From 1a1c31b5a7eedb6e7abd94d6a3a3ff8a31d4bd56 Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Fri, 6 Dec 2019 10:13:22 -0600
Subject: [PATCH] Add generate-pki command as deprecated
In [0] the secrets generate-pki command was moved to secrets generate certificates. While release notes were added, this change impacts automation set up for users of Pegleg. This change adds back the generate-pki command but marks it as deprecated.
[0] https://review.opendev.org/#/c/694810/
Change-Id: I6a3841e5f5313511ec2afd8340bcae5857cd81fa
---
 doc/source/cli/cli.rst | 66 ++++++++++++++++++++++++++++++++++++++++++
 pegleg/cli.py | 51 ++++++++++++++++++++++++++++++++
 2 files changed, 117 insertions(+)
diff --git a/doc/source/cli/cli.rst b/doc/source/cli/cli.rst
index 0db4f17c..6594cdd1 100644
--- a/doc/source/cli/cli.rst
+++ b/doc/source/cli/cli.rst
@@ -484,6 +484,72 @@ level operations for secrets documents of a site.
 ./pegleg.sh site -r -e secrets
+ Generate PKI (deprecated)
+ ^^^^^^^^^^^^^^^^^^^^^^^^^
+
+ Generate certificates and keys according to all PKICatalog documents in the
+ site using the :ref:`pki` module. The default behavior is to generate all
+ certificates that are not yet present. For example, the first time generate PKI
+ is run or when new entries are added to the PKICatalogue, only those new
+ entries will be generated on subsequent runs.
+
+ Pegleg also supports a full regeneration of all certificates at any time, by
+ using the --regenerate-all flag.
+
+ Pegleg places generated document files in ``/secrets/passphrases``,
+ ``/secrets/certificates``, or ``/secrets/keypairs`` as
+ appropriate:
+
+ * The generated filenames for passphrases will follow the pattern
+ :file:`.yaml`.
+ * The generated filenames for certificate authorities will follow the pattern
+ :file:`_ca.yaml`.
+ * The generated filenames for certificates will follow the pattern
+ :file:`__certificate.yaml`.
+ * The generated filenames for certificate keys will follow the pattern
+ :file:`__key.yaml`.
+ * The generated filenames for keypairs will follow the pattern
+ :file:`.yaml`.
+
+ Dashes in the document names will be converted to underscores for consistency.
+
+ **site_name** (Required).
+
+ Name of site.
+
+ **-a / --author** (Optional).
+
+ Identifying name of the author generating new certificates. Used for tracking
+ provenance information in the PeglegManagedDocuments. An attempt is made to
+ automatically determine this value, but should be provided.
+
+ **-d / --days** (Optional, Default=365).
+
+ Duration (in days) certificates should be valid.
+ Minimum=0, no maximum. Values less than 0 will raise an exception.
+
+ NOTE: A generated certificate where days = 0 should only be used for testing.
+ A certificate generated in such a way will be valid for 0 seconds.
+
+ **--regenerate-all** (Optional, Default=False).
+
+ Force Pegleg to regenerate all PKI items.
+
+ Examples
+ """"""""
+
+ ::
+
+ ./pegleg.sh site -r -e \
+ secrets generate-pki \
+ \
+ -a \
+ -d \
+ --regenerate-all
+
+ .. _command-line-repository-overrides:
+
 Check PKI Certs
 ---------------
diff --git a/pegleg/cli.py b/pegleg/cli.py
index c6bb711f..bf14b294 100644
--- a/pegleg/cli.py
+++ b/pegleg/cli.py
@@ -15,6 +15,7 @@
 import functools
 import logging
 import os
+import warnings
 import click
@@ -430,6 +431,56 @@ def secrets():
 pass
+@secrets.command(
+ 'generate-pki',
+ short_help='[DEPRECATED - Use secrets generate certificates] \n'
+ 'Generate certs and keys according to the site PKICatalog',
+ help='[DEPRECATED - Use secrets generate certificates]\n'
+ 'Generate certificates and keys according to all PKICatalog '
+ 'documents in the site using the PKI module. The default behavior is '
+ 'to generate all certificates that are not yet present. For example, '
+ 'the first time generate PKI is run or when new entries are added '
+ 'to the PKICatalogue, only those new entries will be generated on '
+ 'subsequent runs.')
+@click.option(
+ '-a',
+ '--author',
+ 'author',
+ help='Identifying name of the author generating new certificates. Used'
+ 'for tracking provenance information in the PeglegManagedDocuments. '
+ 'An attempt is made to automatically determine this value, '
+ 'but should be provided.')
+@click.option(
+ '-d',
+ '--days',
+ 'days',
+ default=365,
+ show_default=True,
+ help='Duration in days generated certificates should be valid.')
+@click.option(
+ '--regenerate-all',
+ 'regenerate_all',
+ is_flag=True,
+ default=False,
+ show_default=True,
+ help='Force Pegleg to regenerate all PKI items.')
+@click.argument('site_name')
+def generate_pki_deprecated(site_name, author, days, regenerate_all):
+ """Generate certificates, certificate authorities and keypairs for a given
+ site.
+
+ """
+ warnings.warn(
+ "DEPRECATED - Use secrets generate certificates", DeprecationWarning)
+ engine.repository.process_repositories(site_name, overwrite_existing=True)
+ config.set_global_enc_keys(site_name)
+ pkigenerator = catalog.pki_generator.PKIGenerator(
+ site_name, author=author, duration=days, regenerate_all=regenerate_all)
+ output_paths = pkigenerator.generate()
+
+ click.echo("Generated PKI files written to:\n%s" % '\n'.join(output_paths))
+
+ @secrets.command(
+ 'wrap',
+ help='Wrap bare files (e.g. pem or crt) in a PeglegManagedDocument '
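Review bot: The `--author` help text in the new `generate-pki` command is built from adjacent string literals with no separating space, so `--help` renders "Usedfor tracking provenance"; the first literal should end with a space, `help='Identifying name of the author generating new certificates. Used '`. The deprecation notice is raised as a `DeprecationWarning`, which CPython's default filters hide unless the warning originates in `__main__`, so the automation users this change is meant to reach will most likely never see it; printing it to stderr as well, `click.echo('DEPRECATED - Use secrets generate certificates', err=True)`, keeps stdout parseable and makes the notice visible. The rst hunk states that `--days` values below 0 raise an exception, but the option here carries no `type=click.IntRange(0)` and the body passes `days` straight through as `duration`; if that check is done inside `PKIGenerator` (not visible here) a comment saying so would help, since certificate lifetime is an input worth validating at the boundary. If the body mirrors the `secrets generate certificates` command this replaces (also not visible here), delegating to it with `ctx.invoke` under `@click.pass_context` would keep the deprecated alias from drifting from the supported one.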