diff --git a/data/templates/frr/rpki.frr.j2 b/data/templates/frr/rpki.frr.j2 index 384cbbe52..59724102c 100644 --- a/data/templates/frr/rpki.frr.j2 +++ b/data/templates/frr/rpki.frr.j2 @@ -1,18 +1,24 @@ ! {# as FRR does not support deleting the entire rpki section we leave it in place even when it's empty #} rpki {% if cache is vyos_defined %} {% for peer, peer_config in cache.items() %} {# port is mandatory and preference uses a default value #} {% if peer_config.ssh.username is vyos_defined %} rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} {{ peer_config.ssh.username }} {{ peer_config.ssh.private_key_file }} {{ peer_config.ssh.public_key_file }} preference {{ peer_config.preference }} {% else %} rpki cache {{ peer | replace('_', '-') }} {{ peer_config.port }} preference {{ peer_config.preference }} {% endif %} {% endfor %} {% endif %} +{% if expire_interval is vyos_defined %} + rpki expire_interval {{ expire_interval }} +{% endif %} {% if polling_period is vyos_defined %} rpki polling_period {{ polling_period }} {% endif %} +{% if retry_interval is vyos_defined %} + rpki retry_interval {{ retry_interval }} +{% endif %} exit ! diff --git a/interface-definitions/protocols_rpki.xml.in b/interface-definitions/protocols_rpki.xml.in index 6a38b2961..a2a0a2799 100644 --- a/interface-definitions/protocols_rpki.xml.in +++ b/interface-definitions/protocols_rpki.xml.in @@ -1,87 +1,113 @@ <?xml version="1.0" encoding="utf-8"?> <interfaceDefinition> <node name="protocols"> <children> <node name="rpki" owner="${vyos_conf_scripts_dir}/protocols_rpki.py"> <properties> <help>BGP prefix origin validation</help> </properties> <children> <tagNode name="cache"> <properties> <help>RPKI cache server address</help> <valueHelp> <format>ipv4</format> <description>IP address of RPKI server</description> </valueHelp> <valueHelp> <format>ipv6</format> <description>IPv6 address of RPKI server</description> </valueHelp> <valueHelp> <format>hostname</format> <description>Fully qualified domain name of RPKI server</description> </valueHelp> <constraint> <validator name="ip-address"/> <validator name="fqdn"/> </constraint> </properties> <children> #include <include/port-number.xml.i> <leafNode name="preference"> <properties> <help>Preference of the cache server</help> <valueHelp> <format>u32:1-255</format> <description>Preference of the cache server</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-255"/> </constraint> </properties> </leafNode> <node name="ssh"> <properties> <help>RPKI SSH connection settings</help> </properties> <children> <leafNode name="private-key-file"> <properties> <help>RPKI SSH private key file</help> <constraint> <validator name="file-path"/> </constraint> </properties> </leafNode> <leafNode name="public-key-file"> <properties> <help>RPKI SSH public key file path</help> <constraint> <validator name="file-path"/> </constraint> </properties> </leafNode> #include <include/generic-username.xml.i> </children> </node> </children> </tagNode> + <leafNode name="expire-interval"> + <properties> + <help>Interval to wait before expiring the cache</help> + <valueHelp> + <format>u32:600-172800</format> + <description>Interval in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 600-172800"/> + </constraint> + </properties> + <defaultValue>7200</defaultValue> + </leafNode> <leafNode name="polling-period"> <properties> - <help>RPKI cache polling period</help> + <help>Cache polling interval</help> <valueHelp> <format>u32:1-86400</format> - <description>Polling period in seconds</description> + <description>Interval in seconds</description> </valueHelp> <constraint> <validator name="numeric" argument="--range 1-86400"/> </constraint> </properties> <defaultValue>300</defaultValue> </leafNode> + <leafNode name="retry-interval"> + <properties> + <help>Retry interval to connect to the cache server</help> + <valueHelp> + <format>u32:1-7200</format> + <description>Interval in seconds</description> + </valueHelp> + <constraint> + <validator name="numeric" argument="--range 1-7200"/> + </constraint> + </properties> + <defaultValue>600</defaultValue> + </leafNode> </children> </node> </children> </node> </interfaceDefinition> diff --git a/smoketest/scripts/cli/test_protocols_rpki.py b/smoketest/scripts/cli/test_protocols_rpki.py index b43c626c4..c52c0dd76 100755 --- a/smoketest/scripts/cli/test_protocols_rpki.py +++ b/smoketest/scripts/cli/test_protocols_rpki.py @@ -1,156 +1,159 @@ #!