Megan/expiration

[meganm53]

Fixes issue #398 , added flag that allows you to check how much longer until a certificate is about to expire, along with the color coding the outputs based on if it is about to expire/expired (red), close (yellow), or still has under 66% of its life used (green). added to description how to use this function.

[CLAassistant]

All committers have signed the CLA.

[dopey]

checking certificate expiration

The tense on the other verbs all seem to end with ing, so we should be consistent.

[codecov]

Codecov Report

Merging #495 (1187e48) into master (0da3b28) will decrease coverage by 0.16%.
The diff coverage is 26.66%.

@@            Coverage Diff             @@
##           master     #495      +/-   ##
==========================================
- Coverage   63.29%   63.12%   -0.17%     
==========================================
  Files          57       57              
  Lines        6865     6894      +29     
==========================================
+ Hits         4345     4352       +7     
- Misses       2281     2303      +22     
  Partials      239      239              

Impacted Files	Coverage Δ
command/certificate/verify.go	44.60% <24.13%> (-5.40%)	⬇️
command/certificate/certificate.go	100.00% <100.00%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0da3b28...1187e48. Read the comment docs.

[dopey]

return an errors.Errorf error here that described the issue. See errors returned in above code for examples.

[dopey]

Just gonna list some bullet points here for improvements to this section:

if percent >= 100 {
}
else if percent >= 90 {
}
else if percent >= 66 {
}
else if percent >= 1 {
}
else if precent >= 0 {
} else {
}

• Use fmt.Printf instead of fmt.Println if possible.
• parameterize commonly used strings and colors so you can reuse them. e.g var colorExpired = "31m".

[dopey]

variable names with capital first letters are exported. Use a lower case first letter unless you need to export the variable beyond the current package.

[dopey]

use remainingValidity and totalValidity. The term validity window is already associated with certificates and we already frequently use the work validity in our code when doing similar calculations.

[dopey]

Why are we specifying .Hours() here rather than using the complete duration?

[dopey]

You can just call this variable percent.

Generally speaking, the rule for variable names is that the length of the name should be proportionate to how far away from the instantiation of the variable it is being used. So if it's super far away, e.g. different functions, files or packages, then you want a really descriptive name like you've chosen here. But in this case, the variable and it's use are super close. So we can opt for shorter, less descriptive, more context dependent names. Lmk if that does/doesn't make sense.

[dopey]

I would check first if time.Now().Before(cert.NotBefore) because if so, then the cert is not valid yet, and that's a different message than any of the ones you have below. At the same time I would check if time.Now().After(cert.NotAfter) just to rule out both of those special cases. Then we know that the results should be within our bounds.

I would also do (1 - remainingValidity/totalValidity) * 100 because it's a bit more natural.

[dopey]

Verify the remaining validity of a certificate ...

[dopey]

Checks the remaining certificate validity till expiration

[dopey]

I think we should verify the certificate first cert.VerifyOpts below, and then if it's valid we can analyze how much of the lifespan has been used. The benefit of this is that we won't have to check if now < cert.NotBefore or if the cert is already expired. The VerifyOpts method already does that for us. So only if the certificate is valid do we print expiry information.

[dopey]

When you use fmt.Printf you can do things like: fmt.Printf("%sLeaf is %d% through it's lifetime.", red, percentUsed). The variables at the end replace the %s and %d.

[dopey]

We're using the word certificate in this output, but the word leaf in future outputs to refer to the same thing. I think we should consistently use the term certificate.

[dopey]

@tashian How would you like this output to look? Your plan was to use this as input from a pipe. I recall you saying that you wanted these to be errorCodes rather than printed statements.

[tashian]

Yes, the exit codes are described in #398

[dopey]

@mmalone @tashian what did we want this flag to be called? expire, validity, verdancy?

