Ugly implementation for CRLInvalidException

2019-03-04 10:59:20 -05:00 · 2019-03-04 10:59:20 -05:00 · 720859efb6
commit 720859efb6
parent 5f30b347c7
2 changed files with 27 additions and 2 deletions
--- a/atst/domain/authnid/crl/init.py
+++ b/atst/domain/authnid/crl/init.py
@ -16,6 +16,12 @@ class CRLRevocationException(Exception):
    pass


+class CRLInvalidException(Exception):
+    # CRL expired
+    # CRL missing
+    pass
+
+
 class CRLInterface:
    def __init__(self, *args, logger=None, **kwargs):
        self.logger = logger
@ -111,7 +117,7 @@ class CRLCache(CRLInterface):
        issuer_name = get_common_name(issuer)

        if not crl_info:
-            raise CRLRevocationException(
+            raise CRLInvalidException(
                "Could not find matching CRL for issuer with Common Name {}".format(
                    issuer_name
                )
@ -170,6 +176,10 @@ class CRLCache(CRLInterface):
            return True

        except crypto.X509StoreContextError as err:
+            if (
+                err.args[0][2] == "CRL has expired"
+            ):  # there has to be a better way than this
+                raise CRLInvalidException("CRL expired. Args: {}".format(err.args))
            raise CRLRevocationException(
                "Certificate revoked or errored. Error: {}. Args: {}".format(
                    type(err), err.args
--- a/tests/domain/authnid/test_crl.py
+++ b/tests/domain/authnid/test_crl.py
@ -12,7 +12,12 @@ from cryptography.hazmat.primitives.asymmetric import rsa
 from cryptography.hazmat.primitives.serialization import Encoding
 from cryptography.x509.oid import NameOID

-from atst.domain.authnid.crl import CRLCache, CRLRevocationException, NoOpCRLCache
+from atst.domain.authnid.crl import (
+    CRLCache,
+    CRLRevocationException,
+    CRLInvalidException,
+    NoOpCRLCache,
+)

 from tests.mocks import FIXTURE_EMAIL_ADDRESS, DOD_CN

@ -233,6 +238,16 @@ def test_no_op_crl_cache_logs_common_name():
    assert "ART.GARFUNKEL.1234567890" in logger.messages[-1]


+def test_expired_crl_raises_CRLInvalidException(
+    ca_file, expired_crl_file, ca_key, make_x509
+):
+    client_cert = make_x509(rsa_key(), signer_key=ca_key, cn="chewbacca")
+    client_pem = client_cert.public_bytes(Encoding.PEM)
+    crl_cache = CRLCache(ca_file, crl_locations=[expired_crl_file])
+    with pytest.raises(CRLInvalidException):
+        crl_cache.crl_check(client_pem)
+
+
 def test_updates_expired_certs(ca_file, expired_crl_file, crl_file, ca_key, make_x509):
    """
    Given a CRLCache object with an expired CRL and a function for updating the