Merge branch 'master' into status-refactor

Conflicts: app/models/domain.rb db/schema.rb
2025-08-11 20:19:34 +02:00 · 2015-06-16 16:20:59 +03:00 · 2015-06-16 16:20:59 +03:00 · 4bf5a968bd
commit 4bf5a968bd
parent 238b3aa5e0 444f20b6e6
29 changed files with 4911 additions and 49 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,11 @@
+16.06.2015
+
+* Application time_zone should be defined at application.yml, updated application-exaple.yml 
+
+15.06.2015
+
+* Apache config update: now only TLSv1.2 allowed with whitelisted chipers, please review all SSL config parameters
+
 08.06.2015

 * Add sk service name to application.yml
--- a/4
+++ b/4
@ -76,6 +76,10 @@ gem 'epp', '~> 1.4.2', github: 'gitlabeu/epp'
 gem 'epp-xml',   '~> 1.0.2'  # EPP XMLs
 gem 'uuidtools', '~> 2.1.4' # For unique IDs (used by the epp gem)

+# que
+gem 'que', '~> 0.10.0'
+gem 'que-web', '~> 0.4.0'
+
 # for importing legacy db
 gem 'activerecord-import', '~> 0.7.0' # for inserting dummy data

--- a/Gemfile.lock
+++ b/Gemfile.lock
@ -317,11 +317,18 @@ GEM
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
      slop (~> 3.4)
+    que (0.10.0)
+    que-web (0.4.0)
+      erubis
+      que (~> 0.8)
+      sinatra
    rack (1.6.1)
    rack-accept (0.4.5)
      rack (>= 0.4)
    rack-mount (0.8.3)
      rack (>= 1.0.0)
+    rack-protection (1.5.3)
+      rack
    rack-test (0.6.3)
      rack (>= 1.0)
    railroady (1.3.0)
@ -444,6 +451,10 @@ GEM
      simplecov-html (~> 0.9.0)
    simplecov-html (0.9.0)
    simpleidn (0.0.5)
+    sinatra (1.4.6)
+      rack (~> 1.4)
+      rack-protection (~> 1.4)
+      tilt (>= 1.3, < 3)
    slim (2.1.0)
      temple (~> 0.6.9)
      tilt (>= 1.3.3, < 2.1)
@ -562,6 +573,8 @@ DEPENDENCIES
  phantomjs-binaries (~> 1.9.2.4)
  poltergeist (~> 1.5.1)
  pry (~> 0.10.1)
+  que (~> 0.10.0)
+  que-web (~> 0.4.0)
  railroady (~> 1.3.0)
  rails (= 4.2.1)
  rails-settings-cached (~> 0.4.1)
--- a/README.md
+++ b/README.md
@ -97,9 +97,10 @@ For Apache, registry admin goes to port 443 in production, /etc/apache2/sites-en
  SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
  SSLCACertificateFile /etc/ssl/certs/ca.pem

-  SSLProtocol TLSv1
+  SSLProtocol -all +TLSv1.2
  SSLHonorCipherOrder On
-  SSLCipherSuite RC4-SHA:HIGH:!ADH
+  SSLCompression off
+  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  RewriteEnginriteEngine on
  RedirectMatch ^/$ /admin
@ -157,9 +158,10 @@ Registrar configuration (/etc/apache2/sites-enabled/registrar.conf) is as follow
  SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
  SSLCACertificateFile /etc/ssl/certs/ca.pem

-  SSLProtocol TLSv1
+  SSLProtocol -all +TLSv1.2
  SSLHonorCipherOrder On
-  SSLCipherSuite RC4-SHA:HIGH:!ADH
+  SSLCompression off
+  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

  RewriteEngine on
  RedirectMatch ^/$ /registrar
@ -240,9 +242,10 @@ Registrant configuration (/etc/apache2/sites-enabled/registrant.conf) is as foll
    SSLCertificateChainFile /etc/ssl/certs/your-chain-fail.pem
    SSLCACertificateFile /etc/ssl/certs/ca.pem

-    SSLProtocol TLSv1
+    SSLProtocol -all +TLSv1.2
    SSLHonorCipherOrder On
-    SSLCipherSuite RC4-SHA:HIGH:!ADH
+    SSLCompression off
+    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    RewriteEngine on
    RedirectMatch ^/$ /registrant
--- a/app/assets/stylesheets/shared/general.sass
+++ b/app/assets/stylesheets/shared/general.sass
@ -58,4 +58,7 @@ body > .container
 .text-grey
  color: grey

