Old keys not mark as inactive - fixed.

Author: rohe

doc/keyhandling.rst

@@ -204,6 +204,8 @@ bundle::
       ]
     }
 
+**Note** that you will get a JWKS representing the public keys unless you
+specify that you want a representation of the private keys.
 
 Key Jar
 -------

src/cryptojwt/key_bundle.py

@@ -107,7 +107,7 @@ def ec_init(spec):
 
 class KeyBundle(object):
     def __init__(self, keys=None, source="", cache_time=300, verify_ssl=True,
-                 fileformat="jwk", keytype="RSA", keyusage=None, kid=''):
+                 fileformat="jwks", keytype="RSA", keyusage=None, kid=''):
         """
         Contains a set of keys that have a common origin.
         The sources can be serveral:
@@ -120,7 +120,7 @@ def __init__(self, keys=None, source="", cache_time=300, verify_ssl=True,
             with the keys ["kty", "key", "alg", "use", "kid"]
         :param source: Where the key set can be fetch from
         :param verify_ssl: Verify the SSL cert used by the server
-        :param fileformat: For a local file either "jwk" or "der"
+        :param fileformat: For a local file either "jwks" or "der"
         :param keytype: Iff local file and 'der' format what kind of key it is.
             presently only 'rsa' is supported.
         :param keyusage: What the key loaded from file should be used for.
@@ -332,7 +332,7 @@ def update(self):
 
             try:
                 if self.remote is False:
-                    if self.fileformat == "jwks":
+                    if self.fileformat in ["jwks", "jwk"]:
                         self.do_local_jwk(self.source)
                     elif self.fileformat == "der":
                         self.do_local_der(self.source, self.keytype,
@@ -347,9 +347,7 @@ def update(self):
             now = time.time()
             for _key in _keys:
                 if _key not in self._keys:
-                    try:
-                        _key.inactive_since  # If already marked don't mess
-                    except ValueError:
+                    if not _key.inactive_since:  # If already marked don't mess
                         _key.inactive_since = now
                     self._keys.append(_key)
 

tests/test_10_key_bundle.py

@@ -5,7 +5,9 @@
 import shutil
 import time
 
-from cryptojwt.jwk.rsa import RSAKey
+from cryptojwt.jwk.ec import new_ec_key
+
+from cryptojwt.jwk.rsa import RSAKey, new_rsa_key
 from cryptojwt.jwk.hmac import SYMKey
 
 from cryptojwt.key_bundle import dump_jwks
@@ -453,3 +455,48 @@ def test_remote(httpserver):
     assert len(kb.keys())
     assert len(kb.get('rsa')) == 1
     assert len(kb.get('oct')) == 1
+
+
+def test_update_2():
+    rsa_key = new_rsa_key()
+    _jwks = {"keys": [rsa_key.serialize()]}
+    fname = 'tmp_jwks.json'
+    with open(fname, 'w') as fp:
+        fp.write(json.dumps(_jwks))
+
+    kb = KeyBundle(source="file://{}".format(fname), fileformat='jwks')
+    assert len(kb) == 1
+
+    # Added one more key
+    ec_key = new_ec_key(crv='P-256')
+    _jwks = {'keys': [rsa_key.serialize(), ec_key.serialize()]}
+
+    with open(fname, 'w') as fp:
+        fp.write(json.dumps(_jwks))
+
+    kb.update()
+    assert len(kb) == 2
+
+
+def test_update_mark_inactive():
+    rsa_key = new_rsa_key()
+    _jwks = {"keys": [rsa_key.serialize()]}
+    fname = 'tmp_jwks.json'
+    with open(fname, 'w') as fp:
+        fp.write(json.dumps(_jwks))
+
+    kb = KeyBundle(source="file://{}".format(fname), fileformat='jwks')
+    assert len(kb) == 1
+
+    # new set of keys
+    rsa_key = new_rsa_key()
+    ec_key = new_ec_key(crv='P-256')
+    _jwks = {'keys': [rsa_key.serialize(), ec_key.serialize()]}
+
+    with open(fname, 'w') as fp:
+        fp.write(json.dumps(_jwks))
+
+    kb.update()
+    # 2 active and 1 inactive
+    assert len(kb) == 3
+    assert len(kb.active_keys()) == 2