aboutsummaryrefslogtreecommitdiff
path: root/rpki/gui/app/check_expired.py
diff options
context:
space:
mode:
authorRob Austein <sra@hactrn.net>2014-04-05 22:42:12 +0000
committerRob Austein <sra@hactrn.net>2014-04-05 22:42:12 +0000
commitfe0bf509f528dbdc50c7182f81057c6a4e15e4bd (patch)
tree07c9a923d4a0ccdfea11c49cd284f6d5757c5eda /rpki/gui/app/check_expired.py
parentaa28ef54c271fbe4d52860ff8cf13cab19e2207c (diff)
Source tree reorg, phase 1. Almost everything moved, no file contents changed.
svn path=/branches/tk685/; revision=5757
Diffstat (limited to 'rpki/gui/app/check_expired.py')
-rw-r--r--rpki/gui/app/check_expired.py209
1 files changed, 209 insertions, 0 deletions
diff --git a/rpki/gui/app/check_expired.py b/rpki/gui/app/check_expired.py
new file mode 100644
index 00000000..fcf5ecae
--- /dev/null
+++ b/rpki/gui/app/check_expired.py
@@ -0,0 +1,209 @@
+# Copyright (C) 2012, 2013 SPARTA, Inc. a Parsons Company
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND SPARTA DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS. IN NO EVENT SHALL SPARTA BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+__version__ = '$Id$'
+__all__ = ('notify_expired', 'NetworkError')
+
+import sys
+import socket
+from cStringIO import StringIO
+import logging
+import datetime
+
+from rpki.gui.cacheview.models import Cert
+from rpki.gui.app.models import Conf, ResourceCert, Timestamp, Alert
+from rpki.gui.app.glue import list_received_resources
+from rpki.irdb import Zookeeper
+from rpki.left_right import report_error_elt, list_published_objects_elt
+from rpki.x509 import X509
+
+from django.core.mail import send_mail
+
+logger = logging.getLogger(__name__)
+expire_time = 0 # set by notify_expired()
+now = 0
+
+
+def check_cert(handle, p, errs):
+ """Check the expiration date on the X.509 certificates in each element of
+ the list.
+
+ The displayed object name defaults to the class name, but can be overridden
+ using the `object_name` argument.
+
+ """
+ t = p.certificate.getNotAfter()
+ if t <= expire_time:
+ e = 'expired' if t <= now else 'will expire'
+ errs.write("%(handle)s's %(type)s %(desc)s %(expire)s on %(date)s\n" % {
+ 'handle': handle, 'type': p.__class__.__name__, 'desc': str(p),
+ 'expire': e, 'date': t})
+
+
+def check_cert_list(handle, x, errs):
+ for p in x:
+ check_cert(handle, p, errs)
+
+
+def check_expire(conf, errs):
+ # get certs for `handle'
+ cert_set = ResourceCert.objects.filter(conf=conf)
+ for cert in cert_set:
+ # look up cert in cacheview db
+ obj_set = Cert.objects.filter(repo__uri=cert.uri)
+ if not obj_set:
+ # since the <list_received_resources/> output is cached, this can
+ # occur if the cache is out of date as well..
+ errs.write("Unable to locate rescert in rcynic cache: handle=%s uri=%s not_after=%s\n" % (conf.handle, cert.uri, cert.not_after))
+ continue
+ obj = obj_set[0]
+ msg = []
+ expired = False
+ for n, c in enumerate(obj.cert_chain):
+ if c.not_after <= expire_time:
+ expired = True
+ f = '*'
+ else:
+ f = ' '
+ msg.append("%s [%d] uri=%s ski=%s name=%s expires=%s" % (f, n, c.repo.uri, c.keyid, c.name, c.not_after))
+
+ # find ghostbuster records attached to this cert
+ for gbr in c.ghostbusters.all():
+ info = []
+ for s in ('full_name', 'organization', 'email_address', 'telephone'):
+ t = getattr(gbr, s, None)
+ if t:
+ info.append(t)
+
+ msg.append(" Contact: " + ", ".join(info))
+
+ if expired:
+ errs.write("%s's rescert from parent %s will expire soon:\n" % (
+ conf.handle,
+ # parent is None for the root cert
+ cert.parent.handle if cert.parent else 'self'
+ ))
+ errs.write("Certificate chain:\n")
+ errs.write("\n".join(msg))
+ errs.write("\n")
+
+
+def check_child_certs(conf, errs):
+ """Fetch the list of published objects from rpkid, and inspect the issued
+ resource certs (uri ending in .cer).
