improving check revoked by only considering authorities which do support revocation and also only including not expired certs

This commit is contained in:
Hossein Shafagh 2019-08-07 17:54:10 -07:00
parent bbc3bf513d
commit d1519343d1
2 changed files with 23 additions and 2 deletions

View File

@ -33,7 +33,7 @@ from lemur.certificates.service import (
get_certificate_primitives,
get_all_pending_reissue,
get_by_name,
get_all_certs,
get_all_valid_certs,
get,
)
@ -467,7 +467,9 @@ def check_revoked():
encounters an issue with verification it marks the certificate status
as `unknown`.
"""
for cert in get_all_certs():
certs = get_all_valid_certs(current_app.config.get("CHECK_REVOCATION_AUTHORITY_IDS", []))
for cert in certs:
try:
if cert.chain:
status = verify_string(cert.body, cert.chain)

View File

@ -102,6 +102,25 @@ def get_all_certs():
return Certificate.query.all()
def get_all_valid_certs(authority_ids):
"""
Retrieves all valid (not expired) certificates within Lemur, for the given authority_ids
ignored if no authority_ids provided.
:return:
"""
if authority_ids:
return (
Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD"))
.filter(Certificate.authority_id.in_(authority_ids)).all()
)
else:
return (
Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD")).all()
)
def get_all_pending_cleaning(source):
"""
Retrieves all certificates that are available for cleaning.