debian-mirror-gitlab/app/models/pages_domain.rb

276 lines
7.6 KiB
Ruby
Raw Normal View History

2018-11-18 11:00:15 +05:30
# frozen_string_literal: true
2019-07-07 11:18:12 +05:30
class PagesDomain < ApplicationRecord
2020-04-22 19:07:51 +05:30
include Presentable
2020-05-24 23:13:21 +05:30
include FromUnion
2020-10-24 23:57:45 +05:30
include AfterCommitQueue
2020-04-22 19:07:51 +05:30
2019-12-04 20:38:33 +05:30
VERIFICATION_KEY = 'gitlab-pages-verification-code'
2018-03-17 18:26:18 +05:30
VERIFICATION_THRESHOLD = 3.days.freeze
2019-09-30 21:07:59 +05:30
SSL_RENEWAL_THRESHOLD = 30.days.freeze
enum certificate_source: { user_provided: 0, gitlab_provided: 1 }, _prefix: :certificate
2020-03-13 15:44:24 +05:30
enum scope: { instance: 0, group: 1, project: 2 }, _prefix: :scope
enum usage: { pages: 0, serverless: 1 }, _prefix: :usage
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
belongs_to :project
2019-09-04 21:01:54 +05:30
has_many :acme_orders, class_name: "PagesDomainAcmeOrder"
2020-04-08 14:13:33 +05:30
has_many :serverless_domain_clusters, class_name: 'Serverless::DomainCluster', inverse_of: :pages_domain
2017-08-17 22:00:37 +05:30
2020-04-22 19:07:51 +05:30
before_validation :clear_auto_ssl_failure, unless: :auto_ssl_enabled
2017-09-10 17:25:29 +05:30
validates :domain, hostname: { allow_numeric_hostname: true }
2017-08-17 22:00:37 +05:30
validates :domain, uniqueness: { case_sensitive: false }
2020-03-13 15:44:24 +05:30
validates :certificate, :key, presence: true, if: :usage_serverless?
2019-09-30 21:07:59 +05:30
validates :certificate, presence: { message: 'must be present if HTTPS-only is enabled' },
if: :certificate_should_be_present?
2018-05-09 12:01:36 +05:30
validates :certificate, certificate: true, if: ->(domain) { domain.certificate.present? }
2019-09-30 21:07:59 +05:30
validates :key, presence: { message: 'must be present if HTTPS-only is enabled' },
if: :certificate_should_be_present?
2019-12-04 20:38:33 +05:30
validates :key, certificate_key: true, named_ecdsa_key: true, if: ->(domain) { domain.key.present? }
2018-03-17 18:26:18 +05:30
validates :verification_code, presence: true, allow_blank: false
2017-08-17 22:00:37 +05:30
validate :validate_pages_domain
validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
2019-09-30 21:07:59 +05:30
validate :validate_intermediates, if: ->(domain) { domain.certificate.present? && domain.certificate_changed? }
2017-08-17 22:00:37 +05:30
2021-02-22 17:27:13 +05:30
default_value_for(:auto_ssl_enabled, allows_nil: false) { ::Gitlab::LetsEncrypt.enabled? }
default_value_for :scope, allows_nil: false, value: :project
default_value_for :wildcard, allows_nil: false, value: false
default_value_for :usage, allows_nil: false, value: :pages
2019-12-26 22:10:19 +05:30
2017-08-17 22:00:37 +05:30
attr_encrypted :key,
mode: :per_attribute_iv_and_salt,
insecure_mode: true,
2018-11-08 19:23:39 +05:30
key: Settings.attr_encrypted_db_key_base,
2017-08-17 22:00:37 +05:30
algorithm: 'aes-256-cbc'
2018-03-17 18:26:18 +05:30
after_initialize :set_verification_code
2021-09-04 01:27:46 +05:30
scope :for_project, ->(project) { where(project: project) }
2020-06-23 00:09:42 +05:30
scope :enabled, -> { where('enabled_until >= ?', Time.current ) }
2018-03-17 18:26:18 +05:30
