def check_revoked()

in lemur/certificates/cli.py [0:0]


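def check_revoked():
    """
    Refresh Lemur's cached revocation status for every currently valid certificate.

    Called periodically by Lemur. For each certificate issued by one of the
    authorities listed in ``SUPPORTED_REVOCATION_AUTHORITY_PLUGINS`` the
    function asks ``verify_string`` to consult both CRL and OCSP and records
    the outcome on the certificate:

    * ``"valid"``   -- the check completed and the certificate is not revoked
    * ``"revoked"`` -- the check completed and the certificate is revoked
    * ``"unknown"`` -- the check could not be completed (``verify_string``
      returned ``None`` for the status, or raised)

    Certificates created within the last day are skipped so that a freshly
    issued certificate the OCSP responder does not know about yet is not
    reported as an error. A failure on one certificate is sent to Sentry and
    logged but never aborts the run. The OCSP/CRL error totals and the number
    of certificates examined are emitted as gauges at the end.

    Returns:
        None. Results are persisted with ``database.update`` and reported
        through ``metrics`` and the application logger.
    """

    log_data = {
        "function": f"{__name__}.{sys._getframe().f_code.co_name}",
        "message": "Checking for revoked Certificates"
    }
    there_are_still_certs = True
    page = 1
    count = 1000
    ocsp_err_count = 0
    crl_err_count = 0
    certs = []
    while there_are_still_certs:
        # Only certs issued up to yesterday: a cert minted minutes ago may not be
        # known to the OCSP responder yet and would show up as a spurious error.
        certs = get_all_valid_certs(current_app.config.get("SUPPORTED_REVOCATION_AUTHORITY_PLUGINS", []),
                                    paginate=True, page=page, count=count,
                                    created_on_or_before=arrow.now().shift(days=-1))
        if len(certs) < count:
            # A short page is the last page; `page` is deliberately not advanced
            # so the final "checked" metric can be derived from it below.
            there_are_still_certs = False
        else:
            metrics.send(
                "certificate_revoked_progress",
                "counter",
                1,
                metric_tags={"page": page}
            )
            page += 1

        for cert in certs:
            try:
                # verify_string performs the OCSP and CRL lookups; a missing chain
                # is passed as an empty string rather than None.
                status, ocsp_err, crl_err = verify_string(cert.body, cert.chain or "")

                ocsp_err_count += ocsp_err
                crl_err_count += crl_err

                # NOTE(review): a None status overwrites whatever status the cert
                # carried before, including "revoked". If get_all_valid_certs can
                # return certs already marked revoked, a transient OCSP/CRL outage
                # would downgrade them to "unknown" on the next run -- confirm
                # against that query before relying on "revoked" being sticky.
                if status is None:
                    cert.status = "unknown"
                else:
                    cert.status = "valid" if status else "revoked"

                if cert.status == "revoked":
                    log_data["valid"] = cert.status
                    log_data["certificate_name"] = cert.name
                    log_data["certificate_id"] = cert.id
                    metrics.send(
                        "certificate_revoked",
                        "counter",
                        1,
                        metric_tags={"status": log_data["valid"],
                                 "certificate_name": log_data["certificate_name"],
                                 "certificate_id": log_data["certificate_id"]},
                    )
                    current_app.logger.info(log_data)

            except Exception as e:
                # Anything that prevents verification must not leave the cert
                # looking "valid": mark it "unknown". The cert identity is logged
                # so the failure can be correlated with a specific certificate
                # during triage (the bare exception text alone cannot be).
                capture_exception()
                current_app.logger.warning(
                    f"Revocation check failed for certificate {cert.name} (id={cert.id}): {e}"
                )
                cert.status = "unknown"

            try:
                database.update(cert)
            except Exception as e:
                # Persisting the new status is best-effort; the run continues,
                # but the stale cached status is called out with the cert identity.
                capture_exception()
                current_app.logger.warning(
                    f"Could not persist revocation status for certificate {cert.name} (id={cert.id}): {e}"
                )

    metrics.send(
        "certificate_revoked_ocsp_error",
        "gauge",
        ocsp_err_count,
    )
    metrics.send(
        "certificate_revoked_crl_error",
        "gauge",
        crl_err_count,
    )
    # `page` still points at the final (short) page, so the total is the
    # preceding full pages plus whatever that last page held.
    metrics.send(
        "certificate_revoked_checked",
        "gauge",
        (page - 1) * count + len(certs),
    )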