Add new resource for certs

app/models/ability.rb

@@ -5,7 +5,7 @@ class Ability
     alias_action :show, :create, :update, :destroy, to: :crud
 
     @user = user || AdminUser.new
-    
+
     case @user.class.to_s
     when 'AdminUser'
       @user.roles.each { |role| send(role) } if @user.roles
@@ -18,11 +18,11 @@ class Ability
 
   def epp
     # Epp::Contact
-    can(:info,   Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw } 
+    can(:info,   Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id || c.auth_info == pw }
     can(:check,  Epp::Contact)
     can(:create, Epp::Contact)
-    can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw } 
-    can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw } 
+    can(:update, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw }
+    can(:delete, Epp::Contact) { |c, pw| c.registrar_id == @user.registrar_id && c.auth_info == pw }
     can(:renew,  Epp::Contact)
     can(:view_password, Epp::Contact) { |c| c.registrar_id == @user.registrar_id }
   end
@@ -45,6 +45,7 @@ class Ability
     can :manage, DomainVersion
     can :manage, User
     can :manage, ApiUser
+    can :manage, Certificate
     can :manage, Keyrelay
     can :manage, LegalDocument
     can :read, ApiLog::EppLog

app/models/api_user.rb

@@ -5,6 +5,7 @@ class ApiUser < User
   # TODO: should have max request limit per day
   belongs_to :registrar
   has_many :contacts
+  has_many :certificates
 
   validates :username, :password, :registrar, presence: true
   validates :username, uniqueness: true

app/models/certificate.rb

@@ -0,0 +1,83 @@
+class Certificate < ActiveRecord::Base
+  SIGNED = 'signed'
+  UNSIGNED = 'unsigned'
+  EXPIRED = 'expired'
+  REVOKED = 'revoked'
+  VALID = 'valid'
+
+  validates :csr, presence: true
+
+  def parsed_crt
+    @p_crt ||= OpenSSL::X509::Certificate.new(crt) if crt
+  end
+
+  def parsed_csr
+    @p_csr ||= OpenSSL::X509::Request.new(csr) if csr
+  end
+
+  def revoked?
+    status == REVOKED
+  end
+
+  def status
+    return UNSIGNED if crt.blank?
+    return @cached_status if @cached_status
+
+    @cached_status = SIGNED
+
+    if parsed_crt.not_before > Time.now.utc && parsed_crt.not_after < Time.now.utc
+      @cached_status = EXPIRED
+    end
+
+    crl = OpenSSL::X509::CRL.new(File.open(APP_CONFIG['crl_path']).read)
+    return @cached_status unless crl.revoked.map(&:serial).include?(parsed_crt.serial)
+
+    @cached_status = REVOKED
+  end
+
+  def sign!
+    csr_file = Tempfile.new('client_csr')
+    csr_file.write(csr)
+    csr_file.rewind
+
+    crt_file = Tempfile.new('client_crt')
+    _out, err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \
+    -cert #{APP_CONFIG['ca_cert_path']} \
+    -extensions usr_cert -notext -md sha256 \
+    -in #{csr_file.path} -out #{crt_file.path} -key '#{APP_CONFIG['ca_key_password']}' -batch")
+
+    if err.match(/Data Base Updated/)
+      crt_file.rewind
+      self.crt = crt_file.read
+      save!
+    else
+      errors.add(:base, I18n.t('failed_to_create_certificate'))
+      logger.error('FAILED TO CREATE CLIENT CERTIFICATE')
+      logger.error(err)
+      return false
+    end
+  end
+
+  def revoke!
+    crt_file = Tempfile.new('client_crt')
+    crt_file.write(crt)
+    crt_file.rewind
+
+    _out, err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \
+      -cert #{APP_CONFIG['ca_cert_path']} \
+      -revoke #{crt_file.path} -key '#{APP_CONFIG['ca_key_password']}' -batch")
+
+    if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/)
+      save!
+    else
+      errors.add(:base, I18n.t('failed_to_revoke_certificate'))
+      logger.error('FAILED TO REVOKE CLIENT CERTIFICATE')
+      logger.error(err)
+      return false
+    end
+
+    _out, _err, _st = Open3.capture3("openssl ca -keyfile #{APP_CONFIG['ca_key_path']} \
+      -cert #{APP_CONFIG['ca_cert_path']} \
+      -gencrl -out #{APP_CONFIG['crl_path']} -key '#{APP_CONFIG['ca_key_password']}' -batch")
+  end
+end