scope :needs_verification, -> do
verified_at = arel_table[:verified_at]
enabled_until = arel_table[:enabled_until]
2020-06-23 00:09:42 +05:30
threshold = Time.current + VERIFICATION_THRESHOLD
2018-03-17 18:26:18 +05:30
where(verified_at.eq(nil).or(enabled_until.eq(nil).or(enabled_until.lt(threshold))))
end
2019-09-30 21:07:59 +05:30
scope :need_auto_ssl_renewal, -> do
2020-05-24 23:13:21 +05:30
enabled_and_not_failed = where(auto_ssl_enabled: true, auto_ssl_failed: false)
2019-09-30 21:07:59 +05:30
2020-05-24 23:13:21 +05:30
user_provided = enabled_and_not_failed.certificate_user_provided
certificate_not_valid = enabled_and_not_failed.where(certificate_valid_not_after: nil)
certificate_expiring = enabled_and_not_failed
.where(arel_table[:certificate_valid_not_after].lt(SSL_RENEWAL_THRESHOLD.from_now))
2019-09-30 21:07:59 +05:30
2020-05-24 23:13:21 +05:30
from_union([user_provided, certificate_not_valid, certificate_expiring])
2019-09-30 21:07:59 +05:30
end
2020-06-23 00:09:42 +05:30
scope :for_removal, -> { where("remove_at < ?", Time.current) }
2019-07-31 22:56:46 +05:30
2020-03-13 15:44:24 +05:30
scope :with_logging_info, -> { includes(project: [:namespace, :route]) }
scope :instance_serverless, -> { where(wildcard: true, scope: :instance, usage: :serverless) }
2020-04-08 14:13:33 +05:30
def self.find_by_domain_case_insensitive(domain)
find_by("LOWER(domain) = LOWER(?)", domain)
end
2018-03-17 18:26:18 +05:30
def verified?
!!verified_at
end
def unverified?
!verified?
end
def enabled?
!Gitlab::CurrentSettings.pages_domain_verification_enabled? || enabled_until.present?
end
2017-08-17 22:00:37 +05:30
2018-05-09 12:01:36 +05:30
def https?
certificate.present?
end
2017-08-17 22:00:37 +05:30
def to_param
domain
end
def url
return unless domain
2018-03-17 18:26:18 +05:30
if certificate.present?
2017-08-17 22:00:37 +05:30
"https://#{domain}"
else
"http://#{domain}"
end
end
def has_matching_key?
return false unless x509
return false unless pkey
# We compare the public key stored in certificate with public key from certificate key
x509.check_private_key(pkey)
end
def has_intermediates?
return false unless x509
# self-signed certificates doesn't have the certificate chain
return true if x509.verify(x509.public_key)
store = OpenSSL::X509::Store.new
store.set_default_paths
2021-11-18 22:05:49 +05:30
store.verify(x509, untrusted_ca_certs_bundle)
2017-08-17 22:00:37 +05:30
rescue OpenSSL::X509::StoreError
false
end
2021-11-18 22:05:49 +05:30
def untrusted_ca_certs_bundle
::Gitlab::X509::Certificate.load_ca_certs_bundle(certificate)
end
2017-08-17 22:00:37 +05:30
def expired?
return false unless x509
2018-03-17 18:26:18 +05:30
2020-06-23 00:09:42 +05:30
current = Time.current
2017-08-17 22:00:37 +05:30
current < x509.not_before || x509.not_after < current
end
2018-03-17 18:26:18 +05:30
def expiration
x509&.not_after
end
2017-08-17 22:00:37 +05:30
def subject
return unless x509
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
x509.subject.to_s
end
def certificate_text
@certificate_text ||= x509.try(:to_text)
end
2018-03-17 18:26:18 +05:30
# Verification codes may be TXT records for domain or verification_domain, to
# support the use of CNAME records on domain.
def verification_domain
return unless domain.present?
