Clearer demarcation between KeyIssuer and KeyJar.

Set of tests for KeyIssuer.

Author: rohe

src/cryptojwt/key_issuer.py

@@ -1,5 +1,6 @@
 import json
 import logging
+import os
 
 from requests import request
 
@@ -10,6 +11,9 @@
 
 __author__ = 'Roland Hedberg'
 
+from .key_bundle import key_diff
+from .key_bundle import update_key_bundle
+
 from .utils import importer
 
 from .utils import qualified_name
@@ -424,6 +428,23 @@ def __iter__(self):
         for bundle in self._bundles:
             yield bundle
 
+    def __eq__(self, other):
+        if not isinstance(other, self.__class__):
+            return False
+
+        if len(other.all_keys()) != len(self.all_keys()):
+            return False
+
+        for k in self.all_keys():
+            if k not in other:
+                return False
+
+        for k in other.all_keys():
+            if k not in self:
+                return False
+
+        return True
+
 
 # =============================================================================
 
@@ -479,3 +500,129 @@ def build_keyissuer(key_conf, kid_template="", key_issuer=None, issuer_id=''):
     key_issuer.add(bundle)
 
     return key_issuer
+
+
+def rotate_keys(key_conf, issuer, kid_template=""):
+    new_keys = build_keyissuer(key_conf, kid_template)
+    issuer.mark_all_keys_as_inactive()
+    for kb in new_keys:
+        issuer.add_kb(kb)
+    return issuer
+
+
+def init_key_issuer(public_path='', private_path='', key_defs='', read_only=True,
+                 storage_conf=None, abstract_storage_cls=None):
+    """
+    A number of cases here:
+
+    1. A private path is given
+
+       a. The file exists and a JWKS is found there.
+          From that JWKS a KeyJar instance is built.
+       b.
+          If the private path file doesn't exit the key definitions are
+          used to build a KeyJar instance. A JWKS with the private keys are
+          written to the file named in private_path.
+
+       If a public path is also provided a JWKS with public keys are written
+       to that file.
+
+    2. A public path is given but no private path.
+
+       a. If the public path file exists then the JWKS in that file is used to
+          construct a KeyJar.
+       b. If no such file exists then a KeyJar will be built
+          based on the key_defs specification and a JWKS with the public keys
+          will be written to the public path file.
+
+    3. If neither a public path nor a private path is given then a KeyJar is
+       built based on the key_defs specification and no JWKS will be written
+       to file.
+
+    In all cases a KeyJar instance is returned
+
+    The keys stored in the KeyJar will be stored under the '' identifier.
+
+    :param public_path: A file path to a file that contains a JWKS with public
+        keys
+    :param private_path: A file path to a file that contains a JWKS with
+        private keys.
+    :param key_defs: A definition of what keys should be created if they are
+        not already available
+    :param read_only: This function should not attempt to write anything
+        to a file system.
+    :return: An instantiated :py:class;`oidcmsg.key_jar.KeyJar` instance
+    """
+
+    if private_path:
+        if os.path.isfile(private_path):
+            _jwks = open(private_path, 'r').read()
+            _issuer = KeyIssuer()
+            _issuer.import_jwks(json.loads(_jwks))
+            if key_defs:
+                _kb = _issuer[0]
+                _diff = key_diff(_kb, key_defs)
+                if _diff:
+                    update_key_bundle(_kb, _diff)
+                    if read_only:
+                        logger.error('Not allowed to write to disc!')
+                    else:
+                        _issuer.set([_kb])
+                        jwks = _issuer.export_jwks(private=True)
+                        fp = open(private_path, 'w')
+                        fp.write(json.dumps(jwks))
+                        fp.close()
+        else:
+            _issuer = build_keyissuer(key_defs)
+            if not read_only:
+                jwks = _issuer.export_jwks(private=True)
+                head, tail = os.path.split(private_path)
+                if head and not os.path.isdir(head):
+                    os.makedirs(head)
+                fp = open(private_path, 'w')
+                fp.write(json.dumps(jwks))
+                fp.close()
+
+        if public_path and not read_only:
+            jwks = _issuer.export_jwks()  # public part
+            head, tail = os.path.split(public_path)
+            if head and not os.path.isdir(head):
+                os.makedirs(head)
+            fp = open(public_path, 'w')
+            fp.write(json.dumps(jwks))
+            fp.close()
+    elif public_path:
+        if os.path.isfile(public_path):
+            _jwks = open(public_path, 'r').read()
+            _issuer = KeyIssuer()
+            _issuer.import_jwks(json.loads(_jwks))
+            if key_defs:
+                _kb = _issuer[0]
+                _diff = key_diff(_kb, key_defs)
+                if _diff:
+                    if read_only:
+                        logger.error('Not allowed to write to disc!')
+                    else:
+                        update_key_bundle(_kb, _diff)
+                        _issuer.set([_kb])
+                        jwks = _issuer.export_jwks()
+                        fp = open(public_path, 'w')
+                        fp.write(json.dumps(jwks))
+                        fp.close()
+        else:
+            _issuer = build_keyissuer(key_defs)
+            if not read_only:
+                _jwks = _issuer.export_jwks()
+                head, tail = os.path.split(public_path)
+                if head and not os.path.isdir(head):
+                    os.makedirs(head)
+                fp = open(public_path, 'w')
+                fp.write(json.dumps(_jwks))
+                fp.close()
+    else:
+        _issuer = build_keyissuer(key_defs)
+
+    if _issuer is None:
+        raise ValueError('Could not find any keys')
+
+    return _issuer

