internetee · vohmar · May 14, 2020 · May 5, 2020 · May 5, 2020 · May 5, 2020
diff --git a/app/api/repp/api.rb b/app/api/repp/api.rb
@@ -30,7 +30,8 @@ class API < Grape::API
         webclient_cert_name = ENV['webclient_cert_common_name'] || 'webclient'
         error! "Webclient #{message} #{webclient_cert_name}", 401 if webclient_cert_name != request_name
       else
-        unless @current_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                     request.env['HTTP_SSL_CLIENT_S_DN_CN'])
           error! "#{message} #{@current_user.username}", 401
         end
       end

diff --git a/app/controllers/epp/sessions_controller.rb b/app/controllers/epp/sessions_controller.rb
@@ -26,7 +26,8 @@ def login
       end
 
       if !Rails.env.development? && (!webclient_request && @api_user)
-        unless @api_user.api_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'])
           epp_errors << {
             msg: 'Authentication error; server closing connection (certificate is not valid)',
             code: '2501'

diff --git a/app/controllers/registrar/sessions_controller.rb b/app/controllers/registrar/sessions_controller.rb
@@ -31,7 +31,8 @@ def create
       end
 
       if @depp_user.pki
-        unless @api_user.registrar_pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'], request.env['HTTP_SSL_CLIENT_S_DN_CN'])
+        unless @api_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+                                 request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: false)
           @depp_user.errors.add(:base, :invalid_cert)
         end
       end
@@ -205,4 +206,4 @@ def show_error
       redirect_to new_registrar_user_session_url, alert: @depp_user.errors.full_messages.first
     end
   end
-end
+end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
@@ -64,24 +64,14 @@ def unread_notifications
     registrar.notifications.unread
   end
 
-  def registrar_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
-    md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.registrar.exists?(md5: md5, common_name: cn)
-  end
+  def pki_ok?(crt, com, api: true)
+    return false if crt.blank? || com.blank?
 
-  def api_pki_ok?(crt, cn)
-    return false if crt.blank? || cn.blank?
-    crt = crt.split(' ').join("\n")
-    crt.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
-    crt.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
-    cert = OpenSSL::X509::Certificate.new(crt)
+    origin = api ? certificates.api : certificates.registrar
+    cert = machine_readable_certificate(crt)
     md5 = OpenSSL::Digest::MD5.new(cert.to_der).to_s
-    certificates.api.exists?(md5: md5, common_name: cn)
+
+    origin.exists?(md5: md5, common_name: com, revoked: false)
   end
 
   def linked_users
@@ -93,4 +83,14 @@ def linked_users
   def linked_with?(another_api_user)
     another_api_user.identity_code == self.identity_code
   end
+
+  private
+
+  def machine_readable_certificate(cert)
+    cert = cert.split(' ').join("\n")
+    cert.gsub!("-----BEGIN\nCERTIFICATE-----\n", "-----BEGIN CERTIFICATE-----\n")
+    cert.gsub!("\n-----END\nCERTIFICATE-----", "\n-----END CERTIFICATE-----")
+
+    OpenSSL::X509::Certificate.new(cert)
+  end
 end
diff --git a/app/models/certificate.rb b/app/models/certificate.rb
@@ -116,6 +116,7 @@ def revoke!
       -revoke #{crt_file.path} -key '#{ENV['ca_key_password']}' -batch")
 
     if err.match(/Data Base Updated/) || err.match(/ERROR:Already revoked/)
+      self.revoked = true
       save!
       @cached_status = REVOKED
     else

diff --git a/db/migrate/20200505103316_add_revoked_to_certificate.rb b/db/migrate/20200505103316_add_revoked_to_certificate.rb
@@ -0,0 +1,5 @@
+class AddRevokedToCertificate < ActiveRecord::Migration[5.2]
+  def change
+    add_column :certificates, :revoked, :boolean, null: false, default: false
+  end
+end
diff --git a/db/structure.sql b/db/structure.sql
@@ -476,7 +476,8 @@ CREATE TABLE public.certificates (
     updated_at timestamp without time zone,
     common_name character varying,
     md5 character varying,
-    interface character varying
+    interface character varying,
+    revoked boolean DEFAULT false NOT NULL
 );
 
 
@@ -4463,5 +4464,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('20200130092113'),
 ('20200203143458'),
 ('20200204103125'),
-('20200311114649');
+('20200311114649'),
+('20200505103316');
+
 
diff --git a/test/fixtures/certificates.yml b/test/fixtures/certificates.yml
@@ -0,0 +1,7 @@
+one:
+  api_user: api_bestnames
+  common_name: registry.test
+  crt: "-----BEGIN CERTIFICATE-----\nMIICYjCCAcugAwIBAgIBADANBgkqhkiG9w0BAQ0FADBNMQswCQYDVQQGEwJ1czEO\nMAwGA1UECAwFVGV4YXMxFjAUBgNVBAoMDVJlZ2lzdHJ5IHRlc3QxFjAUBgNVBAMM\nDXJlZ2lzdHJ5LnRlc3QwIBcNMjAwNTA1MTIzNzQxWhgPMjEyMDA0MTExMjM3NDFa\nME0xCzAJBgNVBAYTAnVzMQ4wDAYDVQQIDAVUZXhhczEWMBQGA1UECgwNUmVnaXN0\ncnkgdGVzdDEWMBQGA1UEAwwNcmVnaXN0cnkudGVzdDCBnzANBgkqhkiG9w0BAQEF\nAAOBjQAwgYkCgYEAyn+GCkUJIhdXVBOPrZH+Zj2B/tQfL5TLZwVYZQt38x6GQT+4\n6ndty467IJvKSUlHej7uMpsCzC8Ffmda4cZm16jO1vUb4hXIrmeKP84zLrrUpKag\ngZR4rBDbG2+uL4SzMyy3yeQysYuTiQ4N1i4vdhvkKYPSWIht/QFvuzdFq+0CAwEA\nAaNQME4wHQYDVR0OBBYEFD6B5j6NnMCDBnfbtjBYKBJM7sCRMB8GA1UdIwQYMBaA\nFD6B5j6NnMCDBnfbtjBYKBJM7sCRMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEN\nBQADgYEArtCR6VOabD3nM/KlZTmHMZVT4ntenYlNTM9FS0RatzPmdh4REhykvmZs\nOlBcpoV5tN5Y8bHOVRqY9V2e903QEhQgoccQhbt0Py6uFwfLv+WLKAUbeGnPqK9d\ndL3wXN9BQs0hJA6IZNFyz2F/gSTURrD1zWW2na3ipRzhupW5+98=\n-----END CERTIFICATE-----\n"
+  md5: e6771ed5dc857a1dbcc1e0a36baa1fee
+  interface: api
+  revoked: false
diff --git a/test/models/api_user_test.rb b/test/models/api_user_test.rb
@@ -63,6 +63,21 @@ def test_finds_user_by_id_card
     assert_nil ApiUser.find_by_id_card(id_card)
   end
 
+  def test_verifies_pki_status
+    certificate = certificates(:one)
+
+    assert @user.pki_ok?(certificate.crt, certificate.common_name, api: true)
+    assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: true)
+
+    certificate.update(interface: 'registrar')
+
+    assert @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
+    assert_not @user.pki_ok?(certificate.crt, 'invalid-cn', api: false)
+
+    certificate.update(revoked: true)
+    assert_not @user.pki_ok?(certificate.crt, certificate.common_name, api: false)
+  end
+
   private
 
   def valid_user