-
+.partially-hidden
+  border: 1px solid #dddddd
+  padding-left: 4px
+  padding-right: 4px
--- a/app/controllers/registrant/domain_update_confirms_controller.rb
+++ b/app/controllers/registrant/domain_update_confirms_controller.rb
@ -20,7 +20,6 @@ class Registrant::DomainUpdateConfirmsController < RegistrantController
    @registrant_verification = RegistrantVerification.new(domain_id: @domain.id,
                                                          domain_name: @domain.name,
                                                          verification_token: params[:token])
-
    if params[:rejected]
      if @registrant_verification.domain_registrant_change_reject!
        flash[:notice] = t(:registrant_domain_verification_rejected)
--- a/app/jobs/domain_confirm_job.rb
+++ b/app/jobs/domain_confirm_job.rb
@ -0,0 +1,16 @@
+class DomainConfirmJob < Que::Job
+  def run(domain_id, action)
+    # it's recommended to keep transaction against job table as short as possible.
+    ActiveRecord::Base.transaction do
+      domain = Epp::Domain.find(domain_id)
+      case action
+      when RegistrantVerification::CONFIRMED
+        domain.apply_pending_update!
+        domain.clean_pendings!
+      when RegistrantVerification::REJECTED
+        domain.clean_pendings!
+      end
+      destroy # it's best to destroy the job in the same transaction
+    end
+  end
+end
--- a/app/models/domain.rb
+++ b/app/models/domain.rb
@ -54,6 +54,11 @@ class Domain < ActiveRecord::Base
  delegate :name,   to: :registrar, prefix: true
  delegate :street, to: :registrar, prefix: true

+  after_initialize :init_default_values
+  def init_default_values
+    self.pending_json = {} if pending_json.blank?
+  end
+
  before_create :generate_auth_info
  before_create :set_validity_dates
  before_update :manage_statuses
@ -275,6 +280,19 @@ class Domain < ActiveRecord::Base
    true
  end

+  def preclean_pendings
+    self.registrant_verification_token = nil
+    self.registrant_verification_asked_at = nil
+  end
+
+  def clean_pendings!
+    preclean_pendings
+    self.pending_json = {}
+    domain_statuses.where(value: DomainStatus::PENDING_UPDATE).destroy_all
+    domain_statuses.where(value: DomainStatus::PENDING_DELETE).destroy_all
+    save
+  end
+
  def pending_update?
    statuses.include?(DomainStatus::PENDING_UPDATE)
  end
@ -284,9 +302,10 @@ class Domain < ActiveRecord::Base
    self.epp_pending_update = true # for epp

    return true unless registrant_verification_asked?
-    pending_json_cache = all_changes
+    pending_json_cache = pending_json
    token = registrant_verification_token
    asked_at = registrant_verification_asked_at
+    changes_cache = changes

    DomainMailer.registrant_pending_updated(self).deliver_now

@ -296,9 +315,11 @@ class Domain < ActiveRecord::Base
    self.registrant_verification_token = token
    self.registrant_verification_asked_at = asked_at
    self.statuses = [DomainStatus::PENDING_UPDATE]
+    self.pending_json[:domain] = changes_cache
  end

  def registrant_update_confirmable?(token)
+    return true if Rails.env.development?
    return false unless pending_update?
    return false if registrant_verification_token.blank?
    return false if registrant_verification_asked_at.blank?
@ -308,6 +329,7 @@ class Domain < ActiveRecord::Base
  end

  def registrant_delete_confirmable?(token)
+    return true if Rails.env.development?
    return false unless pending_delete?
    return false if registrant_verification_token.blank?
    return false if registrant_verification_asked_at.blank?
@ -324,7 +346,9 @@ class Domain < ActiveRecord::Base
    registrant_verification_asked_at.present? && registrant_verification_token.present?
  end

-  def registrant_verification_asked!
+  def registrant_verification_asked!(frame_str, current_user_id)
+    self.pending_json['frame'] = frame_str
+    self.pending_json['current_user_id'] = current_user_id
    self.registrant_verification_asked_at = Time.zone.now
    self.registrant_verification_token = SecureRandom.hex(42)
  end
@ -397,12 +421,10 @@ class Domain < ActiveRecord::Base
    name
  end

-  def pending_registrant_name
+  def pending_registrant
    return '' if pending_json.blank?
-    return '' if pending_json['domain'].blank?
    return '' if pending_json['domain']['registrant_id'].blank?
-    registrant = Registrant.find_by(id: pending_json['domain']['registrant_id'].last)
-    registrant.try(:name)
+    Registrant.find_by(id: pending_json['domain']['registrant_id'].last)
  end

