From 77a51e1de520299afd2b33e7a3992aaafab1d6ae Mon Sep 17 00:00:00 2001 From: jessib Date: Thu, 24 Jan 2013 12:59:55 -0800 Subject: Rough start to merging leap_ca into webapp. --- certs/app/models/leap_ca/cert.rb | 104 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 99 insertions(+), 5 deletions(-) diff --git a/certs/app/models/leap_ca/cert.rb b/certs/app/models/leap_ca/cert.rb index 9d4f15e..6c59144 100644 --- a/certs/app/models/leap_ca/cert.rb +++ b/certs/app/models/leap_ca/cert.rb @@ -3,6 +3,11 @@ # # This file must be loaded after Config has been loaded. # +require 'base64' +require 'digest/md5' +require 'openssl' +require 'certificate_authority' +require 'date' module LeapCA class Cert < CouchRest::Model::Base @@ -17,7 +22,7 @@ module LeapCA property :valid_until, Time # expiration time of the client certificate property :random, Float, :accessible => false # used to help pick a random cert by the webapp - before_validation :set_random, :on => :create + before_validation :generate, :set_random, :on => :create validates :key, :presence => true validates :cert, :presence => true @@ -28,10 +33,6 @@ module LeapCA view :by_random end - def set_random - self.random = rand - end - class << self def sample self.by_random.startkey(rand).first || self.by_random.first @@ -52,5 +53,98 @@ module LeapCA end end + # + # generate the private key and client certificate + # + def generate + cert = CertificateAuthority::Certificate.new + + # set subject + cert.subject.common_name = random_common_name + + # set expiration + self.valid_until = months_from_yesterday(Config.client_cert_lifespan) + cert.not_before = yesterday + cert.not_after = self.valid_until + + # generate key + cert.serial_number.number = cert_serial_number + cert.key_material.generate_key(Config.client_cert_bit_size) + + # sign + cert.parent = Cert.root_ca + cert.sign! client_signing_profile + + self.key = cert.key_material.private_key.to_pem + self.cert = cert.to_pem + end + + private + + def set_random + self.random = rand + end + + def self.root_ca + @root_ca ||= begin + crt = File.read(Config.ca_cert_path) + key = File.read(Config.ca_key_path) + openssl_cert = OpenSSL::X509::Certificate.new(crt) + cert = CertificateAuthority::Certificate.from_openssl(openssl_cert) + cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, Config.ca_key_password) + cert + end + end + + # + # For cert serial numbers, we need a non-colliding number less than 160 bits. + # md5 will do nicely, since there is no need for a secure hash, just a short one. + # (md5 is 128 bits) + # + def cert_serial_number + Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16) + end + + # + # for the random common name, we need a text string that will be unique across all certs. + # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid + # + def random_common_name + cert_serial_number.to_s(36) + end + + def client_signing_profile + { + "digest" => Config.client_cert_hash, + "extensions" => { + "keyUsage" => { + "usage" => ["digitalSignature"] + }, + "extendedKeyUsage" => { + "usage" => ["clientAuth"] + } + } + } + end + + ## + ## TIME HELPERS + ## + ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet + ## are behind UTC. + ## + + def yesterday + t = Time.now - 24*24*60 + Time.utc t.year, t.month, t.day + end + + def months_from_yesterday(num) + t = yesterday + date = Date.new t.year, t.month, t.day + date = date >> num # >> is months in the future operator + Time.utc date.year, date.month, date.day + end + end end -- cgit v1.2.3 From 195224a989fa57e9a70fa10c0cdd6603295bb0dd Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 26 Jan 2013 10:52:36 +0100 Subject: removing the leap_ca namespacing from certs --- certs/app/models/client_certificate.rb | 148 ++++++++++++++++++++++++++++ certs/app/models/leap_ca/cert.rb | 150 ----------------------------- certs/test/unit/cert_test.rb | 39 -------- certs/test/unit/client_certificate_test.rb | 39 ++++++++ 4 files changed, 187 insertions(+), 189 deletions(-) create mode 100644 certs/app/models/client_certificate.rb delete mode 100644 certs/app/models/leap_ca/cert.rb delete mode 100644 certs/test/unit/cert_test.rb create mode 100644 certs/test/unit/client_certificate_test.rb diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb new file mode 100644 index 0000000..23b66a2 --- /dev/null +++ b/certs/app/models/client_certificate.rb @@ -0,0 +1,148 @@ +# +# Model for certificates stored in CouchDB. +# +# This file must be loaded after Config has been loaded. +# +require 'base64' +require 'digest/md5' +require 'openssl' +require 'certificate_authority' +require 'date' + +class ClientCertificate < CouchRest::Model::Base + + # No config yet. use_database LeapCA::Config.db_name + use_database 'client_certificates' + + timestamps! + + property :key, String # the client private RSA key + property :cert, String # the client x509 certificate, signed by the CA + property :valid_until, Time # expiration time of the client certificate + property :random, Float, :accessible => false # used to help pick a random cert by the webapp + + before_validation :generate, :set_random, :on => :create + + validates :key, :presence => true + validates :cert, :presence => true + validates :random, :presence => true + validates :random, :numericality => {:greater_than => 0, :less_than => 1} + + design do + view :by_random + end + + class << self + def sample + self.by_random.startkey(rand).first || self.by_random.first + end + + def pick_from_pool + cert = self.sample + raise RECORD_NOT_FOUND unless cert + cert.destroy + return cert + rescue RESOURCE_NOT_FOUND + retry if self.by_random.count > 0 + raise RECORD_NOT_FOUND + end + + def valid_attributes_hash + {:key => "ABCD", :cert => "A123"} + end + end + + # + # generate the private key and client certificate + # + def generate + cert = CertificateAuthority::Certificate.new + + # set subject + cert.subject.common_name = random_common_name + + # set expiration + self.valid_until = months_from_yesterday(Config.client_cert_lifespan) + cert.not_before = yesterday + cert.not_after = self.valid_until + + # generate key + cert.serial_number.number = cert_serial_number + cert.key_material.generate_key(Config.client_cert_bit_size) + + # sign + cert.parent = Cert.root_ca + cert.sign! client_signing_profile + + self.key = cert.key_material.private_key.to_pem + self.cert = cert.to_pem + end + + private + + def set_random + self.random = rand + end + + def self.root_ca + @root_ca ||= begin + crt = File.read(Config.ca_cert_path) + key = File.read(Config.ca_key_path) + openssl_cert = OpenSSL::X509::Certificate.new(crt) + cert = CertificateAuthority::Certificate.from_openssl(openssl_cert) + cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, Config.ca_key_password) + cert + end + end + + # + # For cert serial numbers, we need a non-colliding number less than 160 bits. + # md5 will do nicely, since there is no need for a secure hash, just a short one. + # (md5 is 128 bits) + # + def cert_serial_number + Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16) + end + + # + # for the random common name, we need a text string that will be unique across all certs. + # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid + # + def random_common_name + cert_serial_number.to_s(36) + end + + def client_signing_profile + { + "digest" => Config.client_cert_hash, + "extensions" => { + "keyUsage" => { + "usage" => ["digitalSignature"] + }, + "extendedKeyUsage" => { + "usage" => ["clientAuth"] + } + } + } + end + + ## + ## TIME HELPERS + ## + ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet + ## are behind UTC. + ## + + def yesterday + t = Time.now - 24*24*60 + Time.utc t.year, t.month, t.day + end + + def months_from_yesterday(num) + t = yesterday + date = Date.new t.year, t.month, t.day + date = date >> num # >> is months in the future operator + Time.utc date.year, date.month, date.day + end + +end diff --git a/certs/app/models/leap_ca/cert.rb b/certs/app/models/leap_ca/cert.rb deleted file mode 100644 index 6c59144..0000000 --- a/certs/app/models/leap_ca/cert.rb +++ /dev/null @@ -1,150 +0,0 @@ -# -# Model for certificates stored in CouchDB. -# -# This file must be loaded after Config has been loaded. -# -require 'base64' -require 'digest/md5' -require 'openssl' -require 'certificate_authority' -require 'date' - -module LeapCA - class Cert < CouchRest::Model::Base - -# No config yet. use_database LeapCA::Config.db_name - use_database 'client_certificates' - - timestamps! - - property :key, String # the client private RSA key - property :cert, String # the client x509 certificate, signed by the CA - property :valid_until, Time # expiration time of the client certificate - property :random, Float, :accessible => false # used to help pick a random cert by the webapp - - before_validation :generate, :set_random, :on => :create - - validates :key, :presence => true - validates :cert, :presence => true - validates :random, :presence => true - validates :random, :numericality => {:greater_than => 0, :less_than => 1} - - design do - view :by_random - end - - class << self - def sample - self.by_random.startkey(rand).first || self.by_random.first - end - - def pick_from_pool - cert = self.sample - raise RECORD_NOT_FOUND unless cert - cert.destroy - return cert - rescue RESOURCE_NOT_FOUND - retry if self.by_random.count > 0 - raise RECORD_NOT_FOUND - end - - def valid_attributes_hash - {:key => "ABCD", :cert => "A123"} - end - end - - # - # generate the private key and client certificate - # - def generate - cert = CertificateAuthority::Certificate.new - - # set subject - cert.subject.common_name = random_common_name - - # set expiration - self.valid_until = months_from_yesterday(Config.client_cert_lifespan) - cert.not_before = yesterday - cert.not_after = self.valid_until - - # generate key - cert.serial_number.number = cert_serial_number - cert.key_material.generate_key(Config.client_cert_bit_size) - - # sign - cert.parent = Cert.root_ca - cert.sign! client_signing_profile - - self.key = cert.key_material.private_key.to_pem - self.cert = cert.to_pem - end - - private - - def set_random - self.random = rand - end - - def self.root_ca - @root_ca ||= begin - crt = File.read(Config.ca_cert_path) - key = File.read(Config.ca_key_path) - openssl_cert = OpenSSL::X509::Certificate.new(crt) - cert = CertificateAuthority::Certificate.from_openssl(openssl_cert) - cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, Config.ca_key_password) - cert - end - end - - # - # For cert serial numbers, we need a non-colliding number less than 160 bits. - # md5 will do nicely, since there is no need for a secure hash, just a short one. - # (md5 is 128 bits) - # - def cert_serial_number - Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16) - end - - # - # for the random common name, we need a text string that will be unique across all certs. - # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid - # - def random_common_name - cert_serial_number.to_s(36) - end - - def client_signing_profile - { - "digest" => Config.client_cert_hash, - "extensions" => { - "keyUsage" => { - "usage" => ["digitalSignature"] - }, - "extendedKeyUsage" => { - "usage" => ["clientAuth"] - } - } - } - end - - ## - ## TIME HELPERS - ## - ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet - ## are behind UTC. - ## - - def yesterday - t = Time.now - 24*24*60 - Time.utc t.year, t.month, t.day - end - - def months_from_yesterday(num) - t = yesterday - date = Date.new t.year, t.month, t.day - date = date >> num # >> is months in the future operator - Time.utc date.year, date.month, date.day - end - - end -end diff --git a/certs/test/unit/cert_test.rb b/certs/test/unit/cert_test.rb deleted file mode 100644 index 0b21d0b..0000000 --- a/certs/test/unit/cert_test.rb +++ /dev/null @@ -1,39 +0,0 @@ -require 'test_helper' - -class CertTest < ActiveSupport::TestCase - - setup do - @sample = LeapCA::Cert.new LeapCA::Cert.valid_attributes_hash - end - - test "stub cert for testing is valid" do - assert @sample.valid? - end - - test "setting random on create validation" do - @sample.random = "asdf" - assert @sample.valid? - assert @sample.random.is_a? Float - assert @sample.random >= 0 - assert @sample.random < 1 - end - - test "validates random" do - @sample.save # make sure we are past the on_create - assert @sample.valid? - ["asdf", 1, 2, -0.1, nil, "asdf"].each do |invalid| - @sample.random = invalid - assert !@sample.valid?, "#{invalid} should not be a valid value for random" - end - end - - test "validates key" do - @sample.key = nil - assert !@sample.valid?, "Cert should require key" - end - - test "validates cert" do - @sample.cert = nil - assert !@sample.valid?, "Cert should require cert" - end -end diff --git a/certs/test/unit/client_certificate_test.rb b/certs/test/unit/client_certificate_test.rb new file mode 100644 index 0000000..a721483 --- /dev/null +++ b/certs/test/unit/client_certificate_test.rb @@ -0,0 +1,39 @@ +require 'test_helper' + +class ClientCertificateTest < ActiveSupport::TestCase + + setup do + @sample = ClientCertificate.new ClientCertificate.valid_attributes_hash + end + + test "stub cert for testing is valid" do + assert @sample.valid? + end + + test "setting random on create validation" do + @sample.random = "asdf" + assert @sample.valid? + assert @sample.random.is_a? Float + assert @sample.random >= 0 + assert @sample.random < 1 + end + + test "validates random" do + @sample.save # make sure we are past the on_create + assert @sample.valid? + ["asdf", 1, 2, -0.1, nil, "asdf"].each do |invalid| + @sample.random = invalid + assert !@sample.valid?, "#{invalid} should not be a valid value for random" + end + end + + test "validates key" do + @sample.key = nil + assert !@sample.valid?, "Cert should require key" + end + + test "validates cert" do + @sample.cert = nil + assert !@sample.valid?, "Cert should require cert" + end +end -- cgit v1.2.3 From 88d566a7cdb2cc427eba1a9890eedf93605c17f1 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 26 Jan 2013 10:52:56 +0100 Subject: adding certificate authority dependency --- certs/leap_web_certs.gemspec | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/leap_web_certs.gemspec b/certs/leap_web_certs.gemspec index 15a45be..531afda 100644 --- a/certs/leap_web_certs.gemspec +++ b/certs/leap_web_certs.gemspec @@ -16,5 +16,6 @@ Gem::Specification.new do |s| s.test_files = Dir["test/**/*"] s.add_dependency "leap_web_core", LeapWeb::VERSION + s.add_dependency "certificate_authority" end -- cgit v1.2.3 From 4c2abd107f5959ea0f15f052acf73440648d8d52 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 26 Jan 2013 11:03:18 +0100 Subject: moving leap_ca configs into defaults.yml --- certs/app/models/client_certificate.rb | 15 +++++++-------- certs/test/files/ca.crt | 14 ++++++++++++++ certs/test/files/ca.key | 18 ++++++++++++++++++ config/defaults.yml | 16 ++++++++++++++++ 4 files changed, 55 insertions(+), 8 deletions(-) create mode 100644 certs/test/files/ca.crt create mode 100644 certs/test/files/ca.key diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb index 23b66a2..0b1e43f 100644 --- a/certs/app/models/client_certificate.rb +++ b/certs/app/models/client_certificate.rb @@ -11,7 +11,6 @@ require 'date' class ClientCertificate < CouchRest::Model::Base - # No config yet. use_database LeapCA::Config.db_name use_database 'client_certificates' timestamps! @@ -62,16 +61,16 @@ class ClientCertificate < CouchRest::Model::Base cert.subject.common_name = random_common_name # set expiration - self.valid_until = months_from_yesterday(Config.client_cert_lifespan) + self.valid_until = months_from_yesterday(APP_CONFIG[:client_cert_lifespan]) cert.not_before = yesterday cert.not_after = self.valid_until # generate key cert.serial_number.number = cert_serial_number - cert.key_material.generate_key(Config.client_cert_bit_size) + cert.key_material.generate_key(APP_CONFIG[:client_cert_bit_size]) # sign - cert.parent = Cert.root_ca + cert.parent = ClientCertificate.root_ca cert.sign! client_signing_profile self.key = cert.key_material.private_key.to_pem @@ -86,11 +85,11 @@ class ClientCertificate < CouchRest::Model::Base def self.root_ca @root_ca ||= begin - crt = File.read(Config.ca_cert_path) - key = File.read(Config.ca_key_path) + crt = File.read(APP_CONFIG[:ca_cert_path]) + key = File.read(APP_CONFIG[:ca_key_path]) openssl_cert = OpenSSL::X509::Certificate.new(crt) cert = CertificateAuthority::Certificate.from_openssl(openssl_cert) - cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, Config.ca_key_password) + cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, APP_CONFIG[:ca_key_password]) cert end end @@ -114,7 +113,7 @@ class ClientCertificate < CouchRest::Model::Base def client_signing_profile { - "digest" => Config.client_cert_hash, + "digest" => APP_CONFIG[:client_cert_hash], "extensions" => { "keyUsage" => { "usage" => ["digitalSignature"] diff --git a/certs/test/files/ca.crt b/certs/test/files/ca.crt new file mode 100644 index 0000000..cade598 --- /dev/null +++ b/certs/test/files/ca.crt @@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICPDCCAYmgAwIBAgIEUKCI4DANBgkqhkiG9w0BAQsFADAkMSIwIAYDVQQDExlS +b290IENBIGZvciBydW5uaW5nIHRlc3RzMB4XDTEyMTExMjA1MjgwMFoXDTEzMTEx +MjA1MjgwMFowJDEiMCAGA1UEAxMZUm9vdCBDQSBmb3IgcnVubmluZyB0ZXN0czCB +uzANBgkqhkiG9w0BAQEFAAOBqQAwgaUCgZ0ApeqCGQOmiHxCFxsfUKmBV6ruOYar +EsepFAycTmmakXBjNj4B9Pd3gE3Cc56rvkq0uxluRvqspzpEOQpCg8M5fkft/fxS +acw+ackj3ys7r0MrXgL66QeLnNGe8+RjBO8UHb3OPx547hqUHVg+3HqSCdn9cGQX +9//EJrnSJsLuZw9ktkN4Ytyd1deZo6AkiIeCyz0HxKQBIhdJAPRlAgMBAAGjQzBB +MA8GA1UdEwEB/wQFMAMBAf8wDwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUBe1l +BbuGErEkHLffGvkY5dDOH1YwDQYJKoZIhvcNAQELBQADgZ0ADpudncToYPS183w8 +c68dObCCvNfv/FTBg4ihCLW6PapADYuvXmCvXgHflylET+rFdcrnUfl+XjNT5IjF +ImUyyOnCiy7scRgY+9qrEb7neH4CopGZKkWBTadZLu0QZqMcsWyAZBzaI8tBwL+G ++ylSgw3xTSf/HFjmTJAlDzUieV4DufrPqz7Yx0GrTswdJOcccc/PWUvQIU1GXvto +-----END CERTIFICATE----- diff --git a/certs/test/files/ca.key b/certs/test/files/ca.key new file mode 100644 index 0000000..d266ef7 --- /dev/null +++ b/certs/test/files/ca.key @@ -0,0 +1,18 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIC2gIBAAKBnQCl6oIZA6aIfEIXGx9QqYFXqu45hqsSx6kUDJxOaZqRcGM2PgH0 +93eATcJznqu+SrS7GW5G+qynOkQ5CkKDwzl+R+39/FJpzD5pySPfKzuvQyteAvrp +B4uc0Z7z5GME7xQdvc4/HnjuGpQdWD7cepIJ2f1wZBf3/8QmudImwu5nD2S2Q3hi +3J3V15mjoCSIh4LLPQfEpAEiF0kA9GUCAwEAAQKBnAKz9FSgqO42Sq6tBBtAolkh +nBSXK2L4mmTiOQr/UMOnzLtN0qMBWRK1Bu2dRcz+0zztEs0t45wsfdS0DxYDGy+s +elBrSOhs/w34IeZ5LM6xY0u4HZDmhn0pQNo6QZcFICr0GkkYdmWDlkLvIeJ/u6+q +nmyqAQXvj3R4nA7hrKUXzJjfvN3RYrhLN+/T41zLybeJ5vLZQK3jJSiIjQJPAMhS +HTIbYTUi2pxYVSwJDY4S2klTdroNGvTCkqcTRcB4Ms70FGLPZ6+ZumrkbSohHUsj +gDRRy3e4fjA9qMSQynVr2gkUobsR0tAdQGVOKwJPANQIUPaTc2ouNYNLAiHoAXoL +qAcF5g7/vtlMOwr+16EYoG7bLbiEie7nBfg9zz/VUnvOEy6pZ89YvsZOMlGicsRs ++tfUM1g/u0ZFEoQPrwJOC6bbE+ML0G9qj9WDfsA4DZ+DGujD6yZ//uSiax1v3TYg +nnEMDoNJ4KjscvM+dkjez1QNTP3E+/27OUsc2fIiFJplYEnW7m6m+Hv7FulpAk8A +tiASk0oiV/ErLARw53jmU9PRV378lqOcZgAxswclZo3FuJLxmc3WwOuV2B4Xd+gf +epKPLYR708GR1Lp0RGS6GfjWGi9+ju3nSbuo5OCnAk5yun/UvDdtnZ6fXo9aF22/ +yoiztru7yhJdVrMx3PbbndfN2y9ctqcd6CD5fIQdyZ4K8eTr686RjH8C0XP095Ib +an3AO/TQG1c4yE2hSvQ= +-----END RSA PRIVATE KEY----- diff --git a/config/defaults.yml b/config/defaults.yml index 4ffa2c9..f5a7c07 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -1,11 +1,27 @@ +dev_ca: &dev_ca + ca_key_path: "./certs/test/files/ca.key" + ca_key_password: nil + ca_cert_path: "./certs/test/files/ca.crt" + +cert_options: &cert_options + client_cert_lifespan: 2 + client_cert_bit_size: 2024 + client_cert_hash: "SHA256" + development: + <<: *dev_ca + <<: *cert_options admins: [admin, admin2] domain: develop.me test: + <<: *dev_ca + <<: *cert_options admins: [admin, admin2] domain: test.me + production: + <<: *cert_options admins: [] domain: deploy.me -- cgit v1.2.3 From 0975583e3c6ec9d2bf0269841073031537db1c37 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 26 Jan 2013 11:08:05 +0100 Subject: we're not using a cert pool anymore - remove anything related --- certs/app/controllers/certs_controller.rb | 2 +- certs/app/models/client_certificate.rb | 24 +------------- certs/test/unit/cert_pool_test.rb | 52 ------------------------------- 3 files changed, 2 insertions(+), 76 deletions(-) delete mode 100644 certs/test/unit/cert_pool_test.rb diff --git a/certs/app/controllers/certs_controller.rb b/certs/app/controllers/certs_controller.rb index d81aea0..3ec2f68 100644 --- a/certs/app/controllers/certs_controller.rb +++ b/certs/app/controllers/certs_controller.rb @@ -4,7 +4,7 @@ class CertsController < ApplicationController # GET /cert def show - @cert = LeapCA::Cert.pick_from_pool + @cert = ClientCertificate.create render :text => @cert.key + @cert.cert, :content_type => 'text/plain' rescue RECORD_NOT_FOUND flash[:error] = t(:cert_pool_empty) diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb index 0b1e43f..6abc1ee 100644 --- a/certs/app/models/client_certificate.rb +++ b/certs/app/models/client_certificate.rb @@ -18,34 +18,16 @@ class ClientCertificate < CouchRest::Model::Base property :key, String # the client private RSA key property :cert, String # the client x509 certificate, signed by the CA property :valid_until, Time # expiration time of the client certificate - property :random, Float, :accessible => false # used to help pick a random cert by the webapp - before_validation :generate, :set_random, :on => :create + before_validation :generate, :on => :create validates :key, :presence => true validates :cert, :presence => true - validates :random, :presence => true - validates :random, :numericality => {:greater_than => 0, :less_than => 1} design do - view :by_random end class << self - def sample - self.by_random.startkey(rand).first || self.by_random.first - end - - def pick_from_pool - cert = self.sample - raise RECORD_NOT_FOUND unless cert - cert.destroy - return cert - rescue RESOURCE_NOT_FOUND - retry if self.by_random.count > 0 - raise RECORD_NOT_FOUND - end - def valid_attributes_hash {:key => "ABCD", :cert => "A123"} end @@ -79,10 +61,6 @@ class ClientCertificate < CouchRest::Model::Base private - def set_random - self.random = rand - end - def self.root_ca @root_ca ||= begin crt = File.read(APP_CONFIG[:ca_cert_path]) diff --git a/certs/test/unit/cert_pool_test.rb b/certs/test/unit/cert_pool_test.rb deleted file mode 100644 index 06f7ce0..0000000 --- a/certs/test/unit/cert_pool_test.rb +++ /dev/null @@ -1,52 +0,0 @@ -require 'test_helper' - -class CertPoolTest < ActiveSupport::TestCase - - setup do - 2.times { LeapCA::Cert.create(LeapCA::Cert.valid_attributes_hash) } - end - - teardown do - LeapCA::Cert.all.each {|c| c.destroy} - end - - test "picks random sample" do - # with 3 certs chances are