From: Alberto Leiva Popper
Date: Mon, 24 Mar 2025 13:06:55 +0000 (-0300)
Subject: Prioritize https refreshes on TAL URLs
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=edfde02f1b9375a04658c253c778797d54f0beee;p=thirdparty%2FFORT-validator.git

Prioritize https refreshes on TAL URLs

Few reasons:
1. rsync is a bit of a pain as a retrieval tool for RPKI, and I'd like to avoid it when I can get away with it.
2. Refresh by SIA was already prioritizing RRDP over rsync, so this makes the overall behavior more consistent.
3. Always preferring one protocol over the other tends to reduce bandwidth & cache usage.

So, mirror the SIA refresh order for TAs. From highest to lowest priority:
1. Online HTTPS (including RRDP)
2. Online rsync
3. Fallback HTTPS (including RRDP)
4. Fallback rsync
---
diff --git a/src/object/tal.c b/src/object/tal.c
index 79e2b1be..ec460593 100644
--- a/src/object/tal.c
+++ b/src/object/tal.c
@@ -165,43 +165,51 @@ validate_ta(struct tal *tal, struct cache_mapping const *ta_map)
 }
 
 static int
-traverse_tal(char const *tal_path)
+try_urls(struct tal *tal, bool (*url_is_protocol)(char const *),
+ char *(*get_path)(char const *))
 {
- struct tal tal;
  char **url;
  struct cache_mapping map;
- int error;
-
- fnstack_push(tal_path);
-
- error = tal_init(&tal, tal_path);
- if (error)
- goto end1;
 
- /* Online attempts */
- ARRAYLIST_FOREACH(&tal.urls, url) {
+ ARRAYLIST_FOREACH(&tal->urls, url) {
  map.url = *url;
+ if (!url_is_protocol(map.url))
+ continue;
  // XXX if this is rsync, it seems this will queue and fail
- map.path = cache_refresh_by_url(*url);
+ map.path = get_path(*url);
  if (!map.path)
  continue;
- if (validate_ta(&tal, &map) != 0)
+ if (validate_ta(tal, &map) != 0)
  continue;
  cache_commit_file(&map);
- goto end2; /* Happy path */
+ return 0;
  }
+ return ESRCH;
+}
+
+static int
+traverse_tal(char const *tal_path)
+{
+ struct tal tal;
+ int error;
+
+ fnstack_push(tal_path);
+
+ error = tal_init(&tal, tal_path);
+ if (error)
+ goto end1;
+
+ /* Online attempts */
+ if (try_urls(&tal, url_is_https, cache_refresh_by_url) == 0)
+ goto end2;
+ if (try_urls(&tal, url_is_rsync, cache_refresh_by_url) == 0)
+ goto end2;
 
  /* Offline fallback attempts */
- ARRAYLIST_FOREACH(&tal.urls, url) {
- map.url = *url;
- map.path = cache_get_fallback(*url);
- if (!map.path)
- continue;
- if (validate_ta(&tal, &map) != 0)
- continue;
- cache_commit_file(&map);
- goto end2; /* Happy path */
- }
+ if (try_urls(&tal, url_is_https, cache_get_fallback) == 0)
+ goto end2;
+ if (try_urls(&tal, url_is_rsync, cache_get_fallback) == 0)
+ goto end2;
 
  pr_op_err("None of the TAL URIs yielded a successful traversal.");
  error = EINVAL;
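Review bot: The `// XXX if this is rsync, it seems this will queue and fail` comment now sits inside the protocol-agnostic loop of try_urls, where it reads as stale on the two https passes; it belongs next to the `url_is_rsync` calls in traverse_tal, or should name its condition, e.g. `// XXX when url_is_protocol is url_is_rsync, the refresh seems to queue and then fail`. try_urls also has no header comment; I would add one stating its contract: it walks tal->urls in TAL order, skips URLs the predicate rejects, fetches the rest through get_path, and returns 0 on the first TA that validate_ta accepts or ESRCH when none does. One behavioural consequence worth a line in that comment, or a log message, is that a TAL URL whose scheme is neither https nor rsync is now skipped silently by all four passes, whereas before it at least reached cache_refresh_by_url, so the only diagnostic left is the generic pr_op_err at the end. validate_ta, url_is_https and url_is_rsync are defined outside the hunk, and traverse_tal's end1/end2 cleanup labels follow it.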