Commit 3f407ff8 authored by Geoff Simmons's avatar Geoff Simmons

Add key_updated().

parent bc1075a1
......@@ -568,8 +568,13 @@ KEY_Exists(uint8_t *id, uint8_t idlen)
return (ret);
}
VCL_TIME
KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen)
enum time {
ADDED = 0,
UPDATED,
};
static VCL_TIME
key_time(VRT_CTX, uint8_t *id, uint8_t idlen, enum time t)
{
struct key_tree *tree_h;
struct key *k;
......@@ -585,8 +590,23 @@ KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen)
VRT_fail(ctx, "key \"%.*s\" not found", idlen, id);
return (0);
}
ret = k->added;
if (t == ADDED)
ret = k->added;
else
ret = k->updated;
KEY_Unlock(idlen);
return (ret);
}
VCL_TIME
KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen)
{
return (key_time(ctx, id, idlen, ADDED));
}
VCL_TIME
KEY_Updated(VRT_CTX, uint8_t *id, uint8_t idlen)
{
return (key_time(ctx, id, idlen, UPDATED));
}
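Review bot: `key_time()` chooses the field with a bare `if (t == ADDED) ... else ...` right after the not-found check, so any enumerator later added to `enum time` would silently be treated as `UPDATED`; a `switch (t)` with a `default:` that fails loudly makes the two-value contract explicit and keeps the compiler's missing-case warning useful. The tag `enum time` also shares its spelling with libc's `time()` — legal, since tags have their own namespace, but a more specific tag such as `enum key_timestamp` avoids the double-take. `key_time()`'s body begins in the earlier hunk and the lock acquisition paired with `KEY_Unlock(idlen)` is outside both hunks, so the lock discipline could not be checked here.
```c
	switch (t) {
	case ADDED:
		ret = k->added;
		break;
	case UPDATED:
		ret = k->updated;
		break;
	default:
		WRONG("invalid enum time");
	}
	KEY_Unlock(idlen);
	/* … unchanged: return (ret) … */
```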
......@@ -44,3 +44,4 @@ void KEY_Wipe(void * const key);
int KEY_Delete(VRT_CTX, uint8_t *id, uint8_t idlen);
VCL_BOOL KEY_Exists(uint8_t *id, uint8_t idlen);
VCL_TIME KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen);
VCL_TIME KEY_Updated(VRT_CTX, uint8_t *id, uint8_t idlen);
......@@ -84,12 +84,19 @@ varnish v1 -vcl+backend {
sub vcl_backend_response {
set beresp.filters = "ece_decrypt";
set beresp.uncacheable = true;
}
sub vcl_deliver {
set resp.http.Exists-Before = req.http.Exists-Before;
set resp.http.Added = ece.key_added("");
set resp.http.Delta-Added = now - ece.key_added("");
if (ece.key_added("") != ece.key_updated("")) {
# The key was never updated, so these should be the
# same
return (fail);
}
set resp.http.Updated = ece.key_updated("");
}
}
......@@ -113,6 +120,7 @@ client c1 {
expect resp.http.Added ~ "GMT$"
expect resp.http.Delta-Added >= 0
expect resp.http.Delta-Added < 1
expect resp.http.Updated == resp.http.Added
txreq -url /add
rxresp
......@@ -147,6 +155,9 @@ varnish v1 -vcl+backend {
ece.update_key("foo", blob.decode(BASE64,
encoded="oAAt/UDfkbY8F26rypiFtQ=="));
}
if (req.url == "/updated") {
set req.http.U = ece.key_updated("foo");
}
}
sub vcl_backend_response {
......@@ -154,6 +165,17 @@ varnish v1 -vcl+backend {
ece.update_key("", blob.decode(BASE64URLNOPAD,
encoded="yqdlZ-tYemfogSmv7Ws5PQ"));
set beresp.filters = "ece_decrypt";
set beresp.uncacheable = true;
}
sub vcl_deliver {
set resp.http.Updated = ece.key_updated("");
if (ece.key_updated("") <= ece.key_added("")) {
# Update should be timestamped after add.
return (fail);
}
set resp.http.Delta-Updated =
ece.key_updated("") - ece.key_added("");
}
}
......@@ -161,6 +183,10 @@ logexpect l1 -v v1 -d 0 -g vxid -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error {^key "foo" does not exist$}
expect * = End
expect 0 * Begin req
expect * = VCL_Error {^key "foo" not found$}
expect * = End
} -start
client c1 {
......@@ -169,6 +195,9 @@ client c1 {
expect resp.status == 200
expect resp.bodylen == 15
expect resp.body == "I am the walrus"
expect resp.http.Updated ~ "GMT$"
expect resp.http.Delta-Updated >= 0
expect resp.http.Delta-Updated < 1
txreq -url /update
rxresp
......@@ -176,6 +205,13 @@ client c1 {
expect resp.reason == "VCL failed"
} -run
client c1 {
txreq -url /updated
rxresp
expect resp.status == 503
expect resp.reason == "VCL failed"
} -run
logexpect l1 -wait
varnish v1 -vcl {
......@@ -278,7 +314,6 @@ varnish v1 -vcl {
encoded="75cIt3LwTqbq66pKSmp2fA=="));
}
elsif (req.url == "/added/nullid") {
unset req.http.No-Such-Header;
set req.http.T = ece.key_added(req.http.No-Such-Header);
}
elsif (req.url == "/added/toolong") {
......@@ -287,6 +322,17 @@ varnish v1 -vcl {
1234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012345678901234567890
"});
}
elsif (req.url == "/updated/nullid") {
set req.http.U = ece.key_updated(req.http.No-Such-Header);
}
elsif (req.url == "/updated/toolong") {
set req.http.U = ece.key_updated({"
1234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012345678901234567890
1234567890123456789012345678901234567890123456789012345678901234567890
"});
}
}
......@@ -368,6 +414,14 @@ logexpect l1 -v v1 -d 0 -g vxid -q "VCL_Error" {
expect 0 * Begin req
expect * = VCL_Error {(?s)^key id .+ too long \(length \d+ > 255\)$}
expect * = End
expect 0 * Begin req
expect * = VCL_Error {^key id is NULL$}
expect * = End
expect 0 * Begin req
expect * = VCL_Error {(?s)^key id .+ too long \(length \d+ > 255\)$}
expect * = End
} -start
client c1 {
......@@ -503,4 +557,18 @@ client c1 {
expect resp.reason == "VCL failed"
} -run
client c1 {
txreq -url /updated/nullid
rxresp
expect resp.status == 503
expect resp.reason == "VCL failed"
} -run
client c1 {
txreq -url /updated/toolong
rxresp
expect resp.status == 503
expect resp.reason == "VCL failed"
} -run
logexpect l1 -wait
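Review bot: The `if (ece.key_updated("") <= ece.key_added(""))` check in the second `vcl_deliver` treats equal timestamps as a failure, which only holds if the add of key `""` and the `ece.update_key("", ...)` call in `vcl_backend_response` are stamped from separate clock reads; if the timestamps are instead taken from the task-level `now`, or the add happens in the same task (its location is outside these hunks), the two values would be equal and the test would fail spuriously. The client-side `expect resp.http.Delta-Updated >= 0` / `< 1` lines already pin the ordering and bound, so changing the VCL guard to `if (ece.key_updated("") < ece.key_added(""))` would keep the intent without depending on clock resolution. Worth confirming how `added`/`updated` are stamped before deciding.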
......@@ -176,6 +176,17 @@ vmod_key_added(VRT_CTX, VCL_STRING id)
return (KEY_Added(ctx, (uint8_t *)id, (uint8_t)len));
}
VCL_TIME
vmod_key_updated(VRT_CTX, VCL_STRING id)
{
size_t len;
CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
CHECK_ID(ctx, id, len, 0);
return (KEY_Updated(ctx, (uint8_t *)id, (uint8_t)len));
}
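Review bot: `vmod_key_updated()` narrows `len` to `uint8_t` in the `KEY_Updated()` call without anything in the function saying why that is lossless; the vtc in this commit expects `key id ... too long (length \d+ > 255)` for over-long ids, which suggests `CHECK_ID` rejects `len > 255` before the cast — worth confirming and stating, e.g. `/* CHECK_ID() fails the request for len > 255, so the narrowing cast is lossless */` above the return. The wrapper is otherwise a line-for-line copy of `vmod_key_added()`, whose tail is visible at the top of the hunk, so one comment documenting the shared `CHECK_ID` contract would serve both. `vmod_libcrypto_version()` continues past the end of the hunk.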
VCL_STRING
vmod_libcrypto_version(VRT_CTX)
{
......
......@@ -92,7 +92,15 @@ XXX ...
$Function TIME key_added(STRING id)
Returns time at which the keying material identified by ``id`` was added.
Returns the time at which the keying material identified by ``id`` was
added.
XXX ...
$Function TIME key_updated(STRING id)
Returns the time at which the keying material identified by ``id`` was
last updated.
XXX ...
......