e744336385
C-6: ConnectorRuntime enforces capability_mask per operation.
READ-only ACs cannot invoke MUTATE operations (wipe, lock, retire).
C-7: AC validated against database (exists, active, not expired)
before connector invocation.
C-9: Delegated AC capability bounded by delegator's capability.
C-10: Command counter uses atomic SQL increment with limit check.
M-23: expire_stale() uses same atomic SQL pattern.
H-1: Sensitive credential fields hidden from repr/logs via repr=False.
H-2: Stub backend requires ALLOW_STUB_CREDENTIALS=true to activate.
H-3: Kerberos backend raises CredentialResolutionError instead of
returning stub ticket.
H-4: Chronicle INTENT emitted before execution, RESULT after.
H-5: device_id validated as UUID before Graph API URL interpolation.
H-8: ConnectorRuntime enforces governance for all connector invocations.
Signed-off-by: Tyler King <tking@guildhouse.dev>
31 lines
961 B
Python
31 lines
961 B
Python
import time
|
|
from typing import Optional
|
|
|
|
from .api_jwk import PyJWKSet, PyJWTSetWithTimestamp
|
|
|
|
|
|
class JWKSetCache:
|
|
def __init__(self, lifespan: float) -> None:
|
|
self.jwk_set_with_timestamp: Optional[PyJWTSetWithTimestamp] = None
|
|
self.lifespan = lifespan
|
|
|
|
def put(self, jwk_set: PyJWKSet) -> None:
|
|
if jwk_set is not None:
|
|
self.jwk_set_with_timestamp = PyJWTSetWithTimestamp(jwk_set)
|
|
else:
|
|
# clear cache
|
|
self.jwk_set_with_timestamp = None
|
|
|
|
def get(self) -> Optional[PyJWKSet]:
|
|
if self.jwk_set_with_timestamp is None or self.is_expired():
|
|
return None
|
|
|
|
return self.jwk_set_with_timestamp.get_jwk_set()
|
|
|
|
def is_expired(self) -> bool:
|
|
return (
|
|
self.jwk_set_with_timestamp is not None
|
|
and self.lifespan > -1
|
|
and time.monotonic()
|
|
> self.jwk_set_with_timestamp.get_timestamp() + self.lifespan
|
|
)
|