summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--certs/app/controllers/certs_controller.rb43
-rw-r--r--certs/app/models/client_certificate.rb6
-rw-r--r--certs/test/functional/certs_controller_test.rb40
-rw-r--r--certs/test/unit/client_certificate_test.rb12
-rw-r--r--config/defaults.yml7
5 files changed, 72 insertions, 36 deletions
diff --git a/certs/app/controllers/certs_controller.rb b/certs/app/controllers/certs_controller.rb
index 977e03e..62ef3fd 100644
--- a/certs/app/controllers/certs_controller.rb
+++ b/certs/app/controllers/certs_controller.rb
@@ -1,16 +1,51 @@
class CertsController < ApplicationController
- before_filter :logged_in_or_free_certs
+ before_filter :login_if_required
# GET /cert
def show
- @cert = ClientCertificate.new(free: !logged_in?)
+ @cert = ClientCertificate.new(:prefix => certificate_prefix)
render text: @cert.to_s, content_type: 'text/plain'
end
protected
- def logged_in_or_free_certs
- authorize unless APP_CONFIG[:free_certs_enabled]
+ def login_if_required
+ authorize unless APP_CONFIG[:allow_anonymous_certs]
+ end
+
+ #
+ # this is some temporary logic until we store the service level in the user db.
+ #
+ # better logic might look like this:
+ #
+ # if logged_in?
+ # service_level = user.service_level
+ # elsif allow_anonymous?
+ # service_level = service_levels[:anonymous]
+ # else
+ # service_level = nil
+ # end
+ #
+ # if service_level.bandwidth == 'limited' && allow_limited?
+ # prefix = limited
+ # elsif allow_unlimited?
+ # prefix = unlimited
+ # else
+ # prefix = nil
+ # end
+ #
+ def certificate_prefix
+ if logged_in?
+ if APP_CONFIG[:allow_unlimited_certs]
+ APP_CONFIG[:unlimited_cert_prefix]
+ elsif APP_CONFIG[:allow_limited_certs]
+ APP_CONFIG[:limited_cert_prefix]
+ end
+ elsif !APP_CONFIG[:allow_limited_certs]
+ APP_CONFIG[:unlimited_cert_prefix]
+ else
+ APP_CONFIG[:limited_cert_prefix]
+ end
end
end
diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb
index 13e0318..76b07a2 100644
--- a/certs/app/models/client_certificate.rb
+++ b/certs/app/models/client_certificate.rb
@@ -21,7 +21,7 @@ class ClientCertificate
cert = CertificateAuthority::Certificate.new
# set subject
- cert.subject.common_name = common_name(options[:free])
+ cert.subject.common_name = common_name(options[:prefix])
# set expiration
cert.not_before = yesterday
@@ -65,8 +65,8 @@ class ClientCertificate
Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)
end
- def common_name(for_free_cert = false)
- (for_free_cert ? APP_CONFIG[:free_cert_prefix] : '') + random_common_name
+ def common_name(prefix = nil)
+ [prefix, random_common_name].join
end
#
diff --git a/certs/test/functional/certs_controller_test.rb b/certs/test/functional/certs_controller_test.rb
index 7826dd6..503e74b 100644
--- a/certs/test/functional/certs_controller_test.rb
+++ b/certs/test/functional/certs_controller_test.rb
@@ -2,35 +2,39 @@ require 'test_helper'
class CertsControllerTest < ActionController::TestCase
- test "send free cert without login" do
- cert = stub :to_s => "free cert"
- ClientCertificate.expects(:new).with(free: true).returns(cert)
- get :show
- assert_response :success
- assert_equal cert.to_s, @response.body
+ test "send limited cert without login" do
+ with_config allow_limited_certs: true, allow_anonymous_certs: true do
+ cert = stub :to_s => "limited cert"
+ ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert)
+ get :show
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
end
- test "send cert" do
- login
- cert = stub :to_s => "real cert"
- ClientCertificate.expects(:new).with(free: false).returns(cert)
- get :show
- assert_response :success
- assert_equal cert.to_s, @response.body
+ test "send unlimited cert" do
+ with_config allow_unlimited_certs: true do
+ login
+ cert = stub :to_s => "unlimited cert"
+ ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:unlimited_cert_prefix]).returns(cert)
+ get :show
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
end
- test "login required if free certs disabled" do
- with_config free_certs_enabled: false do
+ test "login required if anonymous certs disabled" do
+ with_config allow_anonymous_certs: false do
get :show
assert_response :redirect
end
end
- test "get paid cert if free certs disabled" do
- with_config free_certs_enabled: false do
+ test "send limited cert" do
+ with_config allow_limited_certs: true, allow_unlimited_certs: false do
login
cert = stub :to_s => "real cert"
- ClientCertificate.expects(:new).with(free: false).returns(cert)
+ ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert)
get :show
assert_response :success
assert_equal cert.to_s, @response.body
diff --git a/certs/test/unit/client_certificate_test.rb b/certs/test/unit/client_certificate_test.rb
index abb5560..036e724 100644
--- a/certs/test/unit/client_certificate_test.rb
+++ b/certs/test/unit/client_certificate_test.rb
@@ -9,18 +9,12 @@ class ClientCertificateTest < ActiveSupport::TestCase
assert sample.to_s
end
- test "free cert has configured prefix" do
- sample = ClientCertificate.new(free: true)
- prefix = APP_CONFIG[:free_cert_prefix]
+ test "cert has configured prefix" do
+ prefix = "PREFIX"
+ sample = ClientCertificate.new(:prefix => prefix)
assert sample.cert.subject.common_name.starts_with?(prefix)
end
- test "real cert has no free cert prefix" do
- sample = ClientCertificate.new
- prefix = APP_CONFIG[:free_cert_prefix]
- assert !sample.cert.subject.common_name.starts_with?(prefix)
- end
-
test "cert issuer matches ca subject" do
sample = ClientCertificate.new
cert = OpenSSL::X509::Certificate.new(sample.cert.to_pem)
diff --git a/config/defaults.yml b/config/defaults.yml
index d0fb52f..cca827a 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -7,8 +7,11 @@ cert_options: &cert_options
client_cert_lifespan: 2
client_cert_bit_size: 2024
client_cert_hash: "SHA256"
- free_certs_enabled: true
- free_cert_prefix: "FREE"
+ allow_limited_certs: false
+ allow_unlimited_certs: true
+ allow_anonymous_certs: false
+ limited_cert_prefix: "LIMITED"
+ unlimited_cert_prefix: "UNLIMITED"
development:
<<: *dev_ca