From 31f2316aa2cdb56fc355f181f55da3e938fd9f55 Mon Sep 17 00:00:00 2001
From: Andrew Ayer
Date: Tue, 15 Nov 2016 12:23:24 -0800
Subject: [PATCH] Rework -all_time logic
If -all_time is specified, scan the entirety of all logs, even existing logs. This matches user expectation better. Previously, -all_time had no impact on existing logs. The first time Cert Spotter is run, do not scan any logs, unless -all_time is specified. This avoids a several hour wait the first time Cert Spotter is run. If the user is interested in knowing about existing certificates, they can use the certspotter.com API or crt.sh. This is the same as existing behavior. When a new log is added, scan it in its entirety even if -all_time is not specified, so users are alerted to interesting certificates in the new log. Hopefully new logs will be small and this won't take too long! Previously, new logs were not scanned in their entirety unless -all_time was specified.
Closes: #5
---
README | 4 +++-
cmd/common.go | 34 ++++++++++++++++++++++++++--------
2 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/README b/README
index 589da91..e63c833 100644
--- a/README
+++ b/README
@@ -72,7 +72,9 @@ COMMAND LINE FLAGS -no_save Do not save a copy of matching certificates. -all_time
- Scan certs from all time, not just since last scan.
+ Scan for certificates from all time, not just those added since
+ the last run of Cert Spotter. Unless this option is specified,
+ no certificates are scanned the first time Cert Spotter is run.
 -logs FILENAME JSON file containing logs to scan, in the format documented at .
diff --git a/cmd/common.go b/cmd/common.go
index f434ec5..b1c9c97 100644
--- a/cmd/common.go
+++ b/cmd/common.go
@@ -109,6 +109,11 @@ func saveEvidence(logUri string, firstSTH *ct.SignedTreeHead, secondSTH *ct.Sign
 return firstFilename, secondFilename, proofFilename, nil
 }
+func fileExists (path string) bool {
+ _, err := os.Lstat(path)
+ return err == nil
+}
+
 func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 stateDir = argStateDir
@@ -132,6 +137,8 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 logs = certspotter.DefaultLogs
 }
+ firstRun := !fileExists(filepath.Join(stateDir, "once"))
+
 if err := os.Mkdir(stateDir, 0777); err != nil && !os.IsExist(err) {
 fmt.Fprintf(os.Stderr, "%s: Error creating state directory: %s: %s\n", os.Args[0], stateDir, err)
 return 1
@@ -185,22 +192,26 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 }
 if *verbose {
- if prevSTH != nil {
+ if *allTime {
+ log.Printf("Scanning all %d entries in the log because -all_time option specified", latestSTH.TreeSize)
+ } else if prevSTH != nil {
 log.Printf("Existing log; scanning %d new entries since previous scan (previous size %d, previous root hash = %x)", latestSTH.TreeSize-prevSTH.TreeSize, prevSTH.TreeSize, prevSTH.SHA256RootHash)
- } else if *allTime {
- log.Printf("new log; scanning all %d entries in the log", latestSTH.TreeSize)
+ } else if firstRun {
+ log.Printf("First run of Cert Spotter; not scanning %d existing entries because -all_time option not specified", latestSTH.TreeSize)
 } else {
- log.Printf("new log; not scanning existing entries because -all_time option not specified")
+ log.Printf("New log; scanning all %d entries in the log", latestSTH.TreeSize)
 }
 }
 var startIndex uint64
- if prevSTH != nil {
- startIndex = prevSTH.TreeSize
- } else if *allTime {
+ if *allTime {
 startIndex = 0
- } else {
+ } else if prevSTH != nil {
+ startIndex = prevSTH.TreeSize
+ } else if firstRun {
 startIndex = latestSTH.TreeSize
+ } else {
+ startIndex = 0
 }
 if latestSTH.TreeSize > startIndex {
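Review bot: `fileExists` in this hunk treats every `os.Lstat` failure as "file absent", so a permission or I/O error on the state directory makes `firstRun` true in the next hunk (`firstRun := !fileExists(filepath.Join(stateDir, "once"))`) and every log without a saved STH is then quietly skipped instead of scanned; for a monitoring tool, failing silently into "do not scan" is the wrong direction for a misconfiguration. Only the not-exist case should count as absent, e.g. `return !os.IsNotExist(err)`, or have the helper return the error so `Main` can report it on stderr the way the `os.Mkdir` failure just below is reported. Separately, `func fileExists (path string) bool` has a space before the parameter list that gofmt removes.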
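Review bot: The new `startIndex` chain in the third hunk repeats the four conditions of the `*verbose` logging chain directly above it, so the two can drift apart on a later edit, and both `startIndex = 0` assignments are redundant because `var startIndex uint64` already starts at zero. Consider computing `startIndex` first and deriving the log message from it, or at least stating the precedence once above the chain with a comment such as `// -all_time rescans from 0; otherwise resume an existing log from its saved STH; on the very first run skip existing entries; a log added later is scanned in full`. `Main` begins and ends outside this hunk.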
@@ -254,5 +265,12 @@ func Main(argStateDir string, processCallback certspotter.ProcessCallback) int {
 }
 }
+ if firstRun {
+ if err := ioutil.WriteFile(filepath.Join(stateDir, "once"), []byte{}, 0666); err != nil {
+ log.Printf("Error writing once file: %s\n", err)
+ exitCode |= 1
+ }
+ }
+
 return exitCode
 }
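Review bot: The `once` marker is written whenever `firstRun` is true regardless of `exitCode`, so if the first run fails to fetch or save an STH for some log, the next run treats that log as "New log" and scans it from index 0 — the multi-hour scan the commit message wants to avoid — assuming the per-log loop outside this hunk leaves no saved STH on failure. Gating the write on a clean run, `if firstRun && exitCode == 0 {`, keeps first-run semantics until every log has state; the trade-off is that a persistently failing log would postpone the marker indefinitely, so whichever behaviour is chosen deserves a one-line comment here. The `filepath.Join(stateDir, "once")` expression is now built in two places; a package-level constant for the file name or a small `onceFile(stateDir)` helper would keep them aligned.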