gitlab-org--gitlab-foss/app/models/pages_domain.rb

class PagesDomain < ActiveRecord::Base
  belongs_to :project

  validates :domain, hostname: { allow_numeric_hostname: true }
  validates :domain, uniqueness: { case_sensitive: false }
  validates :certificate, certificate: true, allow_nil: true, allow_blank: true
  validates :key, certificate_key: true, allow_nil: true, allow_blank: true

  validate :validate_pages_domain
  validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
  validate :validate_intermediates, if: ->(domain) { domain.certificate.present? }

  attr_encrypted :key,
    mode: :per_attribute_iv_and_salt,
    insecure_mode: true,
    key: Gitlab::Application.secrets.db_key_base,
    algorithm: 'aes-256-cbc'

  after_create :update_daemon
  after_save :update_daemon
  after_destroy :update_daemon

  def to_param
    domain
  end

  def url
    return unless domain

    if certificate
      "https://#{domain}"
    else
      "http://#{domain}"
    end
  end

  def has_matching_key?
    return false unless x509
    return false unless pkey

    # We compare the public key stored in certificate with public key from certificate key
    x509.check_private_key(pkey)
  end

  def has_intermediates?
    return false unless x509

    # self-signed certificates doesn't have the certificate chain
    return true if x509.verify(x509.public_key)

    store = OpenSSL::X509::Store.new
    store.set_default_paths

    # This forces to load all intermediate certificates stored in `certificate`
    Tempfile.open('certificate_chain') do |f|
      f.write(certificate)
      f.flush
      store.add_file(f.path)
    end

    store.verify(x509)
  rescue OpenSSL::X509::StoreError
    false
  end

  def expired?
    return false unless x509

    current = Time.new
    current < x509.not_before || x509.not_after < current
  end

  def expiration
    x509&.not_after
  end

  def subject
    return unless x509

    x509.subject.to_s
  end

  def certificate_text
    @certificate_text ||= x509.try(:to_text)
  end

  private

  def update_daemon
    ::Projects::UpdatePagesConfigurationService.new(project).execute
  end

  def validate_matching_key
    unless has_matching_key?
      self.errors.add(:key, "doesn't match the certificate")
    end
  end

  def validate_intermediates
    unless has_intermediates?
      self.errors.add(:certificate, 'misses intermediates')
    end
  end

  def validate_pages_domain
    return unless domain

    if domain.downcase.ends_with?(Settings.pages.host.downcase)
      self.errors.add(:domain, "*.#{Settings.pages.host} is restricted")
    end
  end

  def x509
    return unless certificate

    @x509 ||= OpenSSL::X509::Certificate.new(certificate)
  rescue OpenSSL::X509::CertificateError
    nil
  end

  def pkey
    return unless key

    @pkey ||= OpenSSL::PKey::RSA.new(key)
  rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
    nil
  end
end
Added PagesDomain 2016-02-10 11:07:46 +00:00			`class PagesDomain < ActiveRecord::Base`
			`belongs_to :project`

Allow numeric pages domain Previously, `PagesDomain` would not allow a domain such as 123.example.com. With this change, this is now allowed, because it is a perfectly valid domain. 2017-05-19 14:07:38 +00:00			`validates :domain, hostname: { allow_numeric_hostname: true }`
Enable Rails/Validation 2017-02-22 00:40:04 +00:00			`validates :domain, uniqueness: { case_sensitive: false }`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`validates :certificate, certificate: true, allow_nil: true, allow_blank: true`
			`validates :key, certificate_key: true, allow_nil: true, allow_blank: true`

Pages domain model specs 2016-02-12 15:05:17 +00:00			`validate :validate_pages_domain`
			`validate :validate_matching_key, if: ->(domain) { domain.certificate.present? \|\| domain.key.present? }`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`validate :validate_intermediates, if: ->(domain) { domain.certificate.present? }`

Adds algorithm to the pages domain key and remote mirror credentials encrypted attributes for forward compatibility with attr_encrypted 3.0.0. aes-256-cbc is the default algorithm for attr_encrypted 1.x, but the default is changed in 3.0 and thus must be declared explicitly. See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4216/ for more information. This will prevent OpenSSL errors once the code from that MR is merged into EE. 2016-06-03 19:01:54 +00:00			`attr_encrypted :key,`
			`mode: :per_attribute_iv_and_salt,`
fix attr_encrypted in EE 2016-06-28 08:14:24 +00:00			`insecure_mode: true,`
Adds algorithm to the pages domain key and remote mirror credentials encrypted attributes for forward compatibility with attr_encrypted 3.0.0. aes-256-cbc is the default algorithm for attr_encrypted 1.x, but the default is changed in 3.0 and thus must be declared explicitly. See https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4216/ for more information. This will prevent OpenSSL errors once the code from that MR is merged into EE. 2016-06-03 19:01:54 +00:00			`key: Gitlab::Application.secrets.db_key_base,`
			`algorithm: 'aes-256-cbc'`
Added PagesDomain 2016-02-10 11:07:46 +00:00
Rename conflicting private method in PagesDomain model 2017-10-20 06:33:52 +00:00			`after_create :update_daemon`
			`after_save :update_daemon`
			`after_destroy :update_daemon`
Added PagesDomain 2016-02-10 11:07:46 +00:00
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`def to_param`
			`domain`
			`end`

