debian-mirror-gitlab/app/services/verify_pages_domain_service.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

118 lines
3 KiB
Ruby
Raw Permalink Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2018-03-17 18:26:18 +05:30
require 'resolv'
class VerifyPagesDomainService < BaseService
# The maximum number of seconds to be spent on each DNS lookup
RESOLVER_TIMEOUT_SECONDS = 15
# How long verification lasts for
VERIFICATION_PERIOD = 7.days
2019-07-31 22:56:46 +05:30
REMOVAL_DELAY = 1.week.freeze
2018-03-17 18:26:18 +05:30
attr_reader :domain
def initialize(domain)
@domain = domain
end
def execute
return error("No verification code set for #{domain.domain}") unless domain.verification_code.present?
if !verification_enabled? || dns_record_present?
verify_domain!
elsif expired?
disable_domain!
else
unverify_domain!
end
end
private
def verify_domain!
was_disabled = !domain.enabled?
was_unverified = domain.unverified?
# Prevent any pre-existing grace period from being truncated
reverify = [domain.enabled_until, VERIFICATION_PERIOD.from_now].compact.max
2020-05-24 23:13:21 +05:30
domain.assign_attributes(verified_at: Time.current, enabled_until: reverify, remove_at: nil)
2018-05-01 15:08:00 +05:30
domain.save!(validate: false)
2018-03-17 18:26:18 +05:30
if was_disabled
notify(:enabled)
elsif was_unverified
notify(:verification_succeeded)
end
success
end
def unverify_domain!
2019-07-31 22:56:46 +05:30
was_verified = domain.verified?
2018-05-01 15:08:00 +05:30
2019-07-31 22:56:46 +05:30
domain.assign_attributes(verified_at: nil)
domain.remove_at ||= REMOVAL_DELAY.from_now unless domain.enabled?
domain.save!(validate: false)
notify(:verification_failed) if was_verified
2018-03-17 18:26:18 +05:30
error("Couldn't verify #{domain.domain}")
end
def disable_domain!
2018-05-01 15:08:00 +05:30
domain.assign_attributes(verified_at: nil, enabled_until: nil)
2019-07-31 22:56:46 +05:30
domain.remove_at ||= REMOVAL_DELAY.from_now
2018-05-01 15:08:00 +05:30
domain.save!(validate: false)
2018-03-17 18:26:18 +05:30
notify(:disabled)
error("Couldn't verify #{domain.domain}. It is now disabled.")
end
# A domain is only expired until `disable!` has been called
def expired?
2020-05-24 23:13:21 +05:30
domain.enabled_until && domain.enabled_until < Time.current
2018-03-17 18:26:18 +05:30
end
def dns_record_present?
Resolv::DNS.open do |resolver|
resolver.timeouts = RESOLVER_TIMEOUT_SECONDS
check(domain.domain, resolver) || check(domain.verification_domain, resolver)
end
end
def check(domain_name, resolver)
2022-01-26 12:08:38 +05:30
# Append '.' to domain_name, indicating absolute FQDN
records = parse(txt_records(domain_name + '.', resolver))
2018-03-17 18:26:18 +05:30
records.any? do |record|
record == domain.keyed_verification_code || record == domain.verification_code
end
2021-06-08 01:23:25 +05:30
rescue StandardError => err
2018-03-17 18:26:18 +05:30
log_error("Failed to check TXT records on #{domain_name} for #{domain.domain}: #{err}")
false
end
def txt_records(domain_name, resolver)
resolver.getresources(domain_name, Resolv::DNS::Resource::IN::TXT)
end
def parse(records)
records.flat_map(&:strings).flat_map(&:split)
end
def verification_enabled?
Gitlab::CurrentSettings.pages_domain_verification_enabled?
end
def notify(type)
return unless verification_enabled?
Gitlab::AppLogger.info("Pages domain '#{domain.domain}' changed state to '#{type}'")
notification_service.public_send("pages_domain_#{type}", domain) # rubocop:disable GitlabSecurity/PublicSend
end
end