class EppController < ApplicationController include Iptable layout false protect_from_forgery with: :null_session skip_before_action :verify_authenticity_token before_action :generate_svtrid before_action :latin_only before_action :validate_against_schema def validate_against_schema return if ['hello', 'error', 'keyrelay', 'not_found'].include?(params[:action]) params[:schema] = 'epp-1.0.xsd' unless params[:schema] xsd = Nokogiri::XML::Schema(File.read("lib/schemas/#{params[:schema]}")) xsd.validate(params[:nokogiri_frame]).each do |error| epp_errors << { code: 2001, msg: error } end handle_errors and return if epp_errors.any? end before_action :validate_request before_action :update_epp_session around_action :catch_epp_errors def catch_epp_errors err = catch(:epp_error) do yield nil end return unless err @errors = [err] handle_errors end helper_method :current_user rescue_from StandardError do |e| @errors ||= [] if e.class == CanCan::AccessDenied if @errors.blank? @errors = [{ msg: t('errors.messages.epp_authorization_error'), code: '2201' }] end else if @errors.blank? @errors = [{ msg: 'Internal error.', code: '2400' }] end if Rails.env.test? || Rails.env.development? # rubocop:disable Rails/Output puts e.backtrace.reverse.join("\n") puts "\nFROM-EPP-RESCUE: #{e.message}\n" # rubocop:enable Rails/Output else logger.error "FROM-EPP-RESCUE: #{e.message}" logger.error e.backtrace.join("\n") # TODO: NOITFY AIRBRAKE / ERRBIT HERE NewRelic::Agent.notice_error(e) end end render_epp_response '/epp/error' end def generate_svtrid # rubocop: disable Style/VariableName @svTRID = "ccReg-#{format('%010d', rand(10**10))}" # rubocop: enable Style/VariableName end def params_hash # TODO: THIS IS DEPRECATED AND WILL BE REMOVED IN FUTURE @params_hash ||= Hash.from_xml(params[:frame]).with_indifferent_access end # SESSION MANAGEMENT def epp_session cookie = env['rack.request.cookie_hash'] || {} EppSession.find_or_initialize_by(session_id: cookie['session']) end def update_epp_session iptables_counter_update e_s = epp_session return if e_s.new_record? if e_s.updated_at < Time.zone.now - 5.minutes @api_user = current_user # cache current_user for logging e_s.destroy response.headers['X-EPP-Returncode'] = '1500' epp_errors << { msg: t('session_timeout'), code: '2201' } handle_errors and return else e_s.update_column(:updated_at, Time.zone.now) end end def current_user @current_user ||= ApiUser.find_by_id(epp_session[:api_user_id]) # by default PaperTrail uses before filter and at that # time current_user is not yet present ::PaperTrail.whodunnit = api_user_log_str(@current_user) ::PaperSession.session = epp_session.session_id if epp_session.session_id.present? @current_user end # ERROR + RESPONSE HANDLING def epp_errors @errors ||= [] end def handle_errors(obj = nil) @errors ||= [] if obj obj.construct_epp_errors @errors += obj.errors[:epp_errors] end # for debugging if @errors.blank? @errors << { code: '1', msg: 'handle_errors was executed when there were actually no errors' } # rubocop:disable Rails/Output puts "FULL MESSAGE: #{obj.errors.full_messages} #{obj.errors.inspect}" if Rails.env.test? # rubocop: enable Rails/Output end @errors.uniq! # Requested by client, ticket #2688 # Known issues: error request is exactly 1 second slower and server can handle less load sleep 1 if !Rails.env.test? || !Rails.env.development? render_epp_response '/epp/error' end def render_epp_response(*args) @response = render_to_string(*args) render xml: @response write_to_epp_log end # VALIDATION def latin_only return true if params['frame'].blank? return true if params['frame'].match(/\A[\p{Latin}\p{Z}\p{P}\p{S}\p{Cc}\p{Cf}\w_\'\+\-\.\(\)\/]*\Z/i) epp_errors << { msg: 'Parameter value policy error. Allowed only Latin characters.', code: '2306' } handle_errors and return false end # VALIDATION def validate_request validation_method = "validate_#{params[:action]}" return unless respond_to?