2018-07-25 05:30:33 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
2019-03-28 09:17:42 -04:00
|
|
|
class PagesDomain < ApplicationRecord
|
2020-04-14 17:09:52 -04:00
|
|
|
include Presentable
|
2020-04-22 05:09:36 -04:00
|
|
|
include FromUnion
|
2020-08-12 17:09:54 -04:00
|
|
|
include AfterCommitQueue
|
2020-04-14 17:09:52 -04:00
|
|
|
|
2019-08-31 15:57:00 -04:00
|
|
|
VERIFICATION_KEY = 'gitlab-pages-verification-code'
|
2018-02-06 08:25:46 -05:00
|
|
|
VERIFICATION_THRESHOLD = 3.days.freeze
|
2019-06-24 16:35:12 -04:00
|
|
|
SSL_RENEWAL_THRESHOLD = 30.days.freeze
|
2018-02-06 08:25:46 -05:00
|
|
|
|
2019-06-21 08:06:12 -04:00
|
|
|
enum certificate_source: { user_provided: 0, gitlab_provided: 1 }, _prefix: :certificate
|
2020-01-31 19:08:41 -05:00
|
|
|
enum scope: { instance: 0, group: 1, project: 2 }, _prefix: :scope
|
|
|
|
enum usage: { pages: 0, serverless: 1 }, _prefix: :usage
|
2019-06-21 08:06:12 -04:00
|
|
|
|
2016-02-10 06:07:46 -05:00
|
|
|
belongs_to :project
|
2019-06-06 14:55:31 -04:00
|
|
|
has_many :acme_orders, class_name: "PagesDomainAcmeOrder"
|
2020-02-25 13:09:02 -05:00
|
|
|
has_many :serverless_domain_clusters, class_name: 'Serverless::DomainCluster', inverse_of: :pages_domain
|
2016-02-10 06:07:46 -05:00
|
|
|
|
2020-04-14 17:09:52 -04:00
|
|
|
before_validation :clear_auto_ssl_failure, unless: :auto_ssl_enabled
|
|
|
|
|
2017-05-19 10:07:38 -04:00
|
|
|
validates :domain, hostname: { allow_numeric_hostname: true }
|
2017-02-21 19:40:04 -05:00
|
|
|
validates :domain, uniqueness: { case_sensitive: false }
|
2020-02-17 19:09:20 -05:00
|
|
|
validates :certificate, :key, presence: true, if: :usage_serverless?
|
2019-07-12 10:19:01 -04:00
|
|
|
validates :certificate, presence: { message: 'must be present if HTTPS-only is enabled' },
|
|
|
|
if: :certificate_should_be_present?
|
2018-01-03 03:07:03 -05:00
|
|
|
validates :certificate, certificate: true, if: ->(domain) { domain.certificate.present? }
|
2019-07-12 10:19:01 -04:00
|
|
|
validates :key, presence: { message: 'must be present if HTTPS-only is enabled' },
|
|
|
|
if: :certificate_should_be_present?
|
2019-09-06 20:29:03 -04:00
|
|
|
validates :key, certificate_key: true, named_ecdsa_key: true, if: ->(domain) { domain.key.present? }
|
2018-02-06 08:25:46 -05:00
|
|
|
validates :verification_code, presence: true, allow_blank: false
|
2016-02-10 06:07:46 -05:00
|
|
|
|
2016-02-12 10:05:17 -05:00
|
|
|
validate :validate_pages_domain
|
|
|
|
validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
|
2019-07-22 11:38:08 -04:00
|
|
|
validate :validate_intermediates, if: ->(domain) { domain.certificate.present? && domain.certificate_changed? }
|
2016-02-10 09:06:31 -05:00
|
|
|
|
2020-11-23 10:09:37 -05:00
|
|
|
default_value_for(:auto_ssl_enabled, allows_nil: false) { ::Gitlab::LetsEncrypt.enabled? }
|
|
|
|
default_value_for :scope, allows_nil: false, value: :project
|
|
|
|
default_value_for :wildcard, allows_nil: false, value: false
|
|
|
|
default_value_for :usage, allows_nil: false, value: :pages
|
2019-11-15 16:06:14 -05:00
|
|
|
|
2016-06-03 15:01:54 -04:00
|
|
|
attr_encrypted :key,
|
|
|
|
