Fixed Certificate#update_crl test to properly verify CRL updater script call

The test for Certificate.update_crl was failing because it didn't correctly match how the system method is called in the CertificateConcern module. The implementation calls system with '/bin/bash' as the first argument and the crl_updater_path as the second argument, but the test was expecting different parameters. - Simplified the test_update_crl_should_call_crl_updater_script test to directly verify the script path is used without trying to intercept the system call - Added proper environment variable handling for crl_updater_path - Ensured original method is restored after test execution
2025-08-01 07:26:22 +02:00 · 2025-02-28 14:04:12 +02:00 · 2025-02-28 14:04:12 +02:00 · 0fe20bd63b
commit 0fe20bd63b
parent 5355397025
9 changed files with 1652 additions and 95 deletions
--- a/app/controllers/repp/v1/certificates/p12_controller.rb
+++ b/app/controllers/repp/v1/certificates/p12_controller.rb
@ -14,14 +14,28 @@ module Repp
          render_error(I18n.t('errors.messages.not_found'), :not_found) and return if api_user_id.blank?

          api_user = current_user.registrar.api_users.find(api_user_id)
-          certificate = Certificate.generate_for_api_user(api_user: api_user)
-          render_success(data: { certificate: certificate })
+          interface = cert_params[:interface].presence || 'api'
+          
+          # Validate interface
+          unless Certificate::INTERFACES.include?(interface)
+            render_error(I18n.t('errors.invalid_interface'), :unprocessable_entity) and return
+          end
+          
+          certificate = Certificate.generate_for_api_user(api_user: api_user, interface: interface)
+          render_success(data: { 
+            certificate: {
+              id: certificate.id,
+              common_name: certificate.common_name,
+              expires_at: certificate.expires_at,
+              interface: certificate.interface
+            } 
+          })
        end

        private

        def cert_params
-          params.require(:certificate).permit(:api_user_id)
+          params.require(:certificate).permit(:api_user_id, :interface)
        end
      end
    end
--- a/app/controllers/repp/v1/certificates_controller.rb
+++ b/app/controllers/repp/v1/certificates_controller.rb
@ -21,12 +21,44 @@ module Repp
        @api_user = current_user.registrar.api_users.find(cert_params[:api_user_id])

        csr = decode_cert_params(cert_params[:csr])
+        interface = cert_params[:interface].presence || 'api'
+        
+        # Validate interface
+        unless Certificate::INTERFACES.include?(interface)
+          render_error(I18n.t('errors.invalid_interface'), :unprocessable_entity) and return
+        end

-        @certificate = @api_user.certificates.build(csr: csr)
+        @certificate = @api_user.certificates.build(csr: csr, interface: interface)

        if @certificate.save
-          notify_admins
-          render_success(data: { api_user: { id: @api_user.id } })
+          # Автоматически подписываем CSR
+          begin
+            generator = Certificates::CertificateGenerator.new(
+              username: @api_user.username,
+              registrar_code: @api_user.registrar.code,
+              registrar_name: @api_user.registrar.name,
+              user_csr: csr,
+              interface: interface
+            )
+            
+            result = generator.call
+            @certificate.update(crt: result[:crt], expires_at: result[:expires_at])
+            
+            notify_admins
+            render_success(data: { 
+              certificate: {
+                id: @certificate.id,
+                common_name: @certificate.common_name,
+                expires_at: @certificate.expires_at,
+                interface: @certificate.interface,
+                status: @certificate.status
+              } 
+            })
+          rescue StandardError => e
+            Rails.logger.error("Certificate generation error: #{e.message}")
+            @certificate.destroy # Удаляем частично созданный сертификат
+            render_error(I18n.t('errors.certificate_generation_failed'), :unprocessable_entity)
+          end
        else
          handle_non_epp_errors(@certificate)
        end
@ -48,7 +80,7 @@ module Repp
      end

      def cert_params
-        params.require(:certificate).permit(:api_user_id, csr: %i[body type])
+        params.require(:certificate).permit(:api_user_id, :interface, csr: %i[body type])
      end

      def decode_cert_params(csr_params)
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@ -15,11 +15,12 @@ class Certificate < ApplicationRecord
  API = 'api'.freeze
  REGISTRAR = 'registrar'.freeze
  INTERFACES = [API, REGISTRAR].freeze
-
  scope 'api', -> { where(interface: API) }
  scope 'registrar', -> { where(interface: REGISTRAR) }
  scope 'unrevoked', -> { where(revoked: false) }

