Improve check-pki-certs output

Adds alternate message when no certificates are expiring Exit code will now be 1 if there are certificates expiring and 0 if no certificates are expiring Change-Id: I94a7a5af0c5469b83001b5439f18691140de6245
2019-12-10 09:01:36 -06:00 · 2019-12-10 09:01:36 -06:00 · a97c9cdba2
parent 87d24d530a
commit a97c9cdba2
3 changed files with 26 additions and 7 deletions
--- a/pegleg/cli.py
+++ b/pegleg/cli.py
@ -585,11 +585,19 @@ def check_pki_certs(site_name, days):
    engine.repository.process_repositories(site_name, overwrite_existing=True)
    config.set_global_enc_keys(site_name)

-    cert_results = engine.secrets.check_cert_expiry(site_name, duration=days)
+    expired_certs_exist, cert_results = engine.secrets.check_cert_expiry(
+        site_name, duration=days)

-    click.echo(
-        "The following certs will expire within {} days: \n{}".format(
-            days, cert_results))
+    if expired_certs_exist:
+        click.echo(
+            "The following certs will expire within the next {} days: \n{}".
+            format(days, cert_results))
+        exit(1)
+    else:
+        click.echo(
+            "No certificates will expire within the next {} days.".format(
+                days))
+        exit(0)


@main.group(help='Commands related to types')
--- a/pegleg/engine/secrets.py
+++ b/pegleg/engine/secrets.py
@ -236,6 +236,7 @@ def check_cert_expiry(site_name, duration=60):
    # Create a table to output expired/expiring certs for this site.
    cert_table = PrettyTable()
    cert_table.field_names = ['file', 'cert_name', 'expiration_date']
+    expired_certs_exist = False

    s = definition.site_files(site_name)
    for doc in s:
@ -255,9 +256,10 @@ def check_cert_expiry(site_name, duration=60):
                                    doc, result['metadata']['name'],
                                    cert_info['expiry_date']
                                ])
+                            expired_certs_exist = True

    # Return table of cert names and expiration dates that are expiring
-    return cert_table.get_string()
+    return expired_certs_exist, cert_table.get_string()


 def get_global_creds(site_name):
--- a/tests/unit/test_cli.py
+++ b/tests/unit/test_cli.py
@ -28,7 +28,7 @@ from tests.unit import test_utils
 TEST_PARAMS = {
    "site_name": "seaworthy",
    "site_type": "foundry",
-    "repo_rev": '33bdd46754b7acabb2cbc2f4b335d34ecb80d4ce',
+    "repo_rev": '29c67eb3a0ce046e41cfadbb9381697cd556f659',
    "repo_name": "treasuremap",
    "repo_url": "https://opendev.org/airship/treasuremap.git",
 }
@ -592,10 +592,19 @@ class TestSiteSecretsActions(BaseCLIActionTest):
    @pytest.mark.skipif(
        not pki_utility.PKIUtility.cfssl_exists(),
        reason='cfssl must be installed to execute these tests')
-    def test_check_pki_certs(self):
+    def test_check_pki_certs_expired(self):
        repo_path = self.treasuremap_path
        secrets_opts = ['secrets', 'check-pki-certs', self.site_name]
        result = self.runner.invoke(cli.site, ['-r', repo_path] + secrets_opts)
+        assert result.exit_code == 1, result.output
+
+    @pytest.mark.skipif(
+        not pki_utility.PKIUtility.cfssl_exists(),
+        reason='cfssl must be installed to execute these tests')
+    def test_check_pki_certs(self):
+        repo_path = self.treasuremap_path
+        secrets_opts = ['secrets', 'check-pki-certs', 'airsloop']
+        result = self.runner.invoke(cli.site, ['-r', repo_path] + secrets_opts)
        assert result.exit_code == 0, result.output

    @mock.patch.dict(