pretty low we pick the same one 40 times. - LeapCA::Cert.create! LeapCA::Cert.valid_attributes_hash - picked = [] - first = LeapCA::Cert.sample.id - current = LeapCA::Cert.sample.id - 40.times do - break if current != first - current = LeapCA::Cert.sample.id - end - assert_not_equal current, first - end - - test "picks cert from the pool" do - assert_difference "LeapCA::Cert.count", -1 do - cert = LeapCA::Cert.pick_from_pool - end - end - - test "err's out if all certs have been destroyed" do - sample = LeapCA::Cert.first.tap{|c| c.destroy} - LeapCA::Cert.all.each {|c| c.destroy} - assert_raises RECORD_NOT_FOUND do - LeapCA::Cert.expects(:sample).returns(sample) - cert = LeapCA::Cert.pick_from_pool - end - end - - test "picks other cert if first pick has been destroyed" do - first = LeapCA::Cert.first.tap{|c| c.destroy} - second = LeapCA::Cert.first - LeapCA::Cert.expects(:sample).at_least_once. - returns(first). - then.returns(second) - cert = LeapCA::Cert.pick_from_pool - assert_equal second, cert - assert_nil LeapCA::Cert.first - end - -end -- cgit v1.2.3 From 0f8efed9afa480174c77c89d4d9d4a40f99bddab Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 26 Jan 2013 11:13:24 +0100 Subject: adopting tests to the way certs work now. should pass. * We now generate cert and key on validate. * we don't expect the controller to pick from the pool anymore - just create instead --- certs/app/models/client_certificate.rb | 2 -- certs/test/functional/certs_controller_test.rb | 2 +- certs/test/unit/client_certificate_test.rb | 23 ++++------------------- 3 files changed, 5 insertions(+), 22 deletions(-) diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb index 6abc1ee..b664ff0 100644 --- a/certs/app/models/client_certificate.rb +++ b/certs/app/models/client_certificate.rb @@ -11,8 +11,6 @@ require 'date' class ClientCertificate < CouchRest::Model::Base - use_database 'client_certificates' - timestamps! property :key, String # the client private RSA key diff --git a/certs/test/functional/certs_controller_test.rb b/certs/test/functional/certs_controller_test.rb index 3d6946e..887d5f0 100644 --- a/certs/test/functional/certs_controller_test.rb +++ b/certs/test/functional/certs_controller_test.rb @@ -13,7 +13,7 @@ class CertsControllerTest < ActionController::TestCase test "should send cert" do login cert = stub :cert => "adsf", :key => "key" - LeapCA::Cert.expects(:pick_from_pool).returns(cert) + ClientCertificate.expects(:create).returns(cert) get :show assert_response :success assert_equal cert.key + cert.cert, @response.body diff --git a/certs/test/unit/client_certificate_test.rb b/certs/test/unit/client_certificate_test.rb index a721483..7dbb8a9 100644 --- a/certs/test/unit/client_certificate_test.rb +++ b/certs/test/unit/client_certificate_test.rb @@ -10,30 +10,15 @@ class ClientCertificateTest < ActiveSupport::TestCase assert @sample.valid? end - test "setting random on create validation" do - @sample.random = "asdf" - assert @sample.valid? - assert @sample.random.is_a? Float - assert @sample.random >= 0 - assert @sample.random < 1 - end - - test "validates random" do - @sample.save # make sure we are past the on_create - assert @sample.valid? - ["asdf", 1, 2, -0.1, nil, "asdf"].each do |invalid| - @sample.random = invalid - assert !@sample.valid?, "#{invalid} should not be a valid value for random" - end - end - test "validates key" do @sample.key = nil - assert !@sample.valid?, "Cert should require key" + assert @sample.valid? + assert @sample.key, "Cert should generate key" end test "validates cert" do @sample.cert = nil - assert !