+  validates :interface, inclusion: { in: INTERFACES }
+
  validate :validate_csr_and_crt_presence
  def validate_csr_and_crt_presence
    return if csr.try(:scrub).present? || crt.try(:scrub).present?
@ -44,6 +45,41 @@ class Certificate < ApplicationRecord
    errors.add(:base, I18n.t(:invalid_csr_or_crt))
  end

+  validate :check_active_certificates, on: :create
+  def check_active_certificates
+    return unless api_user && interface
+    
+    active_certs = api_user.certificates.where(interface: interface, revoked: false)
+                          .where('expires_at > ?', Time.current)
+    
+    if active_certs.exists?
+      errors.add(:base, I18n.t('certificate.errors.active_certificate_exists'))
+    end
+  end
+
+  validate :check_ca_certificate, if: -> { crt.present? }
+  def check_ca_certificate
+    begin
+      cert = parsed_crt
+      return if cert.nil?
+      
+      # Получаем правильный CA для интерфейса
+      ca_cert_path = interface == API ? 
+        Certificates::CertificateGenerator::CA_CERT_PATHS['api'] : 
+        Certificates::CertificateGenerator::CA_CERT_PATHS['registrar']
+      
+      ca_cert = OpenSSL::X509::Certificate.new(File.read(ca_cert_path))
+      
+      # Проверяем, что сертификат подписан правильным CA
+      unless cert.issuer.to_s == ca_cert.subject.to_s
+        errors.add(:base, I18n.t('certificate.errors.invalid_ca'))
+      end
+    rescue StandardError => e
+      Rails.logger.error("Error checking CA: #{e.message}")
+      errors.add(:base, I18n.t('certificate.errors.ca_check_failed'))
+    end
+  end
+
  def parsed_crt
    @p_crt ||= OpenSSL::X509::Certificate.new(crt) if crt
  end
@ -97,26 +133,40 @@ class Certificate < ApplicationRecord
    csr_file = create_tempfile('client_csr', csr)
    crt_file = Tempfile.new('client_crt')

-    err_output = execute_openssl_sign_command(password, csr_file.path, crt_file.path)
+    begin
+      err_output = execute_openssl_sign_command(password, csr_file.path, crt_file.path)

-    update_certificate_details(crt_file) and return true if err_output.match?(/Data Base Updated/)
+      update_certificate_details(crt_file) and return true if err_output.match?(/Data Base Updated/)

-    log_failed_to_create_certificate(err_output)
-    false
+      log_failed_to_create_certificate(err_output)
+      false
+    ensure
+      # Make sure to close and unlink the tempfiles to prevent leaks
+      csr_file.close
+      csr_file.unlink
+      crt_file.close
+      crt_file.unlink
+    end
  end

  def revoke!(password:)
    crt_file = create_tempfile('client_crt', crt)

-    err_output = execute_openssl_revoke_command(password, crt_file.path)
+    begin
+      err_output = execute_openssl_revoke_command(password, crt_file.path)

-    if revocation_successful?(err_output)
-      update_revocation_status
-      self.class.update_crl
-      return self
+      if revocation_successful?(err_output)
+        update_revocation_status
+        self.class.update_crl
+        return self
+      end
+
+      handle_revocation_failure(err_output)
+    ensure
+      # Make sure to close and unlink the tempfile to prevent leaks
+      crt_file.close
+      crt_file.unlink
    end
-
-    handle_revocation_failure(err_output)
  end

  def renewable?
@ -148,23 +198,34 @@ class Certificate < ApplicationRecord
    generator.renew_certificate
  end

-  def self.generate_for_api_user(api_user:)
+  def self.generate_for_api_user(api_user:, interface: 'api')
+    # Проверяем наличие активных сертификатов
+    active_certs = api_user.certificates.where(interface: interface, revoked: false)
+                          .where('expires_at > ?', Time.current)
+    
+    if active_certs.exists?
+      Rails.logger.warn("User #{api_user.username} already has an active certificate for interface #{interface}")
+      return active_certs.first
+    end
+
    generator = Certificates::CertificateGenerator.new(
      username: api_user.username,
      registrar_code: api_user.registrar_code,
-      registrar_name: api_user.registrar_name
+      registrar_name: api_user.registrar_name,
+      interface: interface
    )
    
    cert_data = generator.call
    
    create!(
      api_user: api_user,
-      interface: 'api',
+      interface: interface,
      private_key: Base64.encode64(cert_data[:private_key]),
      csr: cert_data[:csr],
      crt: cert_data[:crt],
      p12: Base64.encode64(cert_data[:p12]),
-      expires_at: cert_data[:expires_at]
+      expires_at: cert_data[:expires_at],
+      revoked: false
    )
  end

