Retain keys in DB longer.

composer.json

@@ -38,7 +38,7 @@
         "react/dns" : ">=1.12.0",
         "react/socket" : ">=1.15.0",
 
-        "tsugi/lib": "dev-master#80999907e817b5bb3b97874ff74ea0c0e21db441",
+        "tsugi/lib": "dev-master#da95ced92a3a2222895cc06b0aeb04dd02928142",
         "koseu/lib": "dev-master#70c7ac1ca413c2dd541e078ebe07719405621b1b"
     },
     "config": {

vendor/composer/installed.json

@@ -7708,12 +7708,12 @@
             "source": {
                 "type": "git",
                 "url": "https://github.com/tsugiproject/tsugi-php.git",
-                "reference": "80999907e817b5bb3b97874ff74ea0c0e21db441"
+                "reference": "da95ced92a3a2222895cc06b0aeb04dd02928142"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/tsugiproject/tsugi-php/zipball/80999907e817b5bb3b97874ff74ea0c0e21db441",
-                "reference": "80999907e817b5bb3b97874ff74ea0c0e21db441",
+                "url": "https://api.github.com/repos/tsugiproject/tsugi-php/zipball/da95ced92a3a2222895cc06b0aeb04dd02928142",
+                "reference": "da95ced92a3a2222895cc06b0aeb04dd02928142",
                 "shasum": ""
             },
             "require": {
@@ -7727,7 +7727,7 @@
                 "phpunit/php-timer": "v5.0.3",
                 "phpunit/phpunit": "9.*"
             },
-            "time": "2024-05-15T17:27:54+00:00",
+            "time": "2024-05-15T17:56:56+00:00",
             "default-branch": true,
             "type": "library",
             "installation-source": "dist",

vendor/composer/installed.php

@@ -3,7 +3,7 @@
         'name' => '__root__',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '6cdfe85802dd137411183d441d81f9221ad6a434',
+        'reference' => 'e68ce1f87dac44b26b455eb384644ad2ee6cd4c9',
         'type' => 'library',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -13,7 +13,7 @@
         '__root__' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '6cdfe85802dd137411183d441d81f9221ad6a434',
+            'reference' => 'e68ce1f87dac44b26b455eb384644ad2ee6cd4c9',
             'type' => 'library',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),
@@ -1078,7 +1078,7 @@
         'tsugi/lib' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '80999907e817b5bb3b97874ff74ea0c0e21db441',
+            'reference' => 'da95ced92a3a2222895cc06b0aeb04dd02928142',
             'type' => 'library',
             'install_path' => __DIR__ . '/../tsugi/lib',
             'aliases' => array(

vendor/tsugi/lib/src/Core/Keyset.php

@@ -14,9 +14,10 @@
 
 class Keyset {
 
-     public static $ttl = 10*60;
-     public static $expire = 5*60;
-     // public static $expire = 0; // Debug only
+     public static $key_rotate_days = 30;
+     public static $apc_ttl = 10*60;
+     public static $apc_expire = 5*60;
+     // public static $apc_expire = 0; // Debug only
      public static $verbose = false;  // Debug only
 
      // Auto populate and/or rotate the lti_keyset data
@@ -30,12 +31,12 @@ public static function maintain() {
         $kid = U::appCacheGet('keyset_kid', null);
 
         $delta = abs($now-$apc_check);
-        if ( is_string($kid) && is_string($privkey) && $apc_check > 0 && $delta < self::$expire ) {
+        if ( is_string($kid) && is_string($privkey) && $apc_check > 0 && $delta < self::$apc_expire ) {
             if ( self::$verbose ) error_log("Keyset::maintain Last key rotation check seconds=".$delta);
             return;
         }
 
-        U::appCacheSet('keyset_last_check', $now, self::$ttl);
+        U::appCacheSet('keyset_last_check', $now, self::$apc_ttl);
 
         $sql = "SELECT *, NOW() as now FROM {$CFG->dbprefix}lti_keyset ORDER BY created_at DESC LIMIT 10";
         $rows = $PDOX->allRowsDie($sql);
@@ -48,7 +49,7 @@ public static function maintain() {
             $days = $delta->days;
         }
 
-        if ( $days == -1 || $days >= 30) {
+        if ( $days == -1 || $days >= self::$key_rotate_days) {
             error_log("Adding a row to lti_keyset days=".$days);
             // Returns those call by reference parms
             $success = \Tsugi\Util\LTI13::generatePKCS8Pair($publicKey, $privateKey);
@@ -64,21 +65,25 @@ public static function maintain() {
             );
             $stmt = $PDOX->queryReturnError($sql, $values);
 
-            if ( $stmt->rowCount() > 0 ) {
-                error_log("KeySet::maintain table cleanup rows=".$stmt->rowCount());
+            if ( ! $stmt->success ) {
+                error_log("Keyset::maintain Unable to insert new key into keyset\n");
+                return;
             }
 
+            // Reload our key
             $kid = LTIX::getKidForKey($publicKey);
             error_log("Keyset::maintain Key rotated days=".$days." new kid=".$kid);
 
-            if ( ! $stmt->success ) {
-                error_log("Keyset::maintain Unable to insert new key into keyset\n");
-                return;
-            }
+            // Clean up very old records after six periods
+            $days_to_wait = self::$key_rotate_days*6;
+            if ( $days_to_wait < 5 ) $days_to_wait = 5;
 
-            // Clean up very old records
             $stmt = $PDOX->queryDie("DELETE FROM {$CFG->dbprefix}lti_keyset WHERE
-                 created_at < (CURDATE() - INTERVAL 1 MONTH);");
+                 created_at < (CURDATE() - INTERVAL ".$days_to_wait." DAY);");
+
+            if ( $stmt->rowCount() > 0 ) {
+                error_log("KeySet::maintain table cleanup rows=".$stmt->rowCount());
+            }
 
         } else {
             if ( self::$verbose ) error_log("Keyset::maintain No key rotation necessary days=".$days);
@@ -99,7 +104,7 @@ public static function getSigning(&$privkey, &$kid) {
 
         // No more than once per expiration period
         $delta = abs($now-$last_load);
-        if ( is_string($kid) && is_string($privkey) && $delta < self::$expire ) {
+        if ( is_string($kid) && is_string($privkey) && $delta < self::$apc_expire ) {
             if ( self::$verbose ) error_log("Keyset::getSigning cache hit seconds=".$delta);
             return;
         }
@@ -114,9 +119,9 @@ public static function getSigning(&$privkey, &$kid) {
 
         // Save for later
         if ( is_string($kid) && is_string($privkey)) {
-            U::appCacheSet('keyset_last_load', $now, self::$ttl);
-            U::appCacheSet('keyset_privkey', $privkey, self::$ttl);
-            U::appCacheSet('keyset_kid', $kid, self::$ttl);
+            U::appCacheSet('keyset_last_load', $now, self::$apc_ttl);
+            U::appCacheSet('keyset_privkey', $privkey, self::$apc_ttl);
+            U::appCacheSet('keyset_kid', $kid, self::$apc_ttl);
         } else {
             U::appCacheDelete('keyset_last_load');
             U::appCacheDelete('keyset_privkey');