WIP

raviks789 · raviks789 · commit 9c9d26a510c2 · 2022-10-11T10:06:05.000+02:00
diff --git a/application/clicommands/CheckCommand.php b/application/clicommands/CheckCommand.php
@@ -113,15 +113,15 @@ public function hostAction()
 
         $state = 3;
         foreach ($this->getDb()->select($targets) as $target) {
-            if ($target['valid'] === 'no' && ($target['self_signed'] === 'no' || ! $allowSelfSigned)) {
-                $invalidMessage = $target['subject'] . ': ' . $target['invalid_reason'];
+            if ($target->valid === 'no' && ($target->self_signed === 'no' || ! $allowSelfSigned)) {
+                $invalidMessage = $target->subject . ': ' . $target->invalid_reason;
                 $output[$invalidMessage] = $invalidMessage;
                 $state = 2;
             }
 
             $now = new \DateTime();
-            $validFrom = (new \DateTime())->setTimestamp($target['valid_from']);
-            $validTo = (new \DateTime())->setTimestamp($target['valid_to']);
+            $validFrom = (new \DateTime())->setTimestamp($target->valid_from);
+            $validTo = (new \DateTime())->setTimestamp($target->valid_to);
             $criticalAfter = $this->thresholdToDateTime($validFrom, $validTo, $criticalThreshold, $criticalUnit);
             $warningAfter = $this->thresholdToDateTime($validFrom, $validTo, $warningThreshold, $warningUnit);
 
@@ -136,28 +136,28 @@ public function hostAction()
             $remainingTime = $now->diff($validTo);
             if (! $remainingTime->invert) {
                 // The certificate has not expired yet
-                $output[$target['subject']] = sprintf(
+                $output[$target->subject] = sprintf(
                     '%s expires in %d days',
-                    $target['subject'],
+                    $target->subject,
                     $remainingTime->days
                 );
             } else {
-                $output[$target['subject']] = sprintf(
+                $output[$target->subject] = sprintf(
                     '%s has expired since %d days',
-                    $target['subject'],
+                    $target->subject,
                     $remainingTime->days
                 );
             }
 
-            $perfData[$target['subject']] = sprintf(
+            $perfData[$target->subject] = sprintf(
                 "'%s'=%ds;%d:;%d:;0;%d",
-                $target['subject'],
+                $target->subject,
                 $remainingTime->invert
                     ? 0
-                    : $target['valid_to'] - time(),
-                $target['valid_to'] - $warningAfter->getTimestamp(),
-                $target['valid_to'] - $criticalAfter->getTimestamp(),
-                $target['valid_to'] - $target['valid_from']
+                    : $target->valid_to - time(),
+                $target->valid_to - $warningAfter->getTimestamp(),
+                $target->valid_to - $criticalAfter->getTimestamp(),
+                $target->valid_to - $target->valid_from
             );
         }
 
diff --git a/application/clicommands/ScanCommand.php b/application/clicommands/ScanCommand.php
@@ -9,6 +9,8 @@
 use Icinga\Module\X509\Command;
 use Icinga\Module\X509\Hook\SniHook;
 use Icinga\Module\X509\Job;
+use ipl\Sql\Connection;
+use ipl\Sql\Expression;
 
 class ScanCommand extends Command
 {
@@ -58,9 +60,19 @@ public function indexAction()
                 $name
             );
 
+//            $this->cleanupTargets($this->getDb());
+
             $verified = CertificateUtils::verifyCertificates($this->getDb());
 
             Logger::info("Checked %d certificate chain%s.", $verified, $verified !== 1 ? 's' : '');
         }
     }
+
+    protected function cleanupTargets(Connection $db)
+    {
+        $db->delete(
+            'x509_target',
+            ['last_seen = ?' => new Expression('NOW() - INTERVAL 1 DAY')]
+        );
+    }
 }
diff --git a/library/X509/CertificateUtils.php b/library/X509/CertificateUtils.php
@@ -8,6 +8,7 @@
 use Icinga\Application\Logger;
 use Icinga\File\Storage\TemporaryLocalFileStorage;
 use ipl\Sql\Connection;
+use ipl\Sql\Expression;
 use ipl\Sql\Select;
 
 class CertificateUtils
@@ -244,7 +245,8 @@ public static function findOrInsertCert(Connection $db, $cert)
                 'valid_to'            => $certInfo['validTo_time_t'],
                 'fingerprint'         => $dbTool->marshalBinary($fingerprint),
                 'serial'              => $dbTool->marshalBinary(gmp_export($certInfo['serialNumber'])),
-                'certificate'         => $dbTool->marshalBinary($der)
+                'certificate'         => $dbTool->marshalBinary($der),
+                'last_seen'           => new Expression('NOW()')
             ]
         );
 
@@ -353,6 +355,26 @@ private static function findOrInsertDn($db, $certInfo, $type)
         return $hash;
     }
 
