From: Michael Friedrich <michael.friedrich@icinga.com>
Date: Tue, 9 Oct 2018 15:40:04 +0000 (+0200)
Subject: CLI: 'ca list' now lists pending CSRs by default, add '--all' parameter
X-Git-Tag: v2.11.0-rc1~101^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=refs%2Fpull%2F7026%2Fhead;p=icinga2

CLI: 'ca list' now lists pending CSRs by default, add '--all' parameter

https://puppet.com/docs/puppet/5.5/man/cert.html
---

diff --git a/doc/06-distributed-monitoring.md b/doc/06-distributed-monitoring.md
index 58730420b..f1697ae37 100644
--- a/doc/06-distributed-monitoring.md
+++ b/doc/06-distributed-monitoring.md
@@ -417,13 +417,21 @@ Disadvantages:
 * Needs client verification on the master.
 
 
-You can list certificate requests by using the `ca list` CLI command. This also shows
-which requests already have been signed.
+You can list pending certificate signing requests with the `ca list` CLI command.
 
 ```
 [root@icinga2-master1.localdomain /]# icinga2 ca list
 Fingerprint                                                      | Timestamp           | Signed | Subject
 -----------------------------------------------------------------|---------------------|--------|--------
+71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 |        | CN = icinga2-client2.localdomain
+```
+
+In order to show all requests, use the `--all` parameter.
+
+```
+[root@icinga2-master1.localdomain /]# icinga2 ca list --all
+Fingerprint                                                      | Timestamp           | Signed | Subject
+-----------------------------------------------------------------|---------------------|--------|--------
 403da5b228df384f07f980f45ba50202529cded7c8182abf96740660caa09727 | 2017/09/06 17:02:40 | *      | CN = icinga2-client1.localdomain
 71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 |        | CN = icinga2-client2.localdomain
 ```
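Review bot: The default `icinga2 ca list` example still prints the `Signed` column, which is always empty in that mode, and the rewritten text no longer explains what the column means. Suggest adding a sentence beside the `--all` example stating that `*` in the `Signed` column marks requests that have already been signed, and repeating the note from the upgrading docs that signed requests older than 1 week are purged, so an operator auditing the CA does not read `--all` as a complete record of everything that was ever signed.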
diff --git a/doc/11-cli-commands.md b/doc/11-cli-commands.md
index 883dd3995..4cbfb8659 100644
--- a/doc/11-cli-commands.md
+++ b/doc/11-cli-commands.md
@@ -205,6 +205,42 @@ Report bugs at <https://github.com/Icinga/icinga2>
 Icinga home page: <https://icinga.com/>
 ```
 
+
+### CLI command: Ca List <a id="cli-command-ca-list"></a>
+
+```
+icinga2 ca list --help
+icinga2 - The Icinga 2 network monitoring daemon (version: v2.11.0)
+
+Usage:
+  icinga2 ca list [<arguments>]
+
+Lists pending certificate signing requests.
+
+Global options:
+  -h [ --help ]             show this help message
+  -V [ --version ]          show version information
+  --color                   use VT100 color codes even when stdout is not a
+                            terminal
+  -D [ --define ] arg       define a constant
+  -I [ --include ] arg      add include search directory
+  -x [ --log-level ] arg    specify the log level for the console log.
+                            The valid value is either debug, notice,
+                            information (default), warning, or critical
+  -X [ --script-debugger ]  whether to enable the script debugger
+
+Command options:
+  --all                     List all certificate signing requests, including
+                            signed. Note: Old requests are automatically
+                            cleaned by Icinga after 1 week.
+  --json                    encode output as JSON
+
+Report bugs at <https://github.com/Icinga/icinga2>
+Get support: <https://icinga.com/support/>
+Documentation: <https://icinga.com/docs/>
+Icinga home page: <https://icinga.com/>
+```
+
 ## CLI command: Console <a id="cli-command-console"></a>
 
 The CLI command `console` can be used to debug and evaluate Icinga 2 config expressions,
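Review bot: The new heading `### CLI command: Ca List` is one level deeper than the following `## CLI command: Console`, and it writes "Ca" where the upgrading notes in this same patch write "CA List". If it is meant as a subsection of the preceding command's section, keep the level but add a short introductory sentence like the other sections have; otherwise use `##`. In either case spell it "CA List" for consistency.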
diff --git a/doc/16-upgrading-icinga-2.md b/doc/16-upgrading-icinga-2.md
index 5b2ba51a9..d8d9ac221 100644
--- a/doc/16-upgrading-icinga-2.md
+++ b/doc/16-upgrading-icinga-2.md
@@ -89,6 +89,8 @@ This value also is available in the [ido](10-icinga-template-library.md#itl-icin
 
 ### CLI Commands <a id="upgrading-to-2-11-cli-commands"></a>
 
+#### Permissions <a id="upgrading-to-2-11-cli-commands-permissions"></a>
+
 CLI commands such as `api setup`, `node wizard/setup`, `feature enable/disable/list`
 required root permissions previously. Since the file permissions allow
 the Icinga user to change things already, and users kept asking to
@@ -103,6 +105,13 @@ user has the capabilities to change to a different user.
 If you still encounter problems, run the aforementioned CLI commands as root,
 or with sudo.
 
+#### CA List Behaviour Change <a id="upgrading-to-2-11-cli-commands-ca-list"></a>
+
+`ca list` only shows the pending certificate signing requests by default.
+
+You can use the new `--all` parameter to show all signing requests.
+Note that Icinga automatically purges signed requests older than 1 week.
+
 ### Configuration <a id="upgrading-to-2-11-configuration"></a>
 
 The deprecated `concurrent_checks` attribute in the [checker feature](09-object-types.md#objecttype-checkercomponent)
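Review bot: The purge note in the new "CA List Behaviour Change" section says Icinga "purges signed requests older than 1 week", while the `--all` help text added elsewhere in this patch says "Old requests are automatically cleaned by Icinga after 1 week". These two statements disagree on whether pending requests are also removed. Pick the wording that matches the actual cleanup behaviour and use it in both places, since admins who approve requests manually need to know whether an unsigned CSR can disappear before they review it.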
diff --git a/lib/cli/calistcommand.cpp b/lib/cli/calistcommand.cpp
index 509d0a91d..829086b98 100644
--- a/lib/cli/calistcommand.cpp
+++ b/lib/cli/calistcommand.cpp
@@ -16,20 +16,20 @@ REGISTER_CLICOMMAND("ca/list", CAListCommand);
 
 String CAListCommand::GetDescription() const
 {
-	return "Lists all certificate signing requests.";
+	return "Lists pending certificate signing requests.";
 }
 
 String CAListCommand::GetShortDescription() const
 {
-	return "lists all certificate signing requests";
+	return "lists pending certificate signing requests";
 }
 
 void CAListCommand::InitParameters(boost::program_options::options_description& visibleDesc,
 	boost::program_options::options_description& hiddenDesc) const
 {
 	visibleDesc.add_options()
-		("json", "encode output as JSON")
-	;
+		("all", "List all certificate signing requests, including signed. Note: Old requests are automatically cleaned by Icinga after 1 week.")
+		("json", "encode output as JSON");
 }
 
 /**
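Review bot: In `InitParameters`, the `all` description is a capitalized, two-sentence string, while the neighbouring `json` description is a short lowercase fragment, so the generated help output mixes styles. Suggest shortening it to something like "list all certificate signing requests, including signed" and leaving the cleanup note to the documentation. Moving the terminating `;` up onto the `("json", ...)` line is also an unrelated style change; keeping it on its own line keeps the next option addition a one-line diff.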
@@ -52,6 +52,10 @@ int CAListCommand::Run(const boost::program_options::variables_map& vm, const st
 		for (auto& kv : requests) {
 			Dictionary::Ptr request = kv.second;
 
+			/* Skip signed requests by default. */
+			if (!vm.count("all") && request->Contains("cert_response"))
+				continue;
+
 			std::cout << kv.first
 				<< " | "
 /*			    << Utility::FormatDateTime("%Y/%m/%d %H:%M:%S", request->Get("timestamp")) */
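Review bot: The `!vm.count("all") && request->Contains("cert_response")` filter is added only inside the loop that writes table rows to `std::cout`, and this is the only hunk touching `Run`, so nothing visible here applies the same filter to the `--json` output. Please confirm that `ca list --json` without `--all` also omits signed requests, or document that JSON output always contains every request; otherwise scripts that consume the JSON and the table will disagree about what is pending. A test covering both output modes with one signed and one unsigned request would pin this down.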