converging on proper rotation
This commit is contained in:
Jimmy Zelinskie
Jimmy Zelinskie
parent
aaf9e83278
commit
f406942984
4 changed files with 101 additions and 67 deletions
|
|
@ -6,26 +6,27 @@ from data.model import ServiceKeyDoesNotExist, ServiceKeyAlreadyApproved, db_tra
|
|||
from data.model.notification import create_notification
|
||||
|
||||
|
||||
# TODO ACTION_LOGS for keys
|
||||
UNAPPROVED_TTL = timedelta(seconds=app.config['UNAPPROVED_SERVICE_KEY_TTL_SEC'])
|
||||
|
||||
|
||||
def _expired_keys_clause(service):
|
||||
return ((ServiceKey.service == service) &
|
||||
(ServiceKey.expiration_date <= datetime.utcnow()))
|
||||
|
||||
|
||||
def _stale_unapproved_keys_clause(service):
|
||||
return ((ServiceKey.service >> service) &
|
||||
(ServiceKey.approval >> None) &
|
||||
(ServiceKey.created_date + UNAPPROVED_TTL) >= datetime.utcnow())
|
||||
|
||||
|
||||
def _gc_expired(service):
|
||||
expired_keys = ((ServiceKey.service == service) &
|
||||
(ServiceKey.expiration_date <= datetime.utcnow()))
|
||||
|
||||
stale_unapproved_keys = ((ServiceKey.service >> service) &
|
||||
(ServiceKey.approval >> None) &
|
||||
(ServiceKey.created_date + UNAPPROVED_TTL) >= datetime.utcnow())
|
||||
|
||||
ServiceKey.delete().where(expired_keys | stale_unapproved_keys).execute()
|
||||
|
||||
|
||||
# TODO ACTION_LOGS for keys
|
||||
ServiceKey.delete().where(_expired_keys_clause(service) |
|
||||
_stale_unapproved_keys_clause(service)).execute()
|
||||
|
||||
|
||||
def create_service_key(name, kid, service, jwk, metadata, expiration_date):
|
||||
_gc_expired(service)
|
||||
|
||||
sk = ServiceKey.create(name=name, kid=kid, service=service, jwk=jwk, metadata=metadata,
|
||||
expiration_date=expiration_date)
|
||||
|
||||
|
|
@ -43,10 +44,24 @@ def create_service_key(name, kid, service, jwk, metadata, expiration_date):
|
|||
'expiration_date': expiration_date,
|
||||
})
|
||||
|
||||
|
||||
def update_service_key(name, kid, metadata, expiration_date):
|
||||
_gc_expired(service)
|
||||
|
||||
|
||||
def replace_service_key(kid, jwk, metadata, expiration_date):
|
||||
try:
|
||||
with db_transaction():
|
||||
key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
|
||||
metadata = key.metadata.update(metadata)
|
||||
ServiceKey.create(name=key.name, kid=kid, service=key.service, jwk=jwk,
|
||||
metadata=metadata, expiration_date=expiration_date, approval=key.approval)
|
||||
key.delete_instance()
|
||||
except ServiceKey.DoesNotExist:
|
||||
raise ServiceKeyDoesNotExist
|
||||
|
||||
_gc_expired(key.service)
|
||||
|
||||
|
||||
def update_service_key(name, kid, metadata, expiration_date):
|
||||
try:
|
||||
with db_transaction():
|
||||
key = db_for_update(ServiceKey.select().where(ServiceKey.kid == kid)).get()
|
||||
|
|
@ -57,37 +72,18 @@ def update_service_key(name, kid, metadata, expiration_date):
|
|||
except ServiceKey.DoesNotExist:
|
||||
raise ServiceKeyDoesNotExist
|
||||
|
||||
|
||||
def get_service_keys(approved_only, kid=None, service=None):
|
||||
_gc_expired(service)
|
||||
|
||||
query = ServiceKey.select()
|
||||
|
||||
if approved_only:
|
||||
query = query.where(~(ServiceKey.approval >> None))
|
||||
|
||||
if service is not None:
|
||||
query = query.where(ServiceKey.service == service)
|
||||
|
||||
if kid is not None:
|
||||
query.where(ServiceKey.kid == kid)
|
||||
|
||||
return query
|
||||
|
||||
|
||||
def get_service_key(kid):
|
||||
return get_service_keys(False, kid=kid).get()
|
||||
_gc_expired(key.service)
|
||||
|
||||
|
||||
def delete_service_key(service, kid):
|
||||
_gc_expired(service)
|
||||
|
||||
try:
|
||||
ServiceKey.delete().where(ServiceKey.service == service,
|
||||
ServiceKey.kid == kid).execute()
|
||||
except ServiceKey.DoesNotExist:
|
||||
raise ServiceKeyDoesNotExist()
|
||||
|
||||
_gc_expired(service)
|
||||
|
||||
|
||||
def approve_service_key(kid, approver, approval_type):
|
||||
try:
|
||||
|
|
@ -101,3 +97,32 @@ def approve_service_key(kid, approver, approval_type):
|
|||
key.save()
|
||||
except ServiceKey.DoesNotExist:
|
||||
raise ServiceKeyDoesNotExist
|
||||
|
||||
|
||||
def _get_service_keys_query(kid=None, service=None, approved_only=False):
|
||||
query = ServiceKey.select()
|
||||
|
||||
if approved_only:
|
||||
query = query.where(~(ServiceKey.approval >> None))
|
||||
|
||||
if service is not None:
|
||||
query = query.where(ServiceKey.service == service)
|
||||
query = query.where(~(_expired_keys_clause(service)) &
|
||||
~(_stale_unapproved_keys_clause(service)))
|
||||
|
||||
if kid is not None:
|
||||
query.where(ServiceKey.kid == kid)
|
||||
|
||||
return query
|
||||
|
||||
|
||||
def get_keys():
|
||||
return list(_get_service_keys_query())
|
||||
|
||||
|
||||
def get_service_keys(service):
|
||||
return list(_get_service_keys_query(service=service, approved_only=True))
|
||||
|
||||
|
||||
def get_service_key(kid):
|
||||
return _get_service_keys_query(kid=kid).get()
|
||||
|
|
|
|||
Reference in a new issue