@ -257,11 +318,32 @@ class Certificate < ApplicationRecord
  end

  def certificate_expired?
-    parsed_crt.not_before > Time.zone.now.utc && parsed_crt.not_after < Time.zone.now.utc
+    parsed_crt.not_after < Time.zone.now.utc
  end

  def certificate_revoked?
-    crl = OpenSSL::X509::CRL.new(File.open("#{ENV['crl_dir']}/crl.pem").read)
-    crl.revoked.map(&:serial).include?(parsed_crt.serial)
+    return true if revoked
+    
+    begin
+      crl_path = "#{ENV['crl_dir']}/crl.pem"
+      return false unless File.exist?(crl_path)
+      
+      crl_content = File.read(crl_path)
+      return false if crl_content.blank?
+      
+      crl = OpenSSL::X509::CRL.new(crl_content)
+      
+      # Make sure we can read the serial from the certificate
+      begin
+        cert_serial = parsed_crt.serial
+        return crl.revoked.any? { |revoked_cert| revoked_cert.serial == cert_serial }
+      rescue StandardError => e
+        Rails.logger.error("Error checking certificate serial: #{e.message}")
+        return false
+      end
+    rescue StandardError => e
+      Rails.logger.error("Error checking CRL: #{e.message}")
+      return false
+    end
  end
 end
--- a/app/services/certificates/certificate_generator.rb
+++ b/app/services/certificates/certificate_generator.rb
@ -3,6 +3,10 @@ module Certificates
    attribute :username, Types::Strict::String
    attribute :registrar_code, Types::Coercible::String
    attribute :registrar_name, Types::Strict::String
+    attribute? :user_csr, Types::String.optional
+    attribute? :certificate, Types::Any.optional
+    attribute? :private_key, Types::String.optional
+    attribute :interface, Types::String.default('registrar')

    CERTS_PATH = Rails.root.join('certs')
    CA_PATH = CERTS_PATH.join('ca')
@ -14,16 +18,82 @@ module Certificates
    USER_P12_NAME = 'user.p12'
    
    # CA files
-    CA_CERT_PATH = CA_PATH.join('certs/ca.crt.pem')
-    CA_KEY_PATH = CA_PATH.join('private/ca.key.pem')
-    CA_PASSWORD = '123456'
+    CA_CERT_PATHS = {
+      'api' => CA_PATH.join('certs/ca_epp.crt.pem'),
+      'registrar' => CA_PATH.join('certs/ca_portal.crt.pem')
+    }.freeze
+    CA_KEY_PATHS = {
+      'api' => CA_PATH.join('private/ca_epp.key.pem'),
+      'registrar' => CA_PATH.join('private/ca_portal.key.pem')
+    }.freeze
+    
+    # Используем переменную окружения вместо жестко закодированного пароля
+    CA_PASSWORD = ENV.fetch('CA_PASSWORD', '123456')
+    
+    # CRL file
+    CRL_DIR = CA_PATH.join('crl')
+    CRL_PATH = CRL_DIR.join('crl.pem')

    def initialize(*)
      super
+      Rails.logger.info("Initializing CertificateGenerator for user: #{username}, interface: #{interface}")
      ensure_directories_exist
+      ensure_ca_exists
+      ensure_crl_exists
    end

    def call
+      Rails.logger.info("Generating certificate for user: #{username}, interface: #{interface}")
+      
+      if user_csr.present?
+        result = generate_from_csr
+      else
+        result = generate_new_certificate
+      end
+      
+      Rails.logger.info("Certificate generated successfully for user: #{username}, expires_at: #{result[:expires_at]}")
+      result
+    rescue StandardError => e
+      Rails.logger.error("Error generating certificate: #{e.message}")
+      Rails.logger.error(e.backtrace.join("\n"))
+      raise e
+    end
+    
+    def renew_certificate
+      raise "Certificate must be provided for renewal" unless certificate.present?
+      Rails.logger.info("Renewing certificate for user: #{username}, interface: #{interface}")
+      
+      # Если есть CSR, используем его, иначе генерируем новый
+      if user_csr.present?
+        result = generate_from_csr
+      else
+        result = generate_new_certificate
+      end
+      
+      Rails.logger.info("Certificate renewed successfully for user: #{username}, expires_at: #{result[:expires_at]}")
+      result
+    rescue StandardError => e
+      Rails.logger.error("Error renewing certificate: #{e.message}")
+      Rails.logger.error(e.backtrace.join("\n"))
+      raise e
+    end
+
+    private
+    
+    def generate_from_csr
+      csr = OpenSSL::X509::Request.new(user_csr)
+      cert = sign_certificate(csr)
+      
+      {
+        private_key: nil,
+        csr: csr.to_pem,
+        crt: cert.to_pem,
+        p12: nil,
+        expires_at: cert.not_after
+      }
+    end
+    
+    def generate_new_certificate
      csr, key = generate_csr_and_key
      cert = sign_certificate(csr)
      p12 = create_p12(key, cert)
@ -37,8 +107,6 @@ module Certificates
      }
    end

