Hide expired keys outside of their staleness window

test/test_endpoints.py

@@ -202,14 +202,23 @@ class KeyServerTestCase(EndpointTestCase):
 
   def test_list_service_keys(self):
     unapproved_key = model.service_keys.get_service_key(kid='kid3')
+    expired_key = model.service_keys.get_service_key(kid='kid6')
+
     rv = self.getResponse('key_server.list_service_keys', service='sample_service')
     jwkset = py_json.loads(rv)
 
-    # Make sure the unapproved key isn't returned in our results
+    # Make sure the hidden keys are not returned and the visible ones are returned.
     self.assertTrue(len(jwkset['keys']) > 0)
+    expired_key_found = False
     for jwk in jwkset['keys']:
       self.assertNotEquals(jwk, unapproved_key.jwk)
 
+      if expired_key.jwk == jwk:
+        expired_key_found = True
+
+    self.assertTrue(expired_key_found)
+
+
   def test_get_service_key(self):
     # 200 for an approved key
     self.getResponse('key_server.get_service_key', service='sample_service', kid='kid1')
@@ -222,6 +231,14 @@ class KeyServerTestCase(EndpointTestCase):
     self.getResponse('key_server.get_service_key', service='sample_service', kid='kid9999',
                      expected_code=404)
 
+    # 403 for an approved but expired key that is inside of the 2 week window.
+    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid6',
+                     expected_code=403)
+
+    # 404 for an approved, expired key that is outside of the 2 week window.
+    self.getResponse('key_server.get_service_key', service='sample_service', kid='kid7',
+                     expected_code=404)
+
   def test_put_service_key(self):
     # No Authorization header should yield a 400
     self.putResponse('key_server.put_service_key', service='sample_service', kid='kid420',