Optimized cert speed, testing etc.

module_utils/cert_utils.py

@@ -1,9 +1,16 @@
 #!/usr/bin/python
 
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+
 import os
 import subprocess
+import time
 
 class CertUtils:
+    _domain_cert_mapping = None
+    _cert_snapshot = None
+
     @staticmethod
     def run_openssl(cert_path):
         try:
@@ -40,12 +47,93 @@ class CertUtils:
 
     @staticmethod
     def matches(domain, san):
-        """Check if the SAN entry matches the domain according to wildcard rules."""
         if san.startswith('*.'):
             base = san[2:]
-            # Check if domain is direct subdomain (one label only)
-            if domain.count('.') == base.count('.') + 1 and domain.endswith('.' + base):
-                return True
+            # Wildcard does NOT cover the base domain itself
+            if domain == base:
+                return False
+            if domain.endswith('.' + base):
+                # Check if the domain has exactly one label more than the base
+                domain_labels = domain.split('.')
+                base_labels = base.split('.')
+                if len(domain_labels) == len(base_labels) + 1:
+                    return True
             return False
         else:
+            # Exact match required for non-wildcard SAN entries
             return domain == san
+
+
+    @classmethod
+    def build_snapshot(cls, cert_base_path):
+        snapshot = []
+        for cert_file in cls.list_cert_files(cert_base_path):
+            try:
+                stat = os.stat(cert_file)
+                snapshot.append((cert_file, stat.st_mtime, stat.st_size))
+            except FileNotFoundError:
+                continue
+        snapshot.sort()
+        return snapshot
+
+    @classmethod
+    def snapshot_changed(cls, cert_base_path):
+        current_snapshot = cls.build_snapshot(cert_base_path)
+        if cls._cert_snapshot != current_snapshot:
+            cls._cert_snapshot = current_snapshot
+            return True
+        return False
+
+    @classmethod
+    def refresh_cert_mapping(cls, cert_base_path, debug=False):
+        cert_files = cls.list_cert_files(cert_base_path)
+        mapping = {}
+        for cert_path in cert_files:
+            cert_text = cls.run_openssl(cert_path)
+            if not cert_text:
+                continue
+            sans = cls.extract_sans(cert_text)
+            folder = os.path.basename(os.path.dirname(cert_path))
+            for san in sans:
+                if san not in mapping:
+                    mapping[san] = folder
+        cls._domain_cert_mapping = mapping
+        if debug:
+            print(f"[DEBUG] Refreshed domain-to-cert mapping: {mapping}")
+
+    @classmethod
+    def ensure_cert_mapping(cls, cert_base_path, debug=False):
+        if cls._domain_cert_mapping is None or cls.snapshot_changed(cert_base_path):
+            cls.refresh_cert_mapping(cert_base_path, debug)
+
+    @classmethod
+    def find_cert_for_domain(cls, domain, cert_base_path, debug=False):
+        cls.ensure_cert_mapping(cert_base_path, debug)
+
+        exact_match = None
+        wildcard_match = None
+
+        for san, folder in cls._domain_cert_mapping.items():
+            if san == domain:
+                exact_match = folder
+                break
+            if san.startswith('*.'):
+                base = san[2:]
+                if domain.count('.') == base.count('.') + 1 and domain.endswith('.' + base):
+                    wildcard_match = folder
+
+        if exact_match:
+            if debug:
+                print(f"[DEBUG] Exact match for {domain} found in {exact_match}")
+            return exact_match
+
+        if wildcard_match:
+            if debug:
+                print(f"[DEBUG] Wildcard match for {domain} found in {wildcard_match}")
+            return wildcard_match
+
+        if debug:
+            print(f"[DEBUG] No certificate folder found for {domain}")
+
+        return None
+