Fix 2 inactive key problems.

janste63 · c00kiemon5ter · commit 759bd39352d5 · 2020-09-10T17:42:52.000+03:00
Fix that updated keys are marked as inactive if we get 304 from server.
Make sure we return inactive keys when calling get_jwt_verify_keys().
diff --git a/src/cryptojwt/key_bundle.py b/src/cryptojwt/key_bundle.py
@@ -364,7 +364,7 @@ def do_remote(self):
         """
         Load a JWKS from a webpage.
 
-        :return: True or False if load was successful
+        :return: True if load was successful or False if remote hasn't been modified
         """
         # if self.verify_ssl is not None:
         #     self.httpc_params["verify"] = self.verify_ssl
@@ -408,10 +408,12 @@ def do_remote(self):
             if hasattr(_http_resp, "headers"):
                 headers = getattr(_http_resp, "headers")
                 self.last_remote = headers.get("last-modified") or headers.get("date")
+            res = True
 
         elif _http_resp.status_code == 304:  # Not modified
             LOGGER.debug("%s not modified since %s", self.source, self.last_remote)
             self.time_out = time.time() + self.cache_time
+            res = False
 
         else:
             LOGGER.warning(
@@ -424,7 +426,7 @@ def do_remote(self):
 
         self.last_updated = time.time()
         self.ignore_errors_until = None
-        return True
+        return res
 
     def _parse_remote_response(self, response):
         """
@@ -465,7 +467,6 @@ def update(self):
         This is a forced update, will happen even if cache time has not elapsed.
         Replaced keys will be marked as inactive and not removed.
         """
-        res = True  # An update was successful
         if self.source:
             _old_keys = self._keys  # just in case
 
@@ -478,21 +479,25 @@ def update(self):
                         self.do_local_jwk(self.source)
                     elif self.fileformat == "der":
                         self.do_local_der(self.source, self.keytype, self.keyusage)
+                    updated = True
                 elif self.remote:
-                    res = self.do_remote()
+                    updated = self.do_remote()
             except Exception as err:
                 LOGGER.error("Key bundle update failed: %s", err)
                 self._keys = _old_keys  # restore
                 return False
 
-            now = time.time()
-            for _key in _old_keys:
-                if _key not in self._keys:
-                    if not _key.inactive_since:  # If already marked don't mess
-                        _key.inactive_since = now
-                    self._keys.append(_key)
+            if updated:
+                now = time.time()
+                for _key in _old_keys:
+                    if _key not in self._keys:
+                        if not _key.inactive_since:  # If already marked don't mess
+                            _key.inactive_since = now
+                        self._keys.append(_key)
+            else:
+                self._keys = _old_keys
 
-        return res
+        return True
 
     def get(self, typ="", only_active=True):
         """
diff --git a/src/cryptojwt/key_issuer.py b/src/cryptojwt/key_issuer.py
@@ -297,7 +297,7 @@ def get(self, key_use, key_type="", kid=None, alg="", **kwargs):
             else:
                 _bkeys = bundle.keys()
             for key in _bkeys:
-                if key.inactive_since and key_use != "sig":
+                if key.inactive_since and key_use != "ver":
                     # Skip inactive keys unless for signature verification
                     continue
                 if not key.use or use == key.use:
diff --git a/src/cryptojwt/key_jar.py b/src/cryptojwt/key_jar.py
@@ -601,13 +601,13 @@ def get_jwt_verify_keys(self, jwt, **kwargs):
                     except KeyError:
                         pass
 
-            keys = self._add_key([], _iss, "sig", _key_type, _kid, nki, allow_missing_kid)
+            keys = self._add_key([], _iss, "ver", _key_type, _kid, nki, allow_missing_kid)
 
             if _key_type == "oct":
-                keys.extend(self.get(key_use="sig", issuer_id="", key_type=_key_type))
+                keys.extend(self.get(key_use="ver", issuer_id="", key_type=_key_type))
         else:
             # No issuer, just use all keys I have
-            keys = self.get(key_use="sig", issuer_id="", key_type=_key_type)
+            keys = self.get(key_use="ver", issuer_id="", key_type=_key_type)
 
         # Only want the appropriate keys.
         keys = [k for k in keys if k.appropriate_for("verify")]
diff --git a/tests/test_03_key_bundle.py b/tests/test_03_key_bundle.py
@@ -1009,7 +1009,7 @@ def test_remote_not_modified():
 
     with responses.RequestsMock() as rsps:
         rsps.add(method="GET", url=source, status=304, headers=headers)
-        assert kb.do_remote()
+        assert not kb.do_remote()
         assert kb.last_remote == headers.get("Last-Modified")
         timeout2 = kb.time_out
 
@@ -1019,6 +1019,7 @@ def test_remote_not_modified():
     kb2 = KeyBundle().load(exp)
     assert kb2.source == source
     assert len(kb2.keys()) == 3
+    assert len(kb2.active_keys()) == 3
     assert len(kb2.get("rsa")) == 1
     assert len(kb2.get("oct")) == 1
     assert len(kb2.get("ec")) == 1
diff --git a/tests/test_04_key_jar.py b/tests/test_04_key_jar.py
@@ -746,6 +746,12 @@ def test_aud(self):
         keys = self.bob_keyjar.get_jwt_verify_keys(_jwt.jwt, no_kid_issuer=no_kid_issuer)
         assert len(keys) == 1
 
+    def test_inactive_verify_key(self):
+        _jwt = factory(self.sjwt_b)
+        self.alice_keyjar.return_issuer("Bob")[0].mark_all_as_inactive()
+        keys = self.alice_keyjar.get_jwt_verify_keys(_jwt.jwt)
+        assert len(keys) == 1
+
 
 def test_copy():
     kj = KeyJar()
