authorMichael Elkins <melkins@tislabs.com>2012-07-03 23:31:35 +0000
committerMichael Elkins <melkins@tislabs.com>2012-07-03 23:31:35 +0000
commitba7b0f5624de71e925431af8fea72f01448eea08 (patch)
tree2745103098bc3a4228d2d37401b8447819cb2f51
parentd7f74dcdd3e9852126d730b0dde2c4cd2ac3cd54 (diff)
initial implementation of rescert expiration cron script
svn path=/trunk/; revision=4570
-rw-r--r--rpkid/Makefile.in6
-rw-r--r--rpkid/portal-gui/scripts/rpkigui-check-expired.py80
-rw-r--r--rpkid/rpki/gui/cacheview/views.py6
3 files changed, 88 insertions, 4 deletions
diff --git a/rpkid/Makefile.in b/rpkid/Makefile.in
index d7b9464c..bd004f28 100644
--- a/rpkid/Makefile.in
+++ b/rpkid/Makefile.in
@@ -45,7 +45,8 @@ POW_SO = rpki/POW/_POW.so
SCRIPTS = rpki-sql-backup rpki-sql-setup rpki-start-servers irbe_cli irdbd \
pubd rootd rpkic rpkid \
portal-gui/scripts/rpkigui-rcynic \
- portal-gui/scripts/rpkigui-import-routes
+ portal-gui/scripts/rpkigui-import-routes \
+ portal-gui/scripts/rpkigui-check-expired
# scripts we build, but don't install
BUILD_SCRIPTS = portal-gui/scripts/rpkigui-reset-demo
@@ -239,6 +240,9 @@ portal-gui/scripts/rpkigui-import-routes: portal-gui/scripts/rpkigui-import-rout
portal-gui/scripts/rpkigui-reset-demo: portal-gui/scripts/rpkigui-reset-demo.py
${COMPILE_DJANGO}
+portal-gui/scripts/rpkigui-check-expired: portal-gui/scripts/rpkigui-check-expired.py
+ ${COMPILE_DJANGO}
+
portal-gui/rpki.wsgi: ${srcdir}/portal-gui/rpki.wsgi.in
sed -e "s|@VIRTUAL"_"ENV@|${VIRTUAL_ENV}|" \
-e "s|@PYTHON""PATH@|${sysconfdir}/rpki|" \
diff --git a/rpkid/portal-gui/scripts/rpkigui-check-expired.py b/rpkid/portal-gui/scripts/rpkigui-check-expired.py
new file mode 100644
index 00000000..a5fdca1d
--- /dev/null
+++ b/rpkid/portal-gui/scripts/rpkigui-check-expired.py
@@ -0,0 +1,80 @@
+# Copyright (C) 2012 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+# Generate a report of all RPKI certs which are about to expire
+
+__version__ = '$Id$'
+
+from rpki.gui.cacheview.models import Cert
+from rpki.gui.cacheview.views import cert_chain
+from rpki.gui.app.models import ResourceCert, Conf
+
+import datetime
+import sys
+from optparse import OptionParser
+
+# check for certs expiring in this many days or less
+expire_days = 14
+
+expire_time = datetime.datetime.utcnow() + datetime.timedelta(expire_days)
+
+Verbose = False
+
+
+def check_expire(handle):
+ if Verbose:
+ print 'checking rescert expiration for %s' % handle
+ # get certs for `handle'
+ cert_set = ResourceCert.objects.filter(parent__issuer=handle)
+ for cert in cert_set:
+ # look up cert in cacheview db
+ obj_set = Cert.objects.filter(repo__uri=cert.uri)
+ if not obj_set:
+ print >>sys.stderr, "Unable to locate rescert %s in rcynic cache" % cert.uri
+ continue
+ obj = obj_set[0]
+ cert_list = cert_chain(obj)
+ msg = []
+ expired = False
+ for n, c in cert_list:
+ if c.not_after <= expire_time:
+ expired = True
+ f = '*'
+ else:
+ f = ' '
+ msg.append("%s [%d] uri=%s ski=%s name=%s expires=%s" % (f, n, c.repo.uri, c.keyid, c.name, c.not_after))
+ if expired:
+ print "Warning: resource cert for user %s will expire soon:\n"
+ if expired or Verbose:
+ print "Certificate chain:"
+ print "\n".join(msg)
+
+
+if __name__ == '__main__':
+ parser = OptionParser()
+ parser.add_option('-v', '--verbose', help='enable verbose output',
+ action='store_true', dest='verbose',
+ default=False)
+ parser.add_option('-V', '--version', help='display script version',
+ action='store_true', dest='version', default=False)
+ (options, args) = parser.parse_args()
+ if options.version:
+ print __version__
+ sys.exit(0)
+ Verbose = options.verbose
+
+ # check expiration of certs for all handles managed by the web portal
+ for h in Conf.objects.all():
+ check_expire(h)
+
+ sys.exit(0)
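Review bot: The warning printed when `expired` is set carries a `%s` placeholder but no `%` operand, so the operator sees the literal text "%s" and cannot tell which handle's resource certificate is about to lapse; it should read `print "Warning: resource cert for user %s will expire soon:\n" % handle`. The chain is marked with `c.not_after <= expire_time`, which also matches certificates that have already expired, so the "will expire soon" wording understates the case for those entries; a separate marker or a second message for `c.not_after <= datetime.datetime.utcnow()` would make the report actionable. The comparison uses a naive UTC datetime from `utcnow()`; this is correct only if the model's `not_after` is stored naive in UTC as well — worth confirming against the cacheview model before relying on the cron output. The script keys cache lookups on `repo__uri` and silently takes `obj_set[0]` when several rows match; a comment such as `# multiple cache entries for one URI are not expected; first match wins` would document that assumption.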
diff --git a/rpkid/rpki/gui/cacheview/views.py b/rpkid/rpki/gui/cacheview/views.py
index 53e06859..b75763fa 100644
--- a/rpkid/rpki/gui/cacheview/views.py
+++ b/rpkid/rpki/gui/cacheview/views.py
@@ -28,10 +28,10 @@ def cert_chain(obj):
"""
returns an iterator covering all certs from the root cert down to the EE.
"""
- chain = []
- while obj:
- chain.append(obj)
+ chain = [ obj ]
+ while obj != obj.issuer:
obj = obj.issuer
+ chain.append(obj)
return zip(range(len(chain)), reversed(chain))
def signed_object_detail(request, model_class, pk):
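Review bot: The new loop condition `while obj != obj.issuer` relies on the root certificate's `issuer` pointing to itself; if the model allows `issuer` to be NULL (for example a cert whose parent is not present in the cache), the loop appends `None` to the chain and then raises AttributeError on the next `obj.issuer` access. Guarding the walk, `while obj.issuer is not None and obj.issuer != obj:`, keeps the self-issued-root termination while tolerating an absent issuer; the old code tolerated a NULL issuer because it stopped on a falsy `obj`. The docstring still says the function "returns an iterator", but `zip` in this Python 2 code returns a list of `(depth, cert)` pairs ordered root first — updating it to `returns a list of (depth, cert) pairs from the root cert down to the EE` would match the behavior.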