Merge branch 'master' into add-machine-readable-list-of-blocked-domains

2025-08-05 17:28:18 +02:00 · 2020-05-14 15:06:15 +03:00 · 2020-05-14 15:06:15 +03:00 · 26858a7e8f
commit 26858a7e8f
parent 88a3a2ebac 2730ba1c2f
9 changed files with 82 additions and 36 deletions
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@ -30,7 +30,8 @@ module Repp
        webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
        error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
      else
-        unless @current_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                     request.env['HTTP_SSL_CLIENT_S_DN_CN'])
          error! "#{message} #{@current_user.username}", 401
        end
      end
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -26,7 +26,8 @@ module Epp
      end

      if !Rails.env.development? && (!webclient_request && @api_user)
-        unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'])
          epp_errors << {
            msg: 'Authentication error; server closing connection (certificate is not valid)',
            code: '2501'
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@ -31,7 +31,8 @@ class Registrar
      end

      if @depp_user.pki
-        unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: false)
          @depp_user.errors.add(:base, :invalid_cert)
        end
      end
@ -205,4 +206,4 @@ class Registrar
      redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
    end
  end
-end
+end
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@ -64,24 +64,14 @@ class ApiUser < User
    registrar.notifications.unread
  end

-  def registrar_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
-    md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.registrar.exists?(md5: md5, common_name: cn)
-  end
+  def pki_ok?(crt, com, api: true)
+    return false if crt.blank? || com.blank?

-  def api_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
+    origin = api ? certificates.api : certificates.registrar
+    cert = machine_readable_certificate(crt)
    md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.api.exists?(md5: md5, common_name: cn)
+
+    origin.exists?(md5: md5, common_name: com, revoked: false)
  end

  def linked_users
@ -93,4 +83,14 @@ class ApiUser < User
  def linked_with?(another_api_user)
    another_api_user.identity_code == self.identity_code
  end
+
+  private
+
+  def machine_readable_certificate(cert)
+    cert = cert.split(' ').join("\n")
+    cert.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+    cert.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+
+    OpenSSL::X509::Certificate.new(cert)
+  end
 end
--- a/app/models/certificate.rb
+++ b/app/models/certificate.rb
@ -32,20 +32,21 @@ class Certificate < ApplicationRecord
      errors.add(:base, I18n.t(:invalid_csr_or_crt))
  end

-  before_create :parse_metadata
-  def parse_metadata
-    if crt
-      pc = parsed_crt.try(:subject).try(:to_s) || ''
-      cn = pc.scan(/\/CN=(.+)/).flatten.first
-      self.common_name = cn.split('/').first
-      self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s
-      self.interface = API
-    elsif csr
-      pc = parsed_csr.try(:subject).try(:to_s) || ''
-      cn = pc.scan(/\/CN=(.+)/).flatten.first
-      self.common_name = cn.split('/').first
-      self.interface = REGISTRAR
-    end
+  validate :assign_metadata, on: :create
+
+  def assign_metadata
+    origin = crt ? parsed_crt : parsed_csr
+    parse_metadata(origin)
+  rescue NoMethodError
+    errors.add(:base, I18n.t(:invalid_csr_or_crt))
+  end
+
+  def parse_metadata(origin)
+    pc = origin.subject.to_s
+    cn = pc.scan(%r{\/CN=(.+)}).flatten.first
+    self.common_name = cn.split('/').first
+    self.md5 = OpenSSL::Digest::MD5.new(origin.to_der).to_s if crt
+    self.interface = crt ? API : REGISTRAR
  end

  def parsed_crt
@ -116,6 +117,7 @@ class Certificate < ApplicationRecord
      -revoke #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch")

    if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/)
+      self.revoked = true
      save!
      @cached_status = REVOKED
    else