Diffstat (limited to 'app')
-rw-r--r--app/designs/identity/cert_expiry_by_fingerprint.js12
-rw-r--r--app/designs/identity/cert_fingerprints_by_expiry.js12
-rw-r--r--app/designs/identity/disabled.js8
-rw-r--r--app/designs/identity/pgp_key_by_email.js8
-rw-r--r--app/models/client_certificate.rb34
-rw-r--r--app/models/identity.rb29
6 files changed, 58 insertions, 45 deletions
diff --git a/app/designs/identity/cert_expiry_by_fingerprint.js b/app/designs/identity/cert_expiry_by_fingerprint.js
new file mode 100644
index 0000000..0636da5
--- /dev/null
+++ b/app/designs/identity/cert_expiry_by_fingerprint.js
@@ -0,0 +1,12 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.cert_fingerprints === "object") {
+ for (fp in doc.cert_fingerprints) {
+ if (doc.cert_fingerprints.hasOwnProperty(fp)) {
+ emit(fp, doc.cert_fingerprints[fp]);
+ }
+ }
+ }
+}
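Review bot: The loop variable in `for (fp in doc.cert_fingerprints)` is never declared, so each invocation writes an implicit global `fp` inside the view server; declare it with `for (var fp in doc.cert_fingerprints) {`. The identical loop in cert_fingerprints_by_expiry.js has the same omission. Note also that `typeof null === "object"`, so a document with `cert_fingerprints: null` passes the guard; that is harmless here because for-in over null iterates nothing, but a short comment saying so would stop the next reader from "fixing" it.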
diff --git a/app/designs/identity/cert_fingerprints_by_expiry.js b/app/designs/identity/cert_fingerprints_by_expiry.js
new file mode 100644
index 0000000..995219b
--- /dev/null
+++ b/app/designs/identity/cert_fingerprints_by_expiry.js
@@ -0,0 +1,12 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.cert_fingerprints === "object") {
+ for (fp in doc.cert_fingerprints) {
+ if (doc.cert_fingerprints.hasOwnProperty(fp)) {
+ emit(doc.cert_fingerprints[fp], fp);
+ }
+ }
+ }
+}
diff --git a/app/designs/identity/disabled.js b/app/designs/identity/disabled.js
new file mode 100644
index 0000000..5509575
--- /dev/null
+++ b/app/designs/identity/disabled.js
@@ -0,0 +1,8 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.user_id === "undefined") {
+ emit(doc._id, 1);
+ }
+}
diff --git a/app/designs/identity/pgp_key_by_email.js b/app/designs/identity/pgp_key_by_email.js
new file mode 100644
index 0000000..f783908
--- /dev/null
+++ b/app/designs/identity/pgp_key_by_email.js
@@ -0,0 +1,8 @@
+function(doc) {
+ if (doc.type != 'Identity') {
+ return;
+ }
+ if (typeof doc.keys === "object") {
+ emit(doc.address, doc.keys["pgp"]);
+ }
+}
diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
index d5bb1e0..815801e 100644
--- a/app/models/client_certificate.rb
+++ b/app/models/client_certificate.rb
@@ -25,7 +25,7 @@ class ClientCertificate
# set expiration
cert.not_before = last_month
- cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan])
+ cert.not_after = expiry
# generate key
cert.serial_number.number = cert_serial_number
@@ -47,6 +47,10 @@ class ClientCertificate
OpenSSL::Digest::SHA1.hexdigest(openssl_cert.to_der).scan(/../).join(':')
end
+ def expiry
+ @expiry ||= lifespan.months.from_now.utc.at_midnight
+ end
+
private
def openssl_cert
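Review bot: `expiry` becomes part of the public interface (it sits above `private` and Identity#register_cert reads it) but carries no documentation, and its memoization is load-bearing: it is what guarantees the value registered against the identity equals the `not_after` written into the certificate, whichever caller runs first. I'd add above it: `# Certificate expiry as UTC midnight. Memoized so the date Identity#register_cert stores matches cert.not_after exactly.` The `openssl_cert` definition continues outside the hunk.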
@@ -99,28 +103,18 @@ class ClientCertificate
}
end
- ##
- ## TIME HELPERS
- ##
- ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
- ## are behind UTC.
- ##
-
- def yesterday
- t = Time.now - 24*60*60
- Time.utc t.year, t.month, t.day
- end
+ #
+ # TIME HELPERS
+ #
+ # We normalize timestamps at utc and midnight
+ # to reduce the fingerprinting possibilities.
+ #
def last_month
- t = Time.now - 24*60*60*30
- Time.utc t.year, t.month, t.day
+ 1.month.ago.utc.at_midnight
end
- def months_from_yesterday(num)
- t = yesterday
- date = Date.new t.year, t.month, t.day
- date = date >> num # >> is months in the future operator
- Time.utc date.year, date.month, date.day
+ def lifespan
+ APP_CONFIG[:client_cert_lifespan]
end
-
end
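Review bot: `lifespan` returns `APP_CONFIG[:client_cert_lifespan]` unchecked, so a missing or misspelled key surfaces later as `undefined method 'months' for nil` inside `expiry` rather than at the lookup; if APP_CONFIG is a Hash, `APP_CONFIG.fetch(:client_cert_lifespan)` fails immediately with a KeyError that names the key. The new header comment explains why timestamps are normalized but drops the old note on rounding direction, which still matters for `last_month` and `expiry`; I'd append: `# at_midnight rounds down, so expiry never exceeds the configured lifespan.`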
diff --git a/app/models/identity.rb b/app/models/identity.rb
index eb67b1b..9dc9c7a 100644
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -18,32 +18,11 @@ class Identity < CouchRest::Model::Base
validate :destination_email
design do
+ own_path = Pathname.new(File.dirname(__FILE__))
+ load_views(own_path.join('..', 'designs', 'identity'), nil)
view :by_user_id
view :by_address_and_destination
view :by_address
- view :pgp_key_by_email,
- map: <<-EOJS
- function(doc) {
- if (doc.type != 'Identity') {
- return;
- }
- if (typeof doc.keys === "object") {
- emit(doc.address, doc.keys["pgp"]);
- }
- }
- EOJS
- view :disabled,
- map: <<-EOJS
- function(doc) {
- if (doc.type != 'Identity') {
- return;
- }
- if (typeof doc.user_id === "undefined") {
- emit(doc._id, 1);
- }
- }
- EOJS
-
end
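Review bot: The bare `nil` second argument to `load_views` is unexplained; a reader has to open couchrest_model to learn what it selects or suppresses, so a trailing comment stating its meaning (as understood from that library's signature) would help. The removed `pgp_key_by_email` and `disabled` views are presumably now registered from the files of the same name under app/designs/identity; if `load_views` does not define a query method per file, callers of those views break, which is worth a spec. On Ruby 2.0+ `Pathname.new(File.dirname(__FILE__))` can be written `Pathname.new(__dir__)`.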
def self.address_starts_with(query)
@@ -146,9 +125,9 @@ class Identity < CouchRest::Model::Base
end
def register_cert(cert)
- today = DateTime.now.to_date.to_s
+ expiry = cert.expiry.to_date.to_s
write_attribute 'cert_fingerprints',
- cert_fingerprints.merge(cert.fingerprint => today)
+ cert_fingerprints.merge(cert.fingerprint => expiry)
end
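Review bot: The value stored under each fingerprint changes meaning here from registration date (the removed `today`) to expiry date, but existing Identity documents still hold registration dates in `cert_fingerprints`, and the new cert_fingerprints_by_expiry / cert_expiry_by_fingerprint views emit those values as if they were expiries. Anything that expires or prunes fingerprints by that view will therefore treat every pre-existing certificate as expired on its registration day, unless a migration rewrites the old entries. I'd at least document the format next to the write: `# value is the cert's expiry date as ISO 'YYYY-MM-DD'; older documents may still hold the registration date here`.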
# for LoginFormatValidation