add two new options to "certmaster-ca"

-list-signed shows a list of certs the certmaster has already signed

--list-cert-hashes returns the list of signed certs in the CN-hash format that
the acls files expects. Should make it a little easier to use the acls.

Both options take optional hostnames or hostname globs

diff --git a/certmaster/certmaster.py b/certmaster/certmaster.py
index 970ff59..7431324 100755 (executable)
--- a/certmaster/certmaster.py
+++ b/certmaster/certmaster.py
@@ -252,7 +252,47 @@ class CertMaster(object):
             os.unlink(csr_unlink_file)
             
         return certfile
+
+    # return a list of already signed certs
+    def get_signed_certs(self, hostglobs=None):
+        certglob = "%s/*.cert" % (self.cfg.certroot)
+
+        certs = []
+        globs = "*"
+        if hostglobs:
+            globs = hostglobs
+
+        for hostglob in globs:
+            certglob = "%s/%s.cert" % (self.cfg.certroot, hostglob)
+            certs = certs + glob.glob(certglob)
+
+        signed_certs = []
+        for cert in certs:
+            # just want the hostname, so strip off path and ext
+            signed_certs.append(os.path.basename(cert).split(".cert", 1)[0])
+
+        return signed_certs
+
+    # return a list of the cert hash string we use to identify systems
+    def get_cert_hashes(self, hostglobs=None):
+        certglob = "%s/*.cert" % (self.cfg.certroot)
+
+        certfiles = []
+        globs = "*"
+        if hostglobs:
+            globs = hostglobs
+
+        for hostglob in globs:
+            certglob = "%s/%s.cert" % (self.cfg.certroot, hostglob)
+            certfiles = certfiles + glob.glob(certglob)
         
+        cert_hashes = []
+        for certfile in certfiles:
+            cert = certs.retrieve_cert_from_file(certfile)
+            cert_hashes.append("%s-%s" % (cert.get_subject().CN, cert.subject_name_hash()))
+            
+        return cert_hashes
+
     def _run_triggers(self, ref, globber):
         return utils.run_triggers(ref, globber)
 

diff --git a/scripts/certmaster-ca b/scripts/certmaster-ca
index 27e190e..7370ef3 100755 (executable)
--- a/scripts/certmaster-ca
+++ b/scripts/certmaster-ca
@@ -31,11 +31,17 @@ def parseargs(args):
           help='sign requests of hosts specified')
     parser.add_option('-c', '--clean', default=False, action="store_true",
           help="clean out all certs or csrs for the hosts specified")
+    parser.add_option("", "--list-signed", default=False, action="store_true",
+          help='list all signed certs')
+    parser.add_option("", "--list-cert-hash", default=False, action="store_true",
+          help="list the cert hash for signed certs")
           
     (opts, args) = parser.parse_args()
     
     
-    if not opts.list and not opts.sign and not opts.clean:
+    # gotta be a better way...
+    if not opts.list and not opts.sign and not opts.clean \
+            and not opts.list_signed and not opts.list_cert_hash:
         parser.print_help()
         sys.exit(1)
             
@@ -88,5 +94,29 @@ def main(args):
         
         return 0
 
+    if opts.list_signed:
+        hostglobs = ["*"]
+        if args:
+            hostglobs = args
+
+        signed_certs = cm.get_signed_certs(args)
+
+        for i in signed_certs:
+            print i
+            
+        return 0
+        
+    if opts.list_cert_hash:
+        hostglobs = ["*"]
+        if args:
+            hostglobs = args
+            
+        cert_hashes = cm.get_cert_hashes(hostglobs)
+
+        for i in cert_hashes:
+            print i
+            
+        return 0
+
 if __name__ == "__main__":
     sys.exit(main(sys.argv[1:]))