From c1486cb9688d53c5ae266ff22ab279ead12eaa36 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 10 Apr 2014 12:45:21 +0200 Subject: move certs into toplevel cleaned up all the engine stuff that was never really used. Afterwards there is not that much left that makes it into the toplevel. --- Gemfile | 1 - Gemfile.lock | 7 -- app/controllers/v1/certs_controller.rb | 50 +++++++++ app/models/client_certificate.rb | 113 +++++++++++++++++++++ certs/Gemfile | 14 --- certs/Rakefile | 44 -------- certs/Readme.md | 9 -- certs/app/assets/images/leap_web_certs/.gitkeep | 0 .../app/assets/javascripts/leap_web_certs/.gitkeep | 0 .../app/assets/stylesheets/leap_web_certs/.gitkeep | 0 certs/app/controllers/.gitkeep | 0 certs/app/controllers/certs_controller.rb | 50 --------- certs/app/helpers/.gitkeep | 0 certs/app/helpers/certs_helper.rb | 2 - certs/app/mailers/.gitkeep | 0 certs/app/models/.gitkeep | 0 certs/app/models/client_certificate.rb | 113 --------------------- certs/app/views/.gitkeep | 0 certs/config/locales/en.yml | 2 - certs/config/routes.rb | 5 - certs/leap_web_certs.gemspec | 20 ---- certs/lib/leap_web_certs.rb | 4 - certs/lib/leap_web_certs/engine.rb | 5 - certs/lib/tasks/leap_web_certs_tasks.rake | 4 - certs/script/rails | 8 -- certs/test/files/ca.crt | 15 --- certs/test/files/ca.key | 16 --- certs/test/functional/certs_controller_test.rb | 44 -------- certs/test/integration/navigation_test.rb | 9 -- certs/test/leap_web_certs_test.rb | 7 -- certs/test/test_helper.rb | 10 -- certs/test/unit/client_certificate_test.rb | 24 ----- config/defaults.yml | 4 +- config/routes.rb | 1 + leap_web.gemspec | 3 - test/files/ca.crt | 15 +++ test/files/ca.key | 16 +++ test/functional/v1/certs_controller_test.rb | 44 ++++++++ test/unit/client_certificate_test.rb | 24 +++++ 39 files changed, 265 insertions(+), 418 deletions(-) create mode 100644 app/controllers/v1/certs_controller.rb create mode 100644 app/models/client_certificate.rb delete mode 100644 certs/Gemfile delete mode 100644 certs/Rakefile delete mode 100644 certs/Readme.md delete mode 100644 certs/app/assets/images/leap_web_certs/.gitkeep delete mode 100644 certs/app/assets/javascripts/leap_web_certs/.gitkeep delete mode 100644 certs/app/assets/stylesheets/leap_web_certs/.gitkeep delete mode 100644 certs/app/controllers/.gitkeep delete mode 100644 certs/app/controllers/certs_controller.rb delete mode 100644 certs/app/helpers/.gitkeep delete mode 100644 certs/app/helpers/certs_helper.rb delete mode 100644 certs/app/mailers/.gitkeep delete mode 100644 certs/app/models/.gitkeep delete mode 100644 certs/app/models/client_certificate.rb delete mode 100644 certs/app/views/.gitkeep delete mode 100644 certs/config/locales/en.yml delete mode 100644 certs/config/routes.rb delete mode 100644 certs/leap_web_certs.gemspec delete mode 100644 certs/lib/leap_web_certs.rb delete mode 100644 certs/lib/leap_web_certs/engine.rb delete mode 100644 certs/lib/tasks/leap_web_certs_tasks.rake delete mode 100755 certs/script/rails delete mode 100644 certs/test/files/ca.crt delete mode 100644 certs/test/files/ca.key delete mode 100644 certs/test/functional/certs_controller_test.rb delete mode 100644 certs/test/integration/navigation_test.rb delete mode 100644 certs/test/leap_web_certs_test.rb delete mode 100644 certs/test/test_helper.rb delete mode 100644 certs/test/unit/client_certificate_test.rb create mode 100644 test/files/ca.crt create mode 100644 test/files/ca.key create mode 100644 