Merge tag '0.5.2'

8 files changed, 91 insertions, 38 deletions

diff --git a/app/models/account.rb b/app/models/account.rb
index cf998e4..32ed445 100644
--- a/app/models/account.rb
+++ b/app/models/account.rb
@@ -16,9 +16,13 @@ class Account
 
   # Returns the user record so it can be used in views.
   def self.create(attrs)
-    @user = User.create(attrs).tap do |user|
-      Identity.create_for user
+    @user = User.create(attrs)
+    if @user.persisted?
+      identity = @user.identity
+      identity.user_id = @user.id
+      identity.save
     end
+    return @user
   end
 
   def update(attrs)
diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
index 76b07a2..63de9e1 100644
--- a/app/models/client_certificate.rb
+++ b/app/models/client_certificate.rb
@@ -43,8 +43,16 @@ class ClientCertificate
     self.key.to_pem + self.cert.to_pem
   end
 
+  def fingerprint
+    OpenSSL::Digest::SHA1.hexdigest(openssl_cert.to_der).scan(/../).join(':')
+  end
+
   private
 
+  def openssl_cert
+    cert.openssl_body
+  end
+
   def self.root_ca
     @root_ca ||= begin
                    crt = File.read(APP_CONFIG[:client_ca_cert])
diff --git a/app/models/email.rb b/app/models/email.rb
index a9a503f..4090275 100644
--- a/app/models/email.rb
+++ b/app/models/email.rb
@@ -7,6 +7,11 @@ class Email < String
       :message => "needs to be a valid email address"
     }
 
+  # Make sure we can call Email.new(nil) and get an invalid email address
+  def initialize(s)
+    super(s.to_s)
+  end
+
   def to_partial_path
     "emails/email"
   end
diff --git a/app/models/identity.rb b/app/models/identity.rb
index ad8c01e..2f6241c 100644
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -8,9 +8,12 @@ class Identity < CouchRest::Model::Base
   property :address, LocalEmail
   property :destination, Email
   property :keys, HashWithIndifferentAccess
+  property :cert_fingerprints, Hash
 
-  validate :unique_forward
-  validate :alias_available
+  validates :address, presence: true
+  validate :address_available
+  validates :destination, presence: true, if: :enabled?
+  validates :destination, uniqueness: {scope: :address}
   validate :address_local_email
   validate :destination_email
 
@@ -49,7 +52,8 @@ class Identity < CouchRest::Model::Base
 
   def self.find_for(user, attributes = {})
     attributes.reverse_merge! attributes_from_user(user)
-    find_by_address_and_destination [attributes[:address], attributes[:destination]]
+    id = find_by_address_and_destination attributes.values_at(:address, :destination)
+    return id if id && id.user == user
   end
 
   def self.build_for(user, attributes = {})
@@ -66,7 +70,9 @@ class Identity < CouchRest::Model::Base
   def self.disable_all_for(user)
     Identity.by_user_id.key(user.id).each do |identity|
       identity.disable
-      identity.save
+      # if the identity is not unique anymore because the destination
+      # was reset to nil we destroy it.
+      identity.save || identity.destroy
     end
   end
 
@@ -90,7 +96,11 @@ class Identity < CouchRest::Model::Base
   end
 
   def enabled?
-    self.destination && self.user_id
+    self.user_id
+  end
+
+  def disabled?
+    !enabled?
   end
 
   def disable
@@ -107,36 +117,50 @@ class Identity < CouchRest::Model::Base
     write_attribute('keys', keys.merge(type => key.to_s))
   end
 
+  def cert_fingerprints
+    read_attribute('cert_fingerprints') || Hash.new
+  end
+
+  def register_cert(cert)
+    today = DateTime.now.to_date.to_s
+    write_attribute 'cert_fingerprints',
+      cert_fingerprints.merge(cert.fingerprint => today)
+  end
+
   # for LoginFormatValidation
   def login
-    self.address.handle
+    address.handle if address.present?
   end
 
   protected
 
-  def unique_forward
-    same = Identity.find_by_address_and_destination([address, destination])
-    if same && same != self
-      errors.add :base, "This alias already exists"
+  def address_available
+    blocking_identities = Identity.by_address.key(address).all
+    blocking_identities.delete self
+    if self.user
+      blocking_identities.reject! { |other| other.user == self.user }
     end
-  end
-
-  def alias_available
-    same = Identity.find_by_address(address)
-    if same && same.user != self.user
-      errors.add :base, "This email has already been taken"
+    if blocking_identities.any?
+      errors.add :address, :taken
     end
   end
 
