Merge branch 'master' of github.com:domify/registry

2025-05-30 17:33:57 +02:00 · 2015-07-20 17:23:14 +03:00 · 2015-07-20 17:23:14 +03:00 · 5f32c1cfd4
commit 5f32c1cfd4
parent c10ad96947 1b9bc92660
11 changed files with 1231 additions and 882 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,6 @@
 20.07.2015
 * New syntax for setting webclient IP-s (see config/application-example.yml)
 14.07.2015
 * Updated que init script doc example, now status and stop works faster
--- a/app/api/repp/api.rb
+++ b/app/api/repp/api.rb
@ -8,7 +8,8 @@ module Repp
    end
    before do
-      if request.ip != ENV['webclient_ip']
+      webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
      unless webclient_request
        error! I18n.t('ip_is_not_whitelisted'), 401 unless @current_user.registrar.api_ip_white?(request.ip)
      end
@ -20,7 +21,7 @@ module Repp
      message = 'Certificate mismatch! Cert common name should be:'
      request_name = env['HTTP_SSL_CLIENT_S_DN_CN']
-      if request.ip == ENV['webclient_ip']
+      if webclient_request
        webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
        error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
      else
--- a/app/controllers/epp/domains_controller.rb
+++ b/app/controllers/epp/domains_controller.rb
@ -91,17 +91,12 @@ class Epp::DomainsController < EppController
    render_epp_response '/epp/domains/check'
  end
  # rubocop: disable Metrics/MethodLength
  def renew
    authorize! :renew, @domain
-    period = params[:parsed_frame].css('period').text.presence || 1
+    period_element = params[:parsed_frame].css('period').text
-    period_unit = 'y'
+    period = (period_element.to_i == 0) ? 1 : period_element.to_i
-    period_element = params[:parsed_frame].css('period').first
+    period_unit = Epp::Domain.parse_period_unit_from_frame(params[:parsed_frame]) || 'y'
    if period_element.present? && period_element['unit'].present?
      period_unit = period_element['unit']
    end
    ActiveRecord::Base.transaction do
      success = @domain.renew(
@ -128,7 +123,6 @@ class Epp::DomainsController < EppController
      end
    end
  end
  # rubocop: enable Metrics/MethodLength
  def transfer
    authorize! :transfer, @domain, @password
@ -161,6 +155,8 @@ class Epp::DomainsController < EppController
    @prefix = nil
    requires 'extension > extdata > legalDocument'
    optional_attribute 'period', 'unit', values: %w(d m y)
    status_editing_disabled
  end
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@ -13,7 +13,8 @@ class Epp::SessionsController < EppController
    success = true
    @api_user = ApiUser.find_by(login_params)
-    if request.ip == ENV['webclient_ip'] && !Rails.env.test? && !Rails.env.development?
+    webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
    if webclient_request && !Rails.env.test? && !Rails.env.development?
      client_md5 = Certificate.parse_md_from_string(request.env['HTTP_SSL_CLIENT_CERT'])
      server_md5 = Certificate.parse_md_from_string(File.read(ENV['cert_path']))
      if client_md5 != server_md5
@ -26,7 +27,7 @@ class Epp::SessionsController < EppController
      end
    end
-    if request.ip != ENV['webclient_ip'] && @api_user
+    if !webclient_request && @api_user
      unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
        epp_errors << {
          msg: 'Authentication error; server closing connection (certificate is not valid)',
@ -76,7 +77,7 @@ class Epp::SessionsController < EppController
    if success
      if parsed_frame.css('newPW').first
        unless @api_user.update(password: parsed_frame.css('newPW').first.text)
-          response.headers['X-EPP-Returncode'] = '2200'
+          response.headers['X-EPP-Returncode'] = '2500'
          handle_errors(@api_user) and return
        end
      end
@ -85,7 +86,7 @@ class Epp::SessionsController < EppController
      epp_session.update_column(:registrar_id, @api_user.registrar_id)
      render_epp_response('login_success')
    else
-      response.headers['X-EPP-Returncode'] = '2200'
+      response.headers['X-EPP-Returncode'] = '2500'
      handle_errors
    end
  end
@ -95,7 +96,8 @@ class Epp::SessionsController < EppController
  # rubocop: enable Metrics/CyclomaticComplexity
  def ip_white?
