author | David Lord <davidism@gmail.com> | 2020-05-02 08:51:27 -0700 |
---|---|---|
committer | David Lord <davidism@gmail.com> | 2020-05-12 16:13:11 -0700 |
commit | 4fef308d571f34eab709c52f689c16eb65a402c1 (patch) | |
tree | 29a8658b6a4ae199d905facaca6e09572ba2e0d7 | |
parent | a0872fc4928b250d8b05d8c1b53a2e21957aacd9 (diff) | |
add secret_key compat property
-rw-r--r-- | src/itsdangerous/serializer.py | 19 | ||||
-rw-r--r-- | src/itsdangerous/signer.py | 21 |
2 files changed, 33 insertions, 7 deletions
diff --git a/src/itsdangerous/serializer.py b/src/itsdangerous/serializer.py
index f80ca21..d0142ce 100644
--- a/src/itsdangerous/serializer.py
+++ b/src/itsdangerous/serializer.py
@@ -83,10 +83,16 @@ class Serializer:
 fallback_signers=None,
 ):
 if isinstance(secret_key, list):
- self.secret_keys = [want_bytes(s) for s in secret_key]
+ secret_keys = [want_bytes(s) for s in secret_key]
 else:
- self.secret_keys = [want_bytes(secret_key)]
-
+ secret_keys = [want_bytes(secret_key)]
+
+ #: The list of secret keys to try for verifying signatures, from
+ #: oldest to newest. The newest (last) key is used for signing.
+ #:
+ #: This allows a key rotation system to keep a list of allowed
+ #: keys and remove expired ones.
+ self.secret_keys = secret_keys
 self.salt = want_bytes(salt)
 
 if serializer is None:
@@ -107,6 +113,13 @@ class Serializer:
 self.fallback_signers = fallback_signers
 self.serializer_kwargs = serializer_kwargs or {}
 
+ @property
+ def secret_key(self):
+ """The newest (last) entry in the :attr:`secret_keys` list. This
+ is for compatibility from before key rotation support was added.
+ """
+ return self.secret_keys[-1]
+
 def load_payload(self, payload, serializer=None):
 """Loads the encoded object. This function raises
 :class:`.BadPayload` if the payload is not valid. The
diff --git a/src/itsdangerous/signer.py b/src/itsdangerous/signer.py
index d72123e..3378a5a 100644
--- a/src/itsdangerous/signer.py
+++ b/src/itsdangerous/signer.py
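Review bot: An empty key list is accepted without complaint: `Serializer(secret_key=[])` builds `secret_keys = []`, and the failure only surfaces later as an IndexError from `self.secret_keys[-1]` in the `secret_key` property or wherever the signing key is picked, far from the misconfiguration; the `Signer` hunk at @@ -98 has the same gap. A guard right after the two branches, `if not secret_keys: raise ValueError("secret_key must not be empty")`, would reject it at construction time. The `isinstance(secret_key, list)` test also means a tuple of keys falls into the `else` branch and is handed whole to `want_bytes`, which presumably rejects it rather than treating it as a key list; widening the check to `(list, tuple)` is worth considering if that is intended. The enclosing `__init__` starts outside the hunk.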
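Review bot: The compatibility property `secret_key` is read-only, so pre-rotation code that assigned `obj.secret_key = new_key` now raises AttributeError instead of changing the signing key; the same holds for the `Signer` property at @@ -128. If assignment is meant to keep working, a setter `@secret_key.setter` / `def secret_key(self, value): self.secret_keys[-1] = want_bytes(value)` would replace the newest key in place. If it is intentionally read-only, the docstring should say so, for example by appending `This property is read-only; assign to :attr:`secret_keys` to rotate keys.`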
@@ -98,10 +98,16 @@ class Signer:
 algorithm=None,
 ):
 if isinstance(secret_key, list):
- self.secret_keys = [want_bytes(s) for s in secret_key]
+ secret_keys = [want_bytes(s) for s in secret_key]
 else:
- self.secret_keys = [want_bytes(secret_key)]
-
+ secret_keys = [want_bytes(secret_key)]
+
+ #: The list of secret keys to try for verifying signatures, from
+ #: oldest to newest. The newest (last) key is used for signing.
+ #:
+ #: This allows a key rotation system to keep a list of allowed
+ #: keys and remove expired ones.
+ self.secret_keys = secret_keys
 self.sep = want_bytes(sep)
 
 if self.sep in _base64_alphabet:
@@ -128,6 +134,13 @@ class Signer:
 
 self.algorithm = algorithm
 
+ @property
+ def secret_key(self):
+ """The newest (last) entry in the :attr:`secret_keys` list. This
+ is for compatibility from before key rotation support was added.
+ """
+ return self.secret_keys[-1]
+
 def derive_key(self, secret_key=None):
 """This method is called to derive the key. The default key
 derivation choices can be overridden here. Key derivation is not
@@ -173,7 +186,7 @@ class Signer:
 except Exception:
 return False
 
- for secret_key in self.secret_keys[::-1]:
+ for secret_key in reversed(self.secret_keys):
 key = self.derive_key(secret_key)
 
 if self.algorithm.verify_signature(key, value, sig):
|