starlingx
/
config
Code Issues Proposed changes

Audit for deleted certificates 

Cert-alarm feature was missing an audit for deleted
certificate resources. If an installed certificate was
deleted, the alarm would stay forever. This code change
audits (during the full audit mode, i.e., once a day)
for such conditions and deletes the related alarm.

To achieve this feature, various internal function
definitions had to be changed, resulting in some
code refactoring.

Test Plan:
PASS: Existing feature works as intended/designed
PASS: Deleting a certificate resource will cleanup
      the alarm during the full audit cycle

Story: 2008946
Task: 42852

Signed-off-by: Sabeel Ansari <Sabeel.Ansari@windriver.com>
Change-Id: Ie9f9c056c1af6c0e1887d294ed8d1765532ae8f9
This commit is contained in:
Sabeel Ansari 2021-11-15 14:37:13 -05:00
parent 8e6ce5bf11
commit f0843c40d9
3 changed files with 191 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

142
sysinv/sysinv/sysinv/sysinv/cert_alarm/audit.py
View File

@ -6,7 +6,6 @@
from datetime import datetime
from datetime import timedelta
from fm_api import constants as fm_constants
from itertools import chain
from oslo_log import log
import re
from sysinv.cert_alarm import fm as fm_mgr
@ -32,15 +31,29 @@ class CertAlarmAudit(object):
# Reset both CERT_SNAPSHOT & ALARM_SNAPSHOT
utils.reset_cert_snapshot()
self.fm_obj.reset_alarms_snapshot()
self.fm_obj.reset_entityid_to_certname_map()
# Collect CERT_SNAPSHOT
# Collect snapshots
self.collect_cert_snapshot()
self.fm_obj.collect_all_cert_alarms()
# Update snapshots
"""
In order to correlate alarms with CERT_SNAPSHOT,
we need references to entity_instance_id and
alarm_uuids (if any alarms present). This is needed
to audit for deleted certificates
"""
# Needs entity_id present before auditing deleted certificates
# Do not change order
self.update_entity_ids_in_cert_snapshot()
self.audit_for_deleted_certificates()
utils.print_cert_snapshot()
self.fm_obj.print_alarms_snapshot()
self.compute_action_full_audit()
self.apply_action_full_audit()
LOG.info('cert-alarm full completed')
LOG.info('cert-alarm full audit completed')
def collect_cert_snapshot(self):
"""
@ -94,9 +107,18 @@ class CertAlarmAudit(object):
if entry[1] is not None:
utils.add_cert_snapshot(entry[0], entry[1], entry[2], entry[3])
def compute_action_full_audit(self):
def update_entity_ids_in_cert_snapshot(self):
for cert_name in utils.CERT_SNAPSHOT:
self.compute_action(cert_name)
entity_id = self.fm_obj.get_entity_instance_id(cert_name)
utils.update_cert_snapshot_field(cert_name,
utils.ENTITY_ID,
entity_id)
def apply_action_full_audit(self):
for cert_name in utils.CERT_SNAPSHOT:
entity_id = utils.CERT_SNAPSHOT[cert_name].get(utils.ENTITY_ID,
self.fm_obj.get_entity_instance_id(cert_name))
self.apply_action(cert_name, entity_id)
# ============== Active Alarm audit ===================
def run_active_alarm_audit(self):
@ -106,22 +128,26 @@ class CertAlarmAudit(object):
LOG.info('Running cert-alarm active_alarm_audit')
# Collect ALARM_SNAPSHOT
self.fm_obj.reset_alarms_snapshot()
self.fm_obj.collect_all_cert_alarms()
self.compute_action_active_alarms()
self.apply_action_active_alarms()
utils.print_cert_snapshot()
self.fm_obj.print_alarms_snapshot()
LOG.info('cert-alarm active_alarm_audit completed')
def compute_action_active_alarms(self):
# Create single list of expiring_soon & expired certs
all_active_alarms = list(chain(*self.fm_obj.ALARMS_SNAPSHOT.values()))
def apply_action_active_alarms(self):
for alarm_instance in self.fm_obj.ALARMS_SNAPSHOT:
entity_id = self.fm_obj.ALARMS_SNAPSHOT[alarm_instance]['ENTITY_ID']
cert_name = utils.get_cert_name_with_entity_id(entity_id)
if cert_name is not None:
# 1. First refresh expiry date snapshot data
self.refresh_expiry_data(cert_name)
for cert_name in all_active_alarms:
# 1. First refresh expiry date snapshot data
self.refresh_expiry_data(cert_name)
# 2. Now check dates and compute_action
self.compute_action(cert_name)
