improvement: make state res actually work

2021-03-13 16:30:12 +01:00 · 2021-03-13 16:30:12 +01:00 · 6da40225bb
commit 6da40225bb
parent 0d55964d24
13 changed files with 537 additions and 541 deletions
--- a/src/database/globals.rs
+++ b/src/database/globals.rs
@ -24,7 +24,7 @@ pub struct Globals {
    reqwest_client: reqwest::Client,
    dns_resolver: TokioAsyncResolver,
    jwt_decoding_key: Option<jsonwebtoken::DecodingKey<'static>>,
-    pub(super) servertimeout_signingkey: sled::Tree, // ServerName -> algorithm:key + pubkey
+    pub(super) servertimeout_signingkey: sled::Tree, // ServerName + Timeout Timestamp -> algorithm:key + pubkey
 }

 impl Globals {
@ -157,37 +157,31 @@ impl Globals {
    ///
    /// This doesn't actually check that the keys provided are newer than the old set.
    pub fn add_signing_key(&self, origin: &ServerName, keys: &ServerSigningKeys) -> Result<()> {
-        // Remove outdated keys
-        let now = crate::utils::millis_since_unix_epoch();
-        for item in self.servertimeout_signingkey.scan_prefix(origin.as_bytes()) {
-            let (k, _) = item?;
-            let valid_until = k
-                .splitn(2, |&b| b == 0xff)
-                .nth(1)
-                .map(crate::utils::u64_from_bytes)
-                .ok_or_else(|| Error::bad_database("Invalid signing keys."))?
-                .map_err(|_| Error::bad_database("Invalid signing key valid until bytes"))?;
+        let mut key1 = origin.as_bytes().to_vec();
+        key1.push(0xff);

-            if now > valid_until {
-                self.servertimeout_signingkey.remove(k)?;
-            }
-        }
+        let mut key2 = key1.clone();

-        let mut key = origin.as_bytes().to_vec();
-        key.push(0xff);
-        key.extend_from_slice(
-            &(keys
-                .valid_until_ts
-                .duration_since(std::time::UNIX_EPOCH)
-                .expect("time is valid")
-                .as_millis() as u64)
-                .to_be_bytes(),
-        );
+        let ts = keys
+            .valid_until_ts
+            .duration_since(std::time::UNIX_EPOCH)
+            .expect("time is valid")
+            .as_millis() as u64;
+
+        key1.extend_from_slice(&ts.to_be_bytes());
+        key2.extend_from_slice(&(ts + 1).to_be_bytes());

        self.servertimeout_signingkey.insert(
-            key,
+            key1,
            serde_json::to_vec(&keys.verify_keys).expect("ServerSigningKeys are a valid string"),
        )?;
+
+        self.servertimeout_signingkey.insert(
+            key2,
+            serde_json::to_vec(&keys.old_verify_keys)
+                .expect("ServerSigningKeys are a valid string"),
+        )?;
+
        Ok(())
    }

@ -196,7 +190,10 @@ impl Globals {
        &self,
        origin: &ServerName,
    ) -> Result<BTreeMap<ServerSigningKeyId, VerifyKey>> {
+        let mut response = BTreeMap::new();
+
        let now = crate::utils::millis_since_unix_epoch();
+
        for item in self.servertimeout_signingkey.scan_prefix(origin.as_bytes()) {
            let (k, bytes) = item?;
            let valid_until = k
@ -207,10 +204,11 @@ impl Globals {
                .map_err(|_| Error::bad_database("Invalid signing key valid until bytes"))?;
            // If these keys are still valid use em!
            if valid_until > now {
-                return serde_json::from_slice(&bytes)
-                    .map_err(|_| Error::bad_database("Invalid BTreeMap<> of signing keys"));
+                let btree: BTreeMap<_, _> = serde_json::from_slice(&bytes)
+                    .map_err(|_| Error::bad_database("Invalid BTreeMap<> of signing keys"))?;
+                response.extend(btree);
            }
        }
-        Ok(BTreeMap::default())
+        Ok(response)
    }
 }