Fixed documentation issue for jwt activation revocation (#106)

Fixes #104

Signed-off-by: Matthias Hanel <mh@synadia.com>

exports.go

@@ -151,16 +151,16 @@ func (e *Export) ClearRevocation(pubKey string) {
 	e.Revocations.ClearRevocation(pubKey)
 }
 
-// IsRevokedAt checks if the public key is in the revoked list with a timestamp later than
-// the one passed in. Generally this method is called with time.Now() but other time's can
-// be used for testing.
+// IsRevokedAt checks if the public key is in the revoked list with a timestamp later than the one passed in.
+// Generally this method is called with the subject and issue time of the jwt to be tested.
+// DO NOT pass time.Now(), it will not produce a stable/expected response.
 func (e *Export) IsRevokedAt(pubKey string, timestamp time.Time) bool {
 	return e.Revocations.IsRevoked(pubKey, timestamp)
 }
 
-// IsRevoked checks if the public key is in the revoked list with time.Now()
-func (e *Export) IsRevoked(pubKey string) bool {
-	return e.Revocations.IsRevoked(pubKey, time.Now())
+// IsRevoked does not perform a valid check. Use IsRevokedAt instead.
+func (e *Export) IsRevoked(_ string) bool {
+	return true
 }
 
 // Exports is a slice of exports

v2/exports.go

@@ -175,16 +175,20 @@ func (e *Export) ClearRevocation(pubKey string) {
 	e.Revocations.ClearRevocation(pubKey)
 }
 
-// IsRevokedAt checks if the public key is in the revoked list with a timestamp later than
-// the one passed in. Generally this method is called with time.Now() but other time's can
-// be used for testing.
-func (e *Export) IsRevokedAt(pubKey string, timestamp time.Time) bool {
-	return e.Revocations.IsRevoked(pubKey, timestamp)
+// isRevoked checks if the public key is in the revoked list with a timestamp later than the one passed in.
+// Generally this method is called with the subject and issue time of the jwt to be tested.
+// DO NOT pass time.Now(), it will not produce a stable/expected response.
+func (e *Export) isRevoked(pubKey string, claimIssuedAt time.Time) bool {
+	return e.Revocations.IsRevoked(pubKey, claimIssuedAt)
 }
 
-// IsRevoked checks if the public key is in the revoked list with time.Now()
-func (e *Export) IsRevoked(pubKey string) bool {
-	return e.Revocations.IsRevoked(pubKey, time.Now())
+// IsClaimRevoked checks if the activation revoked the claim passed in.
+// Invalid claims (nil, no Subject or IssuedAt) will return true.
+func (e *Export) IsClaimRevoked(claim *ActivationClaims) bool {
+	if claim == nil || claim.IssuedAt == 0 || claim.Subject == "" {
+		return true
+	}
+	return e.isRevoked(claim.Subject, time.Unix(claim.IssuedAt, 0))
 }
 
 // Exports is a slice of exports

v2/exports_test.go

@@ -187,48 +187,61 @@ func TestExportRevocation(t *testing.T) {
 
 	account.Exports.Add(e)
 
-	pubKey := "bar"
+	ikp := createAccountNKey(t)
+	pubKey := publicKey(ikp, t)
+
+	ac := NewActivationClaims(pubKey)
+	ac.IssuerAccount = apk
+	ac.Name = "foo"
+	ac.Activation.ImportSubject = "foo"
+	ac.Activation.ImportType = Stream
+	aJwt, _ := ac.Encode(akp)
+	ac, err := DecodeActivationClaims(aJwt)
+	if err != nil {
+		t.Errorf("Failed to decode activation claim: %v", err)
+	}
+
 	now := time.Now()
 
 	// test that clear is safe before we add any
 	e.ClearRevocation(pubKey)
 
-	if e.IsRevokedAt(pubKey, now) {
+	if e.isRevoked(pubKey, now) {
 		t.Errorf("no revocation was added so is revoked should be false")
 	}
 
 	e.RevokeAt(pubKey, now.Add(time.Second*100))
 
-	if !e.IsRevokedAt(pubKey, now) {
+	if !e.isRevoked(pubKey, now) {
 		t.Errorf("revocation should hold when timestamp is in the future")
 	}
 
-	if e.IsRevokedAt(pubKey, now.Add(time.Second*150)) {
+	if e.isRevoked(pubKey, now.Add(time.Second*150)) {
 		t.Errorf("revocation should time out")
 	}
 
 	e.RevokeAt(pubKey, now.Add(time.Second*50)) // shouldn't change the revocation, you can't move it in
 
-	if !e.IsRevokedAt(pubKey, now.Add(time.Second*60)) {
+	if !e.isRevoked(pubKey, now.Add(time.Second*60)) {
 		t.Errorf("revocation should hold, 100 > 50")
 	}
 
 	encoded, _ := account.Encode(akp)
 	decoded, _ := DecodeAccountClaims(encoded)
 
-	if !decoded.Exports[0].IsRevokedAt(pubKey, now.Add(time.Second*60)) {
+	if !decoded.Exports[0].isRevoked(pubKey, now.Add(time.Second*60)) {
 		t.Errorf("revocation should last across encoding")
 	}
 
 	e.ClearRevocation(pubKey)
 
-	if e.IsRevokedAt(pubKey, now) {
+	if e.IsClaimRevoked(ac) {
 		t.Errorf("revocations should be cleared")
 	}
 
-	e.RevokeAt(pubKey, now.Add(time.Second*1000))
+	e.RevokeAt(pubKey, now)
 
-	if !e.IsRevoked(pubKey) {
+	if !e.IsClaimRevoked(ac) {
 		t.Errorf("revocation be true we revoked in the future")
 	}
 }