gitlab-org--gitlab-foss/app/models/pages_domain.rb

class PagesDomain < ActiveRecord::Base
  belongs_to :project

  validates :domain, hostname: true
  validates_uniqueness_of :domain, case_sensitive: false
  validates :certificate, certificate: true, allow_nil: true, allow_blank: true
  validates :key, certificate_key: true, allow_nil: true, allow_blank: true

  validate :validate_pages_domain
  validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
  validate :validate_intermediates, if: ->(domain) { domain.certificate.present? }

  attr_encrypted :key, mode: :per_attribute_iv_and_salt, key: Gitlab::Application.secrets.db_key_base

  after_create :update
  after_save :update
  after_destroy :update

  def to_param
    domain
  end

  def url
    return unless domain

    if certificate
      return "https://#{domain}"
    else
      return "http://#{domain}"
    end
  end

  def has_matching_key?
    return false unless x509
    return false unless pkey

    # We compare the public key stored in certificate with public key from certificate key
    x509.check_private_key(pkey)
  end

  def has_intermediates?
    return false unless x509

    # self-signed certificates doesn't have the certificate chain
    return true if x509.verify(x509.public_key)

    store = OpenSSL::X509::Store.new
    store.set_default_paths

    # This forces to load all intermediate certificates stored in `certificate`
    Tempfile.open('certificate_chain') do |f|
      f.write(certificate)
      f.flush
      store.add_file(f.path)
    end

    store.verify(x509)
  rescue OpenSSL::X509::StoreError
    false
  end

  def expired?
    return false unless x509
    current = Time.new
    current < x509.not_before || x509.not_after < current
  end

  def subject
    return unless x509
    x509.subject.to_s
  end

  def certificate_text
    @certificate_text ||= x509.try(:to_text)
  end

  private

  def update
    ::Projects::UpdatePagesConfigurationService.new(project).execute
  end

  def validate_matching_key
    unless has_matching_key?
      self.errors.add(:key, "doesn't match the certificate")
    end
  end

  def validate_intermediates
    unless has_intermediates?
      self.errors.add(:certificate, 'misses intermediates')
    end
  end

  def validate_pages_domain
    return unless domain
    if domain.downcase.ends_with?(".#{Settings.pages.host}".downcase)
      self.errors.add(:domain, "*.#{Settings.pages.host} is restricted")
    end
  end

  def x509
    return unless certificate
    @x509 ||= OpenSSL::X509::Certificate.new(certificate)
  rescue OpenSSL::X509::CertificateError
    nil
  end

  def pkey
    return unless key
    @pkey ||= OpenSSL::PKey::RSA.new(key)
  rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
    nil
  end
end
Added PagesDomain 2016-02-10 11:07:46 +00:00			`class PagesDomain < ActiveRecord::Base`
			`belongs_to :project`

			`validates :domain, hostname: true`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`validates_uniqueness_of :domain, case_sensitive: false`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`validates :certificate, certificate: true, allow_nil: true, allow_blank: true`
			`validates :key, certificate_key: true, allow_nil: true, allow_blank: true`

Pages domain model specs 2016-02-12 15:05:17 +00:00			`validate :validate_pages_domain`
			`validate :validate_matching_key, if: ->(domain) { domain.certificate.present? \|\| domain.key.present? }`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`validate :validate_intermediates, if: ->(domain) { domain.certificate.present? }`

			`attr_encrypted :key, mode: :per_attribute_iv_and_salt, key: Gitlab::Application.secrets.db_key_base`
Added PagesDomain 2016-02-10 11:07:46 +00:00
			`after_create :update`
			`after_save :update`
			`after_destroy :update`

Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`def to_param`
			`domain`
			`end`

Added PagesDomain 2016-02-10 11:07:46 +00:00			`def url`
			`return unless domain`

			`if certificate`
			`return "https://#{domain}"`
			`else`
			`return "http://#{domain}"`
			`end`
			`end`

Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`def has_matching_key?`
Pages domain model specs 2016-02-12 15:05:17 +00:00			`return false unless x509`
			`return false unless pkey`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00
			`# We compare the public key stored in certificate with public key from certificate key`
			`x509.check_private_key(pkey)`
			`end`

			`def has_intermediates?`
			`return false unless x509`

Pages domain model specs 2016-02-12 15:05:17 +00:00			`# self-signed certificates doesn't have the certificate chain`
			`return true if x509.verify(x509.public_key)`

Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`store = OpenSSL::X509::Store.new`
			`store.set_default_paths`

			# This forces to load all intermediate certificates stored in `certificate`
			`Tempfile.open('certificate_chain') do \|f\|`
			`f.write(certificate)`
			`f.flush`
			`store.add_file(f.path)`
			`end`

			`store.verify(x509)`
			`rescue OpenSSL::X509::StoreError`
			`false`
			`end`

			`def expired?`
			`return false unless x509`
			`current = Time.new`
Fix rubocop complains 2016-02-14 18:58:45 +00:00			`current < x509.not_before \|\| x509.not_after < current`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`end`

			`def subject`
			`return unless x509`
Fix rubocop complains 2016-02-14 18:58:45 +00:00			`x509.subject.to_s`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`end`

Pages domain model specs 2016-02-12 15:05:17 +00:00			`def certificate_text`
			`@certificate_text \|\|= x509.try(:to_text)`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`end`

Fix views 2016-02-10 15:45:59 +00:00			`private`

Added PagesDomain 2016-02-10 11:07:46 +00:00			`def update`
Implement extra domains and save pages configuration 2016-02-10 14:06:31 +00:00			`::Projects::UpdatePagesConfigurationService.new(project).execute`
			`end`

			`def validate_matching_key`
			`unless has_matching_key?`
			`self.errors.add(:key, "doesn't match the certificate")`
			`end`
			`end`

			`def validate_intermediates`
			`unless has_intermediates?`
			`self.errors.add(:certificate, 'misses intermediates')`
			`end`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`end`
Pages domain model specs 2016-02-12 15:05:17 +00:00
			`def validate_pages_domain`
			`return unless domain`
			`if domain.downcase.ends_with?(".#{Settings.pages.host}".downcase)`
			`self.errors.add(:domain, "*.#{Settings.pages.host} is restricted")`
			`end`
			`end`

			`def x509`
			`return unless certificate`
			`@x509 \|\|= OpenSSL::X509::Certificate.new(certificate)`
			`rescue OpenSSL::X509::CertificateError`
			`nil`
			`end`

			`def pkey`
			`return unless key`
			`@pkey \|\|= OpenSSL::PKey::RSA.new(key)`
			`rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError`
			`nil`
			`end`
Added PagesDomain 2016-02-10 11:07:46 +00:00			`end`