From a97c9cdba2330456e962bf23959981c7a21e014c Mon Sep 17 00:00:00 2001
From: "Ian H. Pittwood"
Date: Tue, 10 Dec 2019 09:01:36 -0600
Subject: [PATCH] Improve check-pki-certs output
Adds alternate message when no certificates are expiring
Exit code will now be 1 if there are certificates expiring and 0 if no certificates are expiring
Change-Id: I94a7a5af0c5469b83001b5439f18691140de6245
---
pegleg/cli.py | 16 ++++++++++++----
pegleg/engine/secrets.py | 4 +++-
tests/unit/test_cli.py | 13 +++++++++++--
3 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/pegleg/cli.py b/pegleg/cli.py
index bf14b294..e65312ee 100644
--- a/pegleg/cli.py
+++ b/pegleg/cli.py
@@ -585,11 +585,19 @@ def check_pki_certs(site_name, days): engine.repository.process_repositories(site_name, overwrite_existing=True) config.set_global_enc_keys(site_name)
- cert_results = engine.secrets.check_cert_expiry(site_name, duration=days)
+ expired_certs_exist, cert_results = engine.secrets.check_cert_expiry( site_name, duration=days)
- click.echo( "The following certs will expire within {} days: \n{}".format( days, cert_results))
+ if expired_certs_exist: click.echo( "The following certs will expire within the next {} days: \n{}". format(days, cert_results)) exit(1) else: click.echo( "No certificates will expire within the next {} days.".format( days)) exit(0) @main.group(help='Commands related to types')
diff --git a/pegleg/engine/secrets.py b/pegleg/engine/secrets.py
index 2738f259..6564a597 100644
--- a/pegleg/engine/secrets.py
+++ b/pegleg/engine/secrets.py
@@ -236,6 +236,7 @@ def check_cert_expiry(site_name, duration=60): # Create a table to output expired/expiring certs for this site. cert_table = PrettyTable() cert_table.field_names = ['file', 'cert_name', 'expiration_date']
+ expired_certs_exist = False s = definition.site_files(site_name) for doc in s: 
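Review bot: The new `exit(1)` / `exit(0)` calls in check_pki_certs use the `site`-module helper `exit`, which is meant for interactive sessions and is absent when Python runs with `-S`; the library-safe form is `sys.exit(1)` (assuming `sys` is imported in cli.py, which is outside the hunk) or `click.get_current_context().exit(1)`. The `exit(0)` in the else branch is redundant, since returning normally from the command already yields status 0. The wording "will expire within the next {} days" also covers certificates that have already expired, if the table built in secrets.py holds expired as well as expiring certs as its own comment says; "have expired or will expire within the next {} days" would be accurate for both. The beginning of check_pki_certs lies before this hunk.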
@@ -255,9 +256,10 @@ def check_cert_expiry(site_name, duration=60): doc, result['metadata']['name'], cert_info['expiry_date'] ])
+ expired_certs_exist = True # Return table of cert names and expiration dates that are expiring
- return cert_table.get_string()
+ return expired_certs_exist, cert_table.get_string() def get_global_creds(site_name):
diff --git a/tests/unit/test_cli.py b/tests/unit/test_cli.py
index 43699339..a25487d7 100644
--- a/tests/unit/test_cli.py
+++ b/tests/unit/test_cli.py
@@ -28,7 +28,7 @@ from tests.unit import test_utils TEST_PARAMS = { "site_name": "seaworthy", "site_type": "foundry",
- "repo_rev": '33bdd46754b7acabb2cbc2f4b335d34ecb80d4ce',
+ "repo_rev": '29c67eb3a0ce046e41cfadbb9381697cd556f659', "repo_name": "treasuremap", "repo_url": "https://opendev.org/airship/treasuremap.git", }
@@ -592,10 +592,19 @@ class TestSiteSecretsActions(BaseCLIActionTest): @pytest.mark.skipif( not pki_utility.PKIUtility.cfssl_exists(), reason='cfssl must be installed to execute these tests')
- def test_check_pki_certs(self):
+ def test_check_pki_certs_expired(self): repo_path = self.treasuremap_path secrets_opts = ['secrets', 'check-pki-certs', self.site_name] result = self.runner.invoke(cli.site, ['-r', repo_path] + secrets_opts)
+ assert result.exit_code == 1, result.output
+
+ @pytest.mark.skipif(
+ not pki_utility.PKIUtility.cfssl_exists(),
+ reason='cfssl must be installed to execute these tests')
+ def test_check_pki_certs(self):
+ repo_path = self.treasuremap_path
+ secrets_opts = ['secrets', 'check-pki-certs', 'airsloop']
+ result = self.runner.invoke(cli.site, ['-r', repo_path] + secrets_opts) assert result.exit_code == 0, result.output @mock.patch.dict( 
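Review bot: check_cert_expiry now returns a `(bool, str)` tuple, but the comment directly above the changed `return` still reads `# Return table of cert names and expiration dates that are expiring`, and the function docstring (above this hunk) presumably still describes a single string; change the comment to `# Return whether any certs are expired/expiring, plus the table of their names and dates` and update the docstring's return section, since any other caller of check_cert_expiry outside this patch now receives a tuple. The flag initialised in the previous hunk is named `expired_certs_exist`, yet it is set for every row of a table the code itself describes as holding "expired/expiring certs"; either rename it `expiring_certs_exist` or state in the docstring that "expired" here means expired or due within `duration` days. The loop that appends the rows starts before this hunk.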
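Review bot: The pinned treasuremap revision in TEST_PARAMS moves to `29c67eb3a0ce046e41cfadbb9381697cd556f659` without the commit message saying what the new revision supplies; presumably it is needed for the airsloop site used by the new test. A comment above the pin, e.g. `# pinned: cert fixtures for seaworthy/airsloop must stay stable; bump deliberately`, would keep the pin auditable, since these tests appear to fetch that revision from the repo_url at test time.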
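Review bot: Both tests assert exit codes that depend on the real certificate dates in the pinned treasuremap revision relative to the wall clock: `test_check_pki_certs` expects 0 for airsloop and will start failing by itself once any airsloop cert falls inside the default window (`duration=60` in the check_cert_expiry header), while `test_check_pki_certs_expired` only passes while seaworthy has certs inside it. A deterministic alternative is to patch the engine call, e.g. `@mock.patch('pegleg.engine.secrets.check_cert_expiry', return_value=(False, ''))` on the exit-0 case and `return_value=(True, 'table')` on the exit-1 case, keeping the cfssl-gated runs as explicitly marked integration tests if the real data is wanted. The duplicated `@pytest.mark.skipif(...)` decorator could also be a single module-level marker applied to both tests. TestSiteSecretsActions continues outside the hunk.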