Config: Improve --init-tals

1. Update the TAL URLs. (The old ones were very obsolete.)
2. Add --init-as0-tals. (Used to download the ASN0 TALs.)
3. Deprecate and zero-op --init-locations. (Didn't make sense.
   If the user needs a different URL, they can do wget instead.)
4. Deprecate setup_fort.sh. (Seems to be redundant. --init-tals
   already takes care of downloading TALs.)

Author: ydahhrk

examples/README.md

@@ -3,4 +3,3 @@
 This folder contains the following examples:
 - `config.json`: configuration file mostly with the default values used by the validator. Can be set as value of [`--configuration-file`](https://nicmx.github.io/FORT-validator/usage.html#--configuration-file).
 - `demo.slurm`: valid SLURM file mostly with the same values as in [RFC 8416 section 3.5](https://tools.ietf.org/html/rfc8416#section-3.5). Can be set as value of [`--slurm`](https://nicmx.github.io/FORT-validator/usage.html#--slurm).
-- `tal/`: directory that contains almost all RIRs TALs, [read more](tal/).

examples/tal/README.md

@@ -1,9 +1,4 @@
-# TALs
+Please ignore this folder. It only exists in the hopes that `fort_setup.sh` continues working until it's retired. The script is deprecated at the moment.
 
-Most of the Trust Anchor Locators of the RIRs are included here for convenience. (But maybe you should get your own, for security.)
+The TALs contained here are pretty much all old and obsolete. If you need to download the current TALs, run `fort --init-tals --tal <TAL directory>` instead.
 
-**Almost every TAL includes an HTTPS URI to fetch the trust anchor certificates, FORT validator utilizes such URIs by default.**
-
-The only TAL that's not included is ARIN's, because you need to agree to their [RPA](https://www.arin.net/resources/manage/rpki/tal/).
-
-In order to ease the ARIN TAL download, there's a script that does that for you: [fort_setup.sh](../../fort_setup.sh). Read more about it at web docs section [Compilation and Installation](https://nicmx.github.io/FORT-validator/installation.html).

fort_setup.sh

@@ -30,6 +30,12 @@
 #    - Using the values of the configuration file (uses the args '--tal' and
 #      '--local-repository').
 
+echo "WARNING: this script (fort_setup.sh) is deprecated, and will be deleted soon."
+echo "I don't even know if it works properly."
+echo "If you want to download the TALs, use the fort binary's --init-tals option."
+echo "See https://nicmx.github.io/FORT-validator/usage.html#--init-tals"
+echo "===================================="
+
 exit_on_err()
 {
   if ! [ $1 ] ; then

src/config.c

@@ -204,11 +204,12 @@ struct rpki_config {
 	/* Time period that must lapse to warn about a stale repository */
 	unsigned int stale_repository_period;
 
-	/* Download the TALs into --tal? */
+	/* Download the normal TALs into --tal? */
 	bool init_tals;
-
-	/* HTTPS URLS from where the TALS will be fetched */
-	struct init_locations init_tal_locations;
+	/* Download AS0 TALs into --tal? */
+	bool init_tal0s;
+	/* Deprecated; currently does nothing. */
+	unsigned int init_tal_locations;
 
 	/* Thread pools for specific tasks */
 	struct {
@@ -771,15 +772,21 @@ static const struct option_field options[] = {
 		.name = "init-tals",
 		.type = &gt_bool,
 		.offset = offsetof(struct rpki_config, init_tals),
-		.doc = "Fetch the RIR's TAL files into the specified path at --tal",
+		.doc = "Fetch the currently-known TAL files into --tal",
 		.availability = AVAILABILITY_GETOPT,
-	},
-	{
+	}, {
+		.id = 11002,
+		.name = "init-as0-tals",
+		.type = &gt_bool,
+		.offset = offsetof(struct rpki_config, init_tal0s),
+		.doc = "Fetch the currently-known AS0 TAL files into --tal",
+		.availability = AVAILABILITY_GETOPT,
+	}, {
 		.id = 11001,
 		.name = "init-locations",
 		.type = &gt_init_tals_locations,
 		.offset = offsetof(struct rpki_config, init_tal_locations),
-		.doc = "Locations from where the TAL files will be downloaded, and its optional accept message",
+		.doc = "Deprecated. Does nothing as of Fort 1.5.1.",
 		.availability = AVAILABILITY_JSON,
 	},
 
@@ -953,18 +960,6 @@ set_default_values(void)
 		"$LOCAL",
 	};
 
