From 72666867559733328ce406937e2dfb313a8f9234 Mon Sep 17 00:00:00 2001 From: "B. Stack" Date: Fri, 3 May 2024 14:44:59 -0400 Subject: add hide-replaced-certs parameter --- README.md | 1 + fca.conf.example | 1 + freeipa-cert-alert.py | 28 ++++++++++++++++++++++++++-- 3 files changed, 28 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 70cf3e4..0c4bdec 100644 --- a/README.md +++ b/README.md @@ -10,6 +10,7 @@ You configure it with environment variables at runtime, including: * `FREEIPA_USERNAME` * `FREEIPA_PASSWORD` * `DAYS` +* `FREEIPA_HIDE_REPLACED_CERTS` For some reason, domain name does not suffice as the server name. You must pick a server name. This is discoverable in a properly-functioning Kerberos domain with: diff --git a/fca.conf.example b/fca.conf.example index 2f89665..abba582 100644 --- a/fca.conf.example +++ b/fca.conf.example @@ -6,3 +6,4 @@ export FREEIPA_PASSWORD='plaintextpassword' #export FREEIPA_PASSWORD="$( printf '9237a419f3741ef734==' | base64 -d )" export PASTDAYS=0 export DAYS=30 +export FREEIPA_HIDE_REPLACED_CERTS=1 diff --git a/freeipa-cert-alert.py b/freeipa-cert-alert.py index ab2c39e..f451196 100755 --- a/freeipa-cert-alert.py +++ b/freeipa-cert-alert.py @@ -8,8 +8,9 @@ # Purpose: Send me alerts for certs that are about to expire # History: # 2022-12-18 added PASTDAYS option +# 2024-05-03 add remove replaced certs option # Usage: -# Set env: FREEIPA_SERVER FREEIPA_USERNAME FREEIPA_PASSWORD DAYS PASTDAYS +# Set env: FREEIPA_SERVER FREEIPA_USERNAME FREEIPA_PASSWORD DAYS PASTDAYS FREEIPA_HIDE_REPLACED_CERTS # References: # https://python-freeipa.readthedocs.io/en/latest/ # https://stackoverflow.com/questions/72899/how-do-i-sort-a-list-of-dictionaries-by-a-value-of-the-dictionary/73050#73050 
@@ -21,7 +22,7 @@ # Somehow this is not a requisite component of freeipa! Those are named python3-ipa* # fedora-req: python3-freeipa -import python_freeipa, json, datetime, os, sys +import python_freeipa, json, datetime, os, sys, re import dateutil.parser as dparser # Functions @@ -43,6 +44,26 @@ def show_list(inlist): for i in inlist: print(f"{i['valid_not_before']:<{col1max}} {i['valid_not_after']:<{col2max}} {i['subject']:<{col3max}}") +def hide_replaced_certs(certlist,future,client): + """ + Remove from certlist any certs that have been replaced already. This is defined as a cert whose subject name exists as a cert with a further-out validto date. + + Args: + certlist: the list of objects from python_freeipa.cert_find() + future: YYYY-mm-dd of the end date of the search that generated certlist. + client: the python_freeipa client object + + Returns: + list: certlist with any superseded certificates removed. + """ + #print(f"Got certlist {certlist}") + newlist = [] + for i in certlist: + b = client.cert_find(o_validnotafter_from = future,subject = re.sub(",O=.*$","",re.sub("^CN=","",i["subject"]))) + if not ("count" in b and b["count"] > 0): + newlist.append(i) + return newlist + # Main DAYS = os.getenv("DAYS",default=60) try: @@ -62,6 +83,9 @@ today = str(datetime.date.today() + datetime.timedelta(days=-PASTDAYS)) future = str(datetime.date.today() + datetime.timedelta(days=DAYS)) results = client.cert_find(o_validnotafter_from=today,o_validnotafter_to=future) certs = results['result'] + +if os.getenv("FREEIPA_HIDE_REPLACED_CERTS",""): + certs = hide_replaced_certs(certs,future,client) # Sort certs = sorted(certs,key=lambda d: int(dparser.parse(d['valid_not_after']).strftime('%s'))) if len(certs) > 0: -- cgit
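Review bot: In hide_replaced_certs, a cert whose `valid_not_after` falls exactly on `future` can match its own entry in the `client.cert_find(o_validnotafter_from = future, ...)` lookup and be dropped as "already replaced", if the server treats that bound inclusively the way the first query's `o_validnotafter_to=future` window appears to; for an expiry-alert tool a silent false negative is the worst failure mode. The docstring defines replacement as a same-subject cert with a further-out expiry, but the code only tests `b["count"] > 0`, so it also accepts a revoked replacement, and, if cert_find's `subject` filter is a substring match, a cert for a longer name that merely contains this CN. Nothing records which certs were suppressed, which makes the suppression impossible to audit later. I would filter the returned entries on a strictly later `valid_not_after` (the file already parses these with `dparser`) and print each hidden subject to stderr, as below; note also that this adds one API call per expiring cert, which may be slow on large realms.
```python
    for i in certlist:
        cn = re.sub(",O=.*$", "", re.sub("^CN=", "", i["subject"]))
        b = client.cert_find(o_validnotafter_from=future, subject=cn)
        own_expiry = dparser.parse(i["valid_not_after"])
        # "replaced" per the docstring: same subject, strictly later expiry
        newer = [c for c in b.get("result", []) if dparser.parse(c["valid_not_after"]) > own_expiry]
        if newer:
            print(f"hiding {i['subject']} (expires {i['valid_not_after']}): {len(newer)} later cert(s) found", file=sys.stderr)
        else:
            newlist.append(i)
    # … unchanged: return newlist …
```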
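Review bot: `if os.getenv("FREEIPA_HIDE_REPLACED_CERTS",""):` treats any non-empty value as enabled, so `FREEIPA_HIDE_REPLACED_CERTS=0` or `=false` — the natural way to switch the feature off while keeping the line from fca.conf.example — turns hiding on, and the README hunk only lists the variable without saying which values are recognised. Parse it explicitly, e.g. `if os.getenv("FREEIPA_HIDE_REPLACED_CERTS", "").strip().lower() in ("1", "true", "yes"):`, and state the accepted values in the README entry and the Usage header comment.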