+    public static function cleanupCertificates(Connection $db)
+    {
+        $db->delete(
+            'x509_certificate',
+            ['last_seen = ?' => new Expression('NOW() - INTERVAL 7 DAY')]
+        );
+
+        $db->delete(
+            'x509_dn',
+            ['last_seen' => new Expression('NOW() - INTERVAL 7 DAY')]
+        );
+
+//        DELETE
+//FROM x509_dn
+//WHERE type='subject' AND HASH <> ALL (
+//        SELECT DISTINCT subject_hash
+//FROM x509_certificate
+//);
+    }
+
     /**
      * Verify certificates
      *
@@ -405,7 +427,7 @@ public static function verifyCertificates(Connection $db)
                 $certs = $db->select(
                     (new Select())
                         ->from('x509_certificate c')
-                        ->columns('c.certificate')
+                        ->columns(['c.certificate', 'c.id'])
                         ->join('x509_certificate_chain_link ccl', 'ccl.certificate_id = c.id')
                         ->where(['ccl.certificate_chain_id = ?' => $chain->id])
                         ->orderBy(['ccl.order' => 'DESC'])
@@ -414,6 +436,11 @@ public static function verifyCertificates(Connection $db)
                 $collection = [];
 
                 foreach ($certs as $cert) {
+                    $db->update(
+                        'x509_certificate',
+                        ['last_seen' => new Expression('NOW()')],
+                        ['id = ?' => $chain->id]
+                    );
                     $collection[] = CertificateUtils::der2pem(DbTool::unmarshalBinary($cert->certificate));
                 }
 
diff --git a/library/X509/Job.php b/library/X509/Job.php
@@ -85,7 +85,7 @@ private static function numberToAddr($num, $ipv6 = true)
         }
     }
 
-    private static function generateTargets(ConfigObject $jobDescription, array $hostnamesConfig)
+    private function generateTargets(ConfigObject $jobDescription, array $hostnamesConfig)
     {
         foreach (StringHelper::trimSplit($jobDescription->get('cidrs')) as $cidr) {
             $pieces = explode('/', $cidr);
@@ -124,6 +124,17 @@ private static function generateTargets(ConfigObject $jobDescription, array $hos
                     foreach (range($start_port, $end_port) as $port) {
                         $hostnames = isset($hostnamesConfig[$ip]) ? $hostnamesConfig[$ip] : [];
 
+                        if (! empty($hostnames)) {
+                            $this->db->delete(
+                                'x509_target',
+                                [
+                                    'ip = ?'       => $this->dbTool->marshalBinary(static::binary($ip)),
+                                    'port = ?'     => $port,
+                                    'hostname NOT IN (?)' => array_values($hostnames)
+                                ]
+                            );
+                        }
+
                         if (empty($hostnames)) {
                             $hostnames[] = null;
                         }
@@ -133,6 +144,8 @@ private static function generateTargets(ConfigObject $jobDescription, array $hos
                             $target->ip = $ip;
                             $target->port = $port;
                             $target->hostname = $hostname;
+
+                            $this->updateLastScan($target);
                             yield $target;
                         }
                     }
@@ -243,6 +256,22 @@ function (\Exception $exception) use ($target, $streamCapture) {
         });
     }
 
+    protected function updateLastScan($target)
+    {
+        if (isset($target->id)) {
+            $filter = ['id = ?' => $target->id];
+        } else {
+            $filter = [
+                'ip = ?'       => $this->dbTool->marshalBinary(static::binary($target->ip)),
+                'port = ?'     => $target->port,
+                'hostname = ?' => $target->hostname
+            ];
+        }
+
+        $now = new Expression('NOW()');
+        $this->db->update('x509_target', ['last_scan' => $now], $filter);
+    }
+
     public function getJobId()
     {
         return $this->jobId;
@@ -252,13 +281,13 @@ public function run()
     {
         $this->loop = Factory::create();
 
-        $this->totalTargets = iterator_count(static::generateTargets($this->jobDescription, $this->snimap));
+        $this->totalTargets = iterator_count($this->generateTargets($this->jobDescription, $this->snimap));
 
         if ($this->totalTargets == 0) {
             return null;
         }
 
-        $this->targets = static::generateTargets($this->jobDescription, $this->snimap);
+        $this->targets = $this->generateTargets($this->jobDescription, $this->snimap);
 
         $this->db->insert(
             'x509_job_run',
@@ -309,7 +338,8 @@ protected function processChain($target, $chain)
                     [
                         'ip'       => $this->dbTool->marshalBinary(static::binary($target->ip)),
                         'port'     => $target->port,
-                        'hostname' => $target->hostname
+                        'hostname' => $target->hostname,
+                        'last_scan' => new Expression('NOW()')
                     ]
                 );
                 $targetId = $this->db->lastInsertId();
@@ -369,6 +399,12 @@ protected function processChain($target, $chain)
 
                     $certId = CertificateUtils::findOrInsertCert($this->db, $cert, $certInfo);
 
+                    $this->db->update(
+                        'x509_certificate',
+                        ['last_seen' => new Expression('NOW()')],
+                        ['id = ?' => $certId]
+                    );
+
                     $this->db->insert(
                         'x509_certificate_chain_link',
                         [
@@ -382,7 +418,10 @@ protected function processChain($target, $chain)
 
             $this->db->update(
                 'x509_target',
-                ['latest_certificate_chain_id' => $chainId],
+                [
+                    'latest_certificate_chain_id' => $chainId,
+                    'last_seen' => new Expression('NOW()')
+                ],
                 ['id = ?' => $targetId]
             );
         });
