Report the certificate expiration as a prometheus metric.

.gitignore

@@ -7,5 +7,6 @@ _trial_temp*
 
 /.idea
 /.eggs
+/*.egg-info
 /build
 /dist

changelog.d/106.feature

@@ -0,0 +1 @@
+Report the APNs certificate expiry as a prometheus metric.

setup.py

@@ -39,6 +39,7 @@ def read(fname):
  "Twisted>=19.2.1",
  "prometheus_client>=0.7.0,<0.8",
  "aioapns>=1.7",
+ "cryptography>=2.1.4",
  "pyyaml>=5.1.1",
  "service_identity>=18.1.0",
  "jaeger-client>=4.0.0",

sygnal/apnspushkin.py

@@ -16,12 +16,15 @@
 # limitations under the License.
 import asyncio
 import base64
+from datetime import timezone
 import logging
 import os
 from uuid import uuid4
 
 import aioapns
 from aioapns import APNs, NotificationRequest
+from cryptography.hazmat.backends import default_backend
+from cryptography.x509 import load_pem_x509_certificate
 from opentracing import logs, tags
 from prometheus_client import Histogram, Counter, Gauge
 from twisted.internet.defer import Deferred
@@ -51,6 +54,12 @@
  labelnames=["pushkin", "code"],
 )
 
+CERTIFICATE_EXPIRATION_GAUGE = Gauge(
+ "sygnal_client_cert_expiry",
+ "The expiry date of the client certificate in seconds since the epoch",
+ labelnames=["pushkin"],
+)
+
 
 class ApnsPushkin(Pushkin):
  """
@@ -112,10 +121,10 @@ def __init__(self, name, sygnal, config):
  if not self.get_config("topic"):
  raise PushkinSetupException("You must supply topic.")
 
- if self.get_config("certfile") is not None:
- self.apns_client = APNs(
- client_cert=self.get_config("certfile"), use_sandbox=self.use_sandbox
- )
+ if certfile is not None:
+ self.apns_client = APNs(client_cert=certfile, use_sandbox=self.use_sandbox)
+
+ self._report_certificate_expiration(certfile)
  else:
  self.apns_client = APNs(
  key=self.get_config("keyfile"),
@@ -128,6 +137,17 @@ def __init__(self, name, sygnal, config):
  # without this, aioapns will retry every second forever.
  self.apns_client.pool.max_connection_attempts = 3
 
+ def _report_certificate_expiration(self, certfile):
+ """Export the epoch time that the certificate expires as a metric."""
+ with open(certfile, "rb") as f:
+ cert_bytes = f.read()
+
+ cert = load_pem_x509_certificate(cert_bytes, default_backend())
+ # Report the expiration time as seconds since the epoch (in UTC time).
+ CERTIFICATE_EXPIRATION_GAUGE.labels(pushkin=self.name).set(
+ cert.not_valid_after.replace(tzinfo=timezone.utc).timestamp()
+ )
+
  async def _dispatch_request(self, log, span, device, shaved_payload, prio):
  """
  Actually attempts to dispatch the notification once.

tests/test_apns.py

@@ -34,6 +34,8 @@ def setUp(self):
 
  # pretend our certificate exists
  patch("os.path.exists", lambda x: x == TEST_CERTFILE_PATH).start()
+ # Since no certificate exists, don't try to read it.
+ patch("sygnal.apnspushkin.ApnsPushkin._report_certificate_expiration").start()
  self.addCleanup(patch.stopall)
 
  super(ApnsTestCase, self).setUp()