@sample.valid?, "Cert should require cert" + assert @sample.valid? + assert @sample.cert, "Cert should generate cert" end end -- cgit v1.2.3 From 8d9c2e90b77d417f9715c95de91c629e80ca6603 Mon Sep 17 00:00:00 2001 From: Azul Date: Sat, 26 Jan 2013 11:23:43 +0100 Subject: no need to store the cert anymore - just new initialize and send it --- certs/app/controllers/certs_controller.rb | 5 +---- certs/app/models/client_certificate.rb | 28 +++++--------------------- certs/test/functional/certs_controller_test.rb | 2 +- certs/test/unit/client_certificate_test.rb | 18 ++++------------- 4 files changed, 11 insertions(+), 42 deletions(-) diff --git a/certs/app/controllers/certs_controller.rb b/certs/app/controllers/certs_controller.rb index 3ec2f68..6db270c 100644 --- a/certs/app/controllers/certs_controller.rb +++ b/certs/app/controllers/certs_controller.rb @@ -4,11 +4,8 @@ class CertsController < ApplicationController # GET /cert def show - @cert = ClientCertificate.create + @cert = ClientCertificate.new render :text => @cert.key + @cert.cert, :content_type => 'text/plain' - rescue RECORD_NOT_FOUND - flash[:error] = t(:cert_pool_empty) - redirect_to root_path end end diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb index b664ff0..b2b8c0d 100644 --- a/certs/app/models/client_certificate.rb +++ b/certs/app/models/client_certificate.rb @@ -9,41 +9,23 @@ require 'openssl' require 'certificate_authority' require 'date' -class ClientCertificate < CouchRest::Model::Base +class ClientCertificate - timestamps! - - property :key, String # the client private RSA key - property :cert, String # the client x509 certificate, signed by the CA - property :valid_until, Time # expiration time of the client certificate - - before_validation :generate, :on => :create - - validates :key, :presence => true - validates :cert, :presence => true - - design do - end - - class << self - def valid_attributes_hash - {:key => "ABCD", :cert => "A123"} - end - end + attr_accessor :key # the client private RSA key + attr_accessor :cert # the client x509 certificate, signed by the CA # # generate the private key and client certificate # - def generate + def initialize cert = CertificateAuthority::Certificate.new # set subject cert.subject.common_name = random_common_name # set expiration - self.valid_until = months_from_yesterday(APP_CONFIG[:client_cert_lifespan]) cert.not_before = yesterday - cert.not_after = self.valid_until + cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan]) # generate key cert.serial_number.number = cert_serial_number diff --git a/certs/test/functional/certs_controller_test.rb b/certs/test/functional/certs_controller_test.rb index 887d5f0..75256ca 100644 --- a/certs/test/functional/certs_controller_test.rb +++ b/certs/test/functional/certs_controller_test.rb @@ -13,7 +13,7 @@ class CertsControllerTest < ActionController::TestCase test "should send cert" do login cert = stub :cert => "adsf", :key => "key" - ClientCertificate.expects(:create).returns(cert) + ClientCertificate.expects(:new).returns(cert) get :show assert_response :success assert_equal cert.key + cert.cert, @response.body diff --git a/certs/test/unit/client_certificate_test.rb b/certs/test/unit/client_certificate_test.rb index 7dbb8a9..492a44a 100644 --- a/certs/test/unit/client_certificate_test.rb +++ b/certs/test/unit/client_certificate_test.rb @@ -3,22 +3,12 @@ require 'test_helper' class ClientCertificateTest < ActiveSupport::TestCase setup do - @sample = ClientCertificate.new ClientCertificate.valid_attributes_hash + @sample = ClientCertificate.new end - test "stub cert for testing is valid" do - assert @sample.valid? + test "new cert has all we need" do + assert @sample.key + assert @sample.cert end - test "validates key" do - @sample.key = nil - assert @sample.valid? - assert @sample.key, "Cert should generate key" - end - - test "validates cert" do - @sample.cert = nil - assert @sample.valid? - assert @sample.cert, "Cert should generate cert" - end end -- cgit v1.2.3