Don't check cert validation if we're not changing the certs in the console (#2178)
If the stored cert(s) are invalid or expired, that is a problem, but it shouldn't necessarily prevent us from changing other settings. If we're not changing the certs, leave them alone.
This commit is contained in:
parent
a63916b08e
commit
da04caeea2
2 changed files with 22 additions and 33 deletions
@ -166,6 +166,7 @@ public class RequestHandler<C> {
} catch (Exception e) {
rsp.setStatus(SC_INTERNAL_SERVER_ERROR);
rsp.getWriter().write("Internal server error, please try again later");
logger.atSevere().withCause(e).log("Encountered internal server error");
} finally {
requestMetrics.record(
new Duration(startTime, clock.nowUtc()),
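Review bot: The recovery branch in this catch block assumes the response is still writable: `rsp.setStatus(SC_INTERNAL_SERVER_ERROR)` is silently ignored and `rsp.getWriter().write(...)` can throw `IllegalStateException` if the failing action had already committed the response or taken its output stream, and a throw there skips the severe log that follows it (presumably the line this hunk adds, since it grows by one line). If `rsp` is a servlet response, log first and guard the write: `logger.atSevere().withCause(e).log("Encountered internal server error");` moved above the status line, then `if (!rsp.isCommitted()) { rsp.setStatus(SC_INTERNAL_SERVER_ERROR); rsp.getWriter().write("Internal server error, please try again later"); }`. The enclosing method begins before this hunk and its `finally` block continues past it.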
@ -17,7 +17,6 @@ package google.registry.ui.server.console.settings;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import static google.registry.request.Action.Method.POST;
import avro.shaded.com.google.common.collect.ImmutableList;
import com.google.api.client.http.HttpStatusCodes;
import com.google.gson.Gson;
import google.registry.flows.certs.CertificateChecker;
@ -103,42 +102,31 @@ public class SecurityAction implements JsonGetAction {
.asBuilder()
.setIpAddressAllowList(registrarParameter.getIpAddressAllowList());
boolean hasInvalidCerts =
ImmutableList.of(
registrarParameter.getClientCertificate(),
registrarParameter.getFailoverClientCertificate())
.stream()
.filter(Optional::isPresent)
.map(Optional::get)
.anyMatch(
cert -> {
try {
certificateChecker.validateCertificate(cert);
return false;
} catch (InsecureCertificateException e) {
return true;
}
});
if (hasInvalidCerts) {
try {
if (!savedRegistrar
.getClientCertificate()
.equals(registrarParameter.getClientCertificate())) {
if (registrarParameter.getClientCertificate().isPresent()) {
String newClientCert = registrarParameter.getClientCertificate().get();
certificateChecker.validateCertificate(newClientCert);
updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime());
}
}
if (!savedRegistrar
.getFailoverClientCertificate()
.equals(registrarParameter.getFailoverClientCertificate())) {
if (registrarParameter.getFailoverClientCertificate().isPresent()) {
String newFailoverCert = registrarParameter.getFailoverClientCertificate().get();
certificateChecker.validateCertificate(newFailoverCert);
updatedRegistrar.setFailoverClientCertificate(newFailoverCert, tm().getTransactionTime());
}
}
} catch (InsecureCertificateException e) {
response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
response.setPayload("Insecure Certificate in parameter");
response.setPayload("Invalid certificate in parameter");
return;
}
registrarParameter
.getClientCertificate()
.ifPresent(
newClientCert ->
updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime()));
registrarParameter
.getFailoverClientCertificate()
.ifPresent(
failoverCert ->
updatedRegistrar.setFailoverClientCertificate(
failoverCert, tm().getTransactionTime()));
tm().put(updatedRegistrar.build());
response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
}
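Review bot: An absent certificate in the request is silently ignored rather than treated as a change: `if (registrarParameter.getClientCertificate().isPresent())` (and its failover twin) only acts when a value is supplied, so a registrar that currently has a cert and submits the field empty gets `STATUS_CODE_OK` with the stored cert untouched, and there is no path through this action that clears a cert. If that is intended, say so at that branch with a comment such as `// An absent cert in the request leaves the stored cert untouched; clearing a cert is not supported here.`; if clearing should be possible, the `isPresent()` gate needs an else branch that unsets it. A second caveat: the `equals` comparison against `savedRegistrar` is a byte-exact `Optional<String>` comparison, so if the console echoes the stored PEM back with different whitespace or line endings, every save re-validates and an expired cert would again block unrelated changes, which is the case this commit means to avoid; normalizing both sides (or comparing the parsed certificates) before the comparison would make that robust. The method body begins before this hunk; I am reading the `if (hasInvalidCerts) {` wrapper and the trailing `ifPresent` setters as the removed side, since the hunk shrinks from 42 to 31 lines.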