reduce queries for OCSP view to one

mathiasertl · Jan 19, 2025 · 2d623f0 · 2d623f0
1 parent a0eca93
commit 2d623f0
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 10 deletions.
diff --git a/ca/django_ca/tests/views/test_generic_ocsp_view.py b/ca/django_ca/tests/views/test_generic_ocsp_view.py
@@ -65,7 +65,7 @@ def test_get(
     profile_ocsp: Certificate,
 ) -> None:
     """Test getting OCSP responses."""
-    with django_assert_num_queries(2):
+    with django_assert_num_queries(1):
         response = ocsp_get(client, child_cert)
     assert_ocsp_response(response, child_cert, responder_certificate=profile_ocsp)
 

diff --git a/ca/django_ca/tests/views/test_ocsp_view.py b/ca/django_ca/tests/views/test_ocsp_view.py
@@ -330,9 +330,10 @@ def test_ca_ocsp(
 def test_bad_ca(caplog: LogCaptureFixture, client: Client) -> None:
     """Fetch data for a CA that does not exist."""
     data = base64.b64encode(req1).decode("utf-8")
+    serial = CERT_DATA["child-cert"]["serial"]
     response = client.get(reverse("unknown", kwargs={"data": data}))
     assert caplog.record_tuples == [
-        ("django_ca.views", logging.ERROR, "unknown: Certificate Authority could not be found.")
+        ("django_ca.views", logging.WARNING, f"{serial}: OCSP request for unknown CA received.")
     ]
 
     assert response.status_code == HTTPStatus.OK

diff --git a/ca/django_ca/views.py b/ca/django_ca/views.py
@@ -390,6 +390,14 @@ def malformed_request(self) -> HttpResponse:
         """Get a response for a malformed request."""
         return self.fail(ocsp.OCSPResponseStatus.MALFORMED_REQUEST)
 
+    def get_ca_and_cert(
+        self, cert_serial: str
+    ) -> tuple[CertificateAuthority, Union[Certificate, CertificateAuthority]]:
+        """Get CA and certificate for this request."""
+        ca = self.get_ca()
+        cert = self.get_cert(ca, cert_serial)
+        return ca, cert
+
     def process_ocsp_request(self, data: bytes) -> HttpResponse:
         """Process OCSP request data."""
         try:
@@ -406,17 +414,10 @@ def process_ocsp_request(self, data: bytes) -> HttpResponse:
 
         cert_serial = int_to_hex(ocsp_req.serial_number)
 
-        # Get CA and certificate
-        try:
-            ca = self.get_ca()
-        except CertificateAuthority.DoesNotExist:
-            log.error("%s: Certificate Authority could not be found.", self.ca)
-            return self.fail()
-
         # NOINSPECTION NOTE: PyCharm wrongly things that second except is already covered by the first.
         # noinspection PyExceptClausesOrder
         try:
-            cert = self.get_cert(ca, cert_serial)
+            ca, cert = self.get_ca_and_cert(cert_serial)
         except CertificateAuthority.DoesNotExist:
             log.warning("%s: OCSP request for unknown CA received.", cert_serial)
             return self.fail()
@@ -491,6 +492,13 @@ def dispatch(self, request: HttpRequest, serial: str, **kwargs: Any) -> "HttpRes
     def get_ca(self) -> CertificateAuthority:
         return CertificateAuthority.objects.get(serial=self.kwargs["serial"])
 
+    def get_ca_and_cert(
+        self, cert_serial: str
+    ) -> tuple[CertificateAuthority, Union[Certificate, CertificateAuthority]]:
+        ca_serial = self.kwargs["serial"]
+        cert = Certificate.objects.select_related("ca").get(ca__serial=ca_serial, serial=cert_serial)
+        return cert.ca, cert
+
     def get_expires(self, ca: CertificateAuthority, now: datetime) -> datetime:
         return now + timedelta(seconds=ca.ocsp_response_validity)