From 363a3cac369fe8d9d60c749f53027e1138e23b4f Mon Sep 17 00:00:00 2001 From: Alexander Hughes Date: Tue, 9 Apr 2019 12:32:41 -0500 Subject: [PATCH] Update validity checks and docs of PKI functions https://review.openstack.org/#/c/639414/ was merged with outstanding comments related to PKI cert expiration checks and PKI cert generation This patch addresses those critiques to: 1. Make documentation clearer and more standard in format 2. Make code clearer by streamlining a validity check Change-Id: If5352acd33cfd9e3e177aa11ff8f8ba74d5f55af --- doc/source/cli/cli.rst | 16 +++++++++------- pegleg/engine/catalog/pki_utility.py | 8 ++------ 2 files changed, 11 insertions(+), 13 deletions(-) diff --git a/doc/source/cli/cli.rst b/doc/source/cli/cli.rst index 8644d466..9e753930 100644 --- a/doc/source/cli/cli.rst +++ b/doc/source/cli/cli.rst @@ -477,10 +477,10 @@ Dashes in the document names will be converted to underscores for consistency. Name of site. -**days** (Optional). +**-d / --days** (Optional). Duration (in days) certificates should be valid. Default=365, -minimum=0, no maximum. +minimum=0, no maximum. Values less than 0 will raise an exception. NOTE: A generated certificate where days = 0 should only be used for testing. A certificate generated in such a way will be valid for 0 seconds. 
@@ -510,14 +510,16 @@ Check PKI Certs --------------- Determine if any PKI certificates from a site are expired, or will be expired -within N days (default N=60, no maximum, minimum 0). Print those cert names -and expiration dates to ``stdout``. +within ``days`` days. If any are found, print the cert names and expiration +dates to ``stdout``. **-d / --days** (Optional). -Number of days past today's date to check certificate expirations. -Default days=60. Minimum days=0, days less than 0 will raise an exception. -No maximum days. +Duration (in days) to check certificate validity from today. Default=60, +minimum=0, no maximum. Values less than 0 will raise an exception. + +NOTE: Checking PKI certs where days = 0 will check for certs that are expired +at the time the command is run. **site_name** (Required). diff --git a/pegleg/engine/catalog/pki_utility.py b/pegleg/engine/catalog/pki_utility.py index e84076ce..582209e7 100644 --- a/pegleg/engine/catalog/pki_utility.py +++ b/pegleg/engine/catalog/pki_utility.py @@ -64,9 +64,7 @@ class PKIUtility(object): @property def ca_config(self): - if self.duration is not None and self.duration >= 0: - pass - else: + if self.duration is None or self.duration < 0: raise exceptions.PKICertificateInvalidDuration() if not self._ca_config_string: @@ -209,9 +207,7 @@ class PKIUtility(object): """ - if self.duration is not None and self.duration >= 0: - pass - else: + if self.duration is None or self.duration < 0: raise exceptions.PKICertificateInvalidDuration() info = self.cert_info(cert)
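Review bot: The rewritten guard in `ca_config` (and the identical one in the second hunk of `pki_utility.py`) still rejects only `None` and negative numbers. A `duration` that arrives as a string would therefore raise `TypeError` rather than `PKICertificateInvalidDuration`, and `True` or a float would pass as a valid number of days. Where `duration` is assigned is not visible in this diff, so this may already be enforced upstream; if it is not, a check such as `if not isinstance(self.duration, int) or isinstance(self.duration, bool) or self.duration < 0:` would keep the failure mode consistent for the value that sets certificate validity. Because the same two lines now appear in both places, a small private helper (for example `_validate_duration()`) called from each would stop the two checks drifting apart. Both enclosing bodies continue outside their hunks.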