108 lines
2.6 KiB
Ruby
108 lines
2.6 KiB
Ruby
|
require 'resolv'
|
||
|
|
||
|
class VerifyPagesDomainService < BaseService
|
||
|
# The maximum number of seconds to be spent on each DNS lookup
|
||
|
RESOLVER_TIMEOUT_SECONDS = 15
|
||
|
|
||
|
# How long verification lasts for
|
||
|
VERIFICATION_PERIOD = 7.days
|
||
|
|
||
|
attr_reader :domain
|
||
|
|
||
|
def initialize(domain)
|
||
|
@domain = domain
|
||
|
end
|
||
|
|
||
|
def execute
|
||
|
return error("No verification code set for #{domain.domain}") unless domain.verification_code.present?
|
||
|
|
||
|
if !verification_enabled? || dns_record_present?
|
||
|
verify_domain!
|
||
|
elsif expired?
|
||
|
disable_domain!
|
||
|
else
|
||
|
unverify_domain!
|
||
|
end
|
||
|
end
|
||
|
|
||
|
private
|
||
|
|
||
|
def verify_domain!
|
||
|
was_disabled = !domain.enabled?
|
||
|
was_unverified = domain.unverified?
|
||
|
|
||
|
# Prevent any pre-existing grace period from being truncated
|
||
|
reverify = [domain.enabled_until, VERIFICATION_PERIOD.from_now].compact.max
|
||
|
|
||
|
domain.update!(verified_at: Time.now, enabled_until: reverify)
|
||
|
|
||
|
if was_disabled
|
||
|
notify(:enabled)
|
||
|
elsif was_unverified
|
||
|
notify(:verification_succeeded)
|
||
|
end
|
||
|
|
||
|
success
|
||
|
end
|
||
|
|
||
|
def unverify_domain!
|
||
|
if domain.verified?
|
||
|
domain.update!(verified_at: nil)
|
||
|
notify(:verification_failed)
|
||
|
end
|
||
|
|
||
|
error("Couldn't verify #{domain.domain}")
|
||
|
end
|
||
|
|
||
|
def disable_domain!
|
||
|
domain.update!(verified_at: nil, enabled_until: nil)
|
||
|
|
||
|
notify(:disabled)
|
||
|
|
||
|
error("Couldn't verify #{domain.domain}. It is now disabled.")
|
||
|
end
|
||
|
|
||
|
# A domain is only expired until `disable!` has been called
|
||
|
def expired?
|
||
|
domain.enabled_until && domain.enabled_until < Time.now
|
||
|
end
|
||
|
|
||
|
def dns_record_present?
|
||
|
Resolv::DNS.open do |resolver|
|
||
|
resolver.timeouts = RESOLVER_TIMEOUT_SECONDS
|
||
|
|
||
|
check(domain.domain, resolver) || check(domain.verification_domain, resolver)
|
||
|
end
|
||
|
end
|
||
|
|
||
|
def check(domain_name, resolver)
|
||
|
records = parse(txt_records(domain_name, resolver))
|
||
|
|
||
|
records.any? do |record|
|
||
|
record == domain.keyed_verification_code || record == domain.verification_code
|
||
|
end
|
||
|
rescue => err
|
||
|
log_error("Failed to check TXT records on #{domain_name} for #{domain.domain}: #{err}")
|
||
|
false
|
||
|
end
|
||
|
|
||
|
def txt_records(domain_name, resolver)
|
||
|
resolver.getresources(domain_name, Resolv::DNS::Resource::IN::TXT)
|
||
|
end
|
||
|
|
||
|
def parse(records)
|
||
|
records.flat_map(&:strings).flat_map(&:split)
|
||
|
end
|
||
|
|
||
|
def verification_enabled?
|
||
|
Gitlab::CurrentSettings.pages_domain_verification_enabled?
|
||
|
end
|
||
|
|
||
|
def notify(type)
|
||
|
return unless verification_enabled?
|
||
|
|
||
|
Gitlab::AppLogger.info("Pages domain '#{domain.domain}' changed state to '#{type}'")
|
||
|
notification_service.public_send("pages_domain_#{type}", domain) # rubocop:disable GitlabSecurity/PublicSend
|
||
|
end
|
||
|
end
|