improving logging and the possibility of defining which Authorities qualify for auto-rotation

Hossein Shafagh 2020-05-07 18:28:01 -07:00
parent 54035e8db8
commit f68900d2b3
1 changed files with 18 additions and 1 deletions


@ -483,18 +483,35 @@ def check_revoked():
@manager.command @manager.command
def automatically_enable_autorotate(): def automatically_enable_autorotate():
""" """
This function automatically enables autorotation for unexpired certificates that are This function automatically enables auto-rotation for unexpired certificates that are
attached to an endpoint but do not have autorotate enabled. attached to an endpoint but do not have autorotate enabled.
WARNING: This will overwrite the Auto-rotate toggle!
""" """
log_data = { log_data = {
"function": f"{__name__}.{sys._getframe().f_code.co_name}", "function": f"{__name__}.{sys._getframe().f_code.co_name}",
} }
permitted_authorities = current_app.config.get("ENABLE_AUTO_ROTATE_AUTHORITY", [])
eligible_certs = get_all_certs_attached_to_endpoint_without_autorotate() eligible_certs = get_all_certs_attached_to_endpoint_without_autorotate()
for cert in eligible_certs: for cert in eligible_certs:
if cert.authority_id not in permitted_authorities:
continue
log_data["certificate"] = cert.name log_data["certificate"] = cert.name
log_data["certificate_id"] = cert.id log_data["certificate_id"] = cert.id
log_data["message"] = "Enabling auto-rotate for certificate" log_data["message"] = "Enabling auto-rotate for certificate"
current_app.logger.info(log_data) current_app.logger.info(log_data)
cert.rotation = True cert.rotation = True
database.update(cert) database.update(cert)
# TODO: add the cert destination to the logging
metrics.send("automatically_enable_autorotate",
"counter", 1,
metric_tags={"certificate": cert.name,
"certificate_id": cert.id,
"authority_id": cert.authority_id,
"authority_name": Authority.get(cert.authority_id).name})
cert.rotation = True
database.update(cert)
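Review bot: With `ENABLE_AUTO_ROTATE_AUTHORITY` unset, `permitted_authorities` is `[]` and the `continue` in the loop skips every certificate without a log line or metric, so a deployment that relied on the earlier behaviour stops enrolling certificates for rotation with no visible signal. Failing closed is a sound default for an allow-list, but it should be visible: before the loop, `if not permitted_authorities: current_app.logger.warning("ENABLE_AUTO_ROTATE_AUTHORITY is empty; no certificates will be enrolled")` followed by `return`. As rendered, the new side also appears to set `cert.rotation = True` and call `database.update(cert)` twice per certificate, once before `metrics.send` and once after; if so, the first pair can be dropped. `Authority.get(cert.authority_id).name` would raise if the lookup returned nothing and abort the run part-way, so resolving the name once per authority with a guard is worth considering.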