Diffstat (limited to 'app')
-rw-r--r-- | app/designs/identity/cert_expiry_by_fingerprint.js | 12 | ||||
-rw-r--r-- | app/designs/identity/cert_fingerprints_by_expiry.js | 12 | ||||
-rw-r--r-- | app/designs/identity/disabled.js | 8 | ||||
-rw-r--r-- | app/designs/identity/pgp_key_by_email.js | 8 | ||||
-rw-r--r-- | app/models/client_certificate.rb | 34 | ||||
-rw-r--r-- | app/models/identity.rb | 29 |
6 files changed, 58 insertions, 45 deletions
diff --git a/app/designs/identity/cert_expiry_by_fingerprint.js b/app/designs/identity/cert_expiry_by_fingerprint.js
new file mode 100644
index 0000000..0636da5
--- /dev/null
+++ b/app/designs/identity/cert_expiry_by_fingerprint.js
@@ -0,0 +1,12 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.cert_fingerprints === "object") {
+ for (fp in doc.cert_fingerprints) {
+ if (doc.cert_fingerprints.hasOwnProperty(fp)) {
+ emit(fp, doc.cert_fingerprints[fp]);
+ }
+ }
+ }
+}
diff --git a/app/designs/identity/cert_fingerprints_by_expiry.js b/app/designs/identity/cert_fingerprints_by_expiry.js
new file mode 100644
index 0000000..995219b
--- /dev/null
+++ b/app/designs/identity/cert_fingerprints_by_expiry.js
@@ -0,0 +1,12 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.cert_fingerprints === "object") {
+ for (fp in doc.cert_fingerprints) {
+ if (doc.cert_fingerprints.hasOwnProperty(fp)) {
+ emit(doc.cert_fingerprints[fp], fp);
+ }
+ }
+ }
+}
diff --git a/app/designs/identity/disabled.js b/app/designs/identity/disabled.js
new file mode 100644
index 0000000..5509575
--- /dev/null
+++ b/app/designs/identity/disabled.js
@@ -0,0 +1,8 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.user_id === "undefined") {
+ emit(doc._id, 1);
+ }
+}
diff --git a/app/designs/identity/pgp_key_by_email.js b/app/designs/identity/pgp_key_by_email.js
new file mode 100644
index 0000000..f783908
--- /dev/null
+++ b/app/designs/identity/pgp_key_by_email.js
@@ -0,0 +1,8 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.keys === "object") {
+ emit(doc.address, doc.keys["pgp"]);
+ }
+}
diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
index d5bb1e0..815801e 100644
--- a/app/models/client_certificate.rb
+++ b/app/models/client_certificate.rb
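Review bot: The loop variable in `for (fp in doc.cert_fingerprints)` is never declared, so in non-strict JavaScript `fp` becomes an implicit global of the view server's evaluation context, and under strict evaluation the assignment would throw a ReferenceError instead of iterating; declare it as `for (var fp in doc.cert_fingerprints) {`. The same undeclared loop variable appears in cert_fingerprints_by_expiry.js further along this line. Since `typeof null === "object"` also passes the guard, a `null` cert_fingerprints simply yields no rows, which is harmless but worth a one-line comment. A comment stating that the value under each fingerprint is the expiry date string written by `register_cert` in app/models/identity.rb would also help readers of both views, because neither view explains what it emits.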
@@ -25,7 +25,7 @@ class ClientCertificate # set expiration cert.not_before = last_month - cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan]) + cert.not_after = expiry # generate key cert.serial_number.number = cert_serial_number @@ -47,6 +47,10 @@ class ClientCertificate OpenSSL::Digest::SHA1.hexdigest(openssl_cert.to_der).scan(/../).join(':') end + def expiry + @expiry ||= lifespan.months.from_now.utc.at_midnight + end + private def openssl_cert @@ -99,28 +103,18 @@ class ClientCertificate } end - ## - ## TIME HELPERS - ## - ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet - ## are behind UTC. - ## - - def yesterday - t = Time.now - 24*60*60 - Time.utc t.year, t.month, t.day - end + # + # TIME HELPERS + # + # We normalize timestamps at utc and midnight + # to reduce the fingerprinting possibilities. + # def last_month - t = Time.now - 24*60*60*30 - Time.utc t.year, t.month, t.day + 1.month.ago.utc.at_midnight end - def months_from_yesterday(num) - t = yesterday - date = Date.new t.year, t.month, t.day - date = date >> num # >> is months in the future operator - Time.utc date.year, date.month, date.day + def lifespan + APP_CONFIG[:client_cert_lifespan] end - end diff --git a/app/models/identity.rb b/app/models/identity.rb index eb67b1b..9dc9c7a 100644 --- a/app/models/identity.rb +++ b/app/models/identity.rb 
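Review bot: The new public `expiry` method carries no comment although its memoization is load-bearing: `cert.not_after = expiry` in the first hunk and `register_cert` in app/models/identity.rb (presumably on the same object) both read it, so the expiry stored on the Identity only matches the certificate because the value is computed once. Suggested comment above `def expiry`: `# Expiry of the generated certificate: lifespan months from now, truncated to UTC midnight. Memoized so not_after and the expiry recorded by Identity#register_cert are the same instant.` The enclosing class continues outside the hunk.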
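Review bot: `lifespan` returns `APP_CONFIG[:client_cert_lifespan]` unchecked, so a missing or non-numeric setting surfaces from `expiry` as a NoMethodError on `months` for nil rather than naming the configuration key that is wrong. Validate at the read site, e.g. `value = APP_CONFIG[:client_cert_lifespan]` / `raise ArgumentError, 'client_cert_lifespan is not configured' if value.nil?` / `value`. The helper sits below the `private` marker visible in the previous hunk's context, which is correct since `expiry` is its only caller shown here; the rewritten TIME HELPERS comment above it would read better as "normalize timestamps to UTC midnight".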
@@ -18,32 +18,11 @@ class Identity < CouchRest::Model::Base validate :destination_email design do + own_path = Pathname.new(File.dirname(__FILE__)) + load_views(own_path.join('..', 'designs', 'identity'), nil) view :by_user_id view :by_address_and_destination view :by_address - view :pgp_key_by_email, - map: <<-EOJS - function(doc) { - if (doc.type != 'Identity') { - return; - } - if (typeof doc.keys === "object") { - emit(doc.address, doc.keys["pgp"]); - } - } - EOJS - view :disabled, - map: <<-EOJS - function(doc) { - if (doc.type != 'Identity') { - return; - } - if (typeof doc.user_id === "undefined") { - emit(doc._id, 1); - } - } - EOJS - end def self.address_starts_with(query) @@ -146,9 +125,9 @@ class Identity < CouchRest::Model::Base end def register_cert(cert) - today = DateTime.now.to_date.to_s + expiry = cert.expiry.to_date.to_s write_attribute 'cert_fingerprints', - cert_fingerprints.merge(cert.fingerprint => today) + cert_fingerprints.merge(cert.fingerprint => expiry) end # for LoginFormatValidation |
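Review bot: `register_cert` now stores `cert.expiry.to_date.to_s` under each fingerprint, but documents written before this change hold the registration date in the same `cert_fingerprints` slot (the removed `today`), and nothing in the commit migrates them. The new cert_fingerprints_by_expiry view in app/designs/identity keys on that value, so any consumer that treats old entries as expiry dates will see those certificates as expired on the day they were issued. Either migrate existing documents or record the mixed meaning in a comment above the `write_attribute` call, e.g. `# value is the certificate expiry date (YYYY-MM-DD, UTC); entries written before <this commit> hold the registration date instead`. The method starts and ends inside the hunk, but the class continues outside it.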