-	static char const *init_locations_no_msg[] = {
-		"https://raw.githubusercontent.com/NICMx/FORT-validator/master/examples/tal/lacnic.tal",
-		"https://raw.githubusercontent.com/NICMx/FORT-validator/master/examples/tal/ripe.tal",
-		"https://raw.githubusercontent.com/NICMx/FORT-validator/master/examples/tal/afrinic.tal",
-		"https://raw.githubusercontent.com/NICMx/FORT-validator/master/examples/tal/apnic.tal",
-	};
-
-	static char const *init_locations_w_msg[] = {
-		"https://www.arin.net/resources/manage/rpki/arin.tal",
-		"Please download and read ARIN Relying Party Agreement (RPA) from https://www.arin.net/resources/manage/rpki/rpa.pdf. Once you've read it and if you agree ARIN RPA, type 'yes' to proceed with ARIN's TAL download:",
-	};
-
 	int error;
 
 	/*
@@ -1083,20 +1078,15 @@ set_default_values(void)
 	rpki_config.stale_repository_period = 43200; /* 12 hours */
 
 	rpki_config.init_tals = false;
-	error = init_locations_init(&rpki_config.init_tal_locations,
-	    init_locations_no_msg, ARRAY_LEN(init_locations_no_msg),
-	    init_locations_w_msg, ARRAY_LEN(init_locations_w_msg));
-	if (error)
-		goto revert_init_locations;
+	rpki_config.init_tal_locations = 0;
 
 	/* Common scenario is to connect 1 router or a couple of them */
 	rpki_config.thread_pool.server.max = 20;
 	/* Usually 5 TALs, let a few more available */
 	rpki_config.thread_pool.validation.max = 5;
 
 	return 0;
-revert_init_locations:
-	free(rpki_config.validation_log.tag);
+
 revert_validation_log_tag:
 	free(rpki_config.http.user_agent);
 revert_flat_array:
@@ -1256,9 +1246,11 @@ handle_flags_config(int argc, char **argv)
 		goto end;
 
 	/* If present, nothing else is done */
-	if (rpki_config.init_tals) {
-		error = init_tals_exec(&rpki_config.init_tal_locations,
-		    rpki_config.tal);
+	if (rpki_config.init_tals || rpki_config.init_tal0s) {
+		if (rpki_config.init_tals)
+			error = download_tals();
+		if (!error && rpki_config.init_tal0s)
+			error = download_tal0s();
 		free(long_opts);
 		free(short_opts);
 		exit(error);

src/config/init_tals.c

@@ -1,234 +1,13 @@
 #include "config/init_tals.h"
 
