Added key expiry in policies
lonelycode committed Oct 19, 2015
1 parent 83c4816 commit 468e2f1
Showing 3 changed files with 33 additions and 4 deletions.
7 changes: 4 additions & 3 deletions CHANGELOG.md
@@ -9,11 +9,11 @@
- Test update to reduce number of errors, cleaner output
- Healthcheck data now stored in a sorted set, much cleaner and faster, now works with redis cluster!
- Bug fixed: Empty or invalid listen path no longer crashes proxy
- Bug fixed: Basic Auth (and Oauth BA) asswords are now hashed, this is backward compatible, plaintext passwords will still work
- OAuth access token expiry can now be set (in seconds) in the `tyk.conf` file using `oauth_token_expire=3600`
- Bug fixed: Basic Auth (and Oauth BA) passwords are now hashed, this is backward compatible, plaintext passwords will still work
- OAuth access token expiry can now be set (in seconds) in the `tyk.conf` file using `oauth_token_expire:3600`
- Proxy now records accurate status codes for upstream requests for better error reporting
- Added refresh token invalidation API: `DELETE /tyk/oauth/refresh/{key}?api_id={api_id}`
- Global header injection now works, can be enabled on a er-version basis by adding `global_headers:{"header_name": "header value"}` to the version object in the API Definition, global injections also supports key metadata variables.
- Global header injection now works, can be enabled on a per-version basis by adding `global_headers:{"header_name": "header value"}` to the version object in the API Definition, global injections also supports key metadata variables.
- Added request size limiter, request size limiter middleware will insist on content-length to be set, and check first against content-length value, and then actual request size value. To implement, add this to your version info:

"size_limits": [
@@ -25,6 +25,7 @@
]

- Request size limits can also be enforced globally, these are checked first, to implement, add `"global_size_limit": 30` to your version data.
- Adding a `key_expires_in: seconds` property to a policy definition will cause any key that is created or added using this policy to have a finite lifetime, it will expire in `now()+key_expiry` seconds, handy for free trials

# 1.8.3.2

29 changes: 28 additions & 1 deletion api.go
@@ -71,19 +71,42 @@ func GetSpecForOrg(APIID string) *APISpec {
return ApiSpecRegister[aKey]
}

func checkAndApplyTrialPeriod(keyName string, apiId string, newSession *SessionState) {
// Check the policy to see if we are forcing an expiry on the key
if newSession.ApplyPolicyID != "" {
thisPolicy, foundPolicy := Policies[newSession.ApplyPolicyID]
if foundPolicy {
// Are we foring an expiry?
if thisPolicy.KeyExpiresIn > 0 {
// We are, does the key exist?
_, found := GetKeyDetail(keyName, apiId)
if !found {
// this is a new key, lets expire it
newSession.Expires = time.Now().Unix() + thisPolicy.KeyExpiresIn
}

}
}
}
}

func doAddOrUpdate(keyName string, newSession SessionState, dontReset bool) error {
if len(newSession.AccessRights) > 0 {
// We have a specific list of access rules, only add / update those
for apiId, _ := range newSession.AccessRights {
thisAPISpec := GetSpecForApi(apiId)
if thisAPISpec != nil {

checkAndApplyTrialPeriod(keyName, apiId, &newSession)

// Lets reset keys if they are edited by admin
if !thisAPISpec.DontSetQuotasOnCreate {
// Reset quote by default
if !dontReset {
thisAPISpec.SessionManager.ResetQuota(keyName, newSession)
newSession.QuotaRenews = time.Now().Unix() + newSession.QuotaRenewalRate
}

err := thisAPISpec.SessionManager.UpdateSession(keyName, newSession, thisAPISpec.SessionLifetime)
if err != nil {
return err
@@ -106,6 +129,7 @@ func doAddOrUpdate(keyName string, newSession SessionState, dontReset bool) erro
spec.SessionManager.ResetQuota(keyName, newSession)
newSession.QuotaRenews = time.Now().Unix() + newSession.QuotaRenewalRate
}
checkAndApplyTrialPeriod(keyName, spec.APIID, &newSession)
err := spec.SessionManager.UpdateSession(keyName, newSession, spec.SessionLifetime)
if err != nil {
return err
@@ -119,7 +143,8 @@ func doAddOrUpdate(keyName string, newSession SessionState, dontReset bool) erro
}

log.WithFields(logrus.Fields{
"key": keyName,
"key": keyName,
"expires": newSession.Expires,
}).Debug("New key added or updated.")
return nil
}
@@ -1097,6 +1122,7 @@ func createKeyHandler(w http.ResponseWriter, r *http.Request) {
for apiId, _ := range newSession.AccessRights {
thisAPISpec := GetSpecForApi(apiId)
if thisAPISpec != nil {
checkAndApplyTrialPeriod(newKey, apiId, &newSession)
// If we have enabled HMAC checking for keys, we need to generate a secret for the client to use
if !thisAPISpec.DontSetQuotasOnCreate {
// Reset quota by default
@@ -1123,6 +1149,7 @@ func createKeyHandler(w http.ResponseWriter, r *http.Request) {
// nothing defined, add key to ALL
log.Warning("No API Access Rights set, adding key to ALL.")
for _, spec := range ApiSpecRegister {
checkAndApplyTrialPeriod(newKey, spec.APIID, &newSession)
if !spec.DontSetQuotasOnCreate {
// Reset quote by default
spec.SessionManager.ResetQuota(newKey, newSession)
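Review bot: In `checkAndApplyTrialPeriod` the policy lifetime is written only when `GetKeyDetail` reports the key as missing, so on the update path of `doAddOrUpdate` the stored `Expires` is whatever the caller's `newSession` carries. An update whose `Expires` is unset or later than the original deadline would then leave a trial key without the limit the policy is meant to force. If the expiry is meant to be binding, keep the session that the lookup currently discards and carry its deadline forward or cap it, e.g. `if old, found := GetKeyDetail(keyName, apiId); found { newSession.Expires = old.Expires }`; this assumes the first return value is the stored session, which the hunk does not show. The sum `time.Now().Unix() + thisPolicy.KeyExpiresIn` is also unchecked, so a very large policy value would wrap to a negative timestamp, and an upper bound on `KeyExpiresIn` would rule that out. The bodies of `doAddOrUpdate` and `createKeyHandler` continue outside the visible hunks, so how `Expires` is populated before these calls cannot be confirmed from here.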
1 change: 1 addition & 0 deletions policy.go
@@ -21,6 +21,7 @@ type Policy struct {
Active bool `bson:"active" json:"active"`
IsInactive bool `bson:"is_inactive" json:"is_inactive"`
Tags []string `bson:"tags" json:"tags"`
KeyExpiresIn int64 `bson:"key_expires_in" json:"key_expires_in"`
}

func LoadPoliciesFromFile(filePath string) map[string]Policy {
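Review bot: `KeyExpiresIn` is added without a comment, and its unit and the meaning of zero are only discoverable from api.go, where it is added to `time.Now().Unix()` and ignored unless it is `> 0`. A field comment such as `// KeyExpiresIn is the lifetime in seconds given to keys created under this policy; 0 or less disables it.` would record that next to the definition. Whether `LoadPoliciesFromFile` range-checks the value is not visible, since its body lies outside the hunk.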
