authorB. Stack <bgstack15@gmail.com>2024-05-03 14:44:59 -0400
committerB. Stack <bgstack15@gmail.com>2024-05-03 14:44:59 -0400
commit72666867559733328ce406937e2dfb313a8f9234 (patch)
tree6422bf20a41b69d28a26a89dd76a477376cc23d3
parentadd PASTDAYS support (diff)
add hide-replaced-certs parameter
-rw-r--r--README.md1
-rw-r--r--fca.conf.example1
-rwxr-xr-xfreeipa-cert-alert.py28
3 files changed, 28 insertions, 2 deletions
diff --git a/README.md b/README.md
index 70cf3e4..0c4bdec 100644
--- a/README.md
+++ b/README.md
@@ -10,6 +10,7 @@ You configure it with environment variables at runtime, including:
* `FREEIPA_USERNAME`
* `FREEIPA_PASSWORD`
* `DAYS`
+* `FREEIPA_HIDE_REPLACED_CERTS`
For some reason, domain name does not suffice as the server name. You must pick a server name. This is discoverable in a properly-functioning Kerberos domain with:
diff --git a/fca.conf.example b/fca.conf.example
index 2f89665..abba582 100644
--- a/fca.conf.example
+++ b/fca.conf.example
@@ -6,3 +6,4 @@ export FREEIPA_PASSWORD='plaintextpassword'
#export FREEIPA_PASSWORD="$( printf '9237a419f3741ef734==' | base64 -d )"
export PASTDAYS=0
export DAYS=30
+export FREEIPA_HIDE_REPLACED_CERTS=1
diff --git a/freeipa-cert-alert.py b/freeipa-cert-alert.py
index ab2c39e..f451196 100755
--- a/freeipa-cert-alert.py
+++ b/freeipa-cert-alert.py
@@ -8,8 +8,9 @@
# Purpose: Send me alerts for certs that are about to expire
# History:
# 2022-12-18 added PASTDAYS option
+# 2024-05-03 add remove replaced certs option
# Usage:
-# Set env: FREEIPA_SERVER FREEIPA_USERNAME FREEIPA_PASSWORD DAYS PASTDAYS
+# Set env: FREEIPA_SERVER FREEIPA_USERNAME FREEIPA_PASSWORD DAYS PASTDAYS FREEIPA_HIDE_REPLACED_CERTS
# References:
# https://python-freeipa.readthedocs.io/en/latest/
# https://stackoverflow.com/questions/72899/how-do-i-sort-a-list-of-dictionaries-by-a-value-of-the-dictionary/73050#73050
@@ -21,7 +22,7 @@
# Somehow this is not a requisite component of freeipa! Those are named python3-ipa*
# fedora-req: python3-freeipa
-import python_freeipa, json, datetime, os, sys
+import python_freeipa, json, datetime, os, sys, re
import dateutil.parser as dparser
# Functions
@@ -43,6 +44,26 @@ def show_list(inlist):
for i in inlist:
print(f"{i['valid_not_before']:<{col1max}} {i['valid_not_after']:<{col2max}} {i['subject']:<{col3max}}")
+def hide_replaced_certs(certlist,future,client):
+ """
+ Remove from certlist any certs that have been replaced already. This is defined as a cert whose subject name exists as a cert with a further-out validto date.
+
+ Args:
+ certlist: the list of objects from python_freeipa.cert_find()
+ future: YYYY-mm-dd of the end date of the search that generated certlist.
+ client: the python_freeipa client object
+
+ Returns:
+ list: certlist with any superseded certificates removed.
+ """
+ #print(f"Got certlist {certlist}")
+ newlist = []
+ for i in certlist:
+ b = client.cert_find(o_validnotafter_from = future,subject = re.sub(",O=.*$","",re.sub("^CN=","",i["subject"])))
+ if not ("count" in b and b["count"] > 0):
+ newlist.append(i)
+ return newlist
+
# Main
DAYS = os.getenv("DAYS",default=60)
try:
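Review bot: The replacement lookup in `hide_replaced_certs` can match the certificate being examined: `certs` was selected with `o_validnotafter_to=future` and the lookup here uses `o_validnotafter_from=future`, so a cert whose valid_not_after falls exactly on `future` satisfies both bounds (if both are inclusive, which is worth confirming) and hides itself. The `count` check also treats any hit as a live replacement, including a revoked one, so a revoked successor would silence the alert for the still-active cert. Filtering `b["result"]` by serial number and revocation status instead of relying on `count` addresses both; the `subject=` search is presumably a substring match on the CN, which would let `host` match `host2`, so that is worth confirming against the server too. One `cert_find` round-trip per candidate is an N+1 pattern; acceptable for small lists but deserves a comment such as `# one server query per candidate cert; fine for a handful of expiring certs`.
```python
    for i in certlist:
        b = client.cert_find(o_validnotafter_from = future,subject = re.sub(",O=.*$","",re.sub("^CN=","",i["subject"])))
        # a hit only counts as a replacement if it is a different, non-revoked cert
        others = [c for c in b.get("result", [])
                  if c.get("serial_number") != i.get("serial_number")
                  and not c.get("revoked", False)]
        if not others:
            newlist.append(i)
```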
@@ -62,6 +83,9 @@ today = str(datetime.date.today() + datetime.timedelta(days=-PASTDAYS))
future = str(datetime.date.today() + datetime.timedelta(days=DAYS))
results = client.cert_find(o_validnotafter_from=today,o_validnotafter_to=future)
certs = results['result']
+
+if os.getenv("FREEIPA_HIDE_REPLACED_CERTS",""):
+ certs = hide_replaced_certs(certs,future,client)
# Sort
certs = sorted(certs,key=lambda d: int(dparser.parse(d['valid_not_after']).strftime('%s')))
if len(certs) > 0:
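Review bot: `os.getenv("FREEIPA_HIDE_REPLACED_CERTS","")` is truthy for any non-empty value, so `FREEIPA_HIDE_REPLACED_CERTS=0` or `=false` still enables hiding, the opposite of what an operator would expect given the example conf's `=1`. Parse the flag explicitly, e.g. `if os.getenv("FREEIPA_HIDE_REPLACED_CERTS","").strip().lower() in ("1","true","yes"):`, and list the accepted values next to the new README.md entry. This is top-level script code, so there is no enclosing function.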