Add scripts for RIPE route object and ROA

Python CLI that syncs RIPE DB route objects and RPKI ROAs from a YAML config, authenticated via 1Password CLI. Supports dry-run, test/production environments, and a --setup-test command to bootstrap the RIPE test DB.

Author: VegasNative

.github/workflows/ci.yml

@@ -0,0 +1,32 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+        with:
+          enable-cache: true
+
+      - name: Set up Python
+        run: uv python install
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Lint
+        run: uv run ruff check .
+
+      - name: Format check
+        run: uv run ruff format --check .
+
+      - name: Test
+        run: uv run pytest

.gitignore

@@ -1,3 +1,6 @@
+# Local config (use config.example.yaml as template)
+config.yaml
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[codz]
@@ -182,9 +185,9 @@ cython_debug/
 .abstra/
 
 # Visual Studio Code
-#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore 
+#  Visual Studio Code specific template is maintained in a separate VisualStudioCode.gitignore
 #  that can be found at https://github.com/github/gitignore/blob/main/Global/VisualStudioCode.gitignore
-#  and can be added to the global gitignore or merged into this file. However, if you prefer, 
+#  and can be added to the global gitignore or merged into this file. However, if you prefer,
 #  you could uncomment the following to ignore the entire vscode folder
 # .vscode/
 
@@ -205,3 +208,8 @@ cython_debug/
 marimo/_static/
 marimo/_lsp/
 __marimo__/
+
+# Claude AI
+.claude/
+CLAUDE.md
+CLAUDE.local.md

.python-version

@@ -0,0 +1 @@
+3.14

config.example.yaml

@@ -0,0 +1,18 @@
+ripe:
+  maintainer: "MAINT-AS12345"
+  sso_emails:
+    - "admin1@example.com"
+    - "admin2@example.com"
+  routes:
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      description: "Example IPv4 prefix"
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"
+      description: "Example IPv6 prefix"
+  roas:
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      max_length: 24
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"

main.py

@@ -0,0 +1,4 @@
+from rir_updater.main import main
+
+if __name__ == "__main__":
+    main()

pyproject.toml

@@ -0,0 +1,36 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "rir-updater"
+version = "0.1.0"
+description = "Scripts to update RIR (Regional Internet Registry) databases"
+readme = "README.md"
+requires-python = ">=3.14"
+dependencies = [
+    "httpx>=0.28.1",
+    "pydantic>=2.13.3",
+    "pyyaml>=6.0.3",
+]
+
+[dependency-groups]
+dev = [
+    "pytest>=9.0.3",
+    "ruff>=0.15.11",
+]
+
+[project.scripts]
+rir-updater = "rir_updater.main:main"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/rir_updater"]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+
+[tool.ruff]
+line-length = 88
+
+[tool.ruff.lint]
+select = ["E", "F", "I", "UP"]

src/rir_updater/__init__.py

@@ -0,0 +1,89 @@
+import ipaddress
+import re
+from pathlib import Path
+
+import yaml
+from pydantic import BaseModel, field_validator
+
+_ASN_RE = re.compile(r"^AS\d+$", re.IGNORECASE)
+
+
+def _validate_prefix(value: str) -> str:
+    try:
+        ipaddress.ip_network(value, strict=True)
+    except ValueError:
+        raise ValueError(
+            f"invalid prefix {value!r} — must be a network address in CIDR notation "
+            "(e.g. '192.0.2.0/24' or '2001:db8::/32'), host bits must be zero"
+        )
+    return value
+
+
+def _validate_asn(value: str) -> str:
+    if not _ASN_RE.match(value):
+        raise ValueError(
+            f"invalid ASN {value!r} — must be in 'AS<number>' format (e.g. 'AS64496')"
+        )
+    return value.upper()
+
+
+class RouteObject(BaseModel):
+    prefix: str
+    origin: str
+    description: str = ""
+
+    @field_validator("prefix")
+    @classmethod
+    def validate_prefix(cls, v: str) -> str:
+        return _validate_prefix(v)
+
+    @field_validator("origin")
+    @classmethod
+    def validate_origin(cls, v: str) -> str:
+        return _validate_asn(v)
+
+
+class ROA(BaseModel):
+    prefix: str
+    origin: str
+    max_length: int | None = None
+
+    @field_validator("prefix")
+    @classmethod
+    def validate_prefix(cls, v: str) -> str:
+        return _validate_prefix(v)
+
+    @field_validator("origin")
+    @classmethod
+    def validate_origin(cls, v: str) -> str:
+        return _validate_asn(v)
+
+    @field_validator("max_length")
+    @classmethod
+    def validate_max_length(cls, v: int | None, info) -> int | None:
+        if v is None:
+            return v
+        prefix = info.data.get("prefix", "")
+        if prefix:
+            prefix_len = int(prefix.split("/")[1])
+            if v < prefix_len:
+                raise ValueError(
+                    f"max_length {v} is less than prefix length {prefix_len}"
+                )
+        return v
+
+
+class RipeConfig(BaseModel):
+    maintainer: str
+    sso_emails: list[str] = []
+    routes: list[RouteObject] = []
+    roas: list[ROA] = []
+
+
+class Config(BaseModel):
+    ripe: RipeConfig | None = None
+
+
+def load_config(path: Path) -> Config:
+    raw = yaml.safe_load(path.read_text())
+    return Config.model_validate(raw)

src/rir_updater/config.py

@@ -0,0 +1,37 @@
+import subprocess
+
+from rir_updater.exceptions import CredentialError
+
+
+def read_op(reference: str) -> str:
+    """Fetch a secret from 1Password using the op CLI."""
+    try:
+        result = subprocess.run(
+            ["op", "read", reference],
+            capture_output=True,
+            text=True,
+            check=True,
+        )
+        return result.stdout.strip()
+    except FileNotFoundError:
+        raise CredentialError(
+            "1Password CLI ('op') not found — install it from https://1password.com/downloads/command-line/"
+        ) from None
+    except subprocess.CalledProcessError as e:
+        raise CredentialError(
+            f"Failed to read secret from 1Password ({reference!r}): {e.stderr.strip()}"
+        ) from e
+
+
+def get_ripe_db_auth() -> str:
+    """Return base64(username:password) for the RIPE DB REST API Basic auth header."""
+    import base64
+
+    username = read_op("op://Code/Mozilla - RIPE NNC/username")
+    password = read_op("op://Code/Mozilla - RIPE NNC/credential")
+    return base64.b64encode(f"{username}:{password}".encode()).decode()
+
+
+def get_ripe_rpki_key() -> str:
+    """Return the API key for the RIPE RPKI Management API."""
+    return read_op("op://Code/Mozilla - RIPE NNC/RPKI API Key")

src/rir_updater/credentials.py

@@ -0,0 +1,14 @@
+class RirUpdaterError(Exception):
+    pass
+
+
+class ApiError(RirUpdaterError):
+    pass
+
+
+class CredentialError(RirUpdaterError):
+    pass
+
+
+class ConfigError(RirUpdaterError):
+    pass