-rw-r--r--rpkid/portal-gui/scripts/rpkigui-check-expired.py82
1 files changed, 66 insertions, 16 deletions
diff --git a/rpkid/portal-gui/scripts/rpkigui-check-expired.py b/rpkid/portal-gui/scripts/rpkigui-check-expired.py
index eefe2ef9..d6d78a25 100644
--- a/rpkid/portal-gui/scripts/rpkigui-check-expired.py
+++ b/rpkid/portal-gui/scripts/rpkigui-check-expired.py
@@ -12,26 +12,21 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
-# Generate a report of all RPKI certs which are about to expire
-
__version__ = '$Id$'
from rpki.gui.cacheview.models import Cert
from rpki.gui.cacheview.views import cert_chain
-from rpki.gui.app.models import ResourceCert, Conf
+from rpki.gui.app.models import ResourceCert
from rpki.gui.app.glue import list_received_resources
from rpki.irdb.models import ResourceHolderCA
+from rpki.irdb import Zookeeper
+from rpki.left_right import report_error_elt, list_published_objects_elt
+from rpki.x509 import X509
import datetime
import sys
from optparse import OptionParser
-# check for certs expiring in this many days or less
-expire_days = 14
-
-now = datetime.datetime.utcnow()
-expire_time = now + datetime.timedelta(expire_days)
-
Verbose = False
@@ -57,11 +52,6 @@ def check_cert_list(handle, x):
def check_expire(conf):
- # force cache update
- if Verbose:
- print 'Updating received resources cache for %s' % conf.handle
- list_received_resources(sys.stdout, conf)
-
# get certs for `handle'
cert_set = ResourceCert.objects.filter(parent__issuer=conf)
for cert in cert_set:
@@ -89,20 +79,79 @@ def check_expire(conf):
print "\n".join(msg)
-parser = OptionParser()
+def check_child_certs(conf):
+ """Fetch the list of published objects from rpkid, and inspect the issued
+ resource certs (uri ending in .cer).
+
+ """
+ z = Zookeeper(handle=conf.handle)
+ req = list_published_objects_elt.make_pdu(action="list",
+ tag="list_published_objects",
+ self_handle=conf.handle)
+ pdus = z.call_rpkid(req)
+ for pdu in pdus:
+ if isinstance(pdu, report_error_elt):
+ print "rpkid reported an error: %s" % pdu.error_code
+ elif isinstance(pdu, list_published_objects_elt):
+ uri = pdu.uri
+ if uri.endswith('.cer'):
+ cert = X509()
+ cert.set(Base64=pdu.obj)
+ t = cert.getNotAfter()
+ if Verbose or t <= expire_time:
+ e = 'expired' if t <= now else 'will expire'
+ subject = cert.getSubject()
+
+ # if the child is hosted by the same rpkid, we can
+ # determine which client this cert was issued to
+ qs = ResourceCert.objects.filter(uri=pdu.uri)
+ child = qs[0].parent.issuer.handle if qs else '<unknown>'
+
+ print "%(handle)s's rescert for Child %(child)s %(expire)s on %(date)s uri=%(uri)s subject=%(subject)s" % {
+ 'handle': conf.handle,
+ 'child': child,
+ 'uri': pdu.uri,
+ 'subject': subject,
+ 'expire': e,
+ 'date': t}
+
+
+usage = '%prog [ -vV ] [ handle1 handle2... ]'
+
+description = """Generate a report detailing all RPKI/BPKI certificates which
+are due for impending expiration. If no resource handles are specified, a
+report about all resource handles hosted by the local rpkid instance will be
+generated."""
+
+parser = OptionParser(usage, description=description)
parser.add_option('-v', '--verbose', help='enable verbose output',
action='store_true', dest='verbose',
default=False)
parser.add_option('-V', '--version', help='display script version',
action='store_true', dest='version', default=False)
+parser.add_option('-t', '--expire-time',
+ dest='expire_days',
+ default=14,
+ metavar='DAYS',
+ help='specify the number of days in the future to check [default: %default]')
(options, args) = parser.parse_args()
if options.version:
print __version__
sys.exit(0)
Verbose = options.verbose
+now = datetime.datetime.utcnow()
+expire_time = now + datetime.timedelta(options.expire_days)
+
+# if not arguments are given, query all resource holders
+qs = ResourceHolderCA.objects.all() if not args else ResourceHolderCA.objects.filter(handle__in=args)
# check expiration of certs for all handles managed by the web portal
-for h in ResourceHolderCA.objects.all():
+for h in qs:
+ # force cache update
+ if Verbose:
+ print 'Updating received resources cache for %s' % h.handle
+ list_received_resources(sys.stdout, h)
+
check_cert(h.handle, h)
# HostedCA is the ResourceHolderCA cross certified under ServerCA, so check
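Review bot: The new `-t/--expire-time` option is declared without `type='int'`, so any value supplied on the command line arrives as a string and `datetime.timedelta(options.expire_days)` raises TypeError; only the default `14` works because it is an int literal. Change the declaration to `parser.add_option('-t', '--expire-time', dest='expire_days', type='int', default=14, metavar='DAYS', ...)`, and consider rejecting negative values since a negative window silently reports nothing as expiring. Separately, `check_child_certs` feeds `pdu.obj` straight into `cert.set(Base64=...)` and `cert.getNotAfter()` with no error handling, so a single malformed or undecodable published object aborts the report for every remaining handle; a narrow `except` around the parse that prints `pdu.uri` and continues would keep the report best-effort like the `report_error_elt` branch already is (I can't see `X509.set`'s failure mode from here, so confirm which exception it raises). Also note that handles given in `args` that match no `ResourceHolderCA` are silently skipped by the `handle__in` filter; a warning for unmatched names would make typos visible.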
@@ -116,5 +165,6 @@ for h in ResourceHolderCA.objects.all():
check_cert_list(h.handle, h.repositories.all())
check_expire(h)
+ check_child_certs(h)
sys.exit(0)