mode: :per_attribute_iv_and_salt,
|
2016-06-28 04:14:24 -04:00
|
|
|
insecure_mode: true,
|
2018-05-19 09:03:29 -04:00
|
|
|
key: Settings.attr_encrypted_db_key_base,
|
2016-06-03 15:01:54 -04:00
|
|
|
algorithm: 'aes-256-cbc'
|
2016-02-10 06:07:46 -05:00
|
|
|
|
2018-02-06 08:25:46 -05:00
|
|
|
after_initialize :set_verification_code
|
2016-02-10 06:07:46 -05:00
|
|
|
|
2021-05-26 11:10:57 -04:00
|
|
|
scope :for_project, ->(project) { where(project: project) }
|
|
|
|
|
2020-05-22 05:08:09 -04:00
|
|
|
scope :enabled, -> { where('enabled_until >= ?', Time.current ) }
|
2018-02-06 08:25:46 -05:00
|
|
|
scope :needs_verification, -> do
|
|
|
|
verified_at = arel_table[:verified_at]
|
|
|
|
enabled_until = arel_table[:enabled_until]
|
2020-05-22 05:08:09 -04:00
|
|
|
threshold = Time.current + VERIFICATION_THRESHOLD
|
2018-02-06 08:25:46 -05:00
|
|
|
|
|
|
|
where(verified_at.eq(nil).or(enabled_until.eq(nil).or(enabled_until.lt(threshold))))
|
|
|
|
end
|
|
|
|
|
2019-06-24 16:35:12 -04:00
|
|
|
scope :need_auto_ssl_renewal, -> do
|
2020-04-22 05:09:36 -04:00
|
|
|
enabled_and_not_failed = where(auto_ssl_enabled: true, auto_ssl_failed: false)
|
2019-06-24 16:35:12 -04:00
|
|
|
|
2020-04-22 05:09:36 -04:00
|
|
|
user_provided = enabled_and_not_failed.certificate_user_provided
|
|
|
|
certificate_not_valid = enabled_and_not_failed.where(certificate_valid_not_after: nil)
|
|
|
|
certificate_expiring = enabled_and_not_failed
|
|
|
|
.where(arel_table[:certificate_valid_not_after].lt(SSL_RENEWAL_THRESHOLD.from_now))
|
2019-06-24 16:35:12 -04:00
|
|
|
|
2020-04-22 05:09:36 -04:00
|
|
|
from_union([user_provided, certificate_not_valid, certificate_expiring])
|
2019-06-24 16:35:12 -04:00
|
|
|
end
|
|
|
|
|
2020-05-22 05:08:09 -04:00
|
|
|
scope :for_removal, -> { where("remove_at < ?", Time.current) }
|
2019-04-30 08:05:54 -04:00
|
|
|
|
2020-02-11 13:08:58 -05:00
|
|
|
scope :with_logging_info, -> { includes(project: [:namespace, :route]) }
|
|
|
|
|
2020-02-17 19:09:20 -05:00
|
|
|
scope :instance_serverless, -> { where(wildcard: true, scope: :instance, usage: :serverless) }
|
|
|
|
|
2020-02-25 16:09:23 -05:00
|
|
|
def self.find_by_domain_case_insensitive(domain)
|
|
|
|
find_by("LOWER(domain) = LOWER(?)", domain)
|
|
|
|
end
|
|
|
|
|
2018-02-06 08:25:46 -05:00
|
|
|
def verified?
|
|
|
|
!!verified_at
|
|
|
|
end
|
|
|
|
|
|
|
|
def unverified?
|
|
|
|
!verified?
|
|
|
|
end
|
|
|
|
|
|
|
|
def enabled?
|
|
|
|
!Gitlab::CurrentSettings.pages_domain_verification_enabled? || enabled_until.present?
|
|
|
|
end
|
|
|
|
|
2018-01-03 03:07:03 -05:00
|
|
|
def https?
|
|
|
|
certificate.present?
|
|
|
|
end
|
|
|
|
|
2016-02-10 09:06:31 -05:00
|
|
|
def to_param
|
|
|
|
domain
|
|
|
|
end
|
|
|
|
|
2016-02-10 06:07:46 -05:00
|
|
|
def url
|
|
|
|
return unless domain
|
|
|
|
|
2018-01-07 20:27:19 -05:00
|
|
|
if certificate.present?
|
2016-02-15 09:01:42 -05:00
|
|
|
"https://#{domain}"
|
2016-02-10 06:07:46 -05:00
|
|
|
else
|
2016-02-15 09:01:42 -05:00
|
|
|
"http://#{domain}"
|
2016-02-10 06:07:46 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-02-10 09:06:31 -05:00
|
|
|
def has_matching_key?
