debian-mirror-gitlab/app/models/pages_domain.rb

# frozen_string_literal: true

class PagesDomain < ApplicationRecord
  include Presentable
  include FromUnion
  include AfterCommitQueue

  VERIFICATION_KEY = 'gitlab-pages-verification-code'
  VERIFICATION_THRESHOLD = 3.days.freeze
  SSL_RENEWAL_THRESHOLD = 30.days.freeze

  enum certificate_source: { user_provided: 0, gitlab_provided: 1 }, _prefix: :certificate
  enum scope: { instance: 0, group: 1, project: 2 }, _prefix: :scope
  enum usage: { pages: 0, serverless: 1 }, _prefix: :usage

  belongs_to :project
  has_many :acme_orders, class_name: "PagesDomainAcmeOrder"
  has_many :serverless_domain_clusters, class_name: 'Serverless::DomainCluster', inverse_of: :pages_domain

  before_validation :clear_auto_ssl_failure, unless: :auto_ssl_enabled

  validates :domain, hostname: { allow_numeric_hostname: true }
  validates :domain, uniqueness: { case_sensitive: false }
  validates :certificate, :key, presence: true, if: :usage_serverless?
  validates :certificate, presence: { message: 'must be present if HTTPS-only is enabled' },
            if: :certificate_should_be_present?
  validates :certificate, certificate: true, if: ->(domain) { domain.certificate.present? }
  validates :key, presence: { message: 'must be present if HTTPS-only is enabled' },
            if: :certificate_should_be_present?
  validates :key, certificate_key: true, named_ecdsa_key: true, if: ->(domain) { domain.key.present? }
  validates :verification_code, presence: true, allow_blank: false

  validate :validate_pages_domain
  validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
  validate :validate_intermediates, if: ->(domain) { domain.certificate.present? && domain.certificate_changed? }

  default_value_for(:auto_ssl_enabled, allows_nil: false) { ::Gitlab::LetsEncrypt.enabled? }
  default_value_for :scope, allows_nil: false, value: :project
  default_value_for :wildcard, allows_nil: false, value: false
  default_value_for :usage, allows_nil: false, value: :pages

  attr_encrypted :key,
    mode: :per_attribute_iv_and_salt,
    insecure_mode: true,
    key: Settings.attr_encrypted_db_key_base,
    algorithm: 'aes-256-cbc'

  after_initialize :set_verification_code

  scope :for_project, ->(project) { where(project: project) }

  scope :enabled, -> { where('enabled_until >= ?', Time.current ) }
  scope :needs_verification, -> do
    verified_at = arel_table[:verified_at]
    enabled_until = arel_table[:enabled_until]
    threshold = Time.current + VERIFICATION_THRESHOLD

    where(verified_at.eq(nil).or(enabled_until.eq(nil).or(enabled_until.lt(threshold))))
  end

  scope :need_auto_ssl_renewal, -> do
    enabled_and_not_failed = where(auto_ssl_enabled: true, auto_ssl_failed: false)

    user_provided = enabled_and_not_failed.certificate_user_provided
    certificate_not_valid = enabled_and_not_failed.where(certificate_valid_not_after: nil)
    certificate_expiring = enabled_and_not_failed
                             .where(arel_table[:certificate_valid_not_after].lt(SSL_RENEWAL_THRESHOLD.from_now))

    from_union([user_provided, certificate_not_valid, certificate_expiring])
  end

  scope :for_removal, -> { where("remove_at < ?", Time.current) }

  scope :with_logging_info, -> { includes(project: [:namespace, :route]) }

  scope :instance_serverless, -> { where(wildcard: true, scope: :instance, usage: :serverless) }

  def self.find_by_domain_case_insensitive(domain)
    find_by("LOWER(domain) = LOWER(?)", domain)
  end

  def verified?
    !!verified_at
  end

  def unverified?
    !verified?
  end

  def enabled?
    !Gitlab::CurrentSettings.pages_domain_verification_enabled? || enabled_until.present?
  end

  def https?
    certificate.present?
  end

  def to_param
    domain
  end

  def url
    return unless domain

    if certificate.present?
      "https://#{domain}"
    else
      "http://#{domain}"
    end
  end

  def has_matching_key?
    return false unless x509
    return false unless pkey

    # We compare the public key stored in certificate with public key from certificate key
    x509.check_private_key(pkey)
  end

  def has_intermediates?
    return false unless x509

    # self-signed certificates doesn't have the certificate chain
    return true if x509.verify(x509.public_key)

    store = OpenSSL::X509::Store.new
    store.set_default_paths

    store.verify(x509, untrusted_ca_certs_bundle)
  rescue OpenSSL::X509::StoreError
    false
  end

  def untrusted_ca_certs_bundle
    ::Gitlab::X509::Certificate.load_ca_certs_bundle(certificate)
  end

  def expired?
    return false unless x509

    current = Time.current
    current < x509.not_before || x509.not_after < current
  end

  def expiration
    x509&.not_after
  end

  def subject
    return unless x509

    x509.subject.to_s
  end

  def certificate_text
    @certificate_text ||= x509.try(:to_text)
  end

  # Verification codes may be TXT records for domain or verification_domain, to
  # support the use of CNAME records on domain.
  def verification_domain
    return unless domain.present?

