Merge pull request #165 from azul/feature/cert-fingerprints

Feature/cert fingerprints

5 files changed, 69 insertions, 0 deletions

diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb
index 73409ef..b6d1d0b 100644
--- a/app/controllers/v1/certs_controller.rb
+++ b/app/controllers/v1/certs_controller.rb
@@ -3,7 +3,15 @@ class V1::CertsController < ApplicationController
   before_filter :require_login, :unless => :anonymous_certs_allowed?
 
   # GET /cert
+  # deprecated - we actually create a new cert and that can
+  # be reflected in the action. GET /cert will eventually go
+  # away and be replaced by POST /cert
   def show
+    create
+  end
+
+  # POST /cert
+  def create
     @cert = ClientCertificate.new(:prefix => service_level.cert_prefix)
     render text: @cert.to_s, content_type: 'text/plain'
   end
diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
new file mode 100644
index 0000000..377a49c
--- /dev/null
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -0,0 +1,37 @@
+class V1::SmtpCertsController < ApplicationController
+
+  before_filter :require_login
+  before_filter :require_email_account
+  before_filter :fetch_identity
+
+  # POST /1/smtp_cert
+  def create
+    @cert = ClientCertificate.new prefix: current_user.email_address
+    @identity.register_cert(@cert)
+    @identity.save
+    render text: @cert.to_s, content_type: 'text/plain'
+  end
+
+  protected
+
+  #
+  # Filters
+  #
+
+  def require_email_account
+    access_denied unless service_level.provides? 'email'
+  end
+
+  def fetch_identity
+    @identity = current_user.identity
+  end
+
+  #
+  # Helper methods
+  #
+
+  def service_level
+    current_user.effective_service_level
+  end
+
+end
diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
index 76b07a2..63de9e1 100644
--- a/app/models/client_certificate.rb
+++ b/app/models/client_certificate.rb
@@ -43,8 +43,16 @@ class ClientCertificate
     self.key.to_pem + self.cert.to_pem
   end
 
+  def fingerprint
+    OpenSSL::Digest::SHA1.hexdigest(openssl_cert.to_der).scan(/../).join(':')
+  end
+
   private
 
+  def openssl_cert
+    cert.openssl_body
+  end
+
   def self.root_ca
     @root_ca ||= begin
                    crt = File.read(APP_CONFIG[:client_ca_cert])
diff --git a/app/models/email.rb b/app/models/email.rb
index a9a503f..4090275 100644
--- a/app/models/email.rb
+++ b/app/models/email.rb
@@ -7,6 +7,11 @@ class Email < String
       :message => "needs to be a valid email address"
     }
 
+  # Make sure we can call Email.new(nil) and get an invalid email address
+  def initialize(s)
+    super(s.to_s)
+  end
+
   def to_partial_path
     "emails/email"
   end
diff --git a/app/models/identity.rb b/app/models/identity.rb
index ad8c01e..a4225e7 100644
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -8,6 +8,7 @@ class Identity < CouchRest::Model::Base
   property :address, LocalEmail
   property :destination, Email
   property :keys, HashWithIndifferentAccess
+  property :cert_fingerprints, Hash
 
   validate :unique_forward
   validate :alias_available
@@ -107,6 +108,16 @@ class Identity < CouchRest::Model::Base
     write_attribute('keys', keys.merge(type => key.to_s))
   end
 
+  def cert_fingerprints
+    read_attribute('cert_fingerprints') || Hash.new
+  end
+
+  def register_cert(cert)
+    today = DateTime.now.to_date.to_s
+    write_attribute 'cert_fingerprints',
+      cert_fingerprints.merge(cert.fingerprint => today)
+  end
+
   # for LoginFormatValidation
   def login
     self.address.handle