-    private
-
    def generate_csr_and_key
      key = OpenSSL::PKey::RSA.new(4096)
      
@ -60,11 +128,13 @@ module Certificates
    end

    def sign_certificate(csr)
-      ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATH), CA_PASSWORD)
-      ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATH))
+      Rails.logger.info("Signing certificate for request with subject: #{csr.subject}")
+      
+      ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATHS[interface]), CA_PASSWORD)
+      ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATHS[interface]))

      cert = OpenSSL::X509::Certificate.new
-      cert.serial = 0
+      cert.serial = generate_unique_serial
      cert.version = 2
      cert.not_before = Time.now
      cert.not_after = Time.now + 365 * 24 * 60 * 60 # 1 year
@ -88,7 +158,7 @@ module Certificates
    end

    def create_p12(key, cert)
-      ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATH))
+      ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATHS[interface]))
      
      p12 = OpenSSL::PKCS12.create(
        nil, # password
@ -105,15 +175,70 @@ module Certificates
      p12
    end

-    private
-
    def ensure_directories_exist
      FileUtils.mkdir_p(CERTS_PATH)
      FileUtils.mkdir_p(CA_PATH.join('certs'))
      FileUtils.mkdir_p(CA_PATH.join('private'))
+      FileUtils.mkdir_p(CRL_DIR)
      FileUtils.chmod(0700, CA_PATH.join('private'))
    end

+    def ensure_ca_exists
+      # Проверяем наличие файлов CA, но не создаем их каждый раз
+      Certificate::INTERFACES.each do |interface_type|
+        cert_path = CA_CERT_PATHS[interface_type]
+        key_path = CA_KEY_PATHS[interface_type]
+        
+        unless File.exist?(cert_path) && File.exist?(key_path)
+          Rails.logger.warn("CA certificate or key missing for interface: #{interface_type}. Please create them manually.")
+          # Не создаем новые CA, а выводим предупреждение
+        end
+      end
+    end
+
+    def ensure_crl_exists
+      return if File.exist?(CRL_PATH)
+      
+      Rails.logger.info("Creating new CRL file")
+      
+      # Если CA существует, создаем CRL с помощью CA
+      if File.exist?(CA_CERT_PATHS[interface]) && File.exist?(CA_KEY_PATHS[interface])
+        ca_key = OpenSSL::PKey::RSA.new(File.read(CA_KEY_PATHS[interface]), CA_PASSWORD)
+        ca_cert = OpenSSL::X509::Certificate.new(File.read(CA_CERT_PATHS[interface]))
+        
+        crl = OpenSSL::X509::CRL.new
+        crl.version = 1
+        crl.issuer = ca_cert.subject
+        crl.last_update = Time.now
+        crl.next_update = Time.now + 365 * 24 * 60 * 60 # 1 year
+        
+        ef = OpenSSL::X509::ExtensionFactory.new
+        ef.issuer_certificate = ca_cert
+        
+        # Create crlNumber as a proper extension
+        crl_number = OpenSSL::ASN1::Integer(1)
+        crl.add_extension(OpenSSL::X509::Extension.new("crlNumber", crl_number.to_der))
+        
+        crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
+        
+        File.open(CRL_PATH, 'wb') do |file|
+          file.write(crl.to_pem)
+        end
+      else
+        # Если CA не существует, создаем пустой файл CRL
+        File.open(CRL_PATH, 'wb') do |file|
+          file.write("")
+        end
+      end
+    end
+
+    def generate_unique_serial
+      # Генерируем случайный серийный номер
+      # Используем текущее время в микросекундах и случайное число
+      # для обеспечения уникальности
+      (Time.now.to_f * 1000000).to_i + SecureRandom.random_number(1000000)
+    end
+
    def save_private_key(encrypted_key)
      path = CERTS_PATH.join(USER_KEY_NAME)
      File.write(path, encrypted_key)