move app to gatehouse-app

gatehouse_app/models/oidc_jwks_key.py

@@ -0,0 +1,77 @@
+"""OIDC JWKS Key model for persisting signing keys."""
+from datetime import datetime, timezone
+from gatehouse_app.extensions import db
+from gatehouse_app.models.base import BaseModel
+
+
+class OidcJwksKey(BaseModel):
+    """
+    OIDC JWKS Key model for persisting JSON Web Key Set signing keys.
+
+    This model stores RSA/ECDSA key pairs used for signing OIDC tokens.
+    Multiple keys can be stored to support key rotation scenarios.
+
+    Attributes:
+        id: Integer primary key
+        kid: Unique key ID used in JWT "kid" header
+        key_type: Type of key (e.g., "RSA", "EC")
+        private_key: PEM-encoded private key
+        public_key: PEM-encoded public key
+        algorithm: Signing algorithm (e.g., "RS256", "ES256")
+        created_at: When the key was created
+        is_active: Whether this key is currently active for signing
+        is_primary: Whether this is the primary signing key
+        expires_at: ...
+    """
+
+    __tablename__ = "oidc_jwks_keys"
+
+    # Override the default UUID id with integer primary key
+    id = db.Column(db.Integer, primary_key=True)
+
+    expires_at = db.Column(db.DateTime, nullable=True)
+
+    # Key identification and type
+    kid = db.Column(db.String(255), unique=True, nullable=False, index=True)
+    key_type = db.Column(db.String(50), nullable=False)  # e.g., "RSA", "EC"
+    algorithm = db.Column(db.String(50), nullable=False)  # e.g., "RS256", "ES256"
+
+    # Key material (PEM-encoded)
+    private_key = db.Column(db.Text, nullable=False)
+    public_key = db.Column(db.Text, nullable=False)
+
+    # Key status
+    is_active = db.Column(db.Boolean, default=True, nullable=False)
+    is_primary = db.Column(db.Boolean, default=False, nullable=False)
+
+    def __repr__(self):
+        """String representation of OidcJwksKey."""
+        return f"<OidcJwksKey kid={self.kid} key_type={self.key_type} algorithm={self.algorithm}>"
+
+    def to_dict(self, exclude_private_key=True):
+        """
+        Convert model to dictionary.
+
+        Args:
+            exclude_private_key: If True, excludes the private key from output
+
+        Returns:
+            Dictionary representation of the model
+        """
+        exclude = ["private_key"] if exclude_private_key else []
+        return super().to_dict(exclude=exclude)
+
+    @classmethod
+    def get_active_keys(cls):
+        """Get all active keys for signing operations."""
+        return cls.query.filter(cls.is_active == True).all()
+
+    @classmethod
+    def get_primary_key(cls):
+        """Get the primary signing key."""
+        return cls.query.filter(cls.is_primary == True).first()
+
+    @classmethod
+    def get_key_by_kid(cls, kid):
+        """Get a key by its key ID."""
+        return cls.query.filter(cls.kid == kid, cls.is_active == True).first()