    "_#{VERIFICATION_KEY}.#{domain}"
  end

  def keyed_verification_code
    return unless verification_code.present?

    "#{VERIFICATION_KEY}=#{verification_code}"
  end

  def certificate=(certificate)
    super(certificate)

    # set nil, if certificate is nil
    self.certificate_valid_not_before = x509&.not_before
    self.certificate_valid_not_after = x509&.not_after
  end

  def user_provided_key
    key if certificate_user_provided?
  end

  def user_provided_key=(key)
    self.key = key
    self.certificate_source = 'user_provided' if attribute_changed?(:key)
  end

  def user_provided_certificate
    certificate if certificate_user_provided?
  end

  def user_provided_certificate=(certificate)
    self.certificate = certificate
    self.certificate_source = 'user_provided' if certificate_changed?
  end

  def gitlab_provided_certificate=(certificate)
    self.certificate = certificate
    self.certificate_source = 'gitlab_provided' if certificate_changed?
  end

  def gitlab_provided_key=(key)
    self.key = key
    self.certificate_source = 'gitlab_provided' if attribute_changed?(:key)
  end

  def pages_virtual_domain
    return unless pages_deployed?

    Pages::VirtualDomain.new([project], domain: self)
  end

  def clear_auto_ssl_failure
    self.auto_ssl_failed = false
  end

  private

  def pages_deployed?
    return false unless project

    project.pages_metadatum&.deployed?
  end

  def set_verification_code
    return if self.verification_code.present?

    self.verification_code = SecureRandom.hex(16)
  end

  def validate_matching_key
    unless has_matching_key?
      self.errors.add(:key, "doesn't match the certificate")
    end
  end

  def validate_intermediates
    unless has_intermediates?
      self.errors.add(:certificate, 'misses intermediates')
    end
  end

  def validate_pages_domain
    return unless domain

    if domain.downcase.ends_with?(".#{Settings.pages.host.downcase}") || domain.casecmp(Settings.pages.host) == 0
      self.errors.add(:domain, "#{Settings.pages.host} and its subdomains cannot be used as custom pages domains. Please compare our documentation at https://docs.gitlab.com/ee/administration/pages/#advanced-configuration against your configuration.")
    end
  end

  def x509
    return unless certificate.present?

    @x509 ||= OpenSSL::X509::Certificate.new(certificate)
  rescue OpenSSL::X509::CertificateError
    nil
  end

  def pkey
    return unless key

    @pkey ||= OpenSSL::PKey.read(key)
  rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
    nil
  end

  def certificate_should_be_present?
    !auto_ssl_enabled? && project&.pages_https_only?
  end
end

PagesDomain.prepend_mod_with('PagesDomain')
New upstream version 11.2.8+dfsg 2018-11-18 11:00:15 +05:30			`# frozen_string_literal: true`

New upstream version 11.10.8+dfsg 2019-07-07 11:18:12 +05:30			`class PagesDomain < ApplicationRecord`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`include Presentable`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`include FromUnion`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`include AfterCommitQueue`
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`VERIFICATION_KEY = 'gitlab-pages-verification-code'`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`VERIFICATION_THRESHOLD = 3.days.freeze`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`SSL_RENEWAL_THRESHOLD = 30.days.freeze`

			`enum certificate_source: { user_provided: 0, gitlab_provided: 1 }, _prefix: :certificate`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`enum scope: { instance: 0, group: 1, project: 2 }, _prefix: :scope`
			`enum usage: { pages: 0, serverless: 1 }, _prefix: :usage`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`belongs_to :project`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`has_many :acme_orders, class_name: "PagesDomainAcmeOrder"`
New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`has_many :serverless_domain_clusters, class_name: 'Serverless::DomainCluster', inverse_of: :pages_domain`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`before_validation :clear_auto_ssl_failure, unless: :auto_ssl_enabled`