"_#{VERIFICATION_KEY}.#{domain}"
end
def keyed_verification_code
return unless verification_code.present?
"#{VERIFICATION_KEY}=#{verification_code}"
end
2019-09-04 21:01:54 +05:30
def certificate=(certificate)
super(certificate)
# set nil, if certificate is nil
self.certificate_valid_not_before = x509&.not_before
self.certificate_valid_not_after = x509&.not_after
end
2019-09-30 21:07:59 +05:30
def user_provided_key
key if certificate_user_provided?
end
def user_provided_key=(key)
self.key = key
2021-03-08 18:12:59 +05:30
self.certificate_source = 'user_provided' if attribute_changed?(:key)
2019-09-30 21:07:59 +05:30
end
def user_provided_certificate
certificate if certificate_user_provided?
end
def user_provided_certificate=(certificate)
self.certificate = certificate
self.certificate_source = 'user_provided' if certificate_changed?
end
def gitlab_provided_certificate=(certificate)
self.certificate = certificate
self.certificate_source = 'gitlab_provided' if certificate_changed?
end
def gitlab_provided_key=(key)
self.key = key
2021-03-08 18:12:59 +05:30
self.certificate_source = 'gitlab_provided' if attribute_changed?(:key)
2019-09-30 21:07:59 +05:30
end
2019-12-04 20:38:33 +05:30
def pages_virtual_domain
2019-12-21 20:55:43 +05:30
return unless pages_deployed?
2019-12-04 20:38:33 +05:30
Pages::VirtualDomain.new([project], domain: self)
end
2020-04-22 19:07:51 +05:30
def clear_auto_ssl_failure
self.auto_ssl_failed = false
end
2017-08-17 22:00:37 +05:30
private
2019-12-21 20:55:43 +05:30
def pages_deployed?
2020-10-24 23:57:45 +05:30
return false unless project
2019-12-21 20:55:43 +05:30
project.pages_metadatum&.deployed?
end
2018-03-17 18:26:18 +05:30
def set_verification_code
return if self.verification_code.present?
self.verification_code = SecureRandom.hex(16)
end
2017-08-17 22:00:37 +05:30
def validate_matching_key
unless has_matching_key?
self.errors.add(:key, "doesn't match the certificate")
end
end
def validate_intermediates
unless has_intermediates?
self.errors.add(:certificate, 'misses intermediates')
end
end
def validate_pages_domain
return unless domain
2018-03-17 18:26:18 +05:30
2022-07-16 23:28:13 +05:30
if domain.downcase.ends_with?(".#{Settings.pages.host.downcase}")
error_template = _("Subdomains of the Pages root domain %{root_domain} are reserved and cannot be used as custom Pages domains.")
self.errors.add(:domain, error_template % { root_domain: Settings.pages.host })
2017-08-17 22:00:37 +05:30
end
end
def x509
2019-09-04 21:01:54 +05:30
return unless certificate.present?
2018-03-17 18:26:18 +05:30
2017-08-17 22:00:37 +05:30
@x509 ||= OpenSSL::X509::Certificate.new(certificate)
rescue OpenSSL::X509::CertificateError
nil
end
def pkey
return unless key
2018-03-17 18:26:18 +05:30
2019-12-04 20:38:33 +05:30
@pkey ||= OpenSSL::PKey.read(key)
2017-08-17 22:00:37 +05:30
rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
nil
end
2019-09-30 21:07:59 +05:30
def certificate_should_be_present?
!auto_ssl_enabled? && project&.pages_https_only?
end
2017-08-17 22:00:37 +05:30
end
2020-03-13 15:44:24 +05:30
2021-06-08 01:23:25 +05:30
PagesDomain.prepend_mod_with('PagesDomain')