  # rubocop:disable Lint/Loop
@ -466,17 +488,6 @@ class Domain < ActiveRecord::Base
    log
  end

-  def all_changes
-    all_changes = HashWithIndifferentAccess.new
-    all_changes[:domain] = changes
-    all_changes[:admin_contacts]  = admin_contacts.map(&:changes)
-    all_changes[:tech_contacts]   = tech_contacts.map(&:changes)
-    all_changes[:nameservers]     = nameservers.map(&:changes)
-    all_changes[:registrant]      = registrant.try(:changes)
-    all_changes[:domain_statuses] = domain_statuses.map(&:changes)
-    all_changes
-  end
-
  def update_whois_record
    whois_record.blank? ? create_whois_record : whois_record.save
  end
--- a/app/models/epp/domain.rb
+++ b/app/models/epp/domain.rb
@ -358,7 +358,7 @@ class Epp::Domain < Domain
    }]
  end

-  def update(frame, current_user)
+  def update(frame, current_user, verify = true)
    return super if frame.blank?
    at = {}.with_indifferent_access
    at.deep_merge!(attrs_from(frame.css('chg'), current_user))
@ -372,13 +372,24 @@ class Epp::Domain < Domain
    at[:statuses] = statuses - domain_statuses_attrs(frame.css('rem'), 'rem') + domain_statuses_attrs(frame.css('add'), 'add')
    # at[:statuses] += at_add[:domain_statuses_attributes]

-    if frame.css('registrant').present? && frame.css('registrant').attr('verified').to_s.downcase != 'yes'
-      registrant_verification_asked!
+    if verify && frame.css('registrant').present? && frame.css('registrant').attr('verified').to_s.downcase != 'yes'
+      registrant_verification_asked!(frame.to_s, current_user.id)
    end
    self.deliver_emails = true # turn on email delivery for epp
    errors.empty? && super(at)
  end

+  def apply_pending_update!
+    preclean_pendings
+    user  = ApiUser.find(pending_json['current_user_id'])
+    frame = Nokogiri::XML(pending_json['frame'])
+    domain_statuses.where(value: DomainStatus::PENDING_UPDATE).destroy_all
+    domain_statuses.reload
+    if update(frame, user, false)
+      clean_pendings!
+    end
+  end
+
  def attach_legal_document(legal_document_data)
    return unless legal_document_data

--- a/app/models/registrant_verification.rb
+++ b/app/models/registrant_verification.rb
@ -17,12 +17,16 @@ class RegistrantVerification < ActiveRecord::Base
  def domain_registrant_change_confirm!
    self.action_type = DOMAIN_REGISTRANT_CHANGE
    self.action = CONFIRMED
-    save
+    if save
+      DomainConfirmJob.enqueue domain.id, CONFIRMED
+    end
  end

  def domain_registrant_change_reject!
    self.action_type = DOMAIN_REGISTRANT_CHANGE
    self.action = REJECTED
-    save
+    if save
+      DomainConfirmJob.enqueue domain.id, REJECTED
+    end
  end
 end
--- a/app/views/admin/contacts/partials/_general.haml
+++ b/app/views/admin/contacts/partials/_general.haml
@ -7,7 +7,8 @@
      %dd= @contact.code

      %dt= t(:password)
-      %dd= @contact.auth_info
+      %dd
+        = text_field_tag :auth_info, @contact.auth_info, readonly: true, class: 'partially-hidden'

      %br

--- a/app/views/admin/domains/partials/_general.haml
+++ b/app/views/admin/domains/partials/_general.haml
@ -13,7 +13,8 @@
      %dd= link_to(@domain.registrar, root_path)

      %dt= t(:password)
-      %dd= @domain.auth_info
+      %dd
+        = text_field_tag :password, @domain.auth_info, readonly: true, class: 'partially-hidden'