Added PagesDomain 2016-02-10 11:07:46 +00:00			`def url`
			`return unless domain`

			`if certificate`
Updated according to comments 2016-02-15 14:01:42 +00:00			`"https://#{domain}"`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`else`
Updated according to comments 2016-02-15 14:01:42 +00:00			`"http://#{domain}"`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`end`
			`end`

Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`def has_matching_key?`
Pages domain model specs 2016-02-12 15:05:17 +00:00			`return false unless x509`
			`return false unless pkey`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00
			`# We compare the public key stored in certificate with public key from certificate key`
			`x509.check_private_key(pkey)`
			`end`

			`def has_intermediates?`
			`return false unless x509`

Pages domain model specs 2016-02-12 15:05:17 +00:00			`# self-signed certificates doesn't have the certificate chain`
			`return true if x509.verify(x509.public_key)`

Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`store = OpenSSL::X509::Store.new`
			`store.set_default_paths`

			# This forces to load all intermediate certificates stored in `certificate`
			`Tempfile.open('certificate_chain') do \|f\|`
			`f.write(certificate)`
			`f.flush`
			`store.add_file(f.path)`
			`end`

			`store.verify(x509)`
			`rescue OpenSSL::X509::StoreError`
			`false`
			`end`

			`def expired?`
			`return false unless x509`
Adds Rubocop rule for line break after guard clause Adds a rubocop rule (with autocorrect) to ensure line break after guard clauses. 2017-11-14 09:02:39 +00:00
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`current = Time.new`
Fix rubocop complains 2016-02-14 18:58:45 +00:00			`current < x509.not_before \|\| x509.not_after < current`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`end`

Add administrative endpoint to list all pages domains 2017-11-13 16:05:44 +00:00			`def expiration`
			`x509&.not_after`
			`end`

Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`def subject`
			`return unless x509`
Adds Rubocop rule for line break after guard clause Adds a rubocop rule (with autocorrect) to ensure line break after guard clauses. 2017-11-14 09:02:39 +00:00
Fix rubocop complains 2016-02-14 18:58:45 +00:00			`x509.subject.to_s`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`end`

Pages domain model specs 2016-02-12 15:05:17 +00:00			`def certificate_text`
			`@certificate_text \|\|= x509.try(:to_text)`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`end`

Fix views 2016-02-10 15:45:59 +00:00			`private`

Rename conflicting private method in PagesDomain model 2017-10-20 06:33:52 +00:00			`def update_daemon`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`::Projects::UpdatePagesConfigurationService.new(project).execute`
			`end`

			`def validate_matching_key`
			`unless has_matching_key?`
			`self.errors.add(:key, "doesn't match the certificate")`
			`end`
			`end`

			`def validate_intermediates`
			`unless has_intermediates?`
			`self.errors.add(:certificate, 'misses intermediates')`
			`end`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`end`
Pages domain model specs 2016-02-12 15:05:17 +00:00
			`def validate_pages_domain`
			`return unless domain`
Adds Rubocop rule for line break after guard clause Adds a rubocop rule (with autocorrect) to ensure line break after guard clauses. 2017-11-14 09:02:39 +00:00
Allow numeric pages domain Previously, `PagesDomain` would not allow a domain such as 123.example.com. With this change, this is now allowed, because it is a perfectly valid domain. 2017-05-19 14:07:38 +00:00			`if domain.downcase.ends_with?(Settings.pages.host.downcase)`
Pages domain model specs 2016-02-12 15:05:17 +00:00			`self.errors.add(:domain, "*.#{Settings.pages.host} is restricted")`
			`end`
			`end`

			`def x509`
			`return unless certificate`
Adds Rubocop rule for line break after guard clause Adds a rubocop rule (with autocorrect) to ensure line break after guard clauses. 2017-11-14 09:02:39 +00:00
Pages domain model specs 2016-02-12 15:05:17 +00:00			`@x509 \|\|= OpenSSL::X509::Certificate.new(certificate)`
			`rescue OpenSSL::X509::CertificateError`
			`nil`
			`end`

			`def pkey`
			`return unless key`
Adds Rubocop rule for line break after guard clause Adds a rubocop rule (with autocorrect) to ensure line break after guard clauses. 2017-11-14 09:02:39 +00:00
Pages domain model specs 2016-02-12 15:05:17 +00:00			`@pkey \|\|= OpenSSL::PKey::RSA.new(key)`
			`rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError`
			`nil`
			`end`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`end`