New upstream version 9.5.4+dfsg 2017-09-10 17:25:29 +05:30			`validates :domain, hostname: { allow_numeric_hostname: true }`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`validates :domain, uniqueness: { case_sensitive: false }`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`validates :certificate, :key, presence: true, if: :usage_serverless?`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`validates :certificate, presence: { message: 'must be present if HTTPS-only is enabled' },`
			`if: :certificate_should_be_present?`
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`validates :certificate, certificate: true, if: ->(domain) { domain.certificate.present? }`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`validates :key, presence: { message: 'must be present if HTTPS-only is enabled' },`
			`if: :certificate_should_be_present?`
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`validates :key, certificate_key: true, named_ecdsa_key: true, if: ->(domain) { domain.key.present? }`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`validates :verification_code, presence: true, allow_blank: false`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
			`validate :validate_pages_domain`
			`validate :validate_matching_key, if: ->(domain) { domain.certificate.present? \|\| domain.key.present? }`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`validate :validate_intermediates, if: ->(domain) { domain.certificate.present? && domain.certificate_changed? }`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`default_value_for(:auto_ssl_enabled, allows_nil: false) { ::Gitlab::LetsEncrypt.enabled? }`
			`default_value_for :scope, allows_nil: false, value: :project`
			`default_value_for :wildcard, allows_nil: false, value: false`
			`default_value_for :usage, allows_nil: false, value: :pages`
New upstream version 12.5.4 2019-12-26 22:10:19 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`attr_encrypted :key,`
			`mode: :per_attribute_iv_and_salt,`
			`insecure_mode: true,`
New upstream version 11.1.8+dfsg 2018-11-08 19:23:39 +05:30			`key: Settings.attr_encrypted_db_key_base,`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`algorithm: 'aes-256-cbc'`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`after_initialize :set_verification_code`

New upstream version 14.0.10 2021-09-04 01:27:46 +05:30			`scope :for_project, ->(project) { where(project: project) }`

New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`scope :enabled, -> { where('enabled_until >= ?', Time.current ) }`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`scope :needs_verification, -> do`
			`verified_at = arel_table[:verified_at]`
			`enabled_until = arel_table[:enabled_until]`
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`threshold = Time.current + VERIFICATION_THRESHOLD`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
			`where(verified_at.eq(nil).or(enabled_until.eq(nil).or(enabled_until.lt(threshold))))`
			`end`

New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`scope :need_auto_ssl_renewal, -> do`
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`enabled_and_not_failed = where(auto_ssl_enabled: true, auto_ssl_failed: false)`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`user_provided = enabled_and_not_failed.certificate_user_provided`
			`certificate_not_valid = enabled_and_not_failed.where(certificate_valid_not_after: nil)`
			`certificate_expiring = enabled_and_not_failed`
			`.where(arel_table[:certificate_valid_not_after].lt(SSL_RENEWAL_THRESHOLD.from_now))`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30
New upstream version 13.0.0 2020-05-24 23:13:21 +05:30			`from_union([user_provided, certificate_not_valid, certificate_expiring])`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`end`

New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`scope :for_removal, -> { where("remove_at < ?", Time.current) }`
New upstream version 11.11.7+dfsg 2019-07-31 22:56:46 +05:30
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30			`scope :with_logging_info, -> { includes(project: [:namespace, :route]) }`

			`scope :instance_serverless, -> { where(wildcard: true, scope: :instance, usage: :serverless) }`

New upstream version 12.9.2 2020-04-08 14:13:33 +05:30			`def self.find_by_domain_case_insensitive(domain)`
			`find_by("LOWER(domain) = LOWER(?)", domain)`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`def verified?`
			`!!verified_at`
			`end`

			`def unverified?`
			`!verified?`
			`end`

			`def enabled?`
			`!Gitlab::CurrentSettings.pages_domain_verification_enabled? \|\| enabled_until.present?`
			`end`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30
New upstream version 10.7.3+dfsg 2018-05-09 12:01:36 +05:30			`def https?`
			`certificate.present?`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def to_param`
			`domain`
			`end`

			`def url`
			`return unless domain`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`if certificate.present?`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`"https://#{domain}"`
			`else`
			`"http://#{domain}"`
			`end`
			`end`

			`def has_matching_key?`
			`return false unless x509`
			`return false unless pkey`

			`# We compare the public key stored in certificate with public key from certificate key`
			`x509.check_private_key(pkey)`
			`end`

			`def has_intermediates?`
			`return false unless x509`

			`# self-signed certificates doesn't have the certificate chain`
			`return true if x509.verify(x509.public_key)`

			`store = OpenSSL::X509::Store.new`
			`store.set_default_paths`

New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`store.verify(x509, untrusted_ca_certs_bundle)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`rescue OpenSSL::X509::StoreError`
			`false`
			`end`

