improving check revoked by only considering authorities which do support revocation and also only including not expired certs

lemur/certificates/cli.py

@@ -33,7 +33,7 @@ from lemur.certificates.service import (
     get_certificate_primitives,
     get_all_pending_reissue,
     get_by_name,
-    get_all_certs,
+    get_all_valid_certs,
     get,
 )
 
@@ -467,7 +467,9 @@ def check_revoked():
     encounters an issue with verification it marks the certificate status
     as `unknown`.
     """
-    for cert in get_all_certs():
+
+    certs = get_all_valid_certs(current_app.config.get("CHECK_REVOCATION_AUTHORITY_IDS", []))
+    for cert in certs:
         try:
             if cert.chain:
                 status = verify_string(cert.body, cert.chain)

lemur/certificates/service.py

@@ -102,6 +102,25 @@ def get_all_certs():
     return Certificate.query.all()
 
 
+def get_all_valid_certs(authority_ids):
+    """
+    Retrieves all valid (not expired) certificates within Lemur, for the given authority_ids
+    ignored if no authority_ids provided.
+
+    :return:
+    """
+    if authority_ids:
+        return (
+            Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD"))
+            .filter(Certificate.authority_id.in_(authority_ids)).all()
+        )
+    else:
+        return (
+            Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD")).all()
+        )
+
+
+
 def get_all_pending_cleaning(source):
     """
     Retrieves all certificates that are available for cleaning.