Merge pull request #620 from ericchiang/dev-fix-rotation-polling

server: fix key rotation polling
Eric Chiang 2016-10-17 11:13:00 -07:00 committed by GitHub
commit 688d798ff4


@ -20,7 +20,7 @@ import (
// often to rotate them, and how long they can validate signatures after rotation. // often to rotate them, and how long they can validate signatures after rotation.
type rotationStrategy struct { type rotationStrategy struct {
// Time between rotations. // Time between rotations.
period time.Duration rotationFrequency time.Duration
// After being rotated how long can a key validate signatues? // After being rotated how long can a key validate signatues?
verifyFor time.Duration verifyFor time.Duration
@ -34,18 +34,18 @@ type rotationStrategy struct {
func staticRotationStrategy(key *rsa.PrivateKey) rotationStrategy { func staticRotationStrategy(key *rsa.PrivateKey) rotationStrategy {
return rotationStrategy{ return rotationStrategy{
// Setting these values to 100 years is easier than having a flag indicating no rotation. // Setting these values to 100 years is easier than having a flag indicating no rotation.
period: time.Hour * 8760 * 100, rotationFrequency: time.Hour * 8760 * 100,
verifyFor: time.Hour * 8760 * 100, verifyFor: time.Hour * 8760 * 100,
key: func() (*rsa.PrivateKey, error) { return key, nil }, key: func() (*rsa.PrivateKey, error) { return key, nil },
} }
} }
// defaultRotationStrategy returns a strategy which rotates keys every provided period, // defaultRotationStrategy returns a strategy which rotates keys every provided period,
// holding onto the public parts for some specified amount of time. // holding onto the public parts for some specified amount of time.
func defaultRotationStrategy(rotationPeriod, verifyFor time.Duration) rotationStrategy { func defaultRotationStrategy(rotationFrequency, verifyFor time.Duration) rotationStrategy {
return rotationStrategy{ return rotationStrategy{
period: rotationPeriod, rotationFrequency: rotationFrequency,
verifyFor: verifyFor, verifyFor: verifyFor,
key: func() (*rsa.PrivateKey, error) { key: func() (*rsa.PrivateKey, error) {
return rsa.GenerateKey(rand.Reader, 2048) return rsa.GenerateKey(rand.Reader, 2048)
}, },
@ -76,7 +76,7 @@ func startKeyRotation(ctx context.Context, s storage.Storage, strategy rotationS
select { select {
case <-ctx.Done(): case <-ctx.Done():
return return
case <-time.After(strategy.period): case <-time.After(time.Second * 30):
if err := rotater.rotate(); err != nil { if err := rotater.rotate(); err != nil {
log.Printf("failed to rotate keys: %v", err) log.Printf("failed to rotate keys: %v", err)
} }
@ -145,7 +145,7 @@ func (k keyRotater) rotate() error {
keys.VerificationKeys = append(keys.VerificationKeys, verificationKey) keys.VerificationKeys = append(keys.VerificationKeys, verificationKey)
} }
nextRotation = k.now().Add(k.strategy.period) nextRotation = k.now().Add(k.strategy.rotationFrequency)
keys.SigningKey = priv keys.SigningKey = priv
keys.SigningKeyPub = pub keys.SigningKeyPub = pub
keys.NextRotation = nextRotation keys.NextRotation = nextRotation
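Review bot: The 30-second interval in `case <-time.After(time.Second * 30):` is a bare literal with no explanation of why it replaces `strategy.rotationFrequency`; hoist it to a named constant, `const keyRotationPollInterval = 30 * time.Second`, and use it as `case <-time.After(keyRotationPollInterval):`. A comment above the select should also record what a reader of this loop cannot see: rotation now lags `keys.NextRotation` by up to one poll interval, so `verifyFor` must comfortably exceed 30s, and presumably `rotate()` itself now decides from the stored `NextRotation` whether to act (not visible in this hunk — confirm). The loop also calls `rotate()` every 30s under `staticRotationStrategy`, whose 100-year `rotationFrequency` is meant to disable rotation; if `rotate()` reads or writes storage on each call, that is a constant background load worth noting next to the constant. The rest of `startKeyRotation` lies outside the hunk.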