From d1519343d13f1d87c3b52ef953a8507b294e4936 Mon Sep 17 00:00:00 2001
From: Hossein Shafagh
Date: Wed, 7 Aug 2019 17:54:10 -0700
Subject: [PATCH] improving check revoked by only considering authorities which do support revocation and also only including not expired certs
---
 lemur/certificates/cli.py | 6 ++++--
 lemur/certificates/service.py | 19 +++++++++++++++++++
 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/lemur/certificates/cli.py b/lemur/certificates/cli.py
index b57ff175..e5e1191b 100644
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@@ -33,7 +33,7 @@ from lemur.certificates.service import (
 get_certificate_primitives,
 get_all_pending_reissue,
 get_by_name,
- get_all_certs,
+ get_all_valid_certs,
 get,
 )
@@ -467,7 +467,9 @@ def check_revoked():
 encounters an issue with verification it marks the certificate status as `unknown`.
 """
- for cert in get_all_certs():
+
+ certs = get_all_valid_certs(current_app.config.get("CHECK_REVOCATION_AUTHORITY_IDS", []))
+ for cert in certs:
 try:
 if cert.chain:
 status = verify_string(cert.body, cert.chain)
diff --git a/lemur/certificates/service.py b/lemur/certificates/service.py
index 5a65c383..bb714eb0 100644
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@@ -102,6 +102,25 @@ def get_all_certs():
 return Certificate.query.all()
+def get_all_valid_certs(authority_ids):
+ """
+ Retrieves all valid (not expired) certificates within Lemur, for the given authority_ids
+ ignored if no authority_ids provided.
+
+ :return:
+ """
+ if authority_ids:
+ return (
+ Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD"))
+ .filter(Certificate.authority_id.in_(authority_ids)).all()
+ )
+ else:
+ return (
+ Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD")).all()
+ )
+
+
+
 def get_all_pending_cleaning(source):
 """
 Retrieves all certificates that are available for cleaning.
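Review bot: The `[]` default on the new `current_app.config.get("CHECK_REVOCATION_AUTHORITY_IDS", [])` line makes an unset setting mean "check every non-expired certificate", which is the pre-patch behaviour rather than the restriction to revocation-capable authorities the commit title describes, so a missing or misspelled key silently widens the scan and keeps marking certificates from authorities without OCSP/CRL as `unknown`. Worth surfacing that instead of relying on the empty list, e.g. `if not authority_ids: current_app.logger.warning("CHECK_REVOCATION_AUTHORITY_IDS not set; checking all non-expired certificates")`, and stating the setting's meaning in the docstring that the hunk's first context lines close. Nothing visible here checks which authorities actually support revocation, so that mapping is presumably maintained by hand in the config and should be documented as such. check_revoked's body continues past the end of the hunk.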
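Review bot: The expiry cutoff `Certificate.not_after > arrow.now().format("YYYY-MM-DD")` compares the column against a local-time date string, so whether a certificate expiring today is included depends on the host's timezone and on the database coercing that string to `not_after`'s type; if the column holds UTC datetimes (X.509 notAfter is UTC), comparing against `arrow.utcnow()` directly is the safer form — confirm against how the column is written. The same filter is repeated in both branches of get_all_valid_certs; building the query once and adding the authority filter conditionally removes the duplication, and the docstring's empty `:return:` should say it returns a list of `Certificate` rows and document `authority_ids` (empty or None means all authorities). Note the query does not exclude certificates already marked revoked, which may be intended so a status can be re-verified, but is worth a comment either way.
```python
def get_all_valid_certs(authority_ids):
    # … docstring as described above: non-expired certs, optionally limited to authority_ids …
    # NOTE(review): arrow.now() is local time; confirm not_after is stored as UTC
    query = Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD"))
    if authority_ids:
        query = query.filter(Certificate.authority_id.in_(authority_ids))
    return query.all()
```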