test(signing): update PasswordTest for fail-closed CRL behavior

Migrates 'valid'/'revoked' string literals to CrlValidationStatus enum
and adds test cases for the new DISABLED and urls_inaccessible/
validation_failed statuses introduced by the fail-closed policy.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

tests/php/Unit/Service/IdentifyMethod/PasswordTest.php

@@ -9,6 +9,7 @@
 namespace OCA\Libresign\Tests\Unit\Service\IdentifyMethod;
 
 use OCA\Libresign\AppInfo\Application;
+use OCA\Libresign\Enum\CrlValidationStatus;
 use OCA\Libresign\Exception\LibresignException;
 use OCA\Libresign\Handler\CertificateEngine\CertificateEngineFactory;
 use OCA\Libresign\Handler\DocMdpHandler;
@@ -228,15 +229,22 @@ public static function providerValidateToSignWithCertificateData(): array {
 			'revoked certificate' => [
 				'certificateData' => [
 					'validTo_time_t' => $futureTimestamp,
-					'crl_validation' => 'revoked',
+					'crl_validation' => CrlValidationStatus::REVOKED,
 				],
 				'shouldThrow' => true,
 				'expectedMessage' => 'Certificate has been revoked',
 			],
 			'valid certificate with crl validation' => [
 				'certificateData' => [
 					'validTo_time_t' => $futureTimestamp,
-					'crl_validation' => 'valid',
+					'crl_validation' => CrlValidationStatus::VALID,
+				],
+				'shouldThrow' => false,
+			],
+			'disabled crl validation - admin disabled external check' => [
+				'certificateData' => [
+					'validTo_time_t' => $futureTimestamp,
+					'crl_validation' => CrlValidationStatus::DISABLED,
 				],
 				'shouldThrow' => false,
 			],
@@ -246,28 +254,52 @@ public static function providerValidateToSignWithCertificateData(): array {
 					'crl_validation' => 'failed',
 				],
 				'shouldThrow' => true,
-				'expectedMessage' => 'Certificate has been revoked',
+				'expectedMessage' => 'Certificate revocation status could not be verified',
 			],
 			'invalid certificate - crl validation empty string' => [
 				'certificateData' => [
 					'validTo_time_t' => $futureTimestamp,
 					'crl_validation' => '',
 				],
 				'shouldThrow' => true,
-				'expectedMessage' => 'Certificate has been revoked',
+				'expectedMessage' => 'Certificate revocation status could not be verified',
 			],
 			'invalid certificate - crl validation null' => [
 				'certificateData' => [
 					'validTo_time_t' => $futureTimestamp,
 					'crl_validation' => null,
 				],
 				'shouldThrow' => true,
-				'expectedMessage' => 'Certificate has been revoked',
+				'expectedMessage' => 'Certificate revocation status could not be verified',
+			],
+			'invalid certificate - crl urls_inaccessible' => [
+				'certificateData' => [
+					'validTo_time_t' => $futureTimestamp,
+					'crl_validation' => CrlValidationStatus::URLS_INACCESSIBLE,
+				],
+				'shouldThrow' => true,
+				'expectedMessage' => 'Certificate revocation status could not be verified',
+			],
+			'invalid certificate - crl validation_failed' => [
+				'certificateData' => [
+					'validTo_time_t' => $futureTimestamp,
+					'crl_validation' => CrlValidationStatus::VALIDATION_FAILED,
+				],
+				'shouldThrow' => true,
+				'expectedMessage' => 'Certificate revocation status could not be verified',
+			],
+			'invalid certificate - crl validation_error' => [
+				'certificateData' => [
+					'validTo_time_t' => $futureTimestamp,
+					'crl_validation' => CrlValidationStatus::VALIDATION_ERROR,
+				],
+				'shouldThrow' => true,
+				'expectedMessage' => 'Certificate revocation status could not be verified',
 			],
 			'revoked and expired certificate' => [
 				'certificateData' => [
 					'validTo_time_t' => $pastTimestamp,
-					'crl_validation' => 'revoked',
+					'crl_validation' => CrlValidationStatus::REVOKED,
 				],
 				'shouldThrow' => true,
 				'expectedMessage' => 'Certificate has been revoked', // revocation is checked first