Merge pull request #17 from pvarki/issue-16

Make sure CRL is up-to-date
pvarki · Apr 19, 2024 · 0c5d4bf · 0c5d4bf
2 parents 8e5188f + 151dafb
commit 0c5d4bf
Show file tree

Hide file tree

Showing 7 changed files with 25 additions and 8 deletions.
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.0.3
+current_version = 1.0.4
 commit = False
 tag = False
 

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -50,8 +50,9 @@ jobs:
       runs-on: ubuntu-latest
       steps:
       - uses: actions/checkout@v4
+      - run: mkdir -p /tmp/ca_public && touch /tmp/ca_public/crl.der
       - run: docker build --target ocsprest -t rasenmaeher_ocsprest .
-      - run: docker run -d -p 8887:8887 --name rasenmaeher_ocsprest rasenmaeher_ocsprest
+      - run: docker run -d -p 8887:8887 -v /tmp/ca_public:/ca_public --name rasenmaeher_ocsprest rasenmaeher_ocsprest
       - run: sleep 3 && docker logs rasenmaeher_ocsprest
       - run: echo 'print whole trace' && curl http://localhost:8887/api/v1/healthcheck
       - run: echo 'verify success' && curl http://localhost:8887/api/v1/healthcheck | grep 'success'
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "ocsprest"
-version = "1.0.3"
+version = "1.0.4"
 description = ""
 authors = ["Eero af Heurlin <eero.afheurlin@iki.fi>"]
 readme = "README.rst"

diff --git a/src/ocsprest/__init__.py b/src/ocsprest/__init__.py
@@ -1,2 +1,2 @@
 """Quick and dirty rest API to call the ocsp signing methods for CFSSL CLI"""
-__version__ = "1.0.3"
+__version__ = "1.0.4"
diff --git a/src/ocsprest/routes.py b/src/ocsprest/routes.py
@@ -6,6 +6,7 @@
 import uuid
 from pathlib import Path
 import json
+import time
 
 from libadvian.tasks import TaskMaster
 from libadvian.logging import init_logging
@@ -163,8 +164,15 @@ async def get_crl_der(request: Request) -> FileResponse:
 async def healthcheck(request: Request) -> Dict[str, Any]:
     """Health check"""
     _ = request
-    # TODO: should be actually test something ?
-    return {"healthcheck": "success"}
+    retval = "success"
+    grace = 15
+    cnf = RESTConfig.singleton()
+    modtime = time.time() - cnf.crl.stat().st_mtime
+    LOGGER.debug("{} modified {} seconds ago".format(cnf.crl, modtime))
+    if modtime > (cnf.crl_refresh + grace):
+        LOGGER.warning("{} modified too long ago ({}s)".format(cnf.crl, modtime))
+        retval = "crlfail"
+    return {"healthcheck": retval}
 
 
 def get_app() -> FastAPI:
@@ -186,7 +194,10 @@ async def refresher() -> None:
     """Dump the CRL and refresh OCSP periodically"""
     try:
         while True:
-            await asyncio.gather(dump_crl(), refresh_oscp())
+            try:
+                await asyncio.gather(dump_crl(), refresh_oscp())
+            except asyncio.TimeoutError as exc:
+                LOGGER.warning("Ignoring timeout: {}".format(exc))
             await asyncio.sleep(RESTConfig.singleton().crl_refresh)
     except asyncio.CancelledError:
         LOGGER.debug("Cancelled")
diff --git a/tests/conftest.py b/tests/conftest.py
@@ -19,10 +19,15 @@
 def default_env(monkeysession: pytest.MonkeyPatch, nice_tmpdir_ses: str) -> Generator[None, None, None]:
     """Setup some default environment variables"""
     datadir = Path(nice_tmpdir_ses) / "data"
+    cadir = datadir / "ca_public"
+    cadir.mkdir(parents=True, exist_ok=True)
+    crlfile = cadir / "crl.der"
     with monkeysession.context() as mpatch:
+        crlfile.write_text("DUMMY")
         mpatch.setenv("CI", "true")
         mpatch.setenv("OR_DATA_PATH", str(datadir))
         mpatch.setenv("OR_CFSSL", "fakessl")
+        mpatch.setenv("OR_CRL", str(crlfile))
         yield None
 
 

diff --git a/tests/test_ocsprest.py b/tests/test_ocsprest.py
@@ -10,7 +10,7 @@
 
 def test_version() -> None:
     """Make sure version matches expected"""
-    assert __version__ == "1.0.3"
+    assert __version__ == "1.0.4"
 
 
 def test_healthcheck(client: TestClient) -> None: