gitlab-org--gitlab-foss/app/models/pages_domain.rb

129 lines
2.9 KiB
Ruby
Raw Normal View History

2016-02-10 06:07:46 -05:00
class PagesDomain < ActiveRecord::Base
belongs_to :project
validates :domain, hostname: { allow_numeric_hostname: true }
2017-02-21 19:40:04 -05:00
validates :domain, uniqueness: { case_sensitive: false }
2016-02-10 06:07:46 -05:00
validates :certificate, certificate: true, allow_nil: true, allow_blank: true
validates :key, certificate_key: true, allow_nil: true, allow_blank: true
2016-02-12 10:05:17 -05:00
validate :validate_pages_domain
validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
validate :validate_intermediates, if: ->(domain) { domain.certificate.present? }
attr_encrypted :key,
mode: :per_attribute_iv_and_salt,
2016-06-28 04:14:24 -04:00
insecure_mode: true,
key: Gitlab::Application.secrets.db_key_base,
algorithm: 'aes-256-cbc'
2016-02-10 06:07:46 -05:00
after_create :update_daemon
after_save :update_daemon
after_destroy :update_daemon
2016-02-10 06:07:46 -05:00
def to_param
domain
end
2016-02-10 06:07:46 -05:00
def url
return unless domain
if certificate
2016-02-15 09:01:42 -05:00
"https://#{domain}"
2016-02-10 06:07:46 -05:00
else
2016-02-15 09:01:42 -05:00
"http://#{domain}"
2016-02-10 06:07:46 -05:00
end
end
def has_matching_key?
2016-02-12 10:05:17 -05:00
return false unless x509
return false unless pkey
# We compare the public key stored in certificate with public key from certificate key
x509.check_private_key(pkey)
end
def has_intermediates?
return false unless x509
2016-02-12 10:05:17 -05:00
# self-signed certificates doesn't have the certificate chain
return true if x509.verify(x509.public_key)
store = OpenSSL::X509::Store.new
store.set_default_paths
# This forces to load all intermediate certificates stored in `certificate`
Tempfile.open('certificate_chain') do |f|
f.write(certificate)
f.flush
store.add_file(f.path)
end
store.verify(x509)
rescue OpenSSL::X509::StoreError
false
end
def expired?
return false unless x509
current = Time.new
2016-02-14 13:58:45 -05:00
current < x509.not_before || x509.not_after < current
end
def expiration
x509&.not_after
end
def subject
return unless x509
2016-02-14 13:58:45 -05:00
x509.subject.to_s
end
2016-02-12 10:05:17 -05:00
def certificate_text
@certificate_text ||= x509.try(:to_text)
end
2016-02-10 10:45:59 -05:00
private
def update_daemon
::Projects::UpdatePagesConfigurationService.new(project).execute
end
def validate_matching_key
unless has_matching_key?
self.errors.add(:key, "doesn't match the certificate")
end
end
def validate_intermediates
unless has_intermediates?
self.errors.add(:certificate, 'misses intermediates')
end
2016-02-10 06:07:46 -05:00
end
2016-02-12 10:05:17 -05:00
def validate_pages_domain
return unless domain
if domain.downcase.ends_with?(Settings.pages.host.downcase)
2016-02-12 10:05:17 -05:00
self.errors.add(:domain, "*.#{Settings.pages.host} is restricted")
end
end
def x509
return unless certificate
2016-02-12 10:05:17 -05:00
@x509 ||= OpenSSL::X509::Certificate.new(certificate)
rescue OpenSSL::X509::CertificateError
nil
end
def pkey
return unless key
2016-02-12 10:05:17 -05:00
@pkey ||= OpenSSL::PKey::RSA.new(key)
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
nil
end
2016-02-10 06:07:46 -05:00
end