keyserver: add cache-control headers

endpoints/key_server.py

@@ -1,6 +1,6 @@
 import logging
 
-from datetime import datetime
+from datetime import datetime, timedelta
 
 from cryptography.hazmat.backends import default_backend
 from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicNumbers
@@ -88,7 +88,15 @@ def get_service_key(service, kid):
   if key.approval is None:
     abort(409)
 
-  return jsonify(key.jwk)
+  resp = jsonify(key.jwk)
+
+  # Set the cache header to be a year for non-expiring keys.
+  lifetime = timedelta(days=365)
+  if key.expiration_date is not None:
+    lifetime = key.expiration_date - key.created_date
+  resp.cache_control.max_age = lifetime.seconds
+
+  return resp
 
 
 @key_server.route('/services/<service>/keys/<kid>', methods=['PUT'])