# 2. Now check dates and apply_action
self.apply_action(cert_name, entity_id)
def refresh_expiry_data(self, cert_name):
if cert_name not in utils.CERT_SNAPSHOT:
@ -167,9 +193,9 @@ class CertAlarmAudit(object):
time_params[name] = int(param)
return timedelta(**time_params)
def compute_action(self, cert_name):
def apply_action(self, cert_name, entity_id):
"""
Computes any action required based on parameters passed and calls FM API
Applies any action required based on parameters passed and calls FM API
Input: cert_name: Certificate name
"""
if cert_name not in utils.CERT_SNAPSHOT:
@ -183,8 +209,8 @@ class CertAlarmAudit(object):
renew_before = None
if utils.SNAPSHOT_KEY_RENEW_BEFORE in snapshot:
renew_before = self.parse_time(snapshot[utils.SNAPSHOT_KEY_RENEW_BEFORE])
LOG.debug('cert_name=%s, expiry=%s, alarm_before=%s, renew_before=%s'
% (cert_name, expiry.days, alarm_before.days, renew_before.days))
LOG.debug('cert_name=%s, entity_id=%s, expiry=%s, alarm_before=%s, renew_before=%s'
% (cert_name, entity_id, expiry.days, alarm_before.days, renew_before.days))
days_to_expiry = expiry.days
alarm_before_days = alarm_before.days
@ -198,32 +224,64 @@ class CertAlarmAudit(object):
threshold = alarm_before_days
if days_to_expiry > threshold:
self.clear_expiring_soon(cert_name)
self.clear_expired(cert_name)
self.clear_expiring_soon(cert_name, entity_id)
self.clear_expired(cert_name, entity_id)
else:
if days_to_expiry < 0:
# Expired. Clear expiring-soon & raise expired
self.clear_expiring_soon(cert_name)
self.raise_expired(cert_name)
self.clear_expiring_soon(cert_name, entity_id)
self.raise_expired(cert_name, entity_id)
else:
self.raise_expiring_soon(cert_name)
self.raise_expiring_soon(cert_name, entity_id)
def raise_expiring_soon(self, cert_name):
self.fm_obj.set_fault(cert_name,
False,
fm_constants.FM_ALARM_STATE_SET)
def raise_expiring_soon(self, cert_name, entity_id):
if self.alarm_override_check_passed(cert_name):
self.fm_obj.set_fault(entity_id,
fm_constants.FM_ALARM_ID_CERT_EXPIRING_SOON,
fm_constants.FM_ALARM_STATE_SET)
def clear_expiring_soon(self, cert_name):
self.fm_obj.set_fault(cert_name,
False,
fm_constants.FM_ALARM_STATE_CLEAR)
def clear_expiring_soon(self, cert_name, entity_id):
if self.alarm_override_check_passed(cert_name):
self.fm_obj.set_fault(entity_id,
fm_constants.FM_ALARM_ID_CERT_EXPIRING_SOON,
fm_constants.FM_ALARM_STATE_CLEAR)
def raise_expired(self, cert_name):
self.fm_obj.set_fault(cert_name,
True,
fm_constants.FM_ALARM_STATE_SET)
def raise_expired(self, cert_name, entity_id):
if self.alarm_override_check_passed(cert_name):
self.fm_obj.set_fault(entity_id,
fm_constants.FM_ALARM_ID_CERT_EXPIRED,
fm_constants.FM_ALARM_STATE_SET)
def clear_expired(self, cert_name):
self.fm_obj.set_fault(cert_name,
True,
fm_constants.FM_ALARM_STATE_CLEAR)
def clear_expired(self, cert_name, entity_id):
if self.alarm_override_check_passed(cert_name):
self.fm_obj.set_fault(entity_id,
fm_constants.FM_ALARM_ID_CERT_EXPIRED,
fm_constants.FM_ALARM_STATE_CLEAR)
def alarm_override_check_passed(self, cert_name):
'''
Check for alarm overrides in annotation.
Return: True for enabled, False for disabled alarms
'''
if cert_name in utils.CERT_SNAPSHOT:
snapshot = utils.CERT_SNAPSHOT[cert_name]
if snapshot.get(constants.CERT_ALARM_ANNOTATION_ALARM,
constants.CERT_ALARM_DEFAULT_ANNOTATION_ALARM) == 'disabled':
LOG.info('Found annotation override, disabling alarm. Suppressing %s' %
cert_name)
return False
return True # defaults to True (i.e., raise alarm)
def audit_for_deleted_certificates(self):
LOG.info('Auditing for deleted certificates')
for alarm_instance in self.fm_obj.ALARMS_SNAPSHOT:
entity_id = self.fm_obj.ALARMS_SNAPSHOT[alarm_instance]['ENTITY_ID']
cert_name = utils.get_cert_name_with_entity_id(entity_id)
if cert_name is None:
LOG.info('Found alarm for entity %s, but no related \
certificate resource' % entity_id)
alarm_id = self.fm_obj.ALARMS_SNAPSHOT[alarm_instance]['ALARM_ID']
self.fm_obj.set_fault(entity_id,
alarm_id,
fm_constants.FM_ALARM_STATE_CLEAR)