-    return true if request.ip == ENV['webclient_ip']
+    webclient_request = ENV['webclient_ips'].split(',').map(&:strip).include?(request.ip)
    return true if webclient_request
    if @api_user
      return false unless @api_user.registrar.api_ip_white?(request.ip)
    end
--- a/config/application-example.yml
+++ b/config/application-example.yml
@ -25,7 +25,7 @@ ca_key_path:  '/home/registry/registry/shared/ca/private/ca.key.pem'
 ca_key_password: 'your-root-key-password'
 # EPP server configuration
-webclient_ip: '127.0.0.1'
+webclient_ips: '127.0.0.1,0.0.0.0' #ips, separated with commas
 webclient_cert_common_name: 'webclient'
 # Contact epp will not accept org value by default
 # and returns 2306 "Parameter value policy error"
@ -72,7 +72,7 @@ sk_digi_doc_service_name: 'EIS test'
 # Autotest config overwrites
 test:
-  webclient_ip: '127.0.0.1' # it should match to localhost ip address
+  webclient_ips: '127.0.0.1' # it should match to localhost ip address
  crl_dir:      '/var/lib/jenkins/workspace/registry/ca/crl'
  crl_path:     '/var/lib/jenkins/workspace/registry/ca/crl/crl.pem'
  ca_cert_path: '/var/lib/jenkins/workspace/registry/ca/certs/ca.crt.pem'
--- a/config/initializers/env_required.rb
+++ b/config/initializers/env_required.rb
@ -7,7 +7,7 @@ required = %w(
  ca_cert_path
  ca_key_path
  ca_key_password
-  webclient_ip
+  webclient_ips
  legal_documents_dir
  bank_statement_import_dir
  time_zone
--- a/doc/certificates.md
+++ b/doc/certificates.md
@ -100,7 +100,7 @@ Configure registry registry/shared/config/application.yml to match the CA settin
 Configure registry epp registry-epp/shared/config/application.yml:
-    webclient_ip: '54.154.91.240'
+    webclient_ips: '54.154.91.240'
 Configure EPP port 700 virtual host:
--- a/doc/epp-examples.md
+++ b/doc/epp-examples.md
--- a/doc/epp/domain.md
+++ b/doc/epp/domain.md
@ -18,6 +18,7 @@ Domain name mapping protocol short version:
        <domain:period>        0-1      Registration period for domain. 
                                        Must add up to 1 / 2 / 3 years.
                                        Attribute: unit="y/m/d"
                                        Default is 1 year.
        <domain:registrant>    1        Contact reference to the registrant
                                          Attribute:
                                            "verified"  # optional, allowed values 'yes', 'no'
--- a/spec/epp/domain_spec.rb
+++ b/spec/epp/domain_spec.rb
@ -435,6 +435,24 @@ describe 'EPP Domain', epp: true do
      a.activity_type = AccountActivity::CREATE
    end
    it 'creates a domain without period' do
      old_balance = @registrar1.balance
      old_activities = @registrar1.cash_account.account_activities.count
      xml = domain_create_xml(period: nil)
      response = epp_plain_request(xml)
      response[:msg].should == 'Command completed successfully'
      response[:result_code].should == '1000'
      Domain.last.valid_to.should be_within(60).of(1.years.since)
      @registrar1.balance.should be < old_balance
      @registrar1.cash_account.account_activities.count.should == old_activities + 1
      a = @registrar1.cash_account.account_activities.last
      a.description.should == "Create #{Domain.last.name}"
      a.sum.should == -BigDecimal.new('10.0')
      a.activity_type = AccountActivity::CREATE
      a.log_pricelist_id.should == @pricelist_reg_1_year.id
    end
    it 'does not create a domain with invalid period' do
      old_balance = @registrar1.balance
      old_activities = @registrar1.cash_account.account_activities.count
@ -450,6 +468,24 @@ describe 'EPP Domain', epp: true do
      @registrar1.cash_account.account_activities.count.should == old_activities
    end
    it 'does not create a domain with invalid period unit' do
      xml = domain_create_xml({
        period: { value: '1', attrs: { unit: '' } }
      })
      response = epp_plain_request(xml, validate_input: false)
      response[:results][0][:msg].should == 'Attribute is invalid: unit'
      response[:results][0][:result_code].should == '2306'
      xml = domain_create_xml({
        period: { value: '1', attrs: { unit: 'bla' } }
      })
      response = epp_plain_request(xml, validate_input: false)
      response[:results][0][:msg].should == 'Attribute is invalid: unit'
      response[:results][0][:result_code].should == '2306'
    end
    it 'creates a domain with multiple dnskeys' do
      xml = domain_create_xml({}, {
        _anonymus: [
--- a/spec/requests/v1/account_spec.rb
+++ b/spec/requests/v1/account_spec.rb
@ -2,7 +2,7 @@ require 'rails_helper'
 describe Repp::AccountV1 do
  it 'should fail without whitelisted IP' do
-    ENV['webclient_ip'] = '192.188.1.1'
+    ENV['webclient_ips'] = '192.188.1.1'
    @registrar1 = Fabricate(:registrar, white_ips: [Fabricate(:white_ip_registrar)])
    @api_user = Fabricate(:api_user, registrar: @registrar1)
@ -11,7 +11,7 @@ describe Repp::AccountV1 do
    body = JSON.parse(response.body)
    body['error'].should == 'IP is not whitelisted'
-    ENV['webclient_ip'] = '127.0.0.1'
+    ENV['webclient_ips'] = '127.0.0.1'
  end
  context 'with valid registrar' do