Add key_updated().

src/keys.c

@@ -568,8 +568,13 @@ KEY_Exists(uint8_t *id, uint8_t idlen)
 	return (ret);
 }
 
-VCL_TIME
-KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen)
+enum time {
+	ADDED = 0,
+	UPDATED,
+};
+
+static VCL_TIME
+key_time(VRT_CTX, uint8_t *id, uint8_t idlen, enum time t)
 {
 	struct key_tree *tree_h;
 	struct key *k;
@@ -585,8 +590,23 @@ KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen)
 		VRT_fail(ctx, "key \"%.*s\" not found", idlen, id);
 		return (0);
 	}
-	ret = k->added;
+	if (t == ADDED)
+		ret = k->added;
+	else
+		ret = k->updated;
 	KEY_Unlock(idlen);
 
 	return (ret);
 }
+
+VCL_TIME
+KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen)
+{
+	return (key_time(ctx, id, idlen, ADDED));
+}
+
+VCL_TIME
+KEY_Updated(VRT_CTX, uint8_t *id, uint8_t idlen)
+{
+	return (key_time(ctx, id, idlen, UPDATED));
+}

src/keys.h

@@ -44,3 +44,4 @@ void KEY_Wipe(void * const key);
 int KEY_Delete(VRT_CTX, uint8_t *id, uint8_t idlen);
 VCL_BOOL KEY_Exists(uint8_t *id, uint8_t idlen);
 VCL_TIME KEY_Added(VRT_CTX, uint8_t *id, uint8_t idlen);
+VCL_TIME KEY_Updated(VRT_CTX, uint8_t *id, uint8_t idlen);

src/tests/keys.vtc

@@ -84,12 +84,19 @@ varnish v1 -vcl+backend {
 
 	sub vcl_backend_response {
 		set beresp.filters = "ece_decrypt";
+		set beresp.uncacheable = true;
 	}
 
 	sub vcl_deliver {
 		set resp.http.Exists-Before = req.http.Exists-Before;
 		set resp.http.Added = ece.key_added("");
 		set resp.http.Delta-Added = now - ece.key_added("");
+		if (ece.key_added("") != ece.key_updated("")) {
+			# The key was never updated, so these should be the
+			# same
+			return (fail);
+		}
+		set resp.http.Updated = ece.key_updated("");
 	}
 }
 
@@ -113,6 +120,7 @@ client c1 {
 	expect resp.http.Added ~ "GMT$"
 	expect resp.http.Delta-Added >= 0
 	expect resp.http.Delta-Added < 1
+	expect resp.http.Updated == resp.http.Added
 
 	txreq -url /add
 	rxresp
@@ -147,6 +155,9 @@ varnish v1 -vcl+backend {
 			ece.update_key("foo", blob.decode(BASE64,
 					   encoded="oAAt/UDfkbY8F26rypiFtQ=="));
 		}
+		if (req.url == "/updated") {
+			set req.http.U = ece.key_updated("foo");
+		}
 	}
 
 	sub vcl_backend_response {
@@ -154,6 +165,17 @@ varnish v1 -vcl+backend {
 		ece.update_key("", blob.decode(BASE64URLNOPAD,
 		                             encoded="yqdlZ-tYemfogSmv7Ws5PQ"));
 		set beresp.filters = "ece_decrypt";
+		set beresp.uncacheable = true;
+	}
+
+	sub vcl_deliver {
+		set resp.http.Updated = ece.key_updated("");
+		if (ece.key_updated("") <= ece.key_added("")) {
+			# Update should be timestamped after add.
+			return (fail);
+		}
+		set resp.http.Delta-Updated =
+		    ece.key_updated("") - ece.key_added("");
 	}
 }
 