|
2016-02-12 10:05:17 -05:00
|
|
|
return false unless x509
|
|
|
|
return false unless pkey
|
2016-02-10 09:06:31 -05:00
|
|
|
|
|
|
|
# We compare the public key stored in certificate with public key from certificate key
|
|
|
|
x509.check_private_key(pkey)
|
|
|
|
end
|
|
|
|
|
|
|
|
def has_intermediates?
|
|
|
|
return false unless x509
|
|
|
|
|
2016-02-12 10:05:17 -05:00
|
|
|
# self-signed certificates doesn't have the certificate chain
|
|
|
|
return true if x509.verify(x509.public_key)
|
|
|
|
|
2016-02-10 09:06:31 -05:00
|
|
|
store = OpenSSL::X509::Store.new
|
|
|
|
store.set_default_paths
|
|
|
|
|
2021-10-07 05:12:01 -04:00
|
|
|
store.verify(x509, untrusted_ca_certs_bundle)
|
2016-02-10 09:06:31 -05:00
|
|
|
rescue OpenSSL::X509::StoreError
|
|
|
|
false
|
|
|
|
end
|
|
|
|
|
2021-10-07 05:12:01 -04:00
|
|
|
def untrusted_ca_certs_bundle
|
|
|
|
::Gitlab::X509::Certificate.load_ca_certs_bundle(certificate)
|
|
|
|
end
|
|
|
|
|
2016-02-10 09:06:31 -05:00
|
|
|
def expired?
|
|
|
|
return false unless x509
|
2017-11-14 04:02:39 -05:00
|
|
|
|
2020-05-22 05:08:09 -04:00
|
|
|
current = Time.current
|
2016-02-14 13:58:45 -05:00
|
|
|
current < x509.not_before || x509.not_after < current
|
2016-02-10 09:06:31 -05:00
|
|
|
end
|
|
|
|
|
2017-11-13 11:05:44 -05:00
|
|
|
def expiration
|
|
|
|
x509&.not_after
|
|
|
|
end
|
|
|
|
|
2016-02-10 09:06:31 -05:00
|
|
|
def subject
|
|
|
|
return unless x509
|
2017-11-14 04:02:39 -05:00
|
|
|
|
2016-02-14 13:58:45 -05:00
|
|
|
x509.subject.to_s
|
2016-02-10 09:06:31 -05:00
|
|
|
end
|
|
|
|
|
2016-02-12 10:05:17 -05:00
|
|
|
def certificate_text
|
|
|
|
@certificate_text ||= x509.try(:to_text)
|
2016-02-10 09:06:31 -05:00
|
|
|
end
|
|
|
|
|
2018-02-06 08:25:46 -05:00
|
|
|
# Verification codes may be TXT records for domain or verification_domain, to
|
|
|
|
# support the use of CNAME records on domain.
|
|
|
|
def verification_domain
|
|
|
|
return unless domain.present?
|
|
|
|
|
|
|
|
"_#{VERIFICATION_KEY}.#{domain}"
|
|
|
|
end
|
|
|
|
|
|
|
|
def keyed_verification_code
|
|
|
|
return unless verification_code.present?
|
|
|
|
|
|
|
|
"#{VERIFICATION_KEY}=#{verification_code}"
|
|
|
|
end
|
|
|
|
|
2019-06-06 15:14:09 -04:00
|
|
|
def certificate=(certificate)
|
|
|
|
super(certificate)
|
|
|
|
|
|
|
|
# set nil, if certificate is nil
|
|
|
|
self.certificate_valid_not_before = x509&.not_before
|
|
|
|
self.certificate_valid_not_after = x509&.not_after
|
|
|
|
end
|
|
|
|
|
2019-06-21 08:06:12 -04:00
|
|
|
def user_provided_key
|
|
|
|
key if certificate_user_provided?
|
|
|
|
end
|
|
|
|
|
|
|
|
def user_provided_key=(key)
|
|
|
|
self.key = key
|
2021-01-07 22:10:42 -05:00
|
|
|
self.certificate_source = 'user_provided' if attribute_changed?(:key)
|
2019-06-21 08:06:12 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def user_provided_certificate
|
|
|
|
certificate if certificate_user_provided?