123
sysinv/sysinv/sysinv/sysinv/cert_alarm/fm.py
View File

@ -14,6 +14,8 @@ from sysinv.common import constants
LOG = log.getLogger(__name__)
CONF = cfg.CONF
ALARM_ID = 'ALARM_ID'
ENTITY_ID = 'ENTITY_ID'
EXPIRING_SOON = 'EXPIRING_SOON'
EXPIRED = 'EXPIRED'
@ -24,19 +26,18 @@ class FaultApiMgr(object):
self.fm_api = fm_api.FaultAPIs()
"""
After an audit is completed, ALARMS_SNAPSHOT stores all active alarms
ALARMS_SNAPSHOT is a dict of list.
ALARMS_SNAPSHOT is a dict of dict. Each entry is per certificate.
{
EXPIRING_SOON: [certname1, certname2,...]
EXPIRED: [certname7, certname8,...]
alarm_uuid_1: {
ALARM_ID: FM_ALARM_ID_CERT_EXPIRED or FM_ALARM_ID_CERT_EXPIRING_SOON
ENTITY_ID: entity_instance_id returned from FM API
}
alarm_uuid_2: {
...
}
}
"""
self.ALARMS_SNAPSHOT = {}
"""
Entity ID to cert_name mapping
Due to the nature of entity_id strings generated, we need a map
to lookup cert_name's in utils.CERT_SNAPSHOT during audits
"""
self.ENTITYID_TO_CERTNAME_MAP = {}
def get_entity_instance_id(self, cert_name):
"""
@ -65,21 +66,20 @@ class FaultApiMgr(object):
tmp_id.append("system.certificate.%s" % cert_name)
entity_id = ''.join(tmp_id)
self.ENTITYID_TO_CERTNAME_MAP[entity_id] = cert_name
return entity_id
def get_cert_name_from_entity_instance_id(self, instance_id):
if instance_id in self.ENTITYID_TO_CERTNAME_MAP:
return self.ENTITYID_TO_CERTNAME_MAP[instance_id]
else:
return 'Unknown'
@staticmethod
def get_mode(cert_name):
return 'ssl_ca' if 'ssl_ca' in cert_name else cert_name
def get_reason_text(self, cert_name, expired_flag):
def get_reason_text(self, entity_id, alrm_id):
txt = []
cert_name = utils.get_cert_name_with_entity_id(entity_id)
if cert_name is None:
LOG.eror('Error retrieving certificate from snapshot. Returning entity_id')
txt.append(entity_id)
return ''.join(txt)
if cert_name in utils.CERT_SNAPSHOT:
# Add entity related text
snapshot = utils.CERT_SNAPSHOT[cert_name]
@ -106,7 +106,7 @@ class FaultApiMgr(object):
txt.append(' ')
# Add Expired or Expiring
if expired_flag:
if alrm_id == fm_constants.FM_ALARM_ID_CERT_EXPIRED:
txt.append("expired.")
else:
expiry_date = snapshot[utils.SNAPSHOT_KEY_EXPDATE]
@ -122,9 +122,15 @@ class FaultApiMgr(object):
LOG.debug('Alarm text: %s' % txt_str)
return txt_str
def get_severity(self, cert_name, expired_flag):
alarm_severity = fm_constants.FM_ALARM_SEVERITY_CRITICAL if expired_flag \
else fm_constants.FM_ALARM_SEVERITY_MAJOR
def get_severity(self, entity_id, alrm_id):
alarm_severity = fm_constants.FM_ALARM_SEVERITY_CRITICAL if \
alrm_id == fm_constants.FM_ALARM_ID_CERT_EXPIRED \
else fm_constants.FM_ALARM_SEVERITY_MAJOR
cert_name = utils.get_cert_name_with_entity_id(entity_id)
if cert_name is None:
LOG.error('Error retrieving certificate from snapshot. Using default severity')
return alarm_severity
# Check for annotation overrides
if cert_name in utils.CERT_SNAPSHOT:
@ -136,62 +142,57 @@ class FaultApiMgr(object):
return alarm_severity
def set_fault(self, cert_name, expired_flag, state):
"""
def set_fault(self, entity_inst_id, alrm_id, state):
'''
Set Fault calls the FM API to raise or clear alarm
Params: cert-name: certificate name
expired_flag: True/False
Determines whether 'Expired' (True) or 'Expiring Soon' (False)
Also determines the severity Critical (True) or Major (False)
Params: entity_inst_id: entity id for alarm
alrm_id: fm_constants.FM_ALARM_ID_CERT_EXPIRED or
fm_constant.FM_ALARM_ID_CERT_EXPIRING_SOON
state: will determine SET or CLEAR
"""
alrm_id = fm_constants.FM_ALARM_ID_CERT_EXPIRED if expired_flag \
else fm_constants.FM_ALARM_ID_CERT_EXPIRING_SOON
entity_inst_id = self.get_entity_instance_id(cert_name)