test/functional/v1/certs_controller_test.rb create mode 100644 test/unit/client_certificate_test.rb diff --git a/Gemfile b/Gemfile index b19d119..50c4b00 100644 --- a/Gemfile +++ b/Gemfile @@ -10,7 +10,6 @@ gem "json" gem "ruby-srp", "~> 0.2.1" gem "rails_warden" -gem 'leap_web_certs', :path => 'certs' gem 'leap_web_help', :path => 'help' gem 'leap_web_billing', :path => 'billing' diff --git a/Gemfile.lock b/Gemfile.lock index 0967bd6..537dafd 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -11,12 +11,6 @@ PATH leap_web_billing (0.5.0) braintree -PATH - remote: certs - specs: - leap_web_certs (0.5.0) - certificate_authority (>= 0.2.0) - PATH remote: help specs: @@ -265,7 +259,6 @@ DEPENDENCIES kaminari (= 0.13.0) launchy leap_web_billing! - leap_web_certs! leap_web_help! minitest-stub-const mocha (~> 0.13.0) diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb new file mode 100644 index 0000000..64cfa7f --- /dev/null +++ b/app/controllers/v1/certs_controller.rb @@ -0,0 +1,50 @@ +class V1::CertsController < ApplicationController + + before_filter :require_login, :unless => :anonymous_certs_allowed? + + # GET /cert + def show + @cert = ClientCertificate.new(:prefix => certificate_prefix) + render text: @cert.to_s, content_type: 'text/plain' + end + + protected + + def anonymous_certs_allowed? + APP_CONFIG[:allow_anonymous_certs] + end + # + # this is some temporary logic until we store the service level in the user db. + # + # better logic might look like this: + # + # if logged_in? + # service_level = user.service_level + # elsif allow_anonymous? + # service_level = service_levels[:anonymous] + # else + # service_level = nil + # end + # + # if service_level.bandwidth == 'limited' && allow_limited? + # prefix = limited + # elsif allow_unlimited? + # prefix = unlimited + # else + # prefix = nil + # end + # + def certificate_prefix + if logged_in? + if APP_CONFIG[:allow_unlimited_certs] + APP_CONFIG[:unlimited_cert_prefix] + elsif APP_CONFIG[:allow_limited_certs] + APP_CONFIG[:limited_cert_prefix] + end + elsif !APP_CONFIG[:allow_limited_certs] + APP_CONFIG[:unlimited_cert_prefix] + else + APP_CONFIG[:limited_cert_prefix] + end + end +end diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb new file mode 100644 index 0000000..76b07a2 --- /dev/null +++ b/app/models/client_certificate.rb @@ -0,0 +1,113 @@ +# +# Model for certificates +# +# This file must be loaded after Config has been loaded. +# +require 'base64' +require 'digest/md5' +require 'openssl' +require 'certificate_authority' +require 'date' + +class ClientCertificate + + attr_accessor :key # the client private RSA key + attr_accessor :cert # the client x509 certificate, signed by the CA + + # + # generate the private key and client certificate + # + def initialize(options = {}) + cert = CertificateAuthority::Certificate.new + + # set subject + cert.subject.common_name = common_name(options[:prefix]) + + # set expiration + cert.not_before = yesterday + cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan]) + + # generate key + cert.serial_number.number = cert_serial_number + cert.key_material.generate_key(APP_CONFIG[:client_cert_bit_size]) + + # sign + cert.parent = ClientCertificate.root_ca + cert.sign! client_signing_profile + + self.key = cert.key_material.private_key + self.cert = cert + end + + def to_s + self.key.to_pem + self.cert.to_pem + end + + private + + def self.root_ca + @root_ca ||= begin + crt = File.read(APP_CONFIG[:client_ca_cert]) + key = File.read(APP_CONFIG[:client_ca_key]) + openssl_cert = OpenSSL::X509::Certificate.new(crt) + cert = CertificateAuthority::Certificate.from_openssl(openssl_cert) + cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, APP_CONFIG[:ca_key_password]) + cert + end + end + + # + # For cert serial numbers, we need a non-colliding number less than 160 bits. + # md5 will do nicely, since there is no need for a secure hash, just a short one. + # (md5 is 128 bits) + # + def cert_serial_number + Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16) + end + + def common_name(prefix = nil) + [prefix, random_common_name].join + end + + # + # for the random common name, we need a text string that will be unique across all certs. + # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid + # + def random_common_name + cert_serial_number.to_s(36) + end + + def client_signing_profile + { + "digest" => APP_CONFIG[:client_cert_hash], + "extensions" => { + "keyUsage" => { + "usage" => ["digitalSignature"] + }, + "extendedKeyUsage" => { + "usage" => ["clientAuth"] + } + } + } + end + + ## + ## TIME HELPERS + ## + ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet + ## are behind UTC. + ## + + def yesterday + t = Time.now - 24*60*60 + Time.utc t.year, t.month, t.day + end + + def months_from_yesterday(num) + t = yesterday + date = Date.new t.year, t.month, t.day + date = date >> num # >> is months in the future operator + Time.utc date.year, date.month, date.day + end + +end diff --git a/certs/Gemfile b/certs/Gemfile deleted file mode 100644 index 992f236..0000000 --- a/certs/Gemfile +++ /dev/null @@ -1,14 +0,0 @@ -source "https://rubygems.org" - -eval(File.read(File.dirname(__FILE__) + '/../common_dependencies.rb')) - -# We require leap_web_core from here so we can use the path option. -gem "leap_web_core", :path => '../core' - -# Declare your gem's dependencies in leap_web_users.gemspec. -# Bundler will treat runtime dependencies like base dependencies, and -# development dependencies will be added by default to the :development group. -gemspec - -# To use debugger -# gem 'ruby-debug' diff --git a/certs/Rakefile b/certs/Rakefile deleted file mode 100644 index 54ed86d..0000000 --- a/certs/Rakefile +++ /dev/null @@ -1,44 +0,0 @@ -#!/usr/bin/env rake - -require 'rake/packagetask' -require 'rubygems/package_task' - -begin - require 'bundler/setup' -rescue LoadError - puts 'You must `gem install bundler` and `bundle install` to run rake tasks' -end -begin - require 'rdoc/task' -rescue LoadError - require 'rdoc/rdoc' - require 'rake/rdoctask' - RDoc::Task = Rake::RDocTask -end - -RDoc::Task.new(:rdoc) do |rdoc| - rdoc.rdoc_dir = 'rdoc' - rdoc.title = 'LeapWebCerts' - rdoc.options << '--line-numbers' - rdoc.rdoc_files.include('README.rdoc') - rdoc.rdoc_files.include('lib/**/*.rb') -end - -spec = eval(File.read('leap_web_certs.gemspec')) -Gem::PackageTask.new(spec) do |p| - p.gem_spec = spec -end - -Bundler::GemHelper.install_tasks - -require 'rake/testtask' - -Rake::TestTask.new(:test) do |t| - t.libs << 'lib' - t.libs << 'test' - t.pattern = 'test/**/*_test.rb' - t.verbose = false -end - - -task :default => :test diff --git a/certs/Readme.md b/certs/Readme.md deleted file mode 100644 index 4ea8d9d..0000000 --- a/certs/Readme.md +++ /dev/null @@ -1,9 +0,0 @@ -LeapWebCerts -========= - - -Configuration -------------- - - -Currently LeapWebCerts falls back to handing out a cert in /config/cert if the cert pool is empty