Add rotation procedure to expiring-certificates

An upcoming version of Ops Manager 2.10 will start including two new
fields with the `/api/v0/deployed/certificates` endpoint;
rotation_procedure_name and rotation_procedure_url. These fields will be
on every certificate returned, and represent the rotation procedure used
to rotate that particular certificate.

The text output for the `om expiring-certificates` command has been
reworked when this data is available to group certificates by procedure
because in most cases, following a single procedure will rotate all
certificates for that procedure at once; that is, instead of running
that procedure once for each certificate separately.

The new output looks similar to the following:
```
Getting expiring certificates...
Found expiring certificates in the foundation:

One or more certificates will expire in 89 days. Please refer to the certificate rotation procedures below. To optimize deployment time, please rotate expiring CA certificates prior to any leaf certificates.

Services TLS CA Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/advanced-certificate-rotation.html#services-rotation)
    credhub:
        /services/tls_ca: expiring on 28 Feb 23 13:57 UTC

Identity Provider SAML Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-saml-ca.html)
    cf-625e965c186c7b029061:
        .uaa.service_provider_key_credentials: expiring on 29 May 22 12:57 UTC

Standard CA Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-cas-and-leaf-certs.html)
    ops_manager:
        .properties.nats_client_ca.c8b520555b0bc0a9f9f7: expiring on 27 Feb 26 13:57 UTC
        .properties.root_ca.c8b520555b0bc0a9f9f7: expiring on 28 Feb 23 13:57 UTC
    cf-625e965c186c7b029061:
        /opsmgr/bosh_dns/tls_ca: expiring on 27 Feb 26 14:40 UTC
        /p-bosh/cf-625e965c186c7b029061/diego-instance-identity-intermediate-ca-2-7: expiring on 28 Feb 24 14:40 UTC
        /cf/diego-instance-identity-root-ca-2-6: expiring on 27 Feb 25 14:40 UTC

Standard Configurable Leaf Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-configurable-certs.html)
    cf-625e965c186c7b029061:
        .properties.networking_poe_ssl_certs[0].certificate: expiring on 29 May 22 12:57 UTC

Standard Non-Configurable Leaf Procedure (https://docs.pivotal.io/ops-manager/2-10/security/pcf-infrastructure/rotate-non-configurable-certs.html)
    p-bosh-38683bbbab412b152fad:
        .properties.director_ssl: expiring on 28 Feb 24 14:06 UTC
        .properties.uaa_ssl: expiring on 28 Feb 24 14:06 UTC
        ...
    cf-625e965c186c7b029061:
        .properties.auctioneer_client_cert: expiring on 28 Feb 24 14:06 UTC
        .properties.auctioneer_server_cert: expiring on 28 Feb 24 14:06 UTC
        ...

2022/02/28 14:47:46 found expiring certificates in the foundation
```

If the new API fields are blank, then it is assumed that `om` is
targeted at an older version of Ops Manager and the previous output
format is used instead.

[#181158588] Update om CLI to output rotation procedures

Signed-off-by: Brian Upton <[email protected]>
Signed-off-by: Camila Londoño <[email protected]>
Signed-off-by: Long Nguyen <[email protected]>

Author: ystros

api/expiring_certificates_service.go

@@ -13,15 +13,17 @@ type ExpiringCertificatesResponse struct {
 }
 
 type ExpiringCertificate struct {
-	Issuer            string    `json:"issuer"`
-	ValidFrom         time.Time `json:"valid_from"`
-	ValidUntil        time.Time `json:"valid_until"`
-	Configurable      bool      `json:"configurable"`
-	PropertyReference string    `json:"property_reference"`
-	PropertyType      string    `json:"property_type"`
-	ProductGUID       string    `json:"product_guid"`
-	Location          string    `json:"location"`
-	VariablePath      string    `json:"variable_path"`
+	Issuer                string    `json:"issuer"`
+	ValidFrom             time.Time `json:"valid_from"`
+	ValidUntil            time.Time `json:"valid_until"`
+	Configurable          bool      `json:"configurable"`
+	PropertyReference     string    `json:"property_reference"`
+	PropertyType          string    `json:"property_type"`
+	ProductGUID           string    `json:"product_guid"`
+	Location              string    `json:"location"`
+	VariablePath          string    `json:"variable_path"`
+	RotationProcedureName string    `json:"rotation_procedure_name"`
+	RotationProcedureUrl  string    `json:"rotation_procedure_url"`
 }
 
 func (a Api) ListExpiringCertificates(expiresWithin string) ([]ExpiringCertificate, error) {

commands/expiring_certificates.go

@@ -4,6 +4,7 @@ import (
 	"errors"
 	"fmt"
 	"regexp"
+	"sort"
 	"strings"
 	"time"
 
@@ -54,28 +55,92 @@ func (e *ExpiringCerts) Execute(args []string) error {
 
 	e.logger.Println(color.RedString("Found expiring certificates in the foundation:\n"))
 
-	expiringCertsWithVariablePath, expiringCertsWithProductGUID := e.groupByLocation(expiringCerts)
-	for location, certs := range expiringCertsWithVariablePath {
-		e.logger.Printf(color.RedString("[X] %s", location))
+	if len(expiringCerts[0].RotationProcedureName) == 0 {
+		expiringCertsWithVariablePath, expiringCertsWithProductGUID := e.groupByLocation(expiringCerts)
+		for location, certs := range expiringCertsWithVariablePath {
+			e.logger.Printf(color.RedString("[X] %s", location))
 
