Fix key server to not list expired keys

Fixes the key server to not list expire keys and by default not return expired or unapproved keys unless explicitly requested.

Fixes #1430

endpoints/api/superuser.py

@@ -639,7 +639,7 @@ class SuperUserServiceKey(ApiResource):
   def get(self, kid):
     if SuperUserPermission().can():
       try:
-        key = model.service_keys.get_service_key(kid)
+        key = model.service_keys.get_service_key(kid, approved_only=False, alive_only=False)
         return jsonify(key_view(key))
       except model.service_keys.ServiceKeyDoesNotExist:
         abort(404)
@@ -655,7 +655,7 @@ class SuperUserServiceKey(ApiResource):
     if SuperUserPermission().can():
       body = request.get_json()
       try:
-        key = model.service_keys.get_service_key(kid)
+        key = model.service_keys.get_service_key(kid, approved_only=False, alive_only=False)
       except model.service_keys.ServiceKeyDoesNotExist:
         abort(404)
 
@@ -690,7 +690,8 @@ class SuperUserServiceKey(ApiResource):
         model.service_keys.update_service_key(kid, body.get('name'), body.get('metadata'))
         log_action('service_key_modify', None, key_log_metadata)
 
-      return jsonify(key_view(model.service_keys.get_service_key(kid)))
+      updated_key = model.service_keys.get_service_key(kid, approved_only=False, alive_only=False)
+      return jsonify(key_view(updated_key))
 
     abort(403)
 

endpoints/key_server.py

@@ -60,14 +60,19 @@ def _validate_jwt(encoded_jwt, jwk, service):
     abort(400)
 
 
-def _signer_kid(encoded_jwt):
+def _signer_kid(encoded_jwt, allow_none=False):
   headers = get_unverified_header(encoded_jwt)
-  return headers.get('kid', None)
+  kid = headers.get('kid', None)
+  if not kid and not allow_none:
+    abort(400)
+
+  return kid
 
 
-def _signer_key(service, signer_kid):
+def _lookup_service_key(service, signer_kid, approved_only=True):
   try:
-    return data.model.service_keys.get_service_key(signer_kid, service=service)
+    return data.model.service_keys.get_service_key(signer_kid, service=service,
+                                                   approved_only=approved_only)
   except data.model.ServiceKeyDoesNotExist:
     abort(403)
 
@@ -81,7 +86,7 @@ def list_service_keys(service):
 @key_server.route('/services/<service>/keys/<kid>', methods=['GET'])
 def get_service_key(service, kid):
   try:
-    key = data.model.service_keys.get_service_key(kid)
+    key = data.model.service_keys.get_service_key(kid, alive_only=False, approved_only=False)
   except data.model.ServiceKeyDoesNotExist:
     abort(404)
 
@@ -126,8 +131,7 @@ def put_service_key(service, kid):
 
   _validate_jwk(jwk)
 
-  signer_kid = _signer_kid(encoded_jwt)
-
+  signer_kid = _signer_kid(encoded_jwt, allow_none=True)
   if kid == signer_kid or signer_kid is None:
     # The key is self-signed. Create a new instance and await approval.
     _validate_jwt(encoded_jwt, jwk, service)
@@ -147,11 +151,10 @@ def put_service_key(service, kid):
     log_action('service_key_create', None, metadata=key_log_metadata, ip=request.remote_addr)
     return make_response('', 202)
 
+  # Key is going to be rotated.
   metadata.update({'created_by': 'Key Rotation'})
-  signer_key = _signer_key(service, signer_kid)
+  signer_key = _lookup_service_key(service, signer_kid)
   signer_jwk = signer_key.jwk
-  if signer_key.service != service:
-    abort(403)
 
   _validate_jwt(encoded_jwt, signer_jwk, service)
 
@@ -184,9 +187,9 @@ def delete_service_key(service, kid):
   encoded_jwt = match.group(1)
 
   signer_kid = _signer_kid(encoded_jwt)
-  signer_key = _signer_key(service, signer_kid)
+  signer_key = _lookup_service_key(service, signer_kid, approved_only=False)
 
-  self_signed = kid == signer_kid or signer_kid == ''
+  self_signed = kid == signer_kid
   approved_key_for_service = signer_key.approval is not None
 
   if self_signed or approved_key_for_service: