def execute(json_revocation): if json_revocation['type'] != 'revocation': return secdir = secure_mount.mount() cert_path = config.get('cloud_agent', 'revocation_cert') if cert_path == "default": cert_path = os.path.join(secdir, "unzipped", "RevocationNotifier-cert.crt") else: # if it is a relative, convert to absolute in work_dir if cert_path[0] != '/': cert_path = os.path.abspath( os.path.join(common.WORK_DIR, cert_path)) if not os.path.exists(cert_path): raise Exception( f"revocation_cert {os.path.abspath(cert_path)} not found") # get the updated CRL dist_path = ca_util.get_crl_distpoint(cert_path) with open(os.path.join(secdir, "unzipped", "cacrl.der"), "rb") as f: oldcrl = f.read() updated = False for _ in range(10): logger.debug("Getting updated CRL from %s", dist_path) response = tornado_requests.request("GET", dist_path, None, None, None) if response.status_code != 200: logger.warning("Unable to get updated CRL from %s. Code %d", dist_path, response.status_code) time.sleep(1) continue if response.body == oldcrl: logger.warning("CRL not yet updated, trying again in 1 second...") time.sleep(1) continue # write out the updated CRL logger.debug("Updating CRL in %s/unzipped/cacrl.der", secdir) with open(os.path.join(secdir, "unzipped", "cacrl.der"), "wb") as f: f.write(response.body) ca_util.convert_crl_to_pem( os.path.join(secdir, "unzipped", "cacrl.der"), os.path.join(secdir, "unzipped", "cacrl.pem")) updated = True break if not updated: logger.error( "Unable to load new CRL from %s after receiving notice of a revocation", dist_path)
def test_get_crl_distpoint(self): curdir = os.path.dirname(os.path.abspath(__file__)) cert_path = os.path.join(curdir, "data", "ca", "cacert.crt") crl_distpoint = ca_util.get_crl_distpoint(cert_path) self.assertEqual(crl_distpoint, 'http://localhost/crl.pem')