Merge branch 'master' into add-machine-readable-list-of-blocked-domains

This commit is contained in:
Maciej Szlosarczyk 2020-05-14 15:06:15 +03:00
commit 26858a7e8f
No known key found for this signature in database
GPG key ID: 41D62D42D3B0D765
9 changed files with 82 additions and 36 deletions

View file

@ -30,7 +30,8 @@ module Repp
webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
else
unless @current_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
unless @current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
request.env['HTTP_SSL_CLIENT_S_DN_CN'])
error! "#{message} #{@current_user.username}", 401
end
end

View file

@ -26,7 +26,8 @@ module Epp
end
if !Rails.env.development? && (!webclient_request && @api_user)
unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
request.env['HTTP_SSL_CLIENT_S_DN_CN'])
epp_errors << {
msg: 'Authentication error; server closing connection (certificate is not valid)',
code: '2501'

View file

@ -31,7 +31,8 @@ class Registrar
end
if @depp_user.pki
unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: false)
@depp_user.errors.add(:base, :invalid_cert)
end
end
@ -205,4 +206,4 @@ class Registrar
redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
end
end
end
end

View file

@ -64,24 +64,14 @@ class ApiUser < User
registrar.notifications.unread
end
def registrar_pki_ok?(crt, cn)
return false if crt.blank? || cn.blank?
crt = crt.split(' ').join("\n")
crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
cert = OpenSSL::X509::Certificate.new(crt)
md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
certificates.registrar.exists?(md5: md5, common_name: cn)
end
def pki_ok?(crt, com, api: true)
return false if crt.blank? || com.blank?
def api_pki_ok?(crt, cn)
return false if crt.blank? || cn.blank?
crt = crt.split(' ').join("\n")
crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
cert = OpenSSL::X509::Certificate.new(crt)
origin = api ? certificates.api : certificates.registrar
cert = machine_readable_certificate(crt)
md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
certificates.api.exists?(md5: md5, common_name: cn)
origin.exists?(md5: md5, common_name: com, revoked: false)
end
def linked_users
@ -93,4 +83,14 @@ class ApiUser < User
def linked_with?(another_api_user)
another_api_user.identity_code == self.identity_code
end
private
def machine_readable_certificate(cert)
cert = cert.split(' ').join("\n")
cert.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
cert.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
OpenSSL::X509::Certificate.new(cert)
end
end

View file

@ -32,20 +32,21 @@ class Certificate < ApplicationRecord
errors.add(:base, I18n.t(:invalid_csr_or_crt))
end
before_create :parse_metadata
def parse_metadata
if crt
pc = parsed_crt.try(:subject).try(:to_s) || ''
cn = pc.scan(/\/CN=(.+)/).flatten.first
self.common_name = cn.split('/').first
self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
self.interface = API
elsif csr
pc = parsed_csr.try(:subject).try(:to_s) || ''
cn = pc.scan(/\/CN=(.+)/).flatten.first
self.common_name = cn.split('/').first
self.interface = REGISTRAR
end
validate :assign_metadata, on: :create
def assign_metadata
origin = crt ? parsed_crt : parsed_csr
parse_metadata(origin)
rescue NoMethodError
errors.add(:base, I18n.t(:invalid_csr_or_crt))
end
def parse_metadata(origin)
pc = origin.subject.to_s
cn = pc.scan(%r{\/CN=(.+)}).flatten.first
self.common_name = cn.split('/').first
self.md5 = OpenSSL::Digest::MD5.new(origin.to_der).to_s if crt
self.interface = crt ? API : REGISTRAR
end
def parsed_crt
@ -116,6 +117,7 @@ class Certificate < ApplicationRecord
-revoke #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch")
if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/)
self.revoked = true
save!
@cached_status = REVOKED
else