Lots of smaller fixes:

- Add the rotation_duration to the keys API
- Have the key service UI use the new rotation_duration field
- Fix notification deletion lookup path
- Add proper support for the new notification in the UI
- Only delete expired keys after 7 days (configurable)
- Fix angular digest loop
- Fix unit tests
- Regenerate initdb

data/model/service_keys.py

@@ -15,6 +15,11 @@ def _expired_keys_clause(service):
   return ((ServiceKey.service == service) &
           (ServiceKey.expiration_date <= datetime.utcnow()))
 
+def _stale_expired_keys_clause(service):
+  expired_ttl = timedelta(seconds=config.app_config['EXPIRED_SERVICE_KEY_TTL_SEC'])
+  return ((ServiceKey.service == service) &
+          (ServiceKey.expiration_date <= (datetime.utcnow() - expired_ttl)))
+
 
 def _stale_unapproved_keys_clause(service):
   unapproved_ttl = timedelta(seconds=config.app_config['UNAPPROVED_SERVICE_KEY_TTL_SEC'])
@@ -24,7 +29,7 @@ def _stale_unapproved_keys_clause(service):
 
 
 def _gc_expired(service):
-  ServiceKey.delete().where(_expired_keys_clause(service) |
+  ServiceKey.delete().where(_stale_expired_keys_clause(service) |
                             _stale_unapproved_keys_clause(service)).execute()
 
 
@@ -53,17 +58,18 @@ def create_service_key(name, kid, service, jwk, metadata, expiration_date, rotat
 
   _notify_superusers(key)
   _gc_expired(service)
-
   return key
 
 
-def generate_service_key(service, expiration_date, kid=None, name='', metadata=None):
+def generate_service_key(service, expiration_date, kid=None, name='', metadata=None,
+                         rotation_duration=None):
   private_key = RSA.generate(2048)
   jwk = RSAKey(key=private_key.publickey()).serialize()
   if kid is None:
     kid = canonical_kid(jwk)
 
-  key = create_service_key(name, kid, service, jwk, metadata or {}, expiration_date)
+  key = create_service_key(name, kid, service, jwk, metadata or {}, expiration_date,
+                           rotation_duration=rotation_duration)
   return (private_key, key)