Diffstat (limited to 'certs/app')
-rw-r--r-- | certs/app/assets/images/leap_web_certs/.gitkeep | 0 | ||||
-rw-r--r-- | certs/app/assets/javascripts/leap_web_certs/.gitkeep | 0 | ||||
-rw-r--r-- | certs/app/assets/stylesheets/leap_web_certs/.gitkeep | 0 | ||||
-rw-r--r-- | certs/app/controllers/.gitkeep | 0 | ||||
-rw-r--r-- | certs/app/controllers/certs_controller.rb | 51 | ||||
-rw-r--r-- | certs/app/helpers/.gitkeep | 0 | ||||
-rw-r--r-- | certs/app/helpers/certs_helper.rb | 2 | ||||
-rw-r--r-- | certs/app/mailers/.gitkeep | 0 | ||||
-rw-r--r-- | certs/app/models/.gitkeep | 0 | ||||
-rw-r--r-- | certs/app/models/client_certificate.rb | 113 | ||||
-rw-r--r-- | certs/app/views/.gitkeep | 0 |
11 files changed, 0 insertions, 166 deletions
diff --git a/certs/app/assets/images/leap_web_certs/.gitkeep b/certs/app/assets/images/leap_web_certs/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/assets/images/leap_web_certs/.gitkeep
+++ /dev/null
diff --git a/certs/app/assets/javascripts/leap_web_certs/.gitkeep b/certs/app/assets/javascripts/leap_web_certs/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/assets/javascripts/leap_web_certs/.gitkeep
+++ /dev/null
diff --git a/certs/app/assets/stylesheets/leap_web_certs/.gitkeep b/certs/app/assets/stylesheets/leap_web_certs/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/assets/stylesheets/leap_web_certs/.gitkeep
+++ /dev/null
diff --git a/certs/app/controllers/.gitkeep b/certs/app/controllers/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/controllers/.gitkeep
+++ /dev/null
diff --git a/certs/app/controllers/certs_controller.rb b/certs/app/controllers/certs_controller.rb
deleted file mode 100644
index 62ef3fd..0000000
--- a/certs/app/controllers/certs_controller.rb
+++ /dev/null
@@ -1,51 +0,0 @@
-class CertsController < ApplicationController
-
- before_filter :login_if_required
-
- # GET /cert
- def show
- @cert = ClientCertificate.new(:prefix => certificate_prefix)
- render text: @cert.to_s, content_type: 'text/plain'
- end
-
- protected
-
- def login_if_required
- authorize unless APP_CONFIG[:allow_anonymous_certs]
- end
-
- #
- # this is some temporary logic until we store the service level in the user db.
- #
- # better logic might look like this:
- #
- # if logged_in?
- # service_level = user.service_level
- # elsif allow_anonymous?
- # service_level = service_levels[:anonymous]
- # else
- # service_level = nil
- # end
- #
- # if service_level.bandwidth == 'limited' && allow_limited?
- # prefix = limited
- # elsif allow_unlimited?
- # prefix = unlimited
- # else
- # prefix = nil
- # end
- #
- def certificate_prefix
- if logged_in?
- if APP_CONFIG[:allow_unlimited_certs]
- APP_CONFIG[:unlimited_cert_prefix]
- elsif APP_CONFIG[:allow_limited_certs]
- APP_CONFIG[:limited_cert_prefix]
- end
- elsif !APP_CONFIG[:allow_limited_certs]
- APP_CONFIG[:unlimited_cert_prefix]
- else
- APP_CONFIG[:limited_cert_prefix]
- end
- end
-end
diff --git a/certs/app/helpers/.gitkeep b/certs/app/helpers/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/helpers/.gitkeep
+++ /dev/null
diff --git a/certs/app/helpers/certs_helper.rb b/certs/app/helpers/certs_helper.rb
deleted file mode 100644
index 94e76b8..0000000
--- a/certs/app/helpers/certs_helper.rb
+++ /dev/null
@@ -1,2 +0,0 @@
-module CertsHelper
-end
diff --git a/certs/app/mailers/.gitkeep b/certs/app/mailers/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/mailers/.gitkeep
+++ /dev/null
diff --git a/certs/app/models/.gitkeep b/certs/app/models/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/models/.gitkeep
+++ /dev/null
diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb
deleted file mode 100644
index 76b07a2..0000000
--- a/certs/app/models/client_certificate.rb
+++ /dev/null
@@ -1,113 +0,0 @@
-#
-# Model for certificates
-#
-# This file must be loaded after Config has been loaded.
-#
-require 'base64'
-require 'digest/md5'
-require 'openssl'
-require 'certificate_authority'
-require 'date'
-
-class ClientCertificate
-
- attr_accessor :key # the client private RSA key
- attr_accessor :cert # the client x509 certificate, signed by the CA
-
- #
- # generate the private key and client certificate
- #
- def initialize(options = {})
- cert = CertificateAuthority::Certificate.new
-
- # set subject
- cert.subject.common_name = common_name(options[:prefix])
-
- # set expiration
- cert.not_before = yesterday
- cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan])
-
- # generate key
- cert.serial_number.number = cert_serial_number
- cert.key_material.generate_key(APP_CONFIG[:client_cert_bit_size])
-
- # sign
- cert.parent = ClientCertificate.root_ca
- cert.sign! client_signing_profile
-
- self.key = cert.key_material.private_key
- self.cert = cert
- end
-
- def to_s
- self.key.to_pem + self.cert.to_pem
- end
-
- private
-
- def self.root_ca
- @root_ca ||= begin
- crt = File.read(APP_CONFIG[:client_ca_cert])
- key = File.read(APP_CONFIG[:client_ca_key])
- openssl_cert = OpenSSL::X509::Certificate.new(crt)
- cert = CertificateAuthority::Certificate.from_openssl(openssl_cert)
- cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, APP_CONFIG[:ca_key_password])
- cert
- end
- end
-
- #
- # For cert serial numbers, we need a non-colliding number less than 160 bits.
- # md5 will do nicely, since there is no need for a secure hash, just a short one.
- # (md5 is 128 bits)
- #
- def cert_serial_number
- Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16)
- end
-
- def common_name(prefix = nil)
- [prefix, random_common_name].join
- end
-
- #
- # for the random common name, we need a text string that will be unique across all certs.
- # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid
- #
- def random_common_name
- cert_serial_number.to_s(36)
- end
-
- def client_signing_profile
- {
- "digest" => APP_CONFIG[:client_cert_hash],
- "extensions" => {
- "keyUsage" => {
- "usage" => ["digitalSignature"]
- },
- "extendedKeyUsage" => {
- "usage" => ["clientAuth"]
- }
- }
- }
- end
-
- ##
- ## TIME HELPERS
- ##
- ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
- ## are behind UTC.
- ##
-
- def yesterday
- t = Time.now - 24*60*60
- Time.utc t.year, t.month, t.day
- end
-
- def months_from_yesterday(num)
- t = yesterday
- date = Date.new t.year, t.month, t.day
- date = date >> num # >> is months in the future operator
- Time.utc date.year, date.month, date.day
- end
-
-end
diff --git a/certs/app/views/.gitkeep b/certs/app/views/.gitkeep
deleted file mode 100644
index e69de29..0000000
--- a/certs/app/views/.gitkeep
+++ /dev/null |