zydronium/internetee-registry
1
0
Fork 0
mirror of https://github.com/internetee/registry.git synced 2025-06-07 13:15:40 +02:00
Code Issues Projects Releases Packages Wiki Activity

Verify that CN is present when uploading CSR/CRT

Browse source
This commit is contained in:
Karl Erik Õunapuu 2020-05-12 11:38:28 +03:00
parent e18942e8ee
commit c2f8589044
3 changed files with 29 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

29
app/models/certificate.rb
View file

@ -32,20 +32,21 @@ class Certificate < ApplicationRecord
errors.add(:base, I18n.t(:invalid_csr_or_crt)) errors.add(:base, I18n.t(:invalid_csr_or_crt))
end end
before_create :parse_metadata validate :assign_metadata
def parse_metadata
if crt def assign_metadata
pc = parsed_crt.try(:subject).try(:to_s) || '' origin = crt ? parsed_crt : parsed_csr
cn = pc.scan(/\/CN=(.+)/).flatten.first parse_metadata(origin)
self.common_name = cn.split('/').first rescue NoMethodError
self.md5 = OpenSSL::Digest::MD5.new(parsed_crt.to_der).to_s errors.add(:base, I18n.t(:invalid_csr_or_crt))
self.interface = API end
elsif csr
pc = parsed_csr.try(:subject).try(:to_s) || '' def parse_metadata(origin)
cn = pc.scan(/\/CN=(.+)/).flatten.first pc = origin.subject.to_s
self.common_name = cn.split('/').first cn = pc.scan(%r{\/CN=(.+)}).flatten.first
self.interface = REGISTRAR self.common_name = cn.split('/').first
end self.md5 = OpenSSL::Digest::MD5.new(origin.to_der).to_s if crt
self.interface = crt ? API : REGISTRAR
end end
def parsed_crt def parsed_crt

9
test/fixtures/certificates.yml vendored
View file

@ -1,7 +1,14 @@
one: api:
api_user: api_bestnames api_user: api_bestnames
common_name: registry.test common_name: registry.test
crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n" crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
md5: e6771ed5dc857a1dbcc1e0a36baa1fee md5: e6771ed5dc857a1dbcc1e0a36baa1fee
interface: api interface: api
revoked: false revoked: false
registrar:
api_user: api_bestnames
common_name: registry.test
crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
md5: e6771ed5dc857a1dbcc1e0a36baa1fee
interface: registrar
revoked: false

8
test/models/api_user_test.rb
View file

@ -64,18 +64,22 @@ class ApiUserTest < ActiveSupport::TestCase
end end
def test_verifies_pki_status def test_verifies_pki_status
certificate = certificates(:one) certificate = certificates(:api)
assert @user.pki_ok?(certificate.crt, certificate.common_name, api: true) assert @user.pki_ok?(certificate.crt, certificate.common_name, api: true)
assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: true) assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: true)
certificate.update(interface: 'registrar') certificate = certificates(:registrar)
assert @user.pki_ok?(certificate.crt, certificate.common_name, api: false) assert @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: false) assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: false)
certificate.update(revoked: true) certificate.update(revoked: true)
assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: false) assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
certificate = certificates(:api)
certificate.update(revoked: true)
assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: true)
end end
private private