New upstream version 14.4.2+ds1 2021-11-18 22:05:49 +05:30			`def untrusted_ca_certs_bundle`
			`::Gitlab::X509::Certificate.load_ca_certs_bundle(certificate)`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def expired?`
			`return false unless x509`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 13.1.0 2020-06-23 00:09:42 +05:30			`current = Time.current`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`current < x509.not_before \|\| x509.not_after < current`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`def expiration`
			`x509&.not_after`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def subject`
			`return unless x509`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`x509.subject.to_s`
			`end`

			`def certificate_text`
			`@certificate_text \|\|= x509.try(:to_text)`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`# Verification codes may be TXT records for domain or verification_domain, to`
			`# support the use of CNAME records on domain.`
			`def verification_domain`
			`return unless domain.present?`

			`"_#{VERIFICATION_KEY}.#{domain}"`
			`end`

			`def keyed_verification_code`
			`return unless verification_code.present?`

			`"#{VERIFICATION_KEY}=#{verification_code}"`
			`end`

New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`def certificate=(certificate)`
			`super(certificate)`

			`# set nil, if certificate is nil`
			`self.certificate_valid_not_before = x509&.not_before`
			`self.certificate_valid_not_after = x509&.not_after`
			`end`

New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`def user_provided_key`
			`key if certificate_user_provided?`
			`end`

			`def user_provided_key=(key)`
			`self.key = key`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`self.certificate_source = 'user_provided' if attribute_changed?(:key)`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`end`

			`def user_provided_certificate`
			`certificate if certificate_user_provided?`
			`end`

			`def user_provided_certificate=(certificate)`
			`self.certificate = certificate`
			`self.certificate_source = 'user_provided' if certificate_changed?`
			`end`

			`def gitlab_provided_certificate=(certificate)`
			`self.certificate = certificate`
			`self.certificate_source = 'gitlab_provided' if certificate_changed?`
			`end`

			`def gitlab_provided_key=(key)`
			`self.key = key`
New upstream version 13.8.5+ds1 2021-03-08 18:12:59 +05:30			`self.certificate_source = 'gitlab_provided' if attribute_changed?(:key)`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30			`end`

New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`def pages_virtual_domain`
New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`return unless pages_deployed?`

New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`Pages::VirtualDomain.new([project], domain: self)`
			`end`

New upstream version 12.10.0 2020-04-22 19:07:51 +05:30			`def clear_auto_ssl_failure`
			`self.auto_ssl_failed = false`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`private`

New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`def pages_deployed?`
New upstream version 13.3.8 2020-10-24 23:57:45 +05:30			`return false unless project`

New upstream version 12.4.6 2019-12-21 20:55:43 +05:30			`project.pages_metadatum&.deployed?`
			`end`

New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30			`def set_verification_code`
			`return if self.verification_code.present?`

			`self.verification_code = SecureRandom.hex(16)`
			`end`

New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`def validate_matching_key`
			`unless has_matching_key?`
			`self.errors.add(:key, "doesn't match the certificate")`
			`end`
			`end`

			`def validate_intermediates`
			`unless has_intermediates?`
			`self.errors.add(:certificate, 'misses intermediates')`
			`end`
			`end`

			`def validate_pages_domain`
			`return unless domain`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 14.8.5+ds1 2022-04-04 11:22:00 +05:30			`if domain.downcase.ends_with?(".#{Settings.pages.host.downcase}") \|\| domain.casecmp(Settings.pages.host) == 0`
			`self.errors.add(:domain, "#{Settings.pages.host} and its subdomains cannot be used as custom pages domains. Please compare our documentation at https://docs.gitlab.com/ee/administration/pages/#advanced-configuration against your configuration.")`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`end`
			`end`

			`def x509`
New upstream version 12.0.8 2019-09-04 21:01:54 +05:30			`return unless certificate.present?`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`@x509 \|\|= OpenSSL::X509::Certificate.new(certificate)`
			`rescue OpenSSL::X509::CertificateError`
			`nil`
			`end`

			`def pkey`
			`return unless key`
New upstream version 10.5.5+dfsg 2018-03-17 18:26:18 +05:30
New upstream version 12.3.8 2019-12-04 20:38:33 +05:30			`@pkey \|\|= OpenSSL::PKey.read(key)`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError`
			`nil`
			`end`
New upstream version 12.1.11 2019-09-30 21:07:59 +05:30
			`def certificate_should_be_present?`
			`!auto_ssl_enabled? && project&.pages_https_only?`
			`end`
New upstream version 9.2.10+dfsg 2017-08-17 22:00:37 +05:30			`end`
New upstream version 12.8.6 2020-03-13 15:44:24 +05:30
New upstream version 13.12.3+ds1 2021-06-08 01:23:25 +05:30			`PagesDomain.prepend_mod_with('PagesDomain')`