From 331e28373121db47395368b140b6421f72df8b39 Mon Sep 17 00:00:00 2001
From: Tore Martin Hagen
Date: Wed, 25 Sep 2024 10:55:06 +0200
Subject: [PATCH] Added job to check if secrets have expired
---
 .github/workflows/secret-expire-check.yml | 38 ++++++++++++
 bin/check_secret_expire.sh | 72 +++++++++++++++++++++++
 2 files changed, 110 insertions(+)
 create mode 100644 .github/workflows/secret-expire-check.yml
 create mode 100755 bin/check_secret_expire.sh
diff --git a/.github/workflows/secret-expire-check.yml b/.github/workflows/secret-expire-check.yml
new file mode 100644
index 00000000..7e2ca155
--- /dev/null
+++ b/.github/workflows/secret-expire-check.yml
@@ -0,0 +1,38 @@
+name: Daily Check to see if any secrets will expire soon
+
+on:
+ workflow_dispatch:
+ schedule: # At 04:00 every morning
+ - cron: '0 04 * * *'
+
+
+jobs:
+ secret-expire-check:
+ runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Run check if any secrets will expire within next month
+ id: secrete-expire-check-month
+ run: |
+ ./bin/check_secret_expire.sh $(date -d "+1 month" +"%Y-%m-%d")
+
+ - name: Slack Notification on Failure
+ if: ${{ failure() }}
+ uses: rtCamp/action-slack-notify@v2
+ env:
+ SLACK_CHANNEL: ${{ secrets.MERKELY_SLACK_CI_FAILURES_CHANNEL }}
+ SLACK_WEBHOOK: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }}
+ SLACK_USERNAME: GithubActions
+ SLACK_COLOR: ${{ job.status }}
+ SLACKIFY_MARKDOWN: true
+ SLACK_TITLE: Secret has expired
+ SLACK_MESSAGE: "Some secrets in `cli` is about to or has expired. Please check the \
+ [log](${{ github.event.repository.html_url }}/actions/runs/${{ github.run_id }}) \
+ for more details."
+ SLACK_FOOTER:
diff --git a/bin/check_secret_expire.sh b/bin/check_secret_expire.sh
new file mode 100755
index 00000000..09989940
--- /dev/null
+++ b/bin/check_secret_expire.sh
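Review bot: The job's `permissions` block grants more than its two steps use: `id-token: write` only matters for an OIDC token exchange and `contents: write` only for pushing, yet the job just checks out the repository and runs `./bin/check_secret_expire.sh`, so `contents: read` is sufficient and `id-token` can be dropped — unless the script is meant to fetch cloud credentials later, which nothing in this hunk shows. I would reduce the block to `permissions:` / `  contents: read`. Separately, `rtCamp/action-slack-notify@v2` is a moving tag and that step receives the `SLACK_WEBHOOK` secret; pinning it to a full commit SHA (tag kept in a trailing comment) keeps an upstream tag move from changing which code sees that secret. Minor: the step id `secrete-expire-check-month` is misspelled, and `SLACK_TITLE: Secret has expired` does not match a check that fires a month ahead.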
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeu
+
+SCRIPT_NAME=check_secret_expire.sh
+ROOT_DIR=$(dirname $(readlink -f $0))/..
+NOW_DATE=$(date +%Y-%m-%d)
+
+print_help()
+{
+ cat < [yyyy-mm-dd]
+
+Will search all txt-files in secrets directory to see if any of them
+has a secret that has expired. You can specify a date if you want to
+know if something expires in the future
+
+Options are:
+ -h Print this help menu
+EOF
+}
+
+check_arguments()
+{
+ while getopts "h" opt; do
+ case $opt in
+ h)
+ print_help
+ exit 1
+ ;;
+ \?)
+ echo "Invalid option: -$OPTARG" >&2
+ exit 1
+ ;;
+ esac
+ done
+
+ # Remove options from command line
+ shift $((OPTIND-1))
+
+ if [ $# -eq 1 ]; then
+ NOW_DATE=$1; shift
+ fi
+}
+
+echo_if_secret_expired()
+{
+ local file=$1; shift
+ local now_date=$1; shift
+ local expire_date now_sec expire_sec
+ expire_date=$(grep "secret-expire:" ${file} | sed "s/secret-expire: *//")
+
+ if [[ ! "${now_date}" < "${expire_date}" ]]; then
+ grep "secret-name:" ${file} | sed "s/secret-name: */ /" | tr '\n' ' '
+ grep "secret-expire:" ${file}
+ return 1
+ fi
+ return 0
+}
+
+main()
+{
+ check_arguments "$@"
+ local file
+ local result=0
+ echo "The following is a list of secrets in 'secrets/*txt' which will have expired on ${NOW_DATE}"
+ for file in ${ROOT_DIR}/secrets/*txt; do
+ echo_if_secret_expired ${file} ${NOW_DATE} || result=1
+ done
+ return $result
+}
+
+main "$@"
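Review bot: `echo_if_secret_expired` compares `now_date` and `expire_date` as plain strings, and nothing checks that either value is actually `yyyy-mm-dd`: a `secret-expire:` value written as `2025-9-5` or `05/09/2025` sorts lexically, so an already-expired secret can silently pass, and because `set -Eeu` has no `pipefail` the pipeline's status is sed's, so a file with no `secret-expire:` line yields an empty `expire_date` that is then printed as "expired" with no date instead of being flagged as malformed. Validating the extracted value with a regex before the comparison turns both cases into an explicit, named failure; the same check belongs on the positional date in `check_arguments`. While there, quote `$0`, `${file}` and `${ROOT_DIR}` and pass `--` to grep (ShellCheck SC2086), and drop the unused locals `now_sec expire_sec`. The usage line of `print_help` reads `cat < [yyyy-mm-dd]` in this rendering, which looks like an artifact of the page rather than the committed heredoc.
```shell
echo_if_secret_expired()
{
  local file=$1; shift
  local now_date=$1; shift
  local expire_date
  expire_date=$(grep -- "secret-expire:" "${file}" | sed "s/secret-expire: *//")
  # The lexical comparison below is only meaningful for yyyy-mm-dd; anything
  # else (missing field, other format, several lines) is an error, not a pass
  if [[ ! "${expire_date}" =~ ^[0-9]{4}-[0-9]{2}-[0-9]{2}$ ]]; then
    printf '%s: missing or malformed secret-expire (expected yyyy-mm-dd)\n' "${file}" >&2
    return 1
  fi
  # … unchanged: comparison with now_date and reporting of the expired entry, with "${file}" quoted …
}
```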