-		for _, cert := range certs {
-			e.printExpiringCertInfo(cert)
+			for _, cert := range certs {
+				e.printExpiringCertInfo(cert, 4)
+			}
 		}
-	}
 
-	for location, productGUIDs := range expiringCertsWithProductGUID {
-		e.logger.Printf(color.RedString("[X] %s", location))
-		for guid, certs := range productGUIDs {
-			e.logger.Printf(color.RedString("    %s:", guid))
-			for _, cert := range certs {
-				e.printExpiringCertInfo(cert)
+		for location, productGUIDs := range expiringCertsWithProductGUID {
+			e.logger.Printf(color.RedString("[X] %s", location))
+			for guid, certs := range productGUIDs {
+				e.logger.Printf(color.RedString("    %s:", guid))
+				for _, cert := range certs {
+					e.printExpiringCertInfo(cert, 8)
+				}
 			}
 		}
+	} else {
+		remainingDuration := e.earliestExpiryDate(expiringCerts).Sub(time.Now())
+		remainingDays := int(remainingDuration.Hours() / 24)
+		expiringCertsByProcedure, procedures := e.groupByProcedure(expiringCerts)
+
+		e.logger.Printf(color.RedString("One or more certificates will expire in %d days. Please refer to the certificate rotation procedures below. To optimize deployment time, please rotate expiring CA certificates prior to any leaf certificates."), remainingDays)
+		e.logger.Println()
+		for _, procedure := range procedures {
+			certsByTile := expiringCertsByProcedure[procedure]
+			e.logger.Printf(color.RedString(procedure))
+			for tile, certs := range certsByTile {
+				e.logger.Printf(color.RedString("    %s:", tile))
+				for _, cert := range certs {
+					e.printExpiringCertInfo(cert, 8)
+				}
+			}
+			e.logger.Println()
+		}
 	}
 
 	return errors.New("found expiring certificates in the foundation")
 }
 
+func (e *ExpiringCerts) earliestExpiryDate(certs []api.ExpiringCertificate) time.Time {
+	earliestExpiry := certs[0].ValidUntil
+	for _, cert := range certs {
+		if cert.ValidUntil.Before(earliestExpiry) {
+			earliestExpiry = cert.ValidUntil
+		}
+	}
+	return earliestExpiry
+}
+
+func (e *ExpiringCerts) groupByProcedure(certs []api.ExpiringCertificate) (map[string]map[string][]api.ExpiringCertificate, []string) {
+	expiringCertsByProcedure := make(map[string]map[string][]api.ExpiringCertificate)
+	for _, cert := range certs {
+		procedureKey := fmt.Sprintf("%v (%v)", cert.RotationProcedureName, cert.RotationProcedureUrl)
+		tileKey := cert.ProductGUID
+
+		// Only CredHub-base certificates may be missing the tile / product GUID
+		if len(tileKey) == 0 {
+			tileKey = "credhub"
+		}
+
+		if expiringCertsByProcedure[procedureKey] == nil {
+			expiringCertsByProcedure[procedureKey] = make(map[string][]api.ExpiringCertificate)
+		}
+
+		expiringCertsByProcedure[procedureKey][tileKey] = append(expiringCertsByProcedure[procedureKey][tileKey], cert)
+	}
+
+	procedureNames := []string{}
+	for key := range expiringCertsByProcedure {
+		procedureNames = append(procedureNames, key)
+	}
+
+	sort.SliceStable(procedureNames, func(i, j int) bool {
+		if strings.Contains(procedureNames[i], "CA") {
+			return true
+		}
+
+		return procedureNames[i] < procedureNames[j]
+	})
+
+	return expiringCertsByProcedure, procedureNames
+}
+
 func (e *ExpiringCerts) groupByLocation(certs []api.ExpiringCertificate) (map[string][]api.ExpiringCertificate, map[string]map[string][]api.ExpiringCertificate) {
 	expiringCertsWithVariablePath := make(map[string][]api.ExpiringCertificate)
 	expiringCertsWithProductGUID := make(map[string]map[string][]api.ExpiringCertificate)
@@ -96,7 +161,7 @@ func (e *ExpiringCerts) groupByLocation(certs []api.ExpiringCertificate) (map[st
 	return expiringCertsWithVariablePath, expiringCertsWithProductGUID
 }
 
-func (e *ExpiringCerts) printExpiringCertInfo(cert api.ExpiringCertificate) {
+func (e *ExpiringCerts) printExpiringCertInfo(cert api.ExpiringCertificate, indent int) {
 	expiringStr := "expiring"
 	if time.Now().After(cert.ValidUntil) {
 		expiringStr = "expired"
@@ -105,11 +170,11 @@ func (e *ExpiringCerts) printExpiringCertInfo(cert api.ExpiringCertificate) {
 	validUntil := cert.ValidUntil.Format(time.RFC822)
 
 	if cert.VariablePath != "" {
-		e.logger.Printf(color.RedString("    %s: %s on %s"), cert.VariablePath, expiringStr, validUntil)
+		e.logger.Printf(color.RedString("%s%s: %s on %s"), strings.Repeat(" ", indent), cert.VariablePath, expiringStr, validUntil)
 		return
 	}
 
-	e.logger.Printf(color.RedString("        %s: %s on %s"), cert.PropertyReference, expiringStr, validUntil)
+	e.logger.Printf(color.RedString("%s%s: %s on %s"), strings.Repeat(" ", indent), cert.PropertyReference, expiringStr, validUntil)
 }
 
 func (e ExpiringCerts) validateConfig() error {