/usr/bin/env python3 # # Copyright (C) 2021-2024 VyOS maintainers and contributors # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License version 2 or later as # published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. import os import unittest from base_vyostest_shim import VyOSUnitTestSHIM from vyos.configsession import ConfigSessionError from vyos.utils.process import cmd from vyos.utils.process import process_named_running base_path = ['protocols', 'rpki'] PROCESS_NAME = 'bgpd' rpki_ssh_key = '/config/auth/id_rsa_rpki' rpki_ssh_pub = f'{rpki_ssh_key}.pub' class TestProtocolsRPKI(VyOSUnitTestSHIM.TestCase): @classmethod def setUpClass(cls): # call base-classes classmethod super(TestProtocolsRPKI, cls).setUpClass() # Retrieve FRR daemon PID - it is not allowed to crash, thus PID must remain the same cls.daemon_pid = process_named_running(PROCESS_NAME) # ensure we can also run this test on a live system - so lets clean # out the current configuration :) cls.cli_delete(cls, base_path) def tearDown(self): self.cli_delete(base_path) self.cli_commit() # Nothing RPKI specific should be left over in the config # frrconfig = self.getFRRconfig('rpki') # self.assertNotIn('rpki', frrconfig) # check process health and continuity self.assertEqual(self.daemon_pid, process_named_running(PROCESS_NAME)) def test_rpki(self): - polling = '7200' + expire_interval = '3600' + polling_period = '600' + retry_interval = '300' cache = { '192.0.2.1' : { 'port' : '8080', - 'preference' : '1' - }, - '192.0.2.2' : { - 'port' : '9090', - 'preference' : '2' + 'preference' : '10' }, '2001:db8::1' : { 'port' : '1234', - 'preference' : '3' + 'preference' : '30' }, - '2001:db8::2' : { + 'rpki.vyos.net' : { 'port' : '5678', - 'preference' : '4' + 'preference' : '40' }, } - self.cli_set(base_path + ['polling-period', polling]) + self.cli_set(base_path + ['expire-interval', expire_interval]) + self.cli_set(base_path + ['polling-period', polling_period]) + self.cli_set(base_path + ['retry-interval', retry_interval]) + for peer, peer_config in cache.items(): self.cli_set(base_path + ['cache', peer, 'port', peer_config['port']]) self.cli_set(base_path + ['cache', peer, 'preference', peer_config['preference']]) # commit changes self.cli_commit() # Verify FRR configuration frrconfig = self.getFRRconfig('rpki') - self.assertIn(f'rpki polling_period {polling}', frrconfig) + self.assertIn(f'rpki expire_interval {expire_interval}', frrconfig) + self.assertIn(f'rpki polling_period {polling_period}', frrconfig) + self.assertIn(f'rpki retry_interval {retry_interval}', frrconfig) for peer, peer_config in cache.items(): port = peer_config['port'] preference = peer_config['preference'] self.assertIn(f'rpki cache {peer} {port} preference {preference}', frrconfig) def test_rpki_ssh(self): polling = '7200' cache = { '192.0.2.3' : { 'port' : '1234', 'username' : 'foo', 'preference' : '10' }, '192.0.2.4' : { 'port' : '5678', 'username' : 'bar', 'preference' : '20' }, } self.cli_set(base_path + ['polling-period', polling]) for peer, peer_config in cache.items(): self.cli_set(base_path + ['cache', peer, 'port', peer_config['port']]) self.cli_set(base_path + ['cache', peer, 'preference', peer_config['preference']]) self.cli_set(base_path + ['cache', peer, 'ssh', 'username', peer_config['username']]) self.cli_set(base_path + ['cache', peer, 'ssh', 'public-key-file', rpki_ssh_pub]) self.cli_set(base_path + ['cache', peer, 'ssh', 'private-key-file', rpki_ssh_key]) # commit changes self.cli_commit() # Verify FRR configuration frrconfig = self.getFRRconfig('rpki') self.assertIn(f'rpki polling_period {polling}', frrconfig) for peer, peer_config in cache.items(): port = peer_config['port'] preference = peer_config['preference'] username = peer_config['username'] self.assertIn(f'rpki cache {peer} {port} {username} {rpki_ssh_key} {rpki_ssh_pub} preference {preference}', frrconfig) def test_rpki_verify_preference(self): cache = { '192.0.2.1' : { 'port' : '8080', 'preference' : '1' }, '192.0.2.2' : { 'port' : '9090', 'preference' : '1' }, } for peer, peer_config in cache.items(): self.cli_set(base_path + ['cache', peer, 'port', peer_config['port']]) self.cli_set(base_path + ['cache', peer, 'preference', peer_config['preference']]) # check validate() - preferences must be unique with self.assertRaises(ConfigSessionError): self.cli_commit() if __name__ == '__main__': # Create OpenSSH keypair used in RPKI tests if not os.path.isfile(rpki_ssh_key): cmd(f'ssh-keygen -t rsa -f {rpki_ssh_key} -N ""') unittest.main(verbosity=2)