src/cryptojwt/key_jar.py

@@ -1,6 +1,5 @@
 import json
 import logging
-import os
 from typing import List
 from typing import Optional
 
@@ -9,16 +8,14 @@
 from .jwe.jwe import alg2keytype as jwe_alg2keytype
 from .jws.utils import alg2keytype as jws_alg2keytype
 from .key_bundle import KeyBundle
-from .key_bundle import key_diff
-from .key_bundle import update_key_bundle
-
-__author__ = 'Roland Hedberg'
-
 from .key_issuer import KeyIssuer
 from .key_issuer import build_keyissuer
+from .key_issuer import init_key_issuer
 from .utils import importer
 from .utils import qualified_name
 
+__author__ = 'Roland Hedberg'
+
 logger = logging.getLogger(__name__)
 
 
@@ -92,7 +89,7 @@ def _get_issuer(self, issuer_id: str) -> Optional[KeyIssuer]:
 
         return self._issuers.get(issuer_id)
 
-    def _add_issuer(self, issuer_id):
+    def _add_issuer(self, issuer_id) -> KeyIssuer:
         _iss = KeyIssuer(ca_certs=self.ca_certs, name=issuer_id,
                          keybundle_cls=self.keybundle_cls,
                          remove_after=self.remove_after,
@@ -197,51 +194,53 @@ def get(self, key_use, key_type="", issuer_id="", kid=None, **kwargs):
         if _issuer is None:
             return []
 
-        lst = []
-        for bundle in _issuer:
-            if key_type:
-                if key_use in ['ver', 'dec']:
-                    _bkeys = bundle.get(key_type, only_active=False)
-                else:
-                    _bkeys = bundle.get(key_type)
-            else:
-                _bkeys = bundle.keys()
-            for key in _bkeys:
-                if key.inactive_since and key_use != "sig":
-                    # Skip inactive keys unless for signature verification
-                    continue
-                if not key.use or use == key.use:
-                    if kid:
-                        if key.kid == kid:
-                            lst.append(key)
-                            break
-                        else:
-                            continue
-                    else:
-                        lst.append(key)
-
-        # if elliptic curve, have to check if I have a key of the right curve
-        if key_type == "EC" and "alg" in kwargs:
-            name = "P-{}".format(kwargs["alg"][2:])  # the type
-            _lst = []
-            for key in lst:
-                if name != key.crv:
-                    continue
-                _lst.append(key)
-            lst = _lst
-
-        if use == 'enc' and key_type == 'oct' and issuer_id != '':
-            # Add my symmetric keys
-            _issuer = self._get_issuer('')
-            if _issuer:
-                for kb in _issuer:
-                    for key in kb.get(key_type):
-                        if key.inactive_since:
-                            continue
-                        if not key.use or key.use == use:
-                            lst.append(key)
-
-        return lst
+        return _issuer.get(key_use=key_use, key_type=key_type, kid=kid, **kwargs)
+
+        # lst = []
+        # for bundle in _issuer:
+        #     if key_type:
+        #         if key_use in ['ver', 'dec']:
+        #             _bkeys = bundle.get(key_type, only_active=False)
+        #         else:
+        #             _bkeys = bundle.get(key_type)
+        #     else:
+        #         _bkeys = bundle.keys()
+        #     for key in _bkeys:
+        #         if key.inactive_since and key_use != "sig":
+        #             # Skip inactive keys unless for signature verification
+        #             continue
+        #         if not key.use or use == key.use:
+        #             if kid:
+        #                 if key.kid == kid:
+        #                     lst.append(key)
+        #                     break
+        #                 else:
+        #                     continue
+        #             else:
+        #                 lst.append(key)
+        #
+        # # if elliptic curve, have to check if I have a key of the right curve
+        # if key_type == "EC" and "alg" in kwargs:
+        #     name = "P-{}".format(kwargs["alg"][2:])  # the type
+        #     _lst = []
+        #     for key in lst:
+        #         if name != key.crv:
+        #             continue
+        #         _lst.append(key)
+        #     lst = _lst
+        #
+        # if use == 'enc' and key_type == 'oct' and issuer_id != '':
+        #     # Add my symmetric keys
+        #     _issuer = self._get_issuer('')
+        #     if _issuer:
+        #         for kb in _issuer:
+        #             for key in kb.get(key_type):
+        #                 if key.inactive_since:
+        #                     continue
+        #                 if not key.use or key.use == use:
+        #                     lst.append(key)
+        #
+        # return lst
 
