From ce7f87aeb0515128cadafa7b5f6d90415222190a Mon Sep 17 00:00:00 2001
From: amantri
Date: Mon, 4 Mar 2024 14:22:35 -0500
Subject: [PATCH] Change cert-alarm service audit behavior
Cert-alarm audit only considering days while comparing the alarm_before ,renew_before and expiry times this leaves a window for few hours where an alarm is raised before the renew_before time of the certificate. This change addresses this issue by considering hours,mins along with days.
TestCases:
PASS: Create a certificate with duration 3hr, renewbefore 2h30min now wait for 15mins and run full audit and verify that no alarm is raised since expiry(2hr45min)> threshold(2hr30min)
PASS: Create a certificate with duration 3hr,renewbefore 2h30min. delete the issuer which issued the certificate, after 30mins the certificate renew fails then the expiry of the certificate becomes less than threshold which is 2h30min, restart cert-alarm service to run the full audit, notice an alarm 500.200 is raised for this certificate, let it expire and notice that 500.200 is cleared and 500.210 expired alarm is raised,create the issuer and notice that 500.210 alarm cleared when active alarm audit runs.
PASS: Install a ssl_ca certificate which expires in 1 day, notice that an alarm 500.200 is raised and let it expire, notice that 500.210 alarm is raised and 500.200 is cleared on this certificate.
Closes-Bug: 2056071
Change-Id: I4f1a866d101d0b8d8cb50f1bf5a2e6698511296a
Signed-off-by: amantri
---
 .../sysinv/sysinv/sysinv/cert_alarm/audit.py | 20 ++++++++-----------
 1 file changed, 8 insertions(+), 12 deletions(-)
diff --git a/sysinv/sysinv/sysinv/sysinv/cert_alarm/audit.py b/sysinv/sysinv/sysinv/sysinv/cert_alarm/audit.py
index dff4bb4476..5faffa5db6 100644
--- a/sysinv/sysinv/sysinv/sysinv/cert_alarm/audit.py
+++ b/sysinv/sysinv/sysinv/sysinv/cert_alarm/audit.py
@@ -171,7 +171,7 @@ class CertAlarmAudit(object):
 @staticmethod
 def parse_time(time_str):
- regex = re.compile(r'((?P\d+?)w)?((?P\d+?)d)?((?P\d+?)h)?')
+ regex = re.compile(r'((?P\d+?)w)?((?P\d+?)d)?((?P\d+?)h)?((?P\d+?)m)?')
 parts = regex.match(time_str).groupdict()
 time_params = {}
 for name, param in parts.items():
@@ -196,27 +196,23 @@ class CertAlarmAudit(object):
 if utils.SNAPSHOT_KEY_RENEW_BEFORE in snapshot:
 renew_before = self.parse_time(snapshot[utils.SNAPSHOT_KEY_RENEW_BEFORE])
 LOG.debug('cert_name=%s, entity_id=%s, expiry=%s, alarm_before=%s, renew_before=%s'
- % (cert_name, entity_id, expiry.days, alarm_before.days, renew_before.days))
-
- days_to_expiry = expiry.days
- alarm_before_days = alarm_before.days
- renew_before_days = renew_before.days
+ % (cert_name, entity_id, expiry, alarm_before, renew_before))
 # set threshold date to raise alarms
- if renew_before_days:
- # if renew_before_days valid, take latest (smaller timedelta) of two dates as threshold
- threshold = renew_before_days if renew_before_days < alarm_before_days else alarm_before_days
+ if renew_before:
+ # if renew_before valid, take latest (smaller timedelta) of two dates as threshold
+ threshold = renew_before if renew_before < alarm_before else alarm_before
 else:
- threshold = alarm_before_days
+ threshold = alarm_before
 is_alarm_enabled = self.alarm_override_check_passed(cert_name)
 if is_alarm_enabled:
- if days_to_expiry > threshold:
+ if expiry > threshold:
 self.clear_expiring_soon(cert_name, entity_id)
 self.clear_expired(cert_name, entity_id)
 else:
- if days_to_expiry < 0:
+ if expiry < timedelta():
 # Expired. Clear expiring-soon & raise expired
 self.clear_expiring_soon(cert_name, entity_id)
 self.raise_expired(cert_name, entity_id)
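Review bot: `regex.match(time_str)` in parse_time anchors only at the start and every unit group is optional, so text the pattern does not recognise (a seconds suffix, a fractional value, units in a different order) is dropped without any signal, and a string that matches nothing yields only empty groups. Adding the minutes group does not change that, and the second hunk now tests `if renew_before:`, where an all-empty parse would presumably read as "not set" and quietly move the threshold to `alarm_before`. Keeping the match object and logging leftover input would make a mis-parsed value visible: `m = regex.match(time_str)` followed by `if m.end() != len(time_str): LOG.warning('unparsed duration text in %s' % time_str)`. The rest of parse_time lies outside the hunk, so how the groups are turned into a value is inferred.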
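Review bot: The threshold chosen in the `if renew_before:` branch can now be a matter of minutes, so whether the expiring-soon alarm is ever raised depends on an audit pass landing inside that window; the audit period is not visible in this hunk. With the old `.days` comparison a sub-day `renew_before` evaluated to 0 and fell through to `alarm_before`; now it is honoured, so a certificate whose renewal fails shortly before expiry may go from no alarm directly to the expired alarm. I would state that above the branch, e.g. `# threshold may be shorter than the audit period; such certs can skip expiring-soon and alarm only once expired`, or floor the threshold at the audit period. The selection itself reads more plainly as `threshold = min(renew_before, alarm_before) if renew_before else alarm_before`. The enclosing method starts and ends outside the hunk.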