      %dt= t(:valid_from)
      %dd= l(@domain.valid_from)
--- a/app/views/domain_mailer/registrant_pending_updated.html.erb
+++ b/app/views/domain_mailer/registrant_pending_updated.html.erb
@ -9,8 +9,6 @@ Isikukood: <%= @domain.registrant_ident %><br>
 <% else %>
 Äriregistrikood: <%= @domain.registrant_ident %><br>
 <% end %>
-Epost: <%= @domain.registrant_email %><br>
-Tel: <%= @domain.registrant_phone %><br>
 Tänav: <%= @domain.registrant_street %><br>
 Linn: <%= @domain.registrant_city %><br>
 Riik: <%= @domain.registrant_country %>
@ -34,8 +32,6 @@ Personal code: <%= @domain.registrant_ident %><br>
 <% else %>
 Business Registry code: <%= @domain.registrant_ident %><br>
 <% end %>
-E-mail: <%= @domain.registrant_email %><br>
-Tel: <%= @domain.registrant_phone %><br>
 Street: <%= @domain.registrant_street %><br>
 City: <%= @domain.registrant_city %><br>
 Country: <%= @domain.registrant_country %>
--- a/app/views/domain_mailer/registrant_pending_updated.text.erb
+++ b/app/views/domain_mailer/registrant_pending_updated.text.erb
@ -9,8 +9,6 @@ Isikukood: <%= @domain.registrant_ident %>
 <% else %>
 Äriregistrikood: <%= @domain.registrant_ident %>
 <% end %>
-Epost: <%= @domain.registrant_email %>
-Tel: <%= @domain.registrant_phone %>
 Tänav: <%= @domain.registrant_street %>
 Linn: <%= @domain.registrant_city %>
 Riik: <%= @domain.registrant_country %>
@ -34,8 +32,6 @@ Personal code: <%= @domain.registrant_ident %>
 <% else %>
 Business Registry code: <%= @domain.registrant_ident %>
 <% end %>
-E-mail: <%= @domain.registrant_email %>
-Tel: <%= @domain.registrant_phone %>
 Street: <%= @domain.registrant_street %>
 City: <%= @domain.registrant_city %>
 Country: <%= @domain.registrant_country %>
--- a/app/views/layouts/admin/application.haml
+++ b/app/views/layouts/admin/application.haml
@ -65,7 +65,7 @@
                  -# %li= link_to t(:domains_history), admin_domain_versions_path
                  %li= link_to t(:epp_logs), admin_epp_logs_path
                  %li= link_to t(:repp_logs), admin_repp_logs_path
-                  -# %li= link_to t(:background_jobs), admin_delayed_jobs_path
+                  %li= link_to t(:que), '/admin/que'

          - if signed_in?
            %ul.nav.navbar-nav.navbar-right
--- a/app/views/registrant/domain_update_confirms/show.haml
+++ b/app/views/registrant/domain_update_confirms/show.haml
@ -30,8 +30,8 @@
          %p= t(:new_pending_registrant) + ':'
        .column-values
          %p= @domain.name
-          %p= @domain.registrant_name
-          %p= @domain.pending_registrant_name
+          %p= "#{@domain.registrant_name} (#{@domain.registrant.ident})"
+          %p= "#{@domain.pending_registrant.try(:name)} (#{@domain.pending_registrant.try(:ident)})" 
        
    .row
      .col-md-12.text-center
--- a/app/views/registrar/contacts/partials/_general.haml
+++ b/app/views/registrar/contacts/partials/_general.haml
@ -7,7 +7,9 @@
      %dd= @contact.id

      %dt= t(:password)
-      %dd= @contact.password
+      %dd
+        = text_field_tag :password, @contact.password, readonly: true, class: 'partially-hidden'
+

      %br

--- a/config/application-example.yml
+++ b/config/application-example.yml
@ -4,6 +4,7 @@ app_name: '.EE Registry'
 zonefile_export_dir: 'export/zonefiles'
 bank_statement_import_dir: 'import/bank_statements'
 legal_documents_dir: 'import/legal_documents'
+time_zone: 'Tallinn' # more zones by rake time:zones:all  

 # New Relic app name, keep only current mode, remove other names.
 # Example: 'Admin, EPP, REPP' will have name 'Admin, EPP, REPP - production' at New Relic.
--- a/config/application.rb
+++ b/config/application.rb
@ -21,7 +21,8 @@ module Registry

    # Set Time.zone default to the specified zone and make Active Record auto-convert to this zone.
    # Run "rake -D time" for a list of tasks for finding time zone names. Default is UTC.
-    config.time_zone = 'UTC' # NB! It should be defined, otherwise ActiveRecord usese other class.
+    config.time_zone = ENV['time_zone']  # NB! It should be defined, 
+                                         # otherwise ActiveRecord usese other class internally.

