-rw-r--r-- | certs/app/controllers/certs_controller.rb | 43 | ||||
-rw-r--r-- | certs/app/models/client_certificate.rb | 6 | ||||
-rw-r--r-- | certs/test/functional/certs_controller_test.rb | 40 | ||||
-rw-r--r-- | certs/test/unit/client_certificate_test.rb | 12 | ||||
-rw-r--r-- | config/defaults.yml | 7 |
5 files changed, 72 insertions, 36 deletions
diff --git a/certs/app/controllers/certs_controller.rb b/certs/app/controllers/certs_controller.rb
index 977e03e..62ef3fd 100644
--- a/certs/app/controllers/certs_controller.rb
+++ b/certs/app/controllers/certs_controller.rb
@@ -1,16 +1,51 @@
class CertsController < ApplicationController
- before_filter :logged_in_or_free_certs
+ before_filter :login_if_required
# GET /cert
def show
- @cert = ClientCertificate.new(free: !logged_in?)
+ @cert = ClientCertificate.new(:prefix => certificate_prefix)
render text: @cert.to_s, content_type: 'text/plain'
end
protected
- def logged_in_or_free_certs
- authorize unless APP_CONFIG[:free_certs_enabled]
+ def login_if_required
+ authorize unless APP_CONFIG[:allow_anonymous_certs]
+ end
+
+ #
+ # this is some temporary logic until we store the service level in the user db.
+ #
+ # better logic might look like this:
+ #
+ # if logged_in?
+ # service_level = user.service_level
+ # elsif allow_anonymous?
+ # service_level = service_levels[:anonymous]
+ # else
+ # service_level = nil
+ # end
+ #
+ # if service_level.bandwidth == 'limited' && allow_limited?
+ # prefix = limited
+ # elsif allow_unlimited?
+ # prefix = unlimited
+ # else
+ # prefix = nil
+ # end
+ #
+ def certificate_prefix
+ if logged_in?
+ if APP_CONFIG[:allow_unlimited_certs]
+ APP_CONFIG[:unlimited_cert_prefix]
+ elsif APP_CONFIG[:allow_limited_certs]
+ APP_CONFIG[:limited_cert_prefix]
+ end
+ elsif !APP_CONFIG[:allow_limited_certs]
+ APP_CONFIG[:unlimited_cert_prefix]
+ else
+ APP_CONFIG[:limited_cert_prefix]
+ end
end
end
diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb
index 13e0318..76b07a2 100644
--- a/certs/app/models/client_certificate.rb
+++ b/certs/app/models/client_certificate.rb
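Review bot: The anonymous branch of `certificate_prefix` never consults `allow_unlimited_certs`: `elsif !APP_CONFIG[:allow_limited_certs]` hands out `unlimited_cert_prefix` whenever limited certs are switched off, so an operator who enables `allow_anonymous_certs` and disables both `allow_*_certs` flags gives anonymous requests an UNLIMITED certificate while logged-in users get none, the inverse of what the flags read as. Make the two branches mirror each other, the anonymous one preferring limited: replace the tail with `elsif APP_CONFIG[:allow_limited_certs]` → `APP_CONFIG[:limited_cert_prefix]`, `elsif APP_CONFIG[:allow_unlimited_certs]` → `APP_CONFIG[:unlimited_cert_prefix]`, and no `else`. When the method returns nil, `show` still issues a certificate with a bare random common name (`common_name` joins `[nil, random_common_name]`); unless an unprefixed CN is meaningful to whatever consumes these certs, which is not visible here, `show` should refuse instead, e.g. `return head(:forbidden) unless (prefix = certificate_prefix)` before building the cert. The long "better logic" comment would serve readers better as a short statement of the precedence actually implemented (logged-in prefers unlimited, anonymous prefers limited, nil means no certificate).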
@@ -21,7 +21,7 @@ class ClientCertificate
cert = CertificateAuthority::Certificate.new
# set subject
- cert.subject.common_name = common_name(options[:free])
+ cert.subject.common_name = common_name(options[:prefix])
# set expiration
cert.not_before = yesterday
@@ -65,8 +65,8 @@ class ClientCertificate
Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)
end
- def common_name(for_free_cert = false)
- (for_free_cert ? APP_CONFIG[:free_cert_prefix] : '') + random_common_name
+ def common_name(prefix = nil)
+ [prefix, random_common_name].join
end
#
diff --git a/certs/test/functional/certs_controller_test.rb b/certs/test/functional/certs_controller_test.rb
index 7826dd6..503e74b 100644
--- a/certs/test/functional/certs_controller_test.rb
+++ b/certs/test/functional/certs_controller_test.rb
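Review bot: `common_name(prefix = nil)` carries no comment, and since the prefix is now the only thing that marks a certificate as limited or unlimited, the contract should be stated above the `def`: `# prefix: optional service-level tag prepended to the random common name; nil yields the bare random name.` `[prefix, random_common_name].join` also stringifies whatever the config holds, so a YAML value that parses as a number or boolean would silently become part of the CN; if the CN is parsed downstream, guard with `raise ArgumentError, 'prefix must be a String' unless prefix.nil? || prefix.is_a?(String)`. Separately, the random part visible in the hunk context is `Digest::MD5` over `rand(10**10)` and `Time.now`, which is predictable; that line is not part of this change, but `SecureRandom` is the usual choice if the common name is expected to be unguessable.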
@@ -2,35 +2,39 @@ require 'test_helper'
class CertsControllerTest < ActionController::TestCase
- test "send free cert without login" do
- cert = stub :to_s => "free cert"
- ClientCertificate.expects(:new).with(free: true).returns(cert)
- get :show
- assert_response :success
- assert_equal cert.to_s, @response.body
+ test "send limited cert without login" do
+ with_config allow_limited_certs: true, allow_anonymous_certs: true do
+ cert = stub :to_s => "limited cert"
+ ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert)
+ get :show
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
end
- test "send cert" do
- login
- cert = stub :to_s => "real cert"
- ClientCertificate.expects(:new).with(free: false).returns(cert)
- get :show
- assert_response :success
- assert_equal cert.to_s, @response.body
+ test "send unlimited cert" do
+ with_config allow_unlimited_certs: true do
+ login
+ cert = stub :to_s => "unlimited cert"
+ ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:unlimited_cert_prefix]).returns(cert)
+ get :show
+ assert_response :success
+ assert_equal cert.to_s, @response.body
+ end
end
- test "login required if free certs disabled" do
- with_config free_certs_enabled: false do
+ test "login required if anonymous certs disabled" do
+ with_config allow_anonymous_certs: false do
get :show
assert_response :redirect
end
end
- test "get paid cert if free certs disabled" do
- with_config free_certs_enabled: false do
+ test "send limited cert" do
+ with_config allow_limited_certs: true, allow_unlimited_certs: false do
login
cert = stub :to_s => "real cert"
- ClientCertificate.expects(:new).with(free: false).returns(cert)
+ ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert)
get :show
assert_response :success
assert_equal cert.to_s, @response.body
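Review bot: None of the four tests exercises the two paths of `certificate_prefix` where the flags interact oddly: an anonymous request with `allow_limited_certs: false` (today it receives `unlimited_cert_prefix` regardless of `allow_unlimited_certs`) and a logged-in request with both `allow_*_certs` flags false (prefix nil, certificate still issued). Whichever behaviour is intended there should be pinned by a test, for example the one below for the anonymous case, plus one with both flags false asserting the response you want (a refusal, or `:prefix => nil`). "send unlimited cert" sets only `allow_unlimited_certs` and relies on `allow_limited_certs` being false in `defaults.yml`; set it explicitly so the test does not change meaning with the defaults, and the stub string `"real cert"` in "send limited cert" is a leftover from the renamed test. The enclosing test class continues past the hunk.
```ruby
test "send unlimited cert without login" do
  with_config allow_limited_certs: false, allow_unlimited_certs: true, allow_anonymous_certs: true do
    cert = stub :to_s => "unlimited cert"
    ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:unlimited_cert_prefix]).returns(cert)
    get :show
    assert_response :success
    assert_equal cert.to_s, @response.body
  end
end
```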
diff --git a/certs/test/unit/client_certificate_test.rb b/certs/test/unit/client_certificate_test.rb
index abb5560..036e724 100644
--- a/certs/test/unit/client_certificate_test.rb
+++ b/certs/test/unit/client_certificate_test.rb
@@ -9,18 +9,12 @@ class ClientCertificateTest < ActiveSupport::TestCase
assert sample.to_s
end
- test "free cert has configured prefix" do
- sample = ClientCertificate.new(free: true)
- prefix = APP_CONFIG[:free_cert_prefix]
+ test "cert has configured prefix" do
+ prefix = "PREFIX"
+ sample = ClientCertificate.new(:prefix => prefix)
assert sample.cert.subject.common_name.starts_with?(prefix)
end
- test "real cert has no free cert prefix" do
- sample = ClientCertificate.new
- prefix = APP_CONFIG[:free_cert_prefix]
- assert !sample.cert.subject.common_name.starts_with?(prefix)
- end
-
test "cert issuer matches ca subject" do
sample = ClientCertificate.new
cert = OpenSSL::X509::Certificate.new(sample.cert.to_pem)
diff --git a/config/defaults.yml b/config/defaults.yml
index d0fb52f..cca827a 100644
--- a/config/defaults.yml
+++ b/config/defaults.yml
@@ -7,8 +7,11 @@ cert_options: &cert_options
client_cert_lifespan: 2
client_cert_bit_size: 2024
client_cert_hash: "SHA256"
- free_certs_enabled: true
- free_cert_prefix: "FREE"
+ allow_limited_certs: false
+ allow_unlimited_certs: true
+ allow_anonymous_certs: false
+ limited_cert_prefix: "LIMITED"
+ unlimited_cert_prefix: "UNLIMITED"
development:
<<: *dev_ca |
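Review bot: The deleted "real cert has no free cert prefix" test is not replaced, so nothing now checks that `ClientCertificate.new` without `:prefix` yields a bare common name, which is exactly the case `certificate_prefix` falls into when neither `allow_*_certs` flag applies. Keep a negative test next to the new positive one: `sample = ClientCertificate.new`, then `assert !sample.cert.subject.common_name.starts_with?(APP_CONFIG[:limited_cert_prefix])` and the same assertion for `APP_CONFIG[:unlimited_cert_prefix]`. The enclosing test class continues past the hunk.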
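Review bot: The three new `allow_*_certs` flags are undocumented, and their precedence is only discoverable by reading `certs_controller.rb`, so each deserves a comment line here: `allow_anonymous_certs` — issue certificates without login; `allow_limited_certs` / `allow_unlimited_certs` — which service levels may be issued, where a logged-in user gets unlimited if allowed, else limited, and an anonymous request gets limited if allowed, otherwise unlimited. The prefixes should also say that they are what downstream consumers match on, if that is the case, since the tests only check `starts_with?`. Unrelated to this change but visible in the hunk context, `client_cert_bit_size: 2024` is an unusual RSA modulus length; 2048 is presumably intended and is worth a follow-up.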