Put back password for pki login

2025-05-17 09:57:23 +02:00 · 2015-02-23 11:53:23 +02:00 · 2015-02-23 11:53:23 +02:00 · 00ecdba699
commit 00ecdba699
parent fe67c51436
3 changed files with 12 additions and 16 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,7 @@ mkdir certs crl newcerts private csrs
 chmod 700 private
 touch index.txt
 echo 1000 > serial
+echo 1000 > crlnumber
 ```

 Generate the root key (prompts for pass phrase): 
@ -26,6 +27,8 @@ exit

 Make sure the following options are in place:
 ```
+crl_extensions = crl_ext
+
 [ CA_default ]
 # Where everything is kept
 dir = /home/registry/registry/shared/ca
@ -71,6 +74,12 @@ openssl req -sha256 -new -key private/webclient.key.pem -out csrs/webclient.csr.
 Sign the request and create certificate:
 ```
 openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -extensions usr_cert -notext -md sha256 -in csrs/webclient.csr.pem -out certs/webclient.crt.pem
+chmod 444 certs/webclient.crt.pem
+```
+
+Create certificate revocation list (prompts for pass phrase):
+```
+openssl ca -keyfile private/ca.key.pem -cert certs/ca.crt.pem -gencrl -out crl/crl.pem
 ```

 Configure EPP virtual host:
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@ -3,18 +3,8 @@ module Repp
    format :json
    prefix :repp

-    before do
-      auth_param = request.headers['Authorization'].split(' ', 2).second
-      username, password = ::Base64.decode64(auth_param || '').split(':', 2)
-
-      # allow user lookup only by username if request came from webclient
-      if request.ip == APP_CONFIG['webclient_ip'] && password.blank?
-        login_params = { username: username }
-      else
-        login_params = { username: username, password: password }
-      end
-
-      @current_user ||= ApiUser.find_by(login_params)
+    http_basic do |username, password|
+      @current_user ||= ApiUser.find_by(username: username, password: password)
    end

    helpers do
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -9,10 +9,7 @@ class Epp::SessionsController < EppController
  # rubocop: disable Metrics/CyclomaticComplexity
  def login
    cert_valid = true
-    # Allow login with only username
-    if request.ip == APP_CONFIG['webclient_ip'] && login_params[:password].nil?
-      @api_user = ApiUser.find_by(username: login_params[:username])
-    elsif request.ip == APP_CONFIG['webclient_ip']
+    if request.ip == APP_CONFIG['webclient_ip']
      @api_user = ApiUser.find_by(login_params)
    else
      if request.env['HTTP_SSL_CLIENT_S_DN_CN'] != login_params[:username]