclient::Error::ErrorWithJson(
+                                _code,
+                                res,
+                            )) => {
+                                if format == ReportFormat::Json {
+                                    eprintln!("{}", e);
+                                } else {
+                                    eprintln!("Error {}: {}", res.code(), res.msg());
+                                }
+                            }
+                            _ => {
+                                eprintln!("{}", e);
+                            }
+                        }
                     }
                     ::std::process::exit(1);
                 }

src/cli/report.rs

@@ -2,11 +2,11 @@ use std::str::{from_utf8_unchecked, FromStr};
 
 use crate::commons::api::{
     CaRepoDetails, CertAuthHistory, CertAuthInfo, CertAuthList, ChildCaInfo, CurrentObjects,
-    ParentCaContact, PublisherDetails, PublisherList, RepositoryContact, RoaDefinition,
+    CurrentRepoState, ParentCaContact, PublisherDetails, PublisherList, RepositoryContact,
+    RoaDefinition,
 };
 use crate::commons::remote::api::ClientInfo;
 use crate::commons::remote::rfc8183;
-use commons::api::CurrentRepoState;
 
 //------------ ApiResponse ---------------------------------------------------
 
@@ -148,14 +148,19 @@ impl Report for CertAuthInfo {
             ReportFormat::Text => {
                 let mut res = String::new();
 
-                let base_uri = self.repo_repo().base_uri();
-                let rrdp_uri = self.repo_repo().rpki_notify();
-
                 res.push_str(&format!("Name:     {}\n", self.handle()));
                 res.push_str("\n");
-                res.push_str(&format!("Base uri: {}\n", base_uri));
-                res.push_str(&format!("RRDP uri: {}\n", rrdp_uri));
+
+                if let Some(repo_info) = self.repo_info() {
+                    let base_uri = repo_info.base_uri();
+                    let rrdp_uri = repo_info.rpki_notify();
+                    res.push_str(&format!("Base uri: {}\n", base_uri));
+                    res.push_str(&format!("RRDP uri: {}\n", rrdp_uri));
+                } else {
+                    res.push_str("No repository configured.")
+                }
                 res.push_str("\n");
+
                 res.push_str(&format!("ID cert PEM:\n{}\n", self.id_cert().pem()));
                 res.push_str(&format!("Hash: {}\n", self.id_cert().hash()));
                 res.push_str("\n");

src/commons/api/admin.rs

@@ -373,7 +373,7 @@ impl fmt::Display for RepositoryContact {
 /// This type defines all parent ca details needed to add a parent to a CA
 #[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
 pub struct ParentCaReq {
-    handle: Handle,           // the local name the child gave to the parent
+    handle: ParentHandle,     // the local name the child gave to the parent
     contact: ParentCaContact, // where the parent can be contacted
 }
 
@@ -382,6 +382,14 @@ impl ParentCaReq {
         ParentCaReq { handle, contact }
     }
 
+    pub fn handle(&self) -> &ParentHandle {
+        &self.handle
+    }
+
+    pub fn contact(&self) -> &ParentCaContact {
+        &self.contact
+    }
+
     pub fn unwrap(self) -> (Handle, ParentCaContact) {
         (self.handle, self.contact)
     }

src/commons/api/ca.rs

@@ -1473,7 +1473,7 @@ impl fmt::Display for ParentInfo {
 pub struct CertAuthInfo {
     handle: Handle,
     id_cert: IdCertPem,
-    repo_info: RepoInfo,
+    repo_info: Option<RepoInfo>,
     parents: Vec<ParentInfo>,
     resources: ResourceSet,
     resource_classes: HashMap<ResourceClassName, ResourceClassInfo>,
@@ -1484,7 +1484,7 @@ impl CertAuthInfo {
     pub fn new(
         handle: Handle,
         id_cert: IdCertPem,
-        repo_info: RepoInfo,
+        repo_info: Option<RepoInfo>,
         parents: HashMap<ParentHandle, ParentCaContact>,
         resource_classes: HashMap<ResourceClassName, ResourceClassInfo>,
         children: Vec<ChildHandle>,
@@ -1521,8 +1521,8 @@ impl CertAuthInfo {
         &self.id_cert
     }
 
-    pub fn repo_repo(&self) -> &RepoInfo {
-        &self.repo_info
+    pub fn repo_info(&self) -> Option<&RepoInfo> {
+        self.repo_info.as_ref()
     }
 
     pub fn parents(&self) -> &Vec<ParentInfo> {
@@ -1543,10 +1543,14 @@ impl CertAuthInfo {
 
     pub fn published_objects(&self) -> Vec<Publish> {
         let mut res = vec![];
-        for (_rc_name, rc) in self.resource_classes.iter() {
-            let name_space = rc.name_space();
-            res.append(&mut rc.current_objects().publish(self.repo_repo(), name_space));
+
+        if let Some(repo_info) = &self.repo_info {
+            for (_rc_name, rc) in self.resource_classes.iter() {
+                let name_space = rc.name_space();
+                res.append(&mut rc.current_objects().publish(repo_info, name_space));
+            }
         }
+
         res
     }
 }
@@ -1958,9 +1962,9 @@ mod test {
 
         let parent_resources_json =
             include_str!("../../../test-resources/resources/parent_resources.json");
-        let parent_resouces: ResourceSet = serde_json::from_str(parent_resources_json).unwrap();
+        let parent_resources: ResourceSet = serde_json::from_str(parent_resources_json).unwrap();
 
-        let intersection = parent_resouces.intersection(&child_resources);
+        let intersection = parent_resources.intersection(&child_resources);
 
         assert_eq!(intersection, child_resources);
     }