    # The default locale is :en and all translations from config/locales/*.rb,yml are auto loaded.
    # config.i18n.load_path += Dir[Rails.root.join('my', 'locales', '*.{rb,yml}').to_s]
@ -49,6 +50,8 @@ module Registry
    # Instead, the errors will propagate normally just like in other Active Record callbacks.
    config.active_record.raise_in_transactional_callbacks = true

+    config.active_record.schema_format = :sql
+
    config.generators do |g|
      g.stylesheets false
      g.javascripts false
--- a/config/initializers/env_required.rb
+++ b/config/initializers/env_required.rb
@ -10,6 +10,7 @@ required = %w(
  webclient_ip
  legal_documents_dir
  bank_statement_import_dir
+  time_zone
 )

 Figaro.require_keys(required)
--- a/config/initializers/que.rb
+++ b/config/initializers/que.rb
@ -0,0 +1 @@
+Que.mode = :off
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@ -790,8 +790,8 @@ en:
  reject_domain_registrant_update: 'Reject domain ownership change'
  domain_registrant_change_title: 'Please confirm or reject domain ownership change'
  domain_registrant_change_body: 'There is a request to change domain ownership. Before doing it we need your confirmation.'
-  new_pending_registrant: 'New owner'
-  current_registrant: 'Current owner'
+  new_pending_registrant: 'New registrant'
+  current_registrant: 'Current registrant'
  registrant_domain_verification_failed: 'Domain verification not available'
  domain_registrant_change_confirmed_title: 'Domain owner change has been confirmed'
  domain_registrant_change_confirmed_body: 'You have successfully confirmed domain owner change.'
--- a/config/routes.rb
+++ b/config/routes.rb
@ -224,6 +224,10 @@ Rails.application.routes.draw do
      get 'logout' => '/devise/sessions#destroy'
    end

+    authenticate :user do
+      mount Que::Web, at: 'que'
+    end
+
    root 'dashboards#show'
  end

--- a/config/unicorn.rb
+++ b/config/unicorn.rb
@ -1 +1,8 @@
 worker_processes 2
+
+# after_fork do |server, worker|
+  # binding.pry
+  # ActiveRecord::Base.establish_connection
+
+  # Que.mode = :async
+# end
--- a/db/migrate/20150611124920_add_que.rb
+++ b/db/migrate/20150611124920_add_que.rb
@ -0,0 +1,11 @@
+class AddQue < ActiveRecord::Migration
+  def self.up
+    # The current version as of this migration's creation.
+    Que.migrate! :version => 3
+  end
+
+  def self.down
+    # Completely removes Que's job queue.
+    Que.migrate! :version => 0
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@ -908,6 +908,17 @@ ActiveRecord::Schema.define(version: 20150612123111) do
    t.string   "operation_category"
  end

+  create_table "que_jobs", id: false, force: :cascade do |t|
+    t.integer  "priority",    limit: 2, default: 100,                                        null: false
+    t.datetime "run_at",                default: "now()",                                    null: false
+    t.integer  "job_id",      limit: 8, default: "nextval('que_jobs_job_id_seq'::regclass)", null: false
+    t.text     "job_class",                                                                  null: false
+    t.json     "args",                  default: [],                                         null: false
+    t.integer  "error_count",           default: 0,                                          null: false
+    t.text     "last_error"
+    t.text     "queue",                 default: "",                                         null: false
+  end
+
  create_table "registrant_verifications", force: :cascade do |t|
    t.string   "domain_name"
    t.string   "verification_token"
--- a/db/structure.sql
+++ b/db/structure.sql
--- a/doc/repp-doc.md
+++ b/doc/repp-doc.md
@ -1,6 +1,9 @@
 # REPP integration specification

-REPP uses currently Basic Authentication (http://tools.ietf.org/html/rfc2617#section-2) with ssl certificate and key.
+REPP uses HTTP/1.1 protocol (http://www.ietf.org/rfc/rfc2616.txt) and 
+Basic Authentication (http://tools.ietf.org/html/rfc2617#section-2) using 
+Secure Transport (https://tools.ietf.org/html/rfc5246) with certificate and key (https://tools.ietf.org/html/rfc5280).
+
 Credentials and certificate are issued by EIS (in an exchange for desired API username, CSR and IP).

 To quickly test the API, use curl:
--- a/lib/devise_custom_failure.rb
+++ b/lib/devise_custom_failure.rb
@ -2,6 +2,7 @@ class DeviseCustomFailure < Devise::FailureApp
  def redirect_url
    return registrant_login_url if request.original_fullpath.to_s.match(/^\/registrant/)
    return registrar_login_url  if request.original_fullpath.to_s.match(/^\/registrar/)
+    return '/admin'             if request.original_fullpath.to_s.match(/^\/admin\/que/)
    return admin_login_url      if request.original_fullpath.to_s.match(/^\/admin/)
    root_url
  end