mirror of
https://github.com/internetee/registry.git
synced 2025-08-04 17:01:44 +02:00
Merge branch 'master' into add-machine-readable-list-of-blocked-domains
This commit is contained in:
commit
26858a7e8f
9 changed files with 82 additions and 36 deletions
|
@ -30,7 +30,8 @@ module Repp
|
|||
webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
|
||||
error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
|
||||
else
|
||||
unless @current_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
|
||||
unless @current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
|
||||
request.env['HTTP_SSL_CLIENT_S_DN_CN'])
|
||||
error! "#{message} #{@current_user.username}", 401
|
||||
end
|
||||
end
|
||||
|
|
|
@ -26,7 +26,8 @@ module Epp
|
|||
end
|
||||
|
||||
if !Rails.env.development? && (!webclient_request && @api_user)
|
||||
unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
|
||||
unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
|
||||
request.env['HTTP_SSL_CLIENT_S_DN_CN'])
|
||||
epp_errors << {
|
||||
msg: 'Authentication error; server closing connection (certificate is not valid)',
|
||||
code: '2501'
|
||||
|
|
|
@ -31,7 +31,8 @@ class Registrar
|
|||
end
|
||||
|
||||
if @depp_user.pki
|
||||
unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
|
||||
unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
|
||||
request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: false)
|
||||
@depp_user.errors.add(:base, :invalid_cert)
|
||||
end
|
||||
end
|
||||
|
@ -205,4 +206,4 @@ class Registrar
|
|||
redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
@ -64,24 +64,14 @@ class ApiUser < User
|
|||
registrar.notifications.unread
|
||||
end
|
||||
|
||||
def registrar_pki_ok?(crt, cn)
|
||||
return false if crt.blank? || cn.blank?
|
||||
crt = crt.split(' ').join("\n")
|
||||
crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
|
||||
crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
|
||||
cert = OpenSSL::X509::Certificate.new(crt)
|
||||
md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
|
||||
certificates.registrar.exists?(md5: md5, common_name: cn)
|
||||
end
|
||||
def pki_ok?(crt, com, api: true)
|
||||
return false if crt.blank? || com.blank?
|
||||
|
||||
def api_pki_ok?(crt, cn)
|
||||
return false if crt.blank? || cn.blank?
|
||||
crt = crt.split(' ').join("\n")
|
||||
crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
|
||||
crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
|
||||
cert = OpenSSL::X509::Certificate.new(crt)
|
||||
origin = api ? certificates.api : certificates.registrar
|
||||
cert = machine_readable_certificate(crt)
|
||||
md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
|
||||
certificates.api.exists?(md5: md5, common_name: cn)
|
||||
|
||||
origin.exists?(md5: md5, common_name: com, revoked: false)
|
||||
end
|
||||
|
||||
def linked_users
|
||||
|
@ -93,4 +83,14 @@ class ApiUser < User
|
|||
def linked_with?(another_api_user)
|
||||
another_api_user.identity_code == self.identity_code
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def machine_readable_certificate(cert)
|
||||
cert = cert.split(' ').join("\n")
|
||||
cert.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
|
||||
cert.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
|
||||
|
||||
OpenSSL::X509::Certificate.new(cert)
|
||||
end
|
||||
end
|
||||
|
|
|
@ -32,20 +32,21 @@ class Certificate < ApplicationRecord
|
|||
errors.add(:base, I18n.t(:invalid_csr_or_crt))
|
||||
end
|
||||
|
||||
before_create :parse_metadata
|
||||
def parse_metadata
|
||||
if crt
|
||||
pc = parsed_crt.try(:subject).try(:to_s) || ''
|
||||
cn = pc.scan(/\/CN=(.+)/).flatten.first
|
||||
self.common_name = cn.split('/').first
|
||||
self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
|
||||
self.interface = API
|
||||
elsif csr
|
||||
pc = parsed_csr.try(:subject).try(:to_s) || ''
|
||||
cn = pc.scan(/\/CN=(.+)/).flatten.first
|
||||
self.common_name = cn.split('/').first
|
||||
self.interface = REGISTRAR
|
||||
end
|
||||
validate :assign_metadata, on: :create
|
||||
|
||||
def assign_metadata
|
||||
origin = crt ? parsed_crt : parsed_csr
|
||||
parse_metadata(origin)
|
||||
rescue NoMethodError
|
||||
errors.add(:base, I18n.t(:invalid_csr_or_crt))
|
||||
end
|
||||
|
||||
def parse_metadata(origin)
|
||||
pc = origin.subject.to_s
|
||||
cn = pc.scan(%r{\/CN=(.+)}).flatten.first
|
||||
self.common_name = cn.split('/').first
|
||||
self.md5 = OpenSSL::Digest::MD5.new(origin.to_der).to_s if crt
|
||||
self.interface = crt ? API : REGISTRAR
|
||||
end
|
||||
|
||||
def parsed_crt
|
||||
|
@ -116,6 +117,7 @@ class Certificate < ApplicationRecord
|
|||
-revoke #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch")
|
||||
|
||||
if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/)
|
||||
self.revoked = true
|
||||
save!
|
||||
@cached_status = REVOKED
|
||||
else
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue