Diffstat (limited to 'gn_auth/auth/jwks.py')
-rw-r--r-- | gn_auth/auth/jwks.py | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/gn_auth/auth/jwks.py b/gn_auth/auth/jwks.py
index 1352b95..810a162 100644
--- a/gn_auth/auth/jwks.py
+++ b/gn_auth/auth/jwks.py
@@ -67,3 +67,20 @@ def newest_jwk(storagedir: Path) -> Either:
     if len(existingkeys) > 0:
         return Right(pem_to_jwk(existingkeys[-1][1]))
     return Left("No JWKs exist")
+
+
+def newest_jwk_with_rotation(jwksdir: Path, keyage: int) -> JsonWebKey:
+    """
+    Retrieve the latests JWK, creating a new one if older than `keyage` days.
+    """
+    def newer_than_days(jwkey):
+        filestat = os.stat(Path(
+            jwksdir, f"{jwkey.as_dict()['kid']}.private.pem"))
+        oldesttimeallowed = (datetime.now() - timedelta(days=keyage))
+        if filestat.st_ctime < (oldesttimeallowed.timestamp()):
+            return Left("JWK is too old!")
+        return jwkey
+
+    return newest_jwk(jwksdir).then(newer_than_days).either(
+        lambda _errmsg: generate_and_save_private_key(jwksdir),
+        lambda key: key)
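Review bot: The age check in `newer_than_days` reads `st_ctime`, which on POSIX is the inode change time rather than the creation time, so any chmod, chown or rename of the `.private.pem` file makes the key look fresh again and silently postpones rotation past `keyage` days. For a file written once at generation, `st_mtime` is the stable signal: `if filestat.st_mtime < oldesttimeallowed.timestamp():`; recording the creation time explicitly (in the filename or next to the key) would be more robust still, since either stat field can be reset by a copy or restore. The comparison of a naive `datetime.now().timestamp()` against the epoch value in the stat result is consistent, but `time.time() - keyage * 86400` says the same thing without the timezone detour. Whether `newer_than_days` may return a bare `jwkey` from inside `.then(...)` rather than a `Right(jwkey)` depends on the `Either` implementation in use, which is not visible here; a short comment on that line stating the expected convention would help the next reader. The docstring's "latests" should read "latest".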