Remove redundant api check blocks

2025-06-05 20:27:30 +02:00 · 2020-05-05 14:06:02 +03:00 · 2020-05-05 14:06:02 +03:00 · 2dbcbf1c29
commit 2dbcbf1c29
parent 0fa7fcc771
4 changed files with 22 additions and 21 deletions
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@ -30,7 +30,8 @@ module Repp
        webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
        error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
      else
-        unless @current_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                     request.env['HTTP_SSL_CLIENT_S_DN_CN'])
          error! "#{message} #{@current_user.username}", 401
        end
      end
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -26,7 +26,8 @@ module Epp
      end

      if !Rails.env.development? && (!webclient_request && @api_user)
-        unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'])
          epp_errors << {
            msg: 'Authentication error; server closing connection (certificate is not valid)',
            code: '2501'
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@ -31,7 +31,8 @@ class Registrar
      end

      if @depp_user.pki
-        unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: false)
          @depp_user.errors.add(:base, :invalid_cert)
        end
      end
@ -205,4 +206,4 @@ class Registrar
      redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
    end
  end
-end
+end
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@ -64,26 +64,14 @@ class ApiUser < User
    registrar.notifications.unread
  end

-  def registrar_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
+  def pki_ok?(crt, com, api: true)
+    return false if crt.blank? || com.blank?

-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
+    origin = api ? certificates.api : certificates.registrar
+    cert = machine_readable_certificate(crt)
    md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.registrar.exists?(md5: md5, common_name: cn, revoked: false)
-  end

-  def api_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
-
-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
-    md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.api.exists?(md5: md5, common_name: cn, revoked: false)
+    origin.exists?(md5: md5, common_name: com, revoked: false)
  end

  def linked_users
@ -95,4 +83,14 @@ class ApiUser < User
  def linked_with?(another_api_user)
    another_api_user.identity_code == self.identity_code
  end
+
+  private
+
+  def machine_readable_certificate(cert)
+    cert = cert.split(' ').join("\n")
+    cert.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+    cert.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+
+    OpenSSL::X509::Certificate.new(cert)
+  end
 end