Rework -all_time logic

If -all_time is specified, scan the entirety of all logs, even existing logs. This matches user expectation better. Previously, -all_time had no impact on existing logs. The first time Cert Spotter is run, do not scan any logs, unless -all_time is specified. This avoids a several hour wait the first time Cert Spotter is run. If the user is interested in knowing about existing certificates, they can use the certspotter.com API or crt.sh. This is the same as existing behavior. When a new log is added, scan it in its entirety even if -all_time is not specified, so users are alerted to interesting certificates in the new log. Hopefully new logs will be small and this won't take too long! Previously, new logs were not scanned in their entirety unless -all_time was specified. Closes: #5
2016-11-15 12:23:24 -08:00 · 2016-11-15 12:23:24 -08:00 · 31f2316aa2
parent 7d2936eada
commit 31f2316aa2
2 changed files with 29 additions and 9 deletions
--- a/4
+++ b/4
@ -72,7 +72,9 @@ COMMAND LINE FLAGS
  -no_save
 	Do not save a copy of matching certificates.
  -all_time
-	Scan certs from all time, not just since last scan.
+	Scan for certificates from all time, not just those added since
+	the last run of Cert Spotter.  Unless this option is specified,
+	no certificates are scanned the first time Cert Spotter is run.
  -logs FILENAME
 	JSON file containing logs to scan, in the format documented at
 	<https://www.certificate-transparency.org/known-logs>.
--- a/cmd/common.go
+++ b/cmd/common.go
@ -109,6 +109,11 @@ func saveEvidence(logUri string, firstSTH *ct.SignedTreeHead, secondSTH *ct.Sign
 	return firstFilename, secondFilename, proofFilename, nil
 }

+func fileExists (path string) bool {
+	_, err := os.Lstat(path)
+	return err == nil
+}
+
 func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 	stateDir = argStateDir

@ -132,6 +137,8 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 		logs = certspotter.DefaultLogs
 	}

+	firstRun := !fileExists(filepath.Join(stateDir, "once"))
+
 	if err := os.Mkdir(stateDir, 0777); err != nil && !os.IsExist(err) {
 		fmt.Fprintf(os.Stderr, "%s: Error creating state directory: %s: %s\n", os.Args[0], stateDir, err)
 		return 1
@ -185,22 +192,26 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 		}

 		if *verbose {
-			if prevSTH != nil {
+			if *allTime {
+				log.Printf("Scanning all %d entries in the log because -all_time option specified", latestSTH.TreeSize)
+			} else if prevSTH != nil {
 				log.Printf("Existing log; scanning %d new entries since previous scan (previous size %d, previous root hash = %x)", latestSTH.TreeSize-prevSTH.TreeSize, prevSTH.TreeSize, prevSTH.SHA256RootHash)
-			} else if *allTime {
-				log.Printf("new log; scanning all %d entries in the log", latestSTH.TreeSize)
+			} else if firstRun {
+				log.Printf("First run of Cert Spotter; not scanning %d existing entries because -all_time option not specified", latestSTH.TreeSize)
 			} else {
-				log.Printf("new log; not scanning existing entries because -all_time option not specified")
+				log.Printf("New log; scanning all %d entries in the log", latestSTH.TreeSize)
 			}
 		}

 		var startIndex uint64
-		if prevSTH != nil {
-			startIndex = prevSTH.TreeSize
-		} else if *allTime {
+		if *allTime {
 			startIndex = 0
-		} else {
+		} else if prevSTH != nil {
+			startIndex = prevSTH.TreeSize
+		} else if firstRun {
 			startIndex = latestSTH.TreeSize
+		} else {
+			startIndex = 0
 		}

 		if latestSTH.TreeSize > startIndex {
@ -254,5 +265,12 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 		}
 	}

+	if firstRun {
+		if err := ioutil.WriteFile(filepath.Join(stateDir, "once"), []byte{}, 0666); err != nil {
+			log.Printf("Error writing once file: %s\n", err)
+			exitCode |= 1
+		}
+	}
+
 	return exitCode
 }