Merge pull request #132 from Icinga/feature/mange-expired-certificates

lippserd · web-flow · commit 3da65d0d13de · 2023-02-23T14:28:30.000+01:00
Introduce `CleanupCommand`
diff --git a/application/clicommands/CleanupCommand.php b/application/clicommands/CleanupCommand.php
@@ -0,0 +1,84 @@
+<?php
+
+/* Icinga Web 2 X.509 Module | (c) 2023 Icinga GmbH | GPLv2 */
+
+namespace Icinga\Module\X509\Clicommands;
+
+use DateTime;
+use Exception;
+use Icinga\Application\Logger;
+use Icinga\Module\X509\CertificateUtils;
+use Icinga\Module\X509\Command;
+use InvalidArgumentException;
+use Throwable;
+
+class CleanupCommand extends Command
+{
+    /**
+     * Remove targets whose last scan is older than a certain date/time and certificates that are no longer used.
+     *
+     * By default, any targets whose last scan is older than 1 month are removed. The last scan information is
+     * always updated when scanning a target, regardless of whether a successful connection is made or not.
+     * Therefore, targets that have been decommissioned or are no longer part of a job configuration are removed
+     * after the specified period. Any certificates that are no longer used are also removed. This can either be
+     * because the associated target has been removed or because it is presenting a new certificate chain.
+     *
+     * USAGE
+     *
+     *     icingacli x509 cleanup [OPTIONS]
+     *
+     * OPTIONS
+     *
+     * --since-last-scan=<datetime>
+     *     Clean up targets whose last scan is older than the specified date/time,
+     *     which can also be an English textual datetime description like "2 days".
+     *     Defaults to "1 month".
+     *
+     * EXAMPLES
+     *
+     * Remove any targets that have not been scanned for at least two months and any certificates that are no longer
+     * used.
+     *
+     *     icingacli x509 cleanup --since-last-scan="2 months"
+     *
+     */
+    public function indexAction()
+    {
+        $sinceLastScan = $this->params->get('since-last-scan', '-1 month');
+        $lastScan = $sinceLastScan;
+        if ($lastScan[0] !== '-') {
+            // When the user specified "2 days" as a threshold strtotime() will compute the
+            // timestamp NOW() + 2 days, but it has to be NOW() + (-2 days)
+            $lastScan = "-$lastScan";
+        }
+
+        try {
+            $sinceLastScan = new DateTime($lastScan);
+        } catch (Exception $_) {
+            throw new InvalidArgumentException(sprintf(
+                'The specified last scan time is in an unknown format: %s',
+                $sinceLastScan
+            ));
+        }
+
+        try {
+            $conn = $this->getDb();
+            $query = $conn->delete(
+                'x509_target',
+                ['last_scan < ?' => $sinceLastScan->format('Uv')]
+            );
+
+            if ($query->rowCount() > 0) {
+                Logger::info(
+                    'Removed %d targets matching since last scan filter: %s',
+                    $query->rowCount(),
+                    $sinceLastScan->format('Y-m-d H:i:s')
+                );
+            }
+
+            CertificateUtils::cleanupNoLongerUsedCertificates($conn);
+        } catch (Throwable $err) {
+            Logger::error($err);
+        }
+    }
+}
diff --git a/library/X509/CertificateUtils.php b/library/X509/CertificateUtils.php
@@ -11,8 +11,10 @@
 use Icinga\Module\X509\Model\X509CertificateChain;
 use Icinga\Module\X509\Model\X509CertificateSubjectAltName;
 use Icinga\Module\X509\Model\X509Dn;
+use Icinga\Module\X509\Model\X509Target;
 use ipl\Sql\Connection;
 use ipl\Sql\Expression;
+use ipl\Sql\Select;
 use ipl\Stdlib\Filter;
 
 class CertificateUtils
@@ -365,6 +367,49 @@ private static function findOrInsertDn($db, $certInfo, $type)
         return $hash;
     }
 
+    /**
+     * Remove certificates that are no longer in use
+     *
+     * Remove chains that aren't used by any target, certificates that aren't part of any chain, and DNs
+     * that aren't used anywhere.
+     *
+     * @param Connection $conn
+     */
+    public static function cleanupNoLongerUsedCertificates(Connection $conn)
+    {
+        $chainQuery = $conn->delete(
+            'x509_certificate_chain',
+            ['id NOT IN ?' => X509Target::on($conn)->columns('latest_certificate_chain_id')->assembleSelect()]
+        );
+
+        $rows = $chainQuery->rowCount();
+        if ($rows > 0) {
+            Logger::info('Removed %d certificate chains that are not used by any targets', $rows);
+        }
+
+        $certsQuery = $conn->delete('x509_certificate', [
+            'id NOT IN ?' => (new Select())
+                ->from('x509_certificate_chain_link ccl')
+                ->columns(['ccl.certificate_id'])
+                ->distinct(),
+            'trusted = ?' => 'n',
+        ]);
+
+        $rows = $certsQuery->rowCount();
+        if ($rows > 0) {
+            Logger::info('Removed %d certificates that are not part of any chains', $rows);
+        }
+
+        $dnQuery = $conn->delete('x509_dn', [
+            'hash NOT IN ?' => X509Certificate::on($conn)->columns('subject_hash')->assembleSelect()
+        ]);
+
+        $rows = $dnQuery->rowCount();
+        if ($rows > 0) {
+            Logger::info('Removed %d DNs that are not used anywhere', $rows);
+        }
+    }
+
     /**
      * Verify certificates
      *