-#include <getopt.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/queue.h>
-#include "log.h"
-
-#define JSON_MEMBER_URL "url"
-#define JSON_MEMBER_MESSAGE "accept-message"
-
-static int
-init_location_create(char const *url, struct init_location **result)
-{
-	struct init_location *tmp;
-
-	tmp = malloc(sizeof(struct init_location));
-	if (tmp == NULL)
-		return pr_enomem();
-
-	tmp->url = strdup(url);
-	if (tmp->url == NULL) {
-		free(tmp);
-		return pr_enomem();
-	}
-
-	tmp->accept_message = NULL;
-
-	*result = tmp;
-	return 0;
-}
-
-static void
-init_location_destroy(struct init_location *location)
-{
-	if (location->accept_message != NULL)
-		free(location->accept_message);
-	free(location->url);
-	free(location);
-}
-
-void
-init_locations_cleanup(struct init_locations *locations)
-{
-	struct init_location *tmp;
-
-	while (!SLIST_EMPTY(locations)) {
-		tmp = locations->slh_first;
-		SLIST_REMOVE_HEAD(locations, next);
-		init_location_destroy(tmp);
-	}
-}
-
-void
-__init_locations_cleanup(void *arg)
-{
-	init_locations_cleanup(arg);
-}
-
-static int
-init_locations_add_n_msg(struct init_locations *locations, char const *url)
-{
-	struct init_location *tmp;
-	int error;
-
-	tmp = NULL;
-	error = init_location_create(url, &tmp);
-	if (error)
-		return error;
-
-	SLIST_INSERT_HEAD(locations, tmp, next);
-	return 0;
-}
-
-static int
-init_locations_add_w_msg(struct init_locations *locations, char const *url,
-    char const *message)
-{
-	struct init_location *tmp;
-	int error;
-
-	tmp = NULL;
-	error = init_location_create(url, &tmp);
-	if (error)
-		return error;
-
-	tmp->accept_message = strdup(message);
-	if (tmp->accept_message == NULL) {
-		init_location_destroy(tmp);
-		return pr_enomem();
-	}
-
-	SLIST_INSERT_HEAD(locations, tmp, next);
-	return 0;
-}
-
-int
-init_locations_init(struct init_locations *locations,
-    char const *const *non_message, size_t non_message_len,
-    char const *const *with_message, size_t with_message_len)
-{
-	size_t i;
-	int error;
-
-	SLIST_INIT(locations);
-
-	for (i = 0; i < non_message_len; i++) {
-		error = init_locations_add_n_msg(locations, non_message[i]);
-		if (error)
-			goto cleanup;
-	}
-
-	for (i = 0; i < with_message_len; i+=2) {
-		error = init_locations_add_w_msg(locations, with_message[i],
-		    with_message[i + 1]);
-		if (error)
-			goto cleanup;
-	}
-
-	return 0;
-cleanup:
-	init_locations_cleanup(locations);
-	return error;
-}
-
-int
-init_locations_foreach(struct init_locations *locations,
-    init_locations_foreach_cb cb, void *arg)
-{
-	struct init_location *ptr;
-	int error;
-
-	SLIST_FOREACH(ptr, locations, next) {
-		error = cb(ptr->url, ptr->accept_message, arg);
-		if (error)
-			return error;
-	}
-
-	return 0;
-}
-
-static int
-parse_location(char const *name, size_t pos, json_t *json, char const **url,
-    char const **message)
-{
-	json_t *member;
-
-	member = json_object_get(json, JSON_MEMBER_URL);
-	if (member == NULL)
-		return pr_op_err("'%s' array element #%zu requires the member '%s'.",
-		    name, pos, JSON_MEMBER_URL);
-
-	if (!json_is_string(member))
-		return pr_op_err("'%s' array element #%zu '%s' member must be a string",
-		    name, pos, JSON_MEMBER_URL);
-
-	*url = json_string_value(member);
-
-	/* Optional */
-	member = json_object_get(json, JSON_MEMBER_MESSAGE);
-	if (member == NULL) {
-		*message = NULL;
-		return 0;
-	}
-
-	if (!json_is_string(member))
-		return pr_op_err("'%s' array element #%zu '%s' member must be a string",
-		    name, pos, JSON_MEMBER_MESSAGE);
-
-	*message = json_string_value(member);
-
-	return 0;
-}
-
 static int
 init_tals_parse_json(struct option_field const *opt, json_t *json, void *result)
 {
-	struct init_locations *ptr;
-	json_t *elem;
-	size_t len;
-	size_t i;
-	char const *url;
-	char const *message;
-	int error;
-
-	if (!json_is_array(json)) {
-		return pr_op_err("The '%s' element is not a JSON array",
-		    opt->name);
-	}
-
-	len = json_array_size(json);
-
-	if (len == 0) {
-		/* Cleanup default value */
-		init_locations_cleanup(result);
-		return 0;
-	}
-
-	ptr = result;
-
-	/* Remove the previous value (usually the default). */
-	init_locations_cleanup(ptr);
-
-	for (i = 0; i < len; i++) {
-		elem = json_array_get(json, i);
-		if (!json_is_object(elem))
-			return pr_op_err("'%s' array element #%zu is not an object",
-			    opt->name, i);
-
-		url = NULL;
-		message = NULL;
-		error = parse_location(opt->name, i, elem, &url, &message);
-		if (error)
-			goto cleanup;
-
-		if (message == NULL)
-			error = init_locations_add_n_msg(ptr, url);
-		else
-			error = init_locations_add_w_msg(ptr, url, message);
-
-		if (error)
-			goto cleanup;
-	}
+	/* This is deprecated. Please delete it in the future. */
 	return 0;
-cleanup:
-	init_locations_cleanup(ptr);
-	return error;
 }
 
 const struct global_type gt_init_tals_locations = {
 	.print = NULL,
 	.parse.json = init_tals_parse_json,
-	.free = __init_locations_cleanup,
 };

src/config/init_tals.h

@@ -1,27 +1,8 @@
 #ifndef SRC_CONFIG_INIT_TALS_H_
 #define SRC_CONFIG_INIT_TALS_H_
 
-#include <stddef.h>
-#include <sys/queue.h>
 #include "config/types.h"
 
-/* Struct where each URL and its optional message are stored */
-struct init_location {
-	char *url;
-	char *accept_message;
-	SLIST_ENTRY(init_location) next;
-};
-
-SLIST_HEAD(init_locations, init_location);
-
 extern const struct global_type gt_init_tals_locations;
 
-typedef int (*init_locations_foreach_cb)(char const *, char const *, void *);
-int init_locations_foreach(struct init_locations *, init_locations_foreach_cb,
-    void *);
-
-int init_locations_init(struct init_locations *, char const *const *, size_t,
-    char const *const *, size_t);
-void init_locations_cleanup(struct init_locations *);
-
 #endif /* SRC_CONFIG_INIT_TALS_H_ */