     def get_signing_key(self, key_type="", issuer_id="", kid=None, **kwargs):
         """
@@ -472,12 +471,7 @@ def __eq__(self, other):
 
         # Keys per issuer must be the same
         for iss in self.owners():
-            sk = self.get_issuer_keys(iss)
-            ok = other.get_issuer_keys(iss)
-            if len(sk) != len(ok):
-                return False
-
-            if not any(k in ok for k in sk):
+            if self[iss] != other[iss]:
                 return False
 
         return True
@@ -825,73 +819,9 @@ def init_key_jar(public_path='', private_path='', key_defs='', issuer_id='', rea
     :return: An instantiated :py:class;`oidcmsg.key_jar.KeyJar` instance
     """
 
-    if private_path:
-        if os.path.isfile(private_path):
-            _jwks = open(private_path, 'r').read()
-            _issuer = KeyIssuer(name=issuer_id)
-            _issuer.import_jwks(json.loads(_jwks))
-            if key_defs:
-                _kb = _issuer[0]
-                _diff = key_diff(_kb, key_defs)
-                if _diff:
-                    update_key_bundle(_kb, _diff)
-                    if read_only:
-                        logger.error('Not allowed to write to disc!')
-                    else:
-                        _issuer.set([_kb])
-                        jwks = _issuer.export_jwks(private=True)
-                        fp = open(private_path, 'w')
-                        fp.write(json.dumps(jwks))
-                        fp.close()
-        else:
-            _issuer = build_keyissuer(key_defs, issuer_id=issuer_id)
-            if not read_only:
-                jwks = _issuer.export_jwks(private=True)
-                head, tail = os.path.split(private_path)
-                if head and not os.path.isdir(head):
-                    os.makedirs(head)
-                fp = open(private_path, 'w')
-                fp.write(json.dumps(jwks))
-                fp.close()
-
-        if public_path and not read_only:
-            jwks = _issuer.export_jwks()  # public part
-            head, tail = os.path.split(public_path)
-            if head and not os.path.isdir(head):
-                os.makedirs(head)
-            fp = open(public_path, 'w')
-            fp.write(json.dumps(jwks))
-            fp.close()
-    elif public_path:
-        if os.path.isfile(public_path):
-            _jwks = open(public_path, 'r').read()
-            _issuer = KeyIssuer(name=issuer_id)
-            _issuer.import_jwks(json.loads(_jwks))
-            if key_defs:
-                _kb = _issuer[0]
-                _diff = key_diff(_kb, key_defs)
-                if _diff:
-                    if read_only:
-                        logger.error('Not allowed to write to disc!')
-                    else:
-                        update_key_bundle(_kb, _diff)
-                        _issuer.set([_kb])
-                        jwks = _issuer.export_jwks()
-                        fp = open(public_path, 'w')
-                        fp.write(json.dumps(jwks))
-                        fp.close()
-        else:
-            _issuer = build_keyissuer(key_defs, issuer_id=issuer_id)
-            if not read_only:
-                _jwks = _issuer.export_jwks(issuer=issuer_id)
-                head, tail = os.path.split(public_path)
-                if head and not os.path.isdir(head):
-                    os.makedirs(head)
-                fp = open(public_path, 'w')
-                fp.write(json.dumps(_jwks))
-                fp.close()
-    else:
-        _issuer = build_keyissuer(key_defs, issuer_id=issuer_id)
+    _issuer = init_key_issuer(public_path=public_path, private_path=private_path,
+                              key_defs=key_defs, read_only=read_only,
+                              storage_conf=storage_conf, abstract_storage_cls=abstract_storage_cls)
 
     if _issuer is None:
         raise ValueError('Could not find any keys')