   def address_local_email
-    return if address.valid? #this ensures it is LocalEmail
-    self.errors.add(:address, address.errors.messages[:email].first) #assumes only one error
+    # caught by presence validation
+    return if address.blank?
+    return if address.valid?
+    address.errors.each do |attribute, error|
+      self.errors.add(:address, error)
+    end
   end
 
   def destination_email
-    return if destination.nil?   # this identity is disabled
-    return if destination.valid? # this ensures it is Email
-    self.errors.add(:destination, destination.errors.messages[:email].first) #assumes only one error #TODO
+    # caught by presence validation or this identity is disabled
+    return if destination.blank?
+    return if destination.valid?
+    destination.errors.each do |attribute, error|
+      self.errors.add(:destination, error)
+    end
   end
 
 end
diff --git a/app/models/local_email.rb b/app/models/local_email.rb
index 2b4c65e..ded7baf 100644
--- a/app/models/local_email.rb
+++ b/app/models/local_email.rb
@@ -58,11 +58,9 @@ class LocalEmail < Email
   end
 
   def handle_in_passwd?
-    begin
-      !!Etc.getpwnam(handle)
-    rescue ArgumentError
-      # handle was not found
-      return false
-    end
+    Etc.getpwnam(handle).present?
+  rescue ArgumentError
+    # handle was not found
+    return false
   end
 end
diff --git a/app/models/pgp_key.rb b/app/models/pgp_key.rb
index 66f8660..3384f4c 100644
--- a/app/models/pgp_key.rb
+++ b/app/models/pgp_key.rb
@@ -25,9 +25,10 @@ class PgpKey
 
   # allow comparison with plain keyblock strings.
   def ==(other)
+    return false if (self.present? != other.present?)
     self.equal?(other) or
     # relax the comparison on line ends.
-    self.to_s.tr_s("\n\r", '') == other.tr_s("\r\n", '')
+    self.to_s.tr_s("\n\r", '') == other.tr_s("\n\r", '')
   end
 
   protected
diff --git a/app/models/token.rb b/app/models/token.rb
index e759ee3..ff2ad12 100644
--- a/app/models/token.rb
+++ b/app/models/token.rb
@@ -1,3 +1,5 @@
+require 'digest/sha2'
+
 class Token < CouchRest::Model::Base
 
   use_database :tokens
@@ -11,10 +13,16 @@ class Token < CouchRest::Model::Base
 
   validates :user_id, presence: true
 
+  attr_accessor :token
+
   design do
     view :by_last_seen_at
   end
 
+  def self.find_by_token(token)
+    self.find Digest::SHA512.hexdigest(token)
+  end
+
   def self.expires_after
     APP_CONFIG[:auth] && APP_CONFIG[:auth][:token_expires_after]
   end
@@ -31,7 +39,7 @@ class Token < CouchRest::Model::Base
   end
 
   def to_s
-    id
+    token
   end
 
   def authenticate
@@ -65,7 +73,8 @@ class Token < CouchRest::Model::Base
   def initialize(*args)
     super
     if new_record?
-      self.id = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.token = SecureRandom.urlsafe_base64(32).gsub(/^_*/, '')
+      self.id = Digest::SHA512.hexdigest(self.token)
       self.last_seen_at = Time.now
     end
   end
diff --git a/app/models/user.rb b/app/models/user.rb
index 6678de6..f8b9ddc 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -24,7 +24,7 @@ class User < CouchRest::Model::Base
     :uniqueness => true,
     :if => :serverside?
 
-  validate :login_is_unique_alias
+  validate :identity_is_valid
 
   validates :password_salt, :password_verifier,
     :format => { :with => /\A[\dA-Fa-f]+\z/, :message => "Only hex numbers allowed" }
@@ -42,6 +42,11 @@ class User < CouchRest::Model::Base
     view :by_created_at
   end # end of design
 
+  def reload
+    @identity = nil
+    super
+  end
+
   def to_json(options={})
     {
       :login => login,
@@ -161,11 +166,10 @@ class User < CouchRest::Model::Base
   #  Validation Functions
   ##
 
-  def login_is_unique_alias
-    alias_identity = Identity.find_by_address(self.email_address)
-    return if alias_identity.blank?
-    if alias_identity.user != self
-      errors.add(:login, "has already been taken")
+  def identity_is_valid
+    return if identity.valid?
+    identity.errors.each do |attribute, error|
+      self.errors.add(:login, error)
     end
   end