create key server data interface
This commit is contained in:
Jimmy Zelinskie
parent
c06d395f96
commit
2e5a94bc0b
4 changed files with 140 additions and 21 deletions
|
|
@ -4,11 +4,9 @@ from datetime import datetime, timedelta
|
|||
from flask import Blueprint, jsonify, abort, request, make_response
|
||||
from jwt import get_unverified_header
|
||||
|
||||
import data.model
|
||||
import data.model.service_keys
|
||||
from data.model.log import log_action
|
||||
|
||||
from app import app
|
||||
from data.interfaces.key_server import PreOCIModel as model, ServiceKeyDoesNotExist
|
||||
from data.model.log import log_action
|
||||
from util.security import jwtutil
|
||||
|
||||
|
||||
|
|
@ -38,7 +36,7 @@ def _validate_jwt(encoded_jwt, jwk, service):
|
|||
|
||||
try:
|
||||
jwtutil.decode(encoded_jwt, public_key, algorithms=['RS256'],
|
||||
audience=JWT_AUDIENCE, issuer=service)
|
||||
audience=JWT_AUDIENCE, issuer=service)
|
||||
except jwtutil.InvalidTokenError:
|
||||
logger.exception('JWT validation failure')
|
||||
abort(400)
|
||||
|
|
@ -55,23 +53,22 @@ def _signer_kid(encoded_jwt, allow_none=False):
|
|||
|
||||
def _lookup_service_key(service, signer_kid, approved_only=True):
|
||||
try:
|
||||
return data.model.service_keys.get_service_key(signer_kid, service=service,
|
||||
approved_only=approved_only)
|
||||
except data.model.ServiceKeyDoesNotExist:
|
||||
return model.get_service_key(signer_kid, service=service, approved_only=approved_only)
|
||||
except ServiceKeyDoesNotExist:
|
||||
abort(403)
|
||||
|
||||
|
||||
@key_server.route('/services/<service>/keys', methods=['GET'])
|
||||
def list_service_keys(service):
|
||||
keys = data.model.service_keys.list_service_keys(service)
|
||||
keys = model.list_service_keys(service)
|
||||
return jsonify({'keys': [key.jwk for key in keys]})
|
||||
|
||||
|
||||
@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
|
||||
def get_service_key(service, kid):
|
||||
try:
|
||||
key = data.model.service_keys.get_service_key(kid, alive_only=False, approved_only=False)
|
||||
except data.model.ServiceKeyDoesNotExist:
|
||||
key = model.get_service_key(kid, alive_only=False, approved_only=False)
|
||||
except ServiceKeyDoesNotExist:
|
||||
abort(404)
|
||||
|
||||
if key.approval is None:
|
||||
|
|
@ -119,8 +116,8 @@ def put_service_key(service, kid):
|
|||
if kid == signer_kid or signer_kid is None:
|
||||
# The key is self-signed. Create a new instance and await approval.
|
||||
_validate_jwt(encoded_jwt, jwk, service)
|
||||
data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date,
|
||||
rotation_duration=rotation_duration)
|
||||
model.create_service_key('', kid, service, jwk, metadata, expiration_date,
|
||||
rotation_duration=rotation_duration)
|
||||
|
||||
key_log_metadata = {
|
||||
'kid': kid,
|
||||
|
|
@ -143,8 +140,8 @@ def put_service_key(service, kid):
|
|||
_validate_jwt(encoded_jwt, signer_jwk, service)
|
||||
|
||||
try:
|
||||
data.model.service_keys.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
|
||||
except data.model.ServiceKeyDoesNotExist:
|
||||
model.replace_service_key(signer_key.kid, kid, jwk, metadata, expiration_date)
|
||||
except ServiceKeyDoesNotExist:
|
||||
abort(404)
|
||||
|
||||
key_log_metadata = {
|
||||
|
|
@ -180,8 +177,8 @@ def delete_service_key(service, kid):
|
|||
_validate_jwt(encoded_jwt, signer_key.jwk, service)
|
||||
|
||||
try:
|
||||
data.model.service_keys.delete_service_key(kid)
|
||||
except data.model.ServiceKeyDoesNotExist:
|
||||
model.delete_service_key(kid)
|
||||
except ServiceKeyDoesNotExist:
|
||||
abort(404)
|
||||
|
||||
key_log_metadata = {
|
||||
Reference in a new issue