@@ -161,6 +183,10 @@ logexpect l1 -v v1 -d 0 -g vxid -q "VCL_Error" {
 	expect 0 * Begin	req
 	expect * = VCL_Error	{^key "foo" does not exist$}
 	expect * = End
+
+	expect 0 * Begin	req
+	expect * = VCL_Error	{^key "foo" not found$}
+	expect * = End
 } -start
 
 client c1 {
@@ -169,6 +195,9 @@ client c1 {
 	expect resp.status == 200
 	expect resp.bodylen == 15
 	expect resp.body == "I am the walrus"
+	expect resp.http.Updated ~ "GMT$"
+	expect resp.http.Delta-Updated >= 0
+	expect resp.http.Delta-Updated < 1
 
 	txreq -url /update
 	rxresp
@@ -176,6 +205,13 @@ client c1 {
 	expect resp.reason == "VCL failed"
 } -run
 
+client c1 {
+	txreq -url /updated
+	rxresp
+	expect resp.status == 503
+	expect resp.reason == "VCL failed"
+} -run
+
 logexpect l1 -wait
 
 varnish v1 -vcl {
@@ -278,7 +314,6 @@ varnish v1 -vcl {
 				    encoded="75cIt3LwTqbq66pKSmp2fA=="));
 		}
 		elsif (req.url == "/added/nullid") {
-			unset req.http.No-Such-Header;
 			set req.http.T = ece.key_added(req.http.No-Such-Header);
 		}
 		elsif (req.url == "/added/toolong") {
@@ -287,6 +322,17 @@ varnish v1 -vcl {
 1234567890123456789012345678901234567890123456789012345678901234567890
 1234567890123456789012345678901234567890123456789012345678901234567890
 1234567890123456789012345678901234567890123456789012345678901234567890
+"});
+		}
+		elsif (req.url == "/updated/nullid") {
+			set req.http.U = ece.key_updated(req.http.No-Such-Header);
+		}
+		elsif (req.url == "/updated/toolong") {
+			set req.http.U = ece.key_updated({"
+1234567890123456789012345678901234567890123456789012345678901234567890
+1234567890123456789012345678901234567890123456789012345678901234567890
+1234567890123456789012345678901234567890123456789012345678901234567890
+1234567890123456789012345678901234567890123456789012345678901234567890
 "});
 		}
 	}
@@ -368,6 +414,14 @@ logexpect l1 -v v1 -d 0 -g vxid -q "VCL_Error" {
 	expect 0 * Begin	req
 	expect * = VCL_Error	{(?s)^key id .+ too long \(length \d+ > 255\)$}
 	expect * = End
+
+	expect 0 * Begin	req
+	expect * = VCL_Error	{^key id is NULL$}
+	expect * = End
+
+	expect 0 * Begin	req
+	expect * = VCL_Error	{(?s)^key id .+ too long \(length \d+ > 255\)$}
+	expect * = End
 } -start
 
 client c1 {
@@ -503,4 +557,18 @@ client c1 {
 	expect resp.reason == "VCL failed"
 } -run
 
+client c1 {
+	txreq -url /updated/nullid
+	rxresp
+	expect resp.status == 503
+	expect resp.reason == "VCL failed"
+} -run
+
+client c1 {
+	txreq -url /updated/toolong
+	rxresp
+	expect resp.status == 503
+	expect resp.reason == "VCL failed"
+} -run
+
 logexpect l1 -wait

src/vmod_ece.c

@@ -176,6 +176,17 @@ vmod_key_added(VRT_CTX, VCL_STRING id)
 	return (KEY_Added(ctx, (uint8_t *)id, (uint8_t)len));
 }
 
+VCL_TIME
+vmod_key_updated(VRT_CTX, VCL_STRING id)
+{
+	size_t len;
+
+	CHECK_OBJ_NOTNULL(ctx, VRT_CTX_MAGIC);
+	CHECK_ID(ctx, id, len, 0);
+
+	return (KEY_Updated(ctx, (uint8_t *)id, (uint8_t)len));
+}
+
 VCL_STRING
 vmod_libcrypto_version(VRT_CTX)
 {

src/vmod_ece.vcc

@@ -92,7 +92,15 @@ XXX ...
 
 $Function TIME key_added(STRING id)
 
-Returns time at which the keying material identified by ``id`` was added.
+Returns the time at which the keying material identified by ``id`` was
+added.
+
+XXX ...
+
+$Function TIME key_updated(STRING id)
+
+Returns the time at which the keying material identified by ``id`` was
+last updated.
 
 XXX ...