|
|
|
|
end
|
|
|
|
|
|
|
|
def user_provided_certificate=(certificate)
|
|
|
|
self.certificate = certificate
|
|
|
|
self.certificate_source = 'user_provided' if certificate_changed?
|
|
|
|
end
|
|
|
|
|
|
|
|
def gitlab_provided_certificate=(certificate)
|
|
|
|
self.certificate = certificate
|
|
|
|
self.certificate_source = 'gitlab_provided' if certificate_changed?
|
|
|
|
end
|
|
|
|
|
|
|
|
def gitlab_provided_key=(key)
|
|
|
|
self.key = key
|
2021-01-07 22:10:42 -05:00
|
|
|
self.certificate_source = 'gitlab_provided' if attribute_changed?(:key)
|
2019-06-21 08:06:12 -04:00
|
|
|
end
|
|
|
|
|
2019-09-06 01:20:05 -04:00
|
|
|
def pages_virtual_domain
|
2019-09-25 05:06:04 -04:00
|
|
|
return unless pages_deployed?
|
|
|
|
|
2019-09-06 01:20:05 -04:00
|
|
|
Pages::VirtualDomain.new([project], domain: self)
|
|
|
|
end
|
|
|
|
|
2020-04-14 17:09:52 -04:00
|
|
|
def clear_auto_ssl_failure
|
|
|
|
self.auto_ssl_failed = false
|
|
|
|
end
|
|
|
|
|
2016-02-10 10:45:59 -05:00
|
|
|
private
|
|
|
|
|
2019-09-25 05:06:04 -04:00
|
|
|
def pages_deployed?
|
2020-08-12 17:09:54 -04:00
|
|
|
return false unless project
|
|
|
|
|
2019-09-25 05:06:04 -04:00
|
|
|
project.pages_metadatum&.deployed?
|
|
|
|
end
|
|
|
|
|
2018-02-06 08:25:46 -05:00
|
|
|
def set_verification_code
|
|
|
|
return if self.verification_code.present?
|
|
|
|
|
|
|
|
self.verification_code = SecureRandom.hex(16)
|
|
|
|
end
|
|
|
|
|
2016-02-10 09:06:31 -05:00
|
|
|
def validate_matching_key
|
|
|
|
unless has_matching_key?
|
|
|
|
self.errors.add(:key, "doesn't match the certificate")
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def validate_intermediates
|
|
|
|
unless has_intermediates?
|
|
|
|
self.errors.add(:certificate, 'misses intermediates')
|
|
|
|
end
|
2016-02-10 06:07:46 -05:00
|
|
|
end
|
2016-02-12 10:05:17 -05:00
|
|
|
|
|
|
|
def validate_pages_domain
|
|
|
|
return unless domain
|
2017-11-14 04:02:39 -05:00
|
|
|
|
2022-04-27 05:10:46 -04:00
|
|
|
if domain.downcase.ends_with?(".#{Settings.pages.host.downcase}")
|
|
|
|
error_template = _("Subdomains of the Pages root domain %{root_domain} are reserved and cannot be used as custom Pages domains.")
|
|
|
|
self.errors.add(:domain, error_template % { root_domain: Settings.pages.host })
|
2016-02-12 10:05:17 -05:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
def x509
|
2019-06-06 15:14:09 -04:00
|
|
|
return unless certificate.present?
|
2017-11-14 04:02:39 -05:00
|
|
|
|
2016-02-12 10:05:17 -05:00
|
|
|
@x509 ||= OpenSSL::X509::Certificate.new(certificate)
|
|
|
|
rescue OpenSSL::X509::CertificateError
|
|
|
|
nil
|
|
|
|
end
|
|
|
|
|
|
|
|
def pkey
|
|
|
|
return unless key
|
2017-11-14 04:02:39 -05:00
|
|
|
|
2019-09-06 20:29:03 -04:00
|
|
|
@pkey ||= OpenSSL::PKey.read(key)
|
2016-02-12 10:05:17 -05:00
|
|
|
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
|
|
|
|
nil
|
|
|
|
end
|
2019-07-12 10:19:01 -04:00
|
|
|
|
|
|
|
def certificate_should_be_present?
|
|
|
|
!auto_ssl_enabled? && project&.pages_https_only?
|
|
|
|
end
|
2016-02-10 06:07:46 -05:00
|
|
|
end
|
2020-02-11 13:08:58 -05:00
|
|
|
|
2021-05-11 17:10:21 -04:00
|
|
|
PagesDomain.prepend_mod_with('PagesDomain')
|