From 720859efb6f339024d7889b7bb12511b686ebf10 Mon Sep 17 00:00:00 2001
From: Montana
Date: Mon, 4 Mar 2019 10:59:20 -0500
Subject: [PATCH] Ugly implementation for CRLInvalidException
---
 atst/domain/authnid/crl/__init__.py | 12 +++++++++++-
 tests/domain/authnid/test_crl.py | 17 ++++++++++++++++-
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/atst/domain/authnid/crl/__init__.py b/atst/domain/authnid/crl/__init__.py
index 937a2db1..82dc4896 100644
--- a/atst/domain/authnid/crl/__init__.py
+++ b/atst/domain/authnid/crl/__init__.py
@@ -16,6 +16,12 @@ class CRLRevocationException(Exception):
 pass
+class CRLInvalidException(Exception):
+ # CRL expired
+ # CRL missing
+ pass
+
+
 class CRLInterface:
 def __init__(self, *args, logger=None, **kwargs):
 self.logger = logger
@@ -111,7 +117,7 @@ class CRLCache(CRLInterface):
 issuer_name = get_common_name(issuer)
 if not crl_info:
- raise CRLRevocationException(
+ raise CRLInvalidException(
 "Could not find matching CRL for issuer with Common Name {}".format(
 issuer_name
 )
@@ -170,6 +176,10 @@ class CRLCache(CRLInterface):
 return True
 except crypto.X509StoreContextError as err:
+ if (
+ err.args[0][2] == "CRL has expired"
+ ): # there has to be a better way than this
+ raise CRLInvalidException("CRL expired. Args: {}".format(err.args))
 raise CRLRevocationException(
 "Certificate revoked or errored. Error: {}. Args: {}".format(
 type(err), err.args
diff --git a/tests/domain/authnid/test_crl.py b/tests/domain/authnid/test_crl.py
index c385c4bb..c51e9a2a 100644
--- a/tests/domain/authnid/test_crl.py
+++ b/tests/domain/authnid/test_crl.py
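Review bot: `CRLInvalidException` is declared as a sibling of `CRLRevocationException` rather than a subclass, so any existing `except CRLRevocationException` handler in callers (not visible here) stops catching the missing-CRL case that the `@@ -111,7 +117,7` hunk now raises as `CRLInvalidException`; if that handler is what denies access on a CRL failure, the new exception would surface unhandled instead, which should be confirmed at the call site before this merges. Declaring it as `class CRLInvalidException(CRLRevocationException):` keeps those handlers fail-closed while still letting new code tell the two apart. The two `#` lines in the class body would read better as a docstring, e.g. `"""Raised when no usable CRL is available for the issuer (missing or expired)."""`.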
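Review bot: `err.args[0][2] == "CRL has expired"` in the `@@ -170,6 +176,10` hunk assumes `args[0]` is a three-element sequence; if the error payload has a different shape the comparison raises `IndexError`/`TypeError` out of the `except` block and the `CRLRevocationException` below is never reached, so callers that key their fail-closed handling on that type get an unrelated error instead. Matching on the human-readable message is also brittle across OpenSSL releases; the first element of `args[0]` appears to be the numeric verify error code, and comparing that against `X509_V_ERR_CRL_HAS_EXPIRED` (defined in OpenSSL's x509_vfy.h; check whether the `crypto` module exposes it, otherwise define it locally with a comment naming the source) is the more stable test. A guarded form keeps the fallthrough intact: `detail = err.args[0] if err.args else ()` / `if len(detail) > 2 and detail[2] == "CRL has expired":`. The closing lines of this `except` block continue outside the hunk.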
@@ -12,7 +12,12 @@ from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.x509.oid import NameOID
-from atst.domain.authnid.crl import CRLCache, CRLRevocationException, NoOpCRLCache
+from atst.domain.authnid.crl import (
+ CRLCache,
+ CRLRevocationException,
+ CRLInvalidException,
+ NoOpCRLCache,
+)
 from tests.mocks import FIXTURE_EMAIL_ADDRESS, DOD_CN
@@ -233,6 +238,16 @@ def test_no_op_crl_cache_logs_common_name():
 assert "ART.GARFUNKEL.1234567890" in logger.messages[-1]
+def test_expired_crl_raises_CRLInvalidException(
+ ca_file, expired_crl_file, ca_key, make_x509
+):
+ client_cert = make_x509(rsa_key(), signer_key=ca_key, cn="chewbacca")
+ client_pem = client_cert.public_bytes(Encoding.PEM)
+ crl_cache = CRLCache(ca_file, crl_locations=[expired_crl_file])
+ with pytest.raises(CRLInvalidException):
+ crl_cache.crl_check(client_pem)
+
+
 def test_updates_expired_certs(ca_file, expired_crl_file, crl_file, ca_key, make_x509):
 """
 Given a CRLCache object with an expired CRL and a function for updating the
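Review bot: `test_expired_crl_raises_CRLInvalidException` mixes the CamelCase exception name into an otherwise snake_case test name, unlike the neighbouring `test_no_op_crl_cache_logs_common_name` and `test_updates_expired_certs`; `test_expired_crl_raises_crl_invalid_exception` keeps the file's convention. The `ca_file`, `expired_crl_file`, `ca_key` and `make_x509` fixtures and the `rsa_key` helper are defined outside the hunk, so whether the expired CRL really covers the test certificate's issuer (rather than the check failing for a different reason) cannot be confirmed from here; a one-line comment on the test stating that `expired_crl_file` is issued by `ca_file`'s CA would make that dependency explicit.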