def beacon(config):
"""
Monitor the certificate files on the minion.
Specify a notification threshold in days and only emit a beacon if any certificates are
expiring within that timeframe or if `notify_days` equals `-1` (always report information).
The default notification threshold is 45 days and can be overridden at the beacon level and
at an individual certificate level.
.. code-block:: yaml
beacons:
cert_info:
- files:
- /etc/pki/tls/certs/mycert.pem
- /etc/pki/tls/certs/yourcert.pem:
notify_days: 15
- /etc/pki/tls/certs/ourcert.pem
- notify_days: 45
- interval: 86400
"""
ret = []
certificates = []
CryptoError = crypto.Error # pylint: disable=invalid-name
_config = {}
list(_map(_config.update, config))
global_notify_days = _config.get("notify_days", DEFAULT_NOTIFY_DAYS)
for cert_path in _config.get("files", []):
notify_days = global_notify_days
if isinstance(cert_path, dict):
try:
next_cert_path = next(iter(cert_path))
notify_days = cert_path[next_cert_path].get(
"notify_days", global_notify_days
)
except StopIteration as exc:
log.error("Unable to load certificate %s (%s)", cert_path, exc)
continue
else:
cert_path = next_cert_path
try:
with salt.utils.files.fopen(cert_path) as fp_:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, fp_.read())
except (IOError, CryptoError) as exc:
log.error("Unable to load certificate %s (%s)", cert_path, exc)
continue
cert_date = datetime.strptime(
cert.get_notAfter().decode(encoding="UTF-8"), "%Y%m%d%H%M%SZ"
)
date_diff = (cert_date - datetime.today()).days
log.debug("Certificate %s expires in %s days.", cert_path, date_diff)
if notify_days < 0 or date_diff <= notify_days:
log.debug(
"Certificate %s triggered beacon due to %s day notification threshold.",
cert_path,
notify_days,
)
extensions = []
for ext in _range(0, cert.get_extension_count()):
extensions.append(
{
"ext_name": cert.get_extension(ext)
.get_short_name()
.decode(encoding="UTF-8"),
"ext_data": str(cert.get_extension(ext)),
}
)
certificates.append(
{
"cert_path": cert_path,
"issuer": ",".join(
[
'{0}="{1}"'.format(
t[0].decode(encoding="UTF-8"),
t[1].decode(encoding="UTF-8"),
)
for t in cert.get_issuer().get_components()
]
),
"issuer_dict": {
k.decode("UTF-8"): v.decode("UTF-8")
for k, v in cert.get_issuer().get_components()
},
"notAfter_raw": cert.get_notAfter().decode(encoding="UTF-8"),
"notAfter": cert_date.strftime("%Y-%m-%d %H:%M:%SZ"),
"notBefore_raw": cert.get_notBefore().decode(encoding="UTF-8"),
"notBefore": datetime.strptime(
cert.get_notBefore().decode(encoding="UTF-8"), "%Y%m%d%H%M%SZ"
).strftime("%Y-%m-%d %H:%M:%SZ"),
"serial_number": cert.get_serial_number(),
"signature_algorithm": cert.get_signature_algorithm().decode(
encoding="UTF-8"
),
"subject": ",".join(
[
'{0}="{1}"'.format(
t[0].decode(encoding="UTF-8"),
t[1].decode(encoding="UTF-8"),
)
for t in cert.get_subject().get_components()
]
),
"subject_dict": {
k.decode("UTF-8"): v.decode("UTF-8")
for k, v in cert.get_subject().get_components()
},
"version": cert.get_version(),
"extensions": extensions,
"has_expired": cert.has_expired(),
}
)
if certificates:
ret.append({"certificates": certificates})
return ret
def beacon(config):
'''
Monitor the certificate files on the minion.
Specify a notification threshold in days and only emit a beacon if any certificates are
expiring within that timeframe or if `notify_days` equals `-1` (always report information).
The default notification threshold is 45 days and can be overridden at the beacon level and
at an individual certificate level.
.. code-block:: yaml
beacons:
cert_info:
- files:
- /etc/pki/tls/certs/mycert.pem
- /etc/pki/tls/certs/yourcert.pem:
notify_days: 15
- /etc/pki/tls/certs/ourcert.pem
- notify_days: 45
- interval: 86400
'''
ret = []
certificates = []
CryptoError = crypto.Error # pylint: disable=invalid-name
_config = {}
list(_map(_config.update, config))
global_notify_days = _config.get('notify_days', DEFAULT_NOTIFY_DAYS)
for cert_path in _config.get('files', []):
notify_days = global_notify_days
if isinstance(cert_path, dict):
try:
notify_days = cert_path[cert_path.keys()[0]].get(
'notify_days', global_notify_days)
cert_path = cert_path.keys()[0]
except IndexError as exc:
log.error('Unable to load certificate %s (%s)', cert_path, exc)
continue
try:
with salt.utils.files.fopen(cert_path) as fp_:
cert = crypto.load_certificate(crypto.FILETYPE_PEM, fp_.read())
except (IOError, CryptoError) as exc:
log.error('Unable to load certificate %s (%s)', cert_path, exc)
continue
cert_date = datetime.strptime(
cert.get_notAfter().decode(encoding='UTF-8'), "%Y%m%d%H%M%SZ")
date_diff = (cert_date - datetime.today()).days
log.debug('Certificate %s expires in %s days.', cert_path, date_diff)
if notify_days < 0 or date_diff <= notify_days:
log.debug(
'Certificate %s triggered beacon due to %s day notification threshold.',
cert_path, notify_days)
extensions = []
for ext in _range(0, cert.get_extension_count()):
extensions.append({
'ext_name':
cert.get_extension(ext).get_short_name().decode(
encoding='UTF-8'),
'ext_data':
str(cert.get_extension(ext))
})
certificates.append({
'cert_path':
cert_path,
'issuer':
','.join([
'{0}="{1}"'.format(t[0].decode(encoding='UTF-8'),
t[1].decode(encoding='UTF-8'))
for t in cert.get_issuer().get_components()
]),
'issuer_dict': {
k.decode('UTF-8'): v.decode('UTF-8')
for k, v in cert.get_issuer().get_components()
},
'notAfter_raw':
cert.get_notAfter().decode(encoding='UTF-8'),
'notAfter':
cert_date.strftime("%Y-%m-%d %H:%M:%SZ"),
'notBefore_raw':
cert.get_notBefore().decode(encoding='UTF-8'),
'notBefore':
datetime.strptime(
cert.get_notBefore().decode(encoding='UTF-8'),
"%Y%m%d%H%M%SZ").strftime("%Y-%m-%d %H:%M:%SZ"),
'serial_number':
cert.get_serial_number(),
'signature_algorithm':
cert.get_signature_algorithm().decode(encoding='UTF-8'),
'subject':
','.join([
'{0}="{1}"'.format(t[0].decode(encoding='UTF-8'),
t[1].decode(encoding='UTF-8'))
for t in cert.get_subject().get_components()
]),
'subject_dict': {
k.decode('UTF-8'): v.decode('UTF-8')
for k, v in cert.get_subject().get_components()
},
'version':
cert.get_version(),
'extensions':
extensions,
'has_expired':
cert.has_expired()
})
if certificates:
ret.append({'certificates': certificates})
return ret
