From 489752a0b7654312fd830091cf0aa9f76645de9f Mon Sep 17 00:00:00 2001
From: Evan Cordell
Date: Fri, 29 Apr 2016 11:20:30 -0500
Subject: [PATCH] Only refresh current instance service key

---
 boot.py                       |  4 ++++
 data/model/service_keys.py    | 17 ++---------------
 workers/service_key_worker.py | 12 ++++++++----
 3 files changed, 14 insertions(+), 19 deletions(-)

diff --git a/boot.py b/boot.py
index a97b507cd..4e51816de 100644
--- a/boot.py
+++ b/boot.py
@@ -45,6 +45,10 @@ def create_quay_service_key():
   expiration = timedelta(minutes=minutes_until_expiration)
   quay_key, key_id = generate_key('quay', get_audience(), datetime.now() + expiration)
 
+  with open('/conf/quay.kid', mode='w') as f:
+    f.truncate(0)
+    f.write(key_id)
+
   with open('/conf/quay.pem', mode='w') as f:
     f.truncate(0)
     f.write(quay_key.exportKey())
diff --git a/data/model/service_keys.py b/data/model/service_keys.py
index 7e37908c4..193a25a84 100644
--- a/data/model/service_keys.py
+++ b/data/model/service_keys.py
@@ -7,7 +7,7 @@ from peewee import JOIN_LEFT_OUTER
 from Crypto.PublicKey import RSA
 from jwkest.jwk import RSAKey
 
-from data.database import db_for_update, User, ServiceKey, ServiceKeyApproval, ServiceKeyApprovalType
+from data.database import db_for_update, User, ServiceKey, ServiceKeyApproval
 from data.model import (ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, ServiceNameInvalid,
                         db_transaction, config)
 from data.model.notification import create_notification, delete_all_notifications_by_path_prefix
@@ -29,6 +29,7 @@ def _stale_expired_keys_clause():
   expired_ttl = timedelta(seconds=config.app_config['EXPIRED_SERVICE_KEY_TTL_SEC'])
   return (ServiceKey.expiration_date <= (datetime.utcnow() - expired_ttl))
 
+
 def _stale_unapproved_keys_clause(service):
   unapproved_ttl = timedelta(seconds=config.app_config['UNAPPROVED_SERVICE_KEY_TTL_SEC'])
   return ((ServiceKey.service == service) &
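Review bot: The new /conf/quay.kid write in boot.py is not atomic: mode 'w' truncates the file first, so any process that opens the path between the truncate and the `f.write(key_id)` reads an empty kid, and the worker hunk at the end of this patch reads exactly this path with a plain open(). Whether boot and the worker can run concurrently is not visible here; if they can, write `key_id` to a sibling temporary path and `os.rename()` it over /conf/quay.kid so readers observe either the old or the new value. The `f.truncate(0)` on the new block is redundant because mode 'w' already truncates. create_quay_service_key starts before this hunk.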
@@ -36,10 +37,6 @@ def _stale_unapproved_keys_clause(service):
           (ServiceKey.created_date <= (datetime.utcnow() - unapproved_ttl)))
 
 
-def _unexpired_clause():
-  return ServiceKey.expiration_date >= datetime.utcnow()
-
-
 def _gc_expired(service):
   ServiceKey.delete().where(_stale_expired_keys_service_clause(service) |
                             _stale_unapproved_keys_clause(service)).execute()
@@ -147,16 +144,6 @@ def set_key_expiration(kid, expiration_date):
   service_key.save()
 
 
-def refresh_automatic_service_keys(extension):
-  """
-  Finds all unexpired automatic keys and sets their
-  expiration to `now + extension`
-  """
-  for service_key in list(_list_service_keys_query(approval_type=ServiceKeyApprovalType.AUTOMATIC).where(_unexpired_clause())):
-    service_key.expiration_date = datetime.now() + extension
-    service_key.save()
-
-
 def approve_service_key(kid, approver, approval_type, notes=''):
   try:
     with db_transaction():
diff --git a/workers/service_key_worker.py b/workers/service_key_worker.py
index 6086916d3..59a07ef62 100644
--- a/workers/service_key_worker.py
+++ b/workers/service_key_worker.py
@@ -1,8 +1,8 @@
 import logging
-from datetime import timedelta
+from datetime import datetime, timedelta
 
 from app import app
-from data.model.service_keys import refresh_automatic_service_keys
+from data.model.service_keys import set_key_expiration
 from workers.worker import Worker
 
 logger = logging.getLogger(__name__)
@@ -14,13 +14,17 @@ class ServiceKeyWorker(Worker):
                                        app.config.get('QUAY_SERVICE_KEY_REFRESH', 60)*60)
 
   def _refresh_service_keys(self):
-    """ Refreshes active service keys so they don't get garbage collected. """
+    """
+    Refreshes active service keys so they don't get garbage collected.
+    """
+    with open("/conf/quay.kid") as f:
+      kid = f.read()
     minutes_until_expiration = app.config.get('QUAY_SERVICE_KEY_EXPIRATION', 120)
     expiration = timedelta(minutes=minutes_until_expiration)
 
     logger.debug('Starting refresh of automatic service keys')
-    refresh_automatic_service_keys(expiration)
+    set_key_expiration(kid, datetime.now() + expiration)
     logger.debug('Finished refresh of automatic service keys')
 
 
 if __name__ == "__main__":
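Review bot: `kid = f.read()` hands the file contents to set_key_expiration unmodified, so a trailing newline in /conf/quay.kid (any writer other than boot.py would likely add one) makes the key lookup miss; `kid = f.read().strip()` avoids that. The removed refresh_automatic_service_keys only touched keys matching `_unexpired_clause()` with the AUTOMATIC approval type, whereas set_key_expiration (body outside this patch) is called here for the kid unconditionally, so an already-expired key appears to be extended again instead of being left for garbage collection — confirm that losing expiry as a backstop is intended. If /conf/quay.kid is absent the open() raises and the whole refresh pass fails, and if the kid has already been garbage-collected set_key_expiration may raise ServiceKeyDoesNotExist; both cases deserve a logged, non-fatal path in this worker. The two log messages still say 'automatic service keys' although exactly one key is refreshed now. _refresh_service_keys is complete within the hunk, but the enclosing class starts before it.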