'''
# If case of api errors during data collection, we do not want to raise alarms with
# "unknown" UUID (because we will need to clear such alarms manually). In such a case,
# we log the error and skip the alarm raise. Subsequent audit runs will raise the alarms.
if "uuid=unknown" in entity_inst_id:
if entity_inst_id is None or "uuid=unknown" in entity_inst_id:
LOG.error('set_fault called for certificate %s with unknown UUID. Suppressing alarm' %
cert_name)
entity_inst_id)
return
try:
if state == fm_constants.FM_ALARM_STATE_SET:
# Raise alarm only if alarm does not already exist
if not self.fm_api.get_fault(alrm_id, entity_inst_id):
# Check for annotation override
if cert_name in utils.CERT_SNAPSHOT:
snapshot = utils.CERT_SNAPSHOT[cert_name]
if snapshot.get(constants.CERT_ALARM_ANNOTATION_ALARM,
constants.CERT_ALARM_DEFAULT_ANNOTATION_ALARM) == 'disabled':
LOG.info('Found annotation override, disabling alarm. Suppressing %s' %
cert_name)
return
fault = fm_api.Fault(
alarm_id=alrm_id,
alarm_state=state,
entity_type_id=fm_constants.FM_ENTITY_TYPE_CERTIFICATE,
entity_instance_id=entity_inst_id,
severity=self.get_severity(cert_name, expired_flag),
reason_text=self.get_reason_text(cert_name, expired_flag),
severity=self.get_severity(entity_inst_id, alrm_id),
reason_text=self.get_reason_text(entity_inst_id, alrm_id),
alarm_type=fm_constants.FM_ALARM_TYPE_9,
probable_cause=fm_constants.ALARM_PROBABLE_CAUSE_77,
proposed_repair_action="Renew certificate for entity identified",
suppression=False,
service_affecting=False)
LOG.info('Setting fault for cert_name=%s, expired_flag=%s, state=%s' %
(cert_name, expired_flag, state))
self.fm_api.set_fault(fault)
LOG.info('Setting fault for entity_id=%s, alarm_type=%s, state=%s' %
(entity_inst_id, alrm_id, state))
alarm_uuid = self.fm_api.set_fault(fault)
# Update CERT_SNAPSHOT
utils.update_cert_snapshot_field_with_entity_id(entity_inst_id,
utils.ALARM_UUID,
alarm_uuid)
else:
if self.fm_api.get_fault(alrm_id, entity_inst_id):
LOG.info('Setting fault for cert_name=%s, expired_flag=%s, state=%s' %
(cert_name, expired_flag, state))
LOG.info('Setting fault for entity_id=%s, alarm_type=%s, state=%s' %
(entity_inst_id, alrm_id, state))
self.fm_api.clear_fault(alrm_id, entity_inst_id)
# Update CERT_SNAPSHOT
utils.update_cert_snapshot_field_with_entity_id(entity_inst_id,
utils.ALARM_UUID,
"")
except Exception as e:
LOG.exception(e)
@ -210,11 +211,13 @@ class FaultApiMgr(object):
# Expiring Soon alarms
exp_soon_alarms = self.get_faults(False)
self.add_alarms_snapshot(EXPIRING_SOON, exp_soon_alarms)
self.add_alarms_snapshot(fm_constants.FM_ALARM_ID_CERT_EXPIRING_SOON,
exp_soon_alarms)
# Expired alarms
exprd_alarms = self.get_faults(True)
self.add_alarms_snapshot(EXPIRED, exprd_alarms)
self.add_alarms_snapshot(fm_constants.FM_ALARM_ID_CERT_EXPIRED,
exprd_alarms)
def reset_alarms_snapshot(self):
self.ALARMS_SNAPSHOT = {}
@ -222,16 +225,10 @@ class FaultApiMgr(object):
def print_alarms_snapshot(self):
LOG.info('Alarms snapshot = %s' % self.ALARMS_SNAPSHOT)
def add_alarms_snapshot(self, key, alarms):
cert_names = []
def add_alarms_snapshot(self, alarm_type, alarms):
if alarms:
for item in alarms:
cert_names.append(self.get_cert_name_from_entity_instance_id(item.entity_instance_id))
self.ALARMS_SNAPSHOT[key] = cert_names
def reset_entityid_to_certname_map(self):
self.ENTITYID_TO_CERTNAME_MAP = {}
def print_entityid_to_certname_map(self):
LOG.info('Entityid_to_certname map = %s' % self.ENTITYID_TO_CERTNAME_MAP)
self.ALARMS_SNAPSHOT[item.uuid] = {
ALARM_ID: alarm_type,
ENTITY_ID: item.entity_instance_id
}

