Don't check cert validation if we're not changing the certs in the console (#2178)

If the cert(s) are invalid or expired that's a problem, but that
shouldn't necessarily prevent us from changing other things. If we're
not changing the certs, leave them alone.
This commit is contained in:
gbrodman 2023-10-16 13:37:57 -04:00 committed by GitHub
parent a63916b08e
commit da04caeea2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 33 deletions

View file

@ -166,6 +166,7 @@ public class RequestHandler<C> {
} catch (Exception e) {
rsp.setStatus(SC_INTERNAL_SERVER_ERROR);
rsp.getWriter().write("Internal server error, please try again later");
logger.atSevere().withCause(e).log("Encountered internal server error");
} finally {
requestMetrics.record(
new Duration(startTime, clock.nowUtc()),

View file

@ -17,7 +17,6 @@ package google.registry.ui.server.console.settings;
import static google.registry.persistence.transaction.TransactionManagerFactory.tm;
import static google.registry.request.Action.Method.POST;
import avro.shaded.com.google.common.collect.ImmutableList;
import com.google.api.client.http.HttpStatusCodes;
import com.google.gson.Gson;
import google.registry.flows.certs.CertificateChecker;
@ -103,42 +102,31 @@ public class SecurityAction implements JsonGetAction {
.asBuilder()
.setIpAddressAllowList(registrarParameter.getIpAddressAllowList());
boolean hasInvalidCerts =
ImmutableList.of(
registrarParameter.getClientCertificate(),
registrarParameter.getFailoverClientCertificate())
.stream()
.filter(Optional::isPresent)
.map(Optional::get)
.anyMatch(
cert -> {
try {
certificateChecker.validateCertificate(cert);
return false;
} catch (InsecureCertificateException e) {
return true;
}
});
if (hasInvalidCerts) {
try {
if (!savedRegistrar
.getClientCertificate()
.equals(registrarParameter.getClientCertificate())) {
if (registrarParameter.getClientCertificate().isPresent()) {
String newClientCert = registrarParameter.getClientCertificate().get();
certificateChecker.validateCertificate(newClientCert);
updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime());
}
}
if (!savedRegistrar
.getFailoverClientCertificate()
.equals(registrarParameter.getFailoverClientCertificate())) {
if (registrarParameter.getFailoverClientCertificate().isPresent()) {
String newFailoverCert = registrarParameter.getFailoverClientCertificate().get();
certificateChecker.validateCertificate(newFailoverCert);
updatedRegistrar.setFailoverClientCertificate(newFailoverCert, tm().getTransactionTime());
}
}
} catch (InsecureCertificateException e) {
response.setStatus(HttpStatusCodes.STATUS_CODE_BAD_REQUEST);
response.setPayload("Insecure Certificate in parameter");
response.setPayload("Invalid certificate in parameter");
return;
}
registrarParameter
.getClientCertificate()
.ifPresent(
newClientCert ->
updatedRegistrar.setClientCertificate(newClientCert, tm().getTransactionTime()));
registrarParameter
.getFailoverClientCertificate()
.ifPresent(
failoverCert ->
updatedRegistrar.setFailoverClientCertificate(
failoverCert, tm().getTransactionTime()));
tm().put(updatedRegistrar.build());
response.setStatus(HttpStatusCodes.STATUS_CODE_OK);
}