diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
index 7651eace5..b6b75fcfd 100644
--- a/app/controllers/epp/sessions_controller.rb
+++ b/app/controllers/epp/sessions_controller.rb
@@ -9,13 +9,12 @@ class Epp::SessionsController < EppController
 # rubocop: disable Metrics/CyclomaticComplexity
 def login
 cert_valid = true
- if request.ip == ENV['webclient_ip']
- @api_user = ApiUser.find_by(login_params)
- else
- if request.env['HTTP_SSL_CLIENT_S_DN_CN'] != login_params[:username]
+ @api_user = ApiUser.find_by(login_params)
+
+ if request.ip != ENV['webclient_ip'] && @api_user
+ unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
 cert_valid = false
 end
- @api_user = ApiUser.find_by(login_params)
 end
 
 if @api_user.try(:active) && cert_valid && ip_white? && connection_limit_ok?
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index efc3c5de5..75746d340 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
@@ -54,8 +54,13 @@ class ApiUser < User
 certificates.registrar.exists?(md5: md5, common_name: cn)
 end
 
- def api_pki_ok?(crt)
- certificates.api.exists?(crt: crt)
+ def api_pki_ok?(crt, cn)
+ crt = crt.split(' ').join("\n")
+ crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+ crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+ cert = OpenSSL::X509::Certificate.new(crt)
+ md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
+ certificates.api.exists?(md5: md5, common_name: cn)
 end
 
 class << self
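Review bot: The new `unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], ...)` line passes the header through unchecked, and when no client certificate was presented (or the proxy did not set the header) the value is nil, so the model's `crt.split(' ')` in the second hunk raises NoMethodError and the login fails with a 500 instead of a clean authentication failure. A missing certificate should simply count as an invalid one: `unless request.env['HTTP_SSL_CLIENT_CERT'].present? && @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])`. The `request.ip != ENV['webclient_ip']` exemption now decides whether the certificate is checked at all, so it is worth a comment stating that it relies on `request.ip` being trustworthy behind whatever proxy terminates TLS (presumably the same one that populates the SSL_CLIENT_* headers), e.g. `# The webclient bypass assumes request.ip cannot be spoofed through the proxy; the SSL_CLIENT_* headers must be set (or stripped) by that proxy, never passed through from the client.` The body of `login` continues outside the hunk.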
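Review bot: `api_pki_ok?` treats `crt` as well-formed PEM, but the value comes straight from a request header, so a nil or malformed value surfaces as NoMethodError on `crt.split` or `OpenSSL::X509::CertificateError` from `OpenSSL::X509::Certificate.new` rather than as a `false` result, which is what the caller in the first hunk expects from a predicate. The method should return false for blank input and rescue the parse error, and a short comment should state why the whitespace rewriting is there (the proxy flattens the PEM into a single header line, which is what the `split(' ').join("\n")` and the two BEGIN/END repairs undo). The fingerprint lookup uses MD5 because that is the stored column and matches the registrar variant above it; that is acceptable as a second factor after the proxy has already validated the client certificate, but a `# TODO: migrate fingerprint column to SHA-256` note would document the known weakness. Note that `cn` is never checked against `cert.subject` here; the consistency of the two headers is assumed to be guaranteed by the proxy, which should be stated in the method's doc comment.
```ruby
def api_pki_ok?(crt, cn)
  # crt arrives as a single header line; restore PEM line breaks before parsing
  return false if crt.blank? || cn.blank?
  crt = crt.split(' ').join("\n")
  # … unchanged: BEGIN/END marker repair, DER fingerprint, exists? lookup …
rescue OpenSSL::X509::CertificateError
  false
end
```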