diff --git a/app/api/repp/api.rb b/app/api/repp/api.rb
index e5bda46f5..af6864cfa 100644
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@@ -30,7 +30,8 @@ module Repp
           webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
           error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
         else
-          unless @current_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+          unless @current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                       request.env['HTTP_SSL_CLIENT_S_DN_CN'])
             error! "#{message} #{@current_user.username}", 401
           end
         end
diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index ef8f125ee..cf24feb33 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -26,7 +26,8 @@ module Epp
       end
       if !Rails.env.development? && (!webclient_request && @api_user)
-        unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'])
           epp_errors << {
             msg: 'Authentication error; server closing connection (certificate is not valid)',
             code: '2501'
diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
index 2ca8f5cc7..5bebe5619 100644
--- a/app/controllers/registrar/sessions_controller.rb
+++ b/app/controllers/registrar/sessions_controller.rb
@@ -31,7 +31,8 @@ class Registrar
       end
       if @depp_user.pki
-        unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: false)
          @depp_user.errors.add(:base, :invalid_cert)
        end
      end
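Review bot: The call here and the matching one in app/controllers/epp/sessions_controller.rb lean on `pki_ok?`'s default `api: true`, while app/controllers/registrar/sessions_controller.rb spells out `api: false`; since the keyword selects which certificate scope is searched, passing it explicitly at every caller, `request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: true)`, keeps the three sites readable side by side. The two `request.env` values are request headers, so they are only trustworthy if the TLS-terminating proxy in front of the app both sets them from the verified client certificate and drops any copies a client sends itself; nothing in this hunk shows that, so it is worth confirming against the proxy configuration. The enclosing block starts before the hunk.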
@@ -205,4 +206,4 @@ class Registrar
       redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
     end
   end
-end
\ No newline at end of file
+end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index 99f14ad6c..b5efa7235 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -64,26 +64,14 @@ class ApiUser < User
     registrar.notifications.unread
   end
 
-  def registrar_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
+  def pki_ok?(crt, com, api: true)
+    return false if crt.blank? || com.blank?
 
-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
+    origin = api ? certificates.api : certificates.registrar
+    cert = machine_readable_certificate(crt)
     md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.registrar.exists?(md5: md5, common_name: cn, revoked: false)
-  end
 
-  def api_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
-
-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
-    md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.api.exists?(md5: md5, common_name: cn, revoked: false)
+    origin.exists?(md5: md5, common_name: com, revoked: false)
   end
 
   def linked_users
@@ -95,4 +83,14 @@ class ApiUser < User
   def linked_with?(another_api_user)
     another_api_user.identity_code == self.identity_code
   end
+
+  private
+
+  def machine_readable_certificate(cert)
+    cert = cert.split(' ').join("\n")
+    cert.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+    cert.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+
+    OpenSSL::X509::Certificate.new(cert)
+  end
 end
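Review bot: `pki_ok?` passes whatever is in `HTTP_SSL_CLIENT_CERT` straight to `machine_readable_certificate`, and `OpenSSL::X509::Certificate.new` raises `OpenSSL::X509::CertificateError` on input that is not a parseable PEM block, so a malformed header value surfaces as an unhandled exception in all three login paths rather than as a failed authentication; the parse should be rescued and turned into `false`, as below. Renaming the second parameter from `cn` to `com` loses meaning — `common_name` would match the `common_name:` column it is compared against. The lookup still keys on `OpenSSL::Digest::MD5` of the DER, which the commit merely moves; MD5 is collision-broken, so if the fingerprint rather than the proxy's own certificate verification is what ties the presented certificate to the stored one, migrating the stored digest to SHA-256 is a worthwhile follow-up.
```ruby
  def pki_ok?(crt, com, api: true)
    # … unchanged: blank-argument guard and origin selection …
    cert = begin
      machine_readable_certificate(crt)
    rescue OpenSSL::X509::CertificateError
      return false
    end
    # … unchanged: md5 digest and origin.exists? lookup …
```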
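Review bot: `machine_readable_certificate` carries no comment, and its split-on-space/join-with-newline step plus the two `gsub!` calls that re-join `BEGIN\nCERTIFICATE` and `END\nCERTIFICATE` are not self-explanatory; they appear to undo a transport that flattened the PEM's newlines into spaces, which also split the marker lines. Suggest a header comment such as `# Rebuilds a PEM certificate from the single-line form found in HTTP_SSL_CLIENT_CERT: newlines arrive as spaces, so the BEGIN/END marker lines are split too.` plus `# Raises OpenSSL::X509::CertificateError when the result is not a valid certificate.` so callers know to rescue it. Mutating with `gsub!` is safe here only because `split.join` has already produced a fresh string; a short note on that line would keep a future edit from turning it into an in-place change to the caller's header value.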