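# Audits the key cache against the configured key policy and reports every
# finding to @parent.log at LOG_WARNING. Nothing is raised or returned for a
# finding; the log is the only output of the first two checks.
#
# Checks performed:
# 1. For each configured ZSK policy, the number of prepublished ZSKs with the
#    same algorithm and key length must be at least the policy's `standby`.
# 2. For each key in use, the time in use must not exceed the longest
#    lifetime among the matching configured policies plus @enforcer_interval.
#    A key first seen before the latest recorded change to its matching
#    policy group is skipped.
# 3. If the configuration has an audit tag, the in-use key history check runs.
#
# @param key_ttl passed through unchanged to check_inuse_keys_history; not
#   otherwise used here.
def run_checks(key_ttl)
  # Sample the clock once so the threshold test and the age reported in the
  # message always agree, even when the run crosses a second boundary.
  now = Time.now.to_i

  @config.keys.zsks.each do |zsk|
    prepublished_zsk_count = @cache.prepublished.keys.count do |k|
      k.zone_key? && !k.sep_key? && (k.algorithm == zsk.algorithm) &&
        (k.key_length == zsk.alg_length)
    end
    next unless prepublished_zsk_count < zsk.standby

    msg = "Not enough prepublished ZSKs! Should be #{zsk.standby} but have #{prepublished_zsk_count}"
    @parent.log(LOG_WARNING, msg)
  end

  @cache.inuse.each do |key, time|
    timestamp = time[0]
    first_timestamp = time[1]

    # Policy groups from the changed configuration with this key's algorithm
    # and length. Only the SEP flag decides which list is consulted here.
    changed_groups = key.sep_key? ? @config.changed_config.ksks : @config.changed_config.zsks
    possible_groups = changed_groups.select do |g|
      (g.algorithm == key.algorithm) && (g.alg_length == key.key_length)
    end

    # Latest change time among the matching groups; 0 means no change recorded.
    # NOTE(review): a key that matches no group falls straight through to the
    # lifetime check below. The original held an empty conditional at this
    # point comparing changed_config.kasp_timestamp with first_timestamp; it
    # had no effect and is dropped. It was presumably a placeholder for
    # reporting in-use keys that no policy group accounts for - confirm
    # whether that report is still wanted.
    policy_changed_time = possible_groups.map(&:timestamp).push(0).max
    next if policy_changed_time > 0 && first_timestamp < policy_changed_time

    # Anything that is not a zone key without the SEP flag is audited against
    # the KSK policies, as in the original else-branch.
    is_zsk = key.zone_key? && !key.sep_key?
    configured = is_zsk ? @config.keys.zsks : @config.keys.ksks
    matching = configured.select do |policy|
      (policy.algorithm == key.algorithm) && (policy.alg_length == key.key_length)
    end
    next if matching.empty?

    # The longest matching lifetime (never below 0) plus one enforcer interval.
    lifetime = matching.map(&:lifetime).push(0).max + @enforcer_interval
    next unless timestamp < (now - lifetime)

    age = now - timestamp
    msg = if is_zsk
            "ZSK #{key.key_tag} in use too long - should be max #{lifetime} seconds but has been #{age} seconds"
          else
            "KSK #{key.key_tag} reaching end of lifetime - should be max #{lifetime} seconds but has been #{age} seconds, not including time taken for DS to be seen"
          end
    @parent.log(LOG_WARNING, msg)
  end

  check_inuse_keys_history(key_ttl) if @config.audit_tag_present
end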