in kinto-remote-settings/src/kinto_remote_settings/signer/backends/autograph.py [0:0]
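def healthcheck(self, request):
    """Report how close the Autograph server certificate is to expiring.

    The check is skipped when ``self.server_url`` does not start with
    ``"https"``. Otherwise the certificate returned by ``fetch_cert`` is
    inspected and the outcome is written to ``logger``; nothing is returned
    and no exception is raised by the expiry check itself.

    Settings read from ``request.registry.settings`` (each coerced with
    ``int``, so a non-numeric value raises ``ValueError``):

    * ``signer.heartbeat_certificate_percentage_remaining_validity``
      (default 5): share of the certificate lifespan, in percent, used to
      derive the alert threshold.
    * ``signer.heartbeat_certificate_min_remaining_days`` (default 10):
      lower bound of the alert threshold, in days.
    * ``signer.heartbeat_certificate_max_remaining_days`` (default 30):
      upper bound of the alert threshold, in days.

    Args:
        request: object exposing ``registry.settings`` with a ``get`` method.

    Returns:
        None.
    """
    if not self.server_url.startswith("https"):
        # No certificate to check if not connected via HTTPs.
        return

    settings = request.registry.settings
    percentage_remaining_validity = int(
        settings.get(
            "signer.heartbeat_certificate_percentage_remaining_validity", 5
        )
    )
    min_remaining_days = int(
        settings.get("signer.heartbeat_certificate_min_remaining_days", 10)
    )
    max_remaining_days = int(
        settings.get("signer.heartbeat_certificate_max_remaining_days", 30)
    )

    # Check the server certificate validity.
    # NOTE(review): only the validity dates are examined here. Whether
    # fetch_cert verifies the chain or the hostname is not visible from this
    # method -- confirm before treating a quiet healthcheck as proof that the
    # TLS endpoint is trustworthy.
    cert = fetch_cert(self.server_url)
    # The timestamps are tagged as UTC without conversion, so they are
    # presumably naive UTC datetimes -- TODO confirm against fetch_cert.
    start = cert.not_valid_before.replace(tzinfo=datetime.timezone.utc)
    end = cert.not_valid_after.replace(tzinfo=datetime.timezone.utc)
    utcnow = datetime.datetime.now(datetime.timezone.utc)
    # timedelta.days floors, so a certificate that expired an hour ago
    # yields -1 and one that expires later today yields 0.
    remaining_days = (end - utcnow).days
    lifespan = (end - start).days

    # The minimum remaining days depends on the certificate lifespan.
    relative_minimum = lifespan * percentage_remaining_validity / 100
    # We don't want to alert too much in advance, nor too late, hence we
    # bound it. If the configured minimum exceeds the maximum, the maximum
    # wins.
    clamped_minimum = int(
        min(max_remaining_days, max(min_remaining_days, relative_minimum))
    )

    if end <= utcnow:
        # An expired certificate used to be reported as "Only -N days before
        # ... expires" at warning level; state the failure explicitly so it
        # cannot be mistaken for an early reminder.
        logger.error("Autograph certificate expired on %s", end)
    elif remaining_days <= clamped_minimum:
        msg = "Only %s days before Autograph certificate expires (%s)"
        logger.warning(msg, remaining_days, end)

    # Lazy %-args, consistent with the warning call above; the rendered text
    # is the same as before.
    logger.info(
        "Certificate lasts %s days and ends in %s days (%s days before alert).",
        lifespan,
        remaining_days,
        remaining_days - clamped_minimum,
    )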