feat(rpki): provider scaffold — base, factory, paths, ripestat skeleton

New decnet/rpki/ module mirrors decnet/asn/ shape. Validator ABC, lazy singleton factory (DECNET_RPKI_PROVIDER=ripestat default), paths.py with DECNET_RPKI_ROOT override. RipeStatValidator stub returns 'unknown' unconditionally — HTTP wired in next commit. enrich_rpki(ip, asn) -> (status, source) | (None, None); short-circuits on DECNET_RPKI_ENABLED=false or asn=None.
2026-05-21 16:10:01 -04:00
parent e3d9908bed
commit 1a11287f76
8 changed files with 218 additions and 0 deletions
--- a/decnet/rpki/base.py
+++ b/decnet/rpki/base.py
@@ -0,0 +1,38 @@
+"""RPKI validator protocol.
+
+Concrete validators (:mod:`decnet.rpki.ripestat`, future offline providers)
+implement this. Callers must go through
+:func:`~decnet.rpki.factory.get_validator`; never import a concrete
+validator class directly.
+"""
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+from dataclasses import dataclass
+from datetime import datetime
+from typing import Literal, Optional
+
+RpkiStatus = Literal["valid", "invalid", "not-found", "unknown"]
+
+
+@dataclass(frozen=True)
+class RpkiResult:
+    """Outcome of a single RPKI validity check."""
+
+    status: RpkiStatus
+    prefix: Optional[str] = None  # announced prefix the validator resolved for this IP
+    validated_at: Optional[datetime] = None
+
+
+class Validator(ABC):
+    """Abstract RPKI validator."""
+
+    #: Short tag written to ``Attacker.rpki_source`` (e.g. ``'ripestat'``).
+    name: str
+
+    @abstractmethod
+    def validate(self, ip: str, asn: int) -> RpkiResult:
+        """Return RPKI validity for (ip, asn). Never raises."""
+
+    def refresh(self) -> None:
+        """No-op for online validators; offline providers may override."""