From c6e34b47cae6e2ef4510767350a44e82fcc7ea83 Mon Sep 17 00:00:00 2001
From: Alexander Hughes
Date: Tue, 7 Jan 2020 21:18:17 +0000
Subject: [PATCH] Check cert expiry for multiple types

This patch adds support for:
- Checking expiration of CAs in manifests
- Multiple certs per data field of a YAML document

Change-Id: I9dae69acb4252d4de4469eb6733b533ef479f7b4
---
 pegleg/engine/secrets.py | 30 +++++++++++++++++++-----------
 1 file changed, 19 insertions(+), 11 deletions(-)

diff --git a/pegleg/engine/secrets.py b/pegleg/engine/secrets.py
index ce39702d..26cb6679 100644
--- a/pegleg/engine/secrets.py
+++ b/pegleg/engine/secrets.py
@@ -16,6 +16,7 @@ from collections import OrderedDict
 from glob import glob
 import logging
 import os
+import re
 
 from prettytable import PrettyTable
 import yaml
@@ -275,6 +276,9 @@ def check_cert_expiry(site_name, duration=60):
     :rtype: str
     """
+    cert_schemas = [
+        'deckhand/Certificate/v1', 'deckhand/CertificateAuthority/v1'
+    ]
     pki_util = PKIUtility(duration=duration)
     # Create a table to output expired/expiring certs for this site.
     cert_table = PrettyTable()
@@ -289,17 +293,21 @@ def check_cert_expiry(site_name, duration=60):
                 results = PeglegSecretManagement(
                     docs=results).get_decrypted_secrets()
                 for result in results:
-                    if result['schema'] == \
-                        "deckhand/Certificate/v1":
-                        cert = result['data']
-                        cert_info = pki_util.check_expiry(cert)
-                        if cert_info['expired'] is True:
-                            cert_table.add_row(
-                                [
-                                    doc, result['metadata']['name'],
-                                    cert_info['expiry_date']
-                                ])
-                            expired_certs_exist = True
+                    if result['schema'] in cert_schemas:
+                        text = result['data']
+                        header_pattern = '-----BEGIN CERTIFICATE-----'
+                        find_pattern = r'%s.*?(?=%s|$)' % (
+                            header_pattern, header_pattern)
+                        certs = re.findall(find_pattern, text, re.DOTALL)
+                        for cert in certs:
+                            cert_info = pki_util.check_expiry(cert)
+                            if cert_info['expired'] is True:
+                                cert_table.add_row(
+                                    [
+                                        doc, result['metadata']['name'],
+                                        cert_info['expiry_date']
+                                    ])
+                                expired_certs_exist = True
 
     # Return table of cert names and expiration dates that are expiring
     return expired_certs_exist, cert_table.get_string()
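Review bot: A Certificate or CertificateAuthority document whose `data` carries no `-----BEGIN CERTIFICATE-----` header now produces an empty `certs` list and is skipped without a row or an error, whereas before this change the whole data field still reached `check_expiry`, which would presumably fail on unparseable input; for an expiry scanner a silent false negative is the worst outcome, so add a guard after the `re.findall` such as `if not certs: LOG.warning('No PEM certificate found in %s/%s', doc, result['metadata']['name'])` (hedged: `logging` is imported, but the module logger's name is outside the hunk). The `header_pattern` and `find_pattern` strings are rebuilt for every document; they belong at module level as one compiled pattern built with `re.escape(header_pattern)` so a later label change cannot introduce regex metacharacters. Each match also carries whatever text sits between `-----END CERTIFICATE-----` and the next header (trailing comments, blank lines), and whether `check_expiry` tolerates that is not visible here. `check_cert_expiry` begins before this hunk.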