[tashian]

verdancy

[tashian]

hi @cookie-annihilator @tommy-56 I'm excited to see this PR!
I want to explain why --verdancy is the word we landed on for this flag during design discussions.
The idea of verdancy is, it's a matter of degree: What the command is asking is "Just how green is this certificate?"
And, like a leaf on a tree, as the certificate ages it changes color.
Whereas, --expire implies a yes/no answer: Is it expired or not?
Verdancy provides that answer and more.

The use cases are:

• Verdancy aids automated renewal, and once this feature is released I will immediately put it into use in our docs. We recommend people renew certificates when they are around 2/3 through their validity period, so we want an easy way to confirm that.
• Expired (yes/no) could also be used in a script, if there is a chance a certificate may have expired. Because with an unexpired cert you can run step ca renew to get a new certificate, but with an expired cert you'd need to run step ca certificate.
• We also discussed an expires-in flag that would allow you to pass a % or duration, and you'd get back a yes/no.

Happy to answer any other questions y'all have about this feature...

[dopey]

step certificate needs-renewal returns '0' if the certificate needs to be renewed based on it's remaining lifetime. Returns '1' if the certificate is within it's validity lifetime bounds and does not need to be renewed. Returns '255' for any other error. By default, if a certificate "needs renewal" when it has passed 66% of it's allotted lifetime. This threshold can be adjusted using the '--expires-in' flag.

[dopey]

Combine the positional arguments into one, as we do with the UsageText above.

<cert_file or hostname> The path to a certificate to validate OR a hostname with protocol prefix.

[dopey]

This command returns '0' if the certificate needs renewal, '1' if the certificate does not need renewal, and '255' for any other error.

[dopey]

using a hostname:

[dopey]

Put a colon : after each sentence prefacing the example command, like so: https://github.com/smallstep/cli/blob/master/command/certificate/verify.go#L38

[dopey]

With -> For

[dopey]

this should return 255 as well

[dopey]

Since we're changing the operation of this command to now apply to all certificates in the bundle, you can probably just use the full list of peer certificates rather than grabbing the first index.

[dopey]

Since we're changing the behavior of this command to apply to all certs in the file, what we want to do is loop over each pem block in the file (just like you're doing) and then convert it to a certificate and append it to an array of x509 certifcates.

[dopey]

This will happen in a for loop over all the certificates in the list

[dopey]

I would say just trimSuffix instead of replace all. We want people entering 50% instead of %3%5

[dopey]

Let's parameterize this value, meaning let's make it a constant defined at the top of the file.

const defaultPercentUsedThreshold = 66

[dopey]

I think this is the case where we want to return 1.

[dopey]

It would be nice to combine this with the other percentage case so we don't copy the same conditional code.

Something like:

for _, cert := range certs {
if expiredIn == "" || strings.Contains(expiresIn, "%") {
    var threshold int
    if expiresIn == "" {
        threshold = defaultPercentThreshold
    } else {
        threshold, err = strconv.Atoi(strings.TrimSuffix(expiresIn, "%"))
        if err ....
    }
    
    if threshold > 100 || threshold < 0 ...

    if int(percentUsed) >= threshold ...
        return nil
} else {
    			duration, err := time.ParseDuration(expiresIn)

			if err != nil {
				return errs.NewExitError(err, 255)
			} else if duration > remainingValidity {
				return nil
			}
}
}
// We only get here if the certs are not expiring, so return an error to that effect.
return errors.New("certificate is verdant")

[dopey]

left a bunch of comments.

[dopey]

Use cert_file here and in other places where you refer to this input. Over time we came to the custom of using cert if it's in documentation that the user sees because that's the standard other popular tools use (e.g. openssl, curl), and crt if we're just naming variables internally in our code.

[dopey]

remove the if in this line.

[dopey]

remove to validate

[tashian]

Thank you @tommy-56 @cookie-annihilator for this!

I've updated our systemd stuff to use needs-renewal (see smallstep/certificates#653 and smallstep/docs#105). It's so much cleaner, and it removes the dependency on jq.