rework superuser api

2016-03-25 18:44:11 -04:00 · 2016-03-25 18:44:11 -04:00 · 35ed73e195
commit 35ed73e195
parent 4079dba167
4 changed files with 205 additions and 60 deletions
--- a/endpoints/key_server.py
+++ b/endpoints/key_server.py
@ -18,7 +18,24 @@ JWT_HEADER_NAME = 'Authorization'
 JWT_AUDIENCE = 'quay'


-def _validate_JWT(encoded_jwt, jwk, service):
+def _validate_jwk(jwk, kid):
+  if 'kty' not in jwk:
+    abort(400)
+
+  if 'kid' not in jwk or jwk['kid'] != kid:
+    abort(400)
+
+  if jwk['kty'] == 'EC':
+    if 'x' not in jwk or 'y' not in jwk:
+      abort(400)
+  elif jwk['kty'] == 'RSA':
+    if 'e' not in jwk or 'n' not in jwk:
+      abort(400)
+  else:
+    abort(400)
+
+
+def _validate_jwt(encoded_jwt, jwk, service):
  public_key = RSAPublicNumbers(e=jwk.e,
                                n=jwk.n).public_key(default_backend())

@ -47,15 +64,16 @@ def _signer_jwk(encoded_jwt, jwk, service, kid):

@key_server.route('/services/<service>/keys', methods=['GET'])
 def get_service_keys(service):
-  kid = request.args.get('kid', None)
-  if kid is not None:
-    keys = data.model.service_keys.get_service_keys(service, kid=kid)
-  else:
-    keys = data.model.service_keys.get_service_keys(service)
-
+  keys = data.model.service_keys.get_service_keys(service)
  return jsonify({'keys': [key.jwk for key in keys]})


+@key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
+def get_service_key(service, kid):
+  key = data.model.service_keys.get_service_keys(service, kid=kid)
+  return jsonify(key.jwk)
+
+
@key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])
 def put_service_keys(service, kid):
  expiration_date = request.args.get('expiration', None)
@ -70,27 +88,14 @@ def put_service_keys(service, kid):
  except ValueError:
    abort(400)

-  if 'kty' not in jwk:
-    abort(400)
-
-  if 'kid' not in jwk or jwk['kid'] != kid:
-    abort(400)
-
-  if jwk['kty'] == 'EC':
-    if 'x' not in jwk or 'y' not in jwk:
-      abort(400)
-  elif jwk['kty'] == 'RSA':
-    if 'e' not in jwk or 'n' not in jwk:
-      abort(400)
-  else:
-    abort(400)
+  _validate_jwk(jwk, kid)

  encoded_jwt = request.headers.get(JWT_HEADER_NAME, None)
  if not encoded_jwt:
    abort(400)

  signer_jwk = _signer_jwk(encoded_jwt, jwk, service, kid)
-  _validate_JWT(encoded_jwt, signer_jwk, service)
+  _validate_jwt(encoded_jwt, signer_jwk, service)

  metadata = {
    'ip': request.remote_addr,
@ -98,7 +103,10 @@ def put_service_keys(service, kid):
  }


-  data.model.service_keys.upsert_service_key('', kid, service, jwk, metadata, expiration_date)
+  try:
+    data.model.service_keys.update_service_key('', kid, service, metadata, expiration_date)
+  except data.model.ServiceKeyDoesNotExist:
+    data.model.service_keys.create_service_key('', kid, service, jwk, metadata, expiration_date)


@key_server.route('/services/<service>/keys/<kid>', methods=['DELETE'])
@ -108,7 +116,7 @@ def delete_service_key(service, kid):
    abort(400)

  signer_jwk = _signer_jwk(encoded_jwt, None, service, kid)
-  _validate_JWT(encoded_jwt, signer_jwk, service)
+  _validate_jwt(encoded_jwt, signer_jwk, service)

  try:
    data.model.service_keys.delete_service_key(service, kid)