improving check revoked by only considering authorities which do support revocation and also only including not expired certs

2019-08-07 17:54:10 -07:00 · 2019-08-07 17:54:10 -07:00 · d1519343d1
parent bbc3bf513d
commit d1519343d1
2 changed files with 23 additions and 2 deletions
--- a/lemur/certificates/cli.py
+++ b/lemur/certificates/cli.py
@ -33,7 +33,7 @@ from lemur.certificates.service import (
    get_certificate_primitives,
    get_all_pending_reissue,
    get_by_name,
-    get_all_certs,
+    get_all_valid_certs,
    get,
 )

@ -467,7 +467,9 @@ def check_revoked():
    encounters an issue with verification it marks the certificate status
    as `unknown`.
    """
-    for cert in get_all_certs():
+
+    certs = get_all_valid_certs(current_app.config.get("CHECK_REVOCATION_AUTHORITY_IDS", []))
+    for cert in certs:
        try:
            if cert.chain:
                status = verify_string(cert.body, cert.chain)
--- a/lemur/certificates/service.py
+++ b/lemur/certificates/service.py
@ -102,6 +102,25 @@ def get_all_certs():
    return Certificate.query.all()


+def get_all_valid_certs(authority_ids):
+    """
+    Retrieves all valid (not expired) certificates within Lemur, for the given authority_ids
+    ignored if no authority_ids provided.
+
+    :return:
+    """
+    if authority_ids:
+        return (
+            Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD"))
+            .filter(Certificate.authority_id.in_(authority_ids)).all()
+        )
+    else:
+        return (
+            Certificate.query.filter(Certificate.not_after > arrow.now().format("YYYY-MM-DD")).all()
+        )
+
+
+
 def get_all_pending_cleaning(source):
    """
    Retrieves all certificates that are available for cleaning.