Fix a few bugs in CRL handling.

- Don't write a CRL to the cache if the response code is above 399. (We
  were getting HTML files as CRLs, d'oh).
- Fix a kwarg in the CRL logger (extras -> extra).
- Set Kubernetes clusters to log output as JSON.

atst/domain/authnid/crl/__init__.py

@@ -33,7 +33,7 @@ class CRLInterface:
 
     def _log(self, message, level=logging.INFO):
         if self.logger:
-            self.logger.log(level, message, extras={"tags": ["authorization", "crl"]})
+            self.logger.log(level, message, extra={"tags": ["authorization", "crl"]})
 
     def crl_check(self, cert):
         raise NotImplementedError()

atst/domain/authnid/crl/util.py

@@ -4,6 +4,11 @@ import os
 import pendulum
 import requests
 
+
+class CRLNotFoundError(Exception):
+    pass
+
+
 MODIFIED_TIME_BUFFER = 15 * 60
 
 
@@ -54,9 +59,9 @@ CRL_LIST = [
     "http://crl.disa.mil/crl/DODEMAILCA_51.crl",
     "http://crl.disa.mil/crl/DODEMAILCA_52.crl",
     "http://crl.disa.mil/crl/DODEMAILCA_59.crl",
-    "http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA1.crl ",
+    "http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA1.crl",
-    "http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA2.crl ",
+    "http://crl.disa.mil/crl/DODINTEROPERABILITYROOTCA2.crl",
-    "http://crl.disa.mil/crl/USDODCCEBINTEROPERABILITYROOTCA1.crl ",
+    "http://crl.disa.mil/crl/USDODCCEBINTEROPERABILITYROOTCA1.crl",
     "http://crl.disa.mil/crl/USDODCCEBINTEROPERABILITYROOTCA2.crl",
     "http://crl.disa.mil/crl/DODNIPRINTERNALNPEROOTCA1.crl",
     "http://crl.disa.mil/crl/DODNPEROOTCA1.crl",
@@ -92,6 +97,9 @@ def write_crl(out_dir, target_dir, crl_location):
         options["headers"] = {"If-Modified-Since": mod_time}
 
     with requests.get(crl_location, **options) as response:
+        if response.status_code > 399:
+            raise CRLNotFoundError()
+
         if response.status_code == 304:
             return False
 
@@ -108,6 +116,15 @@ def remove_bad_crl(out_dir, crl_location):
     os.remove(crl)
 
 
+def log_error(logger, crl_location):
+    if logger:
+        logger.error(
+            "Error downloading {}, removing file and continuing anyway".format(
+                crl_location
+            )
+        )
+
+
 def refresh_crls(out_dir, target_dir, logger):
     for crl_location in CRL_LIST:
         logger.info("updating CRL from {}".format(crl_location))
@@ -117,13 +134,10 @@ def refresh_crls(out_dir, target_dir, logger):
             else:
                 logger.info("no updates for CRL from {}".format(crl_location))
         except requests.exceptions.ChunkedEncodingError:
-            if logger:
+            log_error(logger, crl_location)
-                logger.error(
-                    "Error downloading {}, removing file and continuing anyway".format(
-                        crl_location
-                    )
-                )
             remove_bad_crl(out_dir, crl_location)
+        except CRLNotFoundError:
+            log_error(logger, crl_location)
 
 
 if __name__ == "__main__":

k8s/aws/atst-envvars-configmap.yml

@@ -10,3 +10,4 @@ data:
   OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
   UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
   CRL_STORAGE_PROVIDER: CLOUDFILES
+  LOG_JSON: "true"

k8s/azure/atst-envvars-configmap.yml

@@ -10,3 +10,4 @@ data:
   OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
   UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
   CRL_STORAGE_PROVIDER: CLOUDFILES
+  LOG_JSON: "true"