+
+ """
+ z = Zookeeper(handle=conf.handle)
+ req = list_published_objects_elt.make_pdu(action="list",
+ tag="list_published_objects",
+ self_handle=conf.handle)
+ pdus = z.call_rpkid(req)
+ for pdu in pdus:
+ if isinstance(pdu, report_error_elt):
+ logger.error("rpkid reported an error: %s" % pdu.error_code)
+ elif isinstance(pdu, list_published_objects_elt):
+ if pdu.uri.endswith('.cer'):
+ cert = X509()
+ cert.set(Base64=pdu.obj)
+ t = cert.getNotAfter()
+ if t <= expire_time:
+ e = 'expired' if t <= now else 'will expire'
+ errs.write("%(handle)s's rescert for Child %(child)s %(expire)s on %(date)s uri=%(uri)s subject=%(subject)s\n" % {
+ 'handle': conf.handle,
+ 'child': pdu.child_handle,
+ 'uri': pdu.uri,
+ 'subject': cert.getSubject(),
+ 'expire': e,
+ 'date': t})
+
+
+class NetworkError(Exception):
+ pass
+
+
+def notify_expired(expire_days=14, from_email=None):
+ """Send email notificates about impending expirations of resource
+ and BPKI certificates.
+
+ expire_days: the number of days ahead of today to warn
+
+ from_email: set the From: address for the email
+
+ """
+ global expire_time # so i don't have to pass it around
+ global now
+
+ now = datetime.datetime.utcnow()
+ expire_time = now + datetime.timedelta(expire_days)
+
+ # this is not exactly right, since we have no way of knowing what the
+ # vhost for the web portal running on this machine is
+ host = socket.getfqdn()
+ if not from_email:
+ from_email = 'root@' + host
+
+ # Ensure that the rcynic and routeviews data has been updated recently
+ # The QuerySet is created here so that it will be cached and reused on each
+ # iteration of the loop below
+ t = now - datetime.timedelta(hours=12) # 12 hours
+ stale_timestamps = Timestamp.objects.filter(ts__lte=t)
+
+ # if not arguments are given, query all resource holders
+ qs = Conf.objects.all()
+
+ # check expiration of certs for all handles managed by the web portal
+ for h in qs:
+ # Force cache update since several checks require fresh data
+ try:
+ list_received_resources(sys.stdout, h)
+ except socket.error as e:
+ raise NetworkError('Error while talking to rpkid: %s' % e)
+
+ errs = StringIO()
+
+ # Warn the resource holder admins when data may be out of date
+ if stale_timestamps:
+ errs.write('Warning! Stale data from external sources.\n')
+ errs.write('data source : last import\n')
+ for obj in stale_timestamps:
+ errs.write('%-15s: %s\n' % (obj.name, obj.ts))
+ errs.write('\n')
+
+ check_cert(h.handle, h, errs)
+
+ # HostedCA is the ResourceHolderCA cross certified under ServerCA, so
+ # check the ServerCA expiration date as well
+ check_cert(h.handle, h.hosted_by, errs)
+ check_cert(h.handle, h.hosted_by.issuer, errs)
+
+ check_cert_list(h.handle, h.bscs.all(), errs)
+ check_cert_list(h.handle, h.parents.all(), errs)
+ check_cert_list(h.handle, h.children.all(), errs)
+ check_cert_list(h.handle, h.repositories.all(), errs)
+
+ check_expire(h, errs)
+ check_child_certs(h, errs)
+
+ # if there was output, display it now
+ s = errs.getvalue()
+ if s:
+ logger.info(s)
+
+ t = """This is an automated notice about the upcoming expiration of RPKI resources for the handle %s on %s. You are receiving this notification because your email address is either registered in a Ghostbuster record, or as the default email address for the account.\n\n""" % (h.handle, host)
+ h.send_alert(
+ subject='RPKI expiration notice for %s' % h.handle,
+ message=t + s,
+ from_email=from_email,
+ severity=Alert.WARNING
+ )
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-10 10:38:33 +0000