(validation_method, true) send(validation_method) # validate legal document's type here because it may be in most of the requests @prefix = nil if element_count('extdata > legalDocument') > 0 requires_attribute('extdata > legalDocument', 'type', values: LegalDocument::TYPES, policy: true) end handle_errors and return if epp_errors.any? end # let's follow grape's validations: https://github.com/intridea/grape/#parameter-validation-and-coercion # Adds error to epp_errors if element is missing or blank # Returns last element of selectors if it exists # # requires 'transfer' # # TODO: Add possibility to pass validations / options in the method def requires(*selectors) options = selectors.extract_options! allow_blank = options[:allow_blank] ||= false # allow_blank is false by default el, missing = nil, nil selectors.each do |selector| full_selector = [@prefix, selector].compact.join(' ') attr = selector.split('>').last.strip.underscore el = params[:parsed_frame].css(full_selector).first if allow_blank missing = el.nil? else missing = el.present? ? el.text.blank? : true end epp_errors << { code: '2003', msg: I18n.t('errors.messages.required_parameter_missing', key: "#{full_selector} [#{attr}]") } if missing end missing ? false : el # return last selector if it was present end # Adds error to epp_errors if element or attribute is missing or attribute attribute is not one # of the values # # requires_attribute 'transfer', 'op', values: %(approve, query, reject) def requires_attribute(element_selector, attribute_selector, options) element = requires(element_selector, allow_blank: options[:allow_blank]) return unless element attribute = element[attribute_selector] unless attribute epp_errors << { code: '2003', msg: I18n.t('errors.messages.required_parameter_missing', key: attribute_selector) } return end return if options[:values].include?(attribute) if options[:policy] epp_errors << { code: '2306', msg: I18n.t('attribute_is_invalid', attribute: attribute_selector) } else epp_errors << { code: '2004', msg: I18n.t('parameter_value_range_error', key: attribute_selector) } end end def optional_attribute(element_selector, attribute_selector, options) full_selector = [@prefix, element_selector].compact.join(' ') element = params[:parsed_frame].css(full_selector).first return unless element attribute = element[attribute_selector] return if (attribute && options[:values].include?(attribute)) || !attribute epp_errors << { code: '2306', msg: I18n.t('attribute_is_invalid', attribute: attribute_selector) } end def exactly_one_of(*selectors) full_selectors = create_full_selectors(*selectors) return if element_count(*full_selectors, use_prefix: false) == 1 epp_errors << { code: '2306', msg: I18n.t(:exactly_one_parameter_required, params: full_selectors.join(' OR ')) } end def mutually_exclusive(*selectors) full_selectors = create_full_selectors(*selectors) return if element_count(*full_selectors, use_prefix: false) <= 1 epp_errors << { code: '2306', msg: I18n.t(:mutally_exclusive_params, params: full_selectors.join(', ')) } end def optional(selector, *validations) full_selector = [@prefix, selector].compact.join(' ') el = params[:parsed_frame].css(full_selector).first return unless el && el.text.present? value = el.text validations.each do |x| validator = "#{x.first[0]}_validator".camelize.constantize err = validator.validate_epp(selector.split(' ').last, value) epp_errors << err if err end end # Returns how many elements were present in the request # if use_prefix is true, @prefix will be prepended to selectors e.g create > create > name # default is true # # @prefix = 'create > create >' # element_count 'name', 'registrar', use_prefix: false # => 2 def element_count(*selectors) options = selectors.extract_options! use_prefix = options[:use_prefix] != false # use_prefix is true by default present_count = 0 selectors.each do |selector| full_selector = use_prefix ? [@prefix, selector].compact.join(' ') : selector el = params[:parsed_frame].css(full_selector).first present_count += 1 if el && el.text.present? end present_count end def create_full_selectors(*selectors) selectors.map { |x| [@prefix, x].compact.join(' ') } end def xml_attrs_present?(ph, attributes) # TODO: THIS IS DEPRECATED AND WILL BE REMOVED IN FUTURE attributes.each do |x| epp_errors << { code: '2003', msg: I18n.t('errors.messages.required_parameter_missing', key: x.last) } unless has_attribute(ph, x) end epp_errors.empty? end # rubocop: disable Style/PredicateName def has_attribute(ph, path) # TODO: THIS IS DEPRECATED AND WILL BE REMOVED IN FUTURE path.reduce(ph) do |location, key| location.respond_to?(:keys) ? location[key] : nil end end # rubocop: enable Style/PredicateName # rubocop: disable Metrics/CyclomaticComplexity def write_to_epp_log # return nil if EPP_LOG_ENABLED request_command = params[:command] || params[:action] # error receives :command, other methods receive :action frame = params[:raw_frame] || params[:frame] # filter pw if request_command == 'login' && frame.present? frame.gsub!(/pw>.+<\//, 'pw>[FILTERED]