-rw-r--r-- | README.md | 10 | ||||
-rw-r--r-- | users/app/models/user.rb | 15 | ||||
-rw-r--r-- | users/config/routes.rb | 14 | ||||
-rw-r--r-- | users/test/unit/user_test.rb | 11 |
4 files changed, 40 insertions, 10 deletions
@@ -21,6 +21,14 @@ For more information, see these files in the ``doc`` directory:
* DEVELOP -- for developer notes.
* CUSTOM -- how to customize.
+Known problems
+---------------------------
+
+* Client certificates are generated without a CSR. The problem is that this makes the web
+application extremely vulnerable to denial of service attacks. This was not an issue until we
+started to allow the possibility of anonymously fetching a client certificate without
+authenticating first.
+
Installation
---------------------------
@@ -75,4 +83,4 @@ To run all tests
To run an individual test:
- rake test TEST=certs/test/unit/client_certificate_test.rb
\ No newline at end of file
+ rake test TEST=certs/test/unit/client_certificate_test.rb
diff --git a/users/app/models/user.rb b/users/app/models/user.rb
index 62c5054..5c849f0 100644
--- a/users/app/models/user.rb
+++ b/users/app/models/user.rb
@@ -51,7 +51,20 @@ class User < CouchRest::Model::Base
load_views(own_path.join('..', 'designs', 'user'))
view :by_login
view :by_created_at
- end
+ view :pgp_key_by_handle,
+ map: <<-EOJS
+ function(doc) {
+ if (doc.type != 'User') {
+ return;
+ }
+ emit(doc.login, doc.public_key);
+ doc.email_aliases.forEach(function(alias){
+ emit(alias.username, doc.public_key);
+ });
+ }
+ EOJS
+
+ end # end of design
class << self
alias_method :find_by_param, :find
diff --git a/users/config/routes.rb b/users/config/routes.rb
index c50cb15..9a9a40e 100644
--- a/users/config/routes.rb
+++ b/users/config/routes.rb
@@ -1,13 +1,11 @@
Rails.application.routes.draw do
- constraints :subdomain => "api" do
- namespace "api", { module: "v1",
- path: "/1/",
- defaults: {format: 'json'} } do
- resources :sessions, :only => [:new, :create, :update]
- delete "logout" => "sessions#destroy", :as => "logout"
- resources :users, :only => [:create, :update]
- end
+ namespace "api", { module: "v1",
+ path: "/1/",
+ defaults: {format: 'json'} } do
+ resources :sessions, :only => [:new, :create, :update]
+ delete "logout" => "sessions#destroy", :as => "logout"
+ resources :users, :only => [:create, :update]
end
get "login" => "sessions#new", :as => "login"
diff --git a/users/test/unit/user_test.rb b/users/test/unit/user_test.rb
index 10c8b46..c8c837b 100644
--- a/users/test/unit/user_test.rb
+++ b/users/test/unit/user_test.rb
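Review bot: The map function of the new `pgp_key_by_handle` view calls `doc.email_aliases.forEach` unconditionally, so a User document with no `email_aliases` field throws inside the map and — as I understand CouchDB's handling of map errors — that document is silently dropped from the view, which means its key is not findable by login either. The function also emits a row whenever the type check passes, so a user without a `public_key` yields a row with a null value rather than no row, and every consumer has to remember to filter that. Both are one-line guards: `if (!doc.public_key) { return; }` after the type check, and `(doc.email_aliases || []).forEach(function(alias){`. Because alias usernames are emitted into the same key space as logins, a lookup by handle can return more than one row unless aliases are validated against existing logins elsewhere, so callers should not assume a single row. The enclosing `design` block begins before this hunk.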
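Review bot: Dropping the `constraints :subdomain => "api"` wrapper makes the `/1/` API routes (sessions new/create/update, logout, users create/update) answer on every host the application serves rather than only the api subdomain, and the commit gives no reason for it; if the subdomain constraint was doing any isolation work — a separate CSRF or authentication policy for the JSON API controllers, or a cookie scope — that should be confirmed before this merges. If the intent is simply that the API is served from the main host, a comment on the `namespace "api"` line such as `# API is served from the main host; no subdomain constraint` would keep the next reader from re-adding it. The restructured block also mixes `module: "v1"` with `:only => [...]` hash syntax on the same lines; since they are being rewritten anyway, picking one form would be tidier.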
@@ -64,4 +64,15 @@ class UserTest < ActiveSupport::TestCase
other_user.destroy
end
+ test "pgp key view" do
+ @user.public_key = SecureRandom.base64(4096)
+ @user.save
+
+ view = User.pgp_key_by_handle.key(@user.login)
+
+ assert_equal 1, view.rows.count
+ assert result = view.rows.first
+ assert_equal @user.login, result["key"]
+ assert_equal @user.public_key, result["value"]
+ end
end |
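Review bot: `assert result = view.rows.first` performs an assignment inside the assertion, which reads like a typo for `==` and is what RuboCop flags; `result = view.rows.first` followed by `refute_nil result` says the same thing plainly. `@user.save` is called without checking its result, so a validation failure would show up later as a confusing row-count mismatch instead of at the save; `assert @user.save` pins it. The test exercises only the `doc.login` emit of the map function; the `email_aliases` branch added in the same commit has no coverage, so a second case that sets an alias and looks the key up by the alias username would be worth adding. `SecureRandom.base64(4096)` is a placeholder rather than a real key, which is fine for a view test but deserves a one-line comment, `# any opaque string will do; the view only emits the value`.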