31
sysinv/sysinv/sysinv/sysinv/cert_alarm/utils.py
View File

@ -40,6 +40,9 @@ MODE_SECRET = 'secret'
MODE_CERT_MGR = 'certmgr'
MODE_OTHER = 'other'
ALARM_UUID = 'alarm_uuid'
ENTITY_ID = 'entity_id'
CERT_SNAPSHOT = {}
"""
CERT_SNAPSHOT is a dict of dict. Each entry is per certificate.
@ -58,6 +61,8 @@ CERT_SNAPSHOT is a dict of dict. Each entry is per certificate.
mode_other: <other>
file_location: <filepath>
renewBefore: <renewBefore>
alarm_uuid: <alarm-uuid>
entity_id: <entity-instance-id>
}
certname2: {
...
@ -296,6 +301,32 @@ def add_cert_snapshot(certname, expirydate, annotation_data, mode_metadata):
CERT_SNAPSHOT[certname] = internaldict
def update_cert_snapshot_field(cert_name, key, value):
global CERT_SNAPSHOT
if cert_name not in CERT_SNAPSHOT:
LOG.error('Cannot find certificate %s in CERT_SNAPSHOT' % cert_name)
else:
LOG.debug('Updating CERT_SNAPSHOT cert_name=%s, key=%s, val=%s' % (cert_name, key, value))
CERT_SNAPSHOT[cert_name][key] = value
def update_cert_snapshot_field_with_entity_id(entity_id, key, value):
cert_name = get_cert_name_with_entity_id(entity_id)
if cert_name is None:
LOG.error('Cannot find certificate with entity_id %s' % entity_id)
else:
update_cert_snapshot_field(cert_name, key, value)
def get_cert_name_with_entity_id(entity_id):
global CERT_SNAPSHOT
for cert_name in CERT_SNAPSHOT:
if CERT_SNAPSHOT[cert_name].get(ENTITY_ID) == entity_id:
return cert_name
return None
def get_default_annotation_values():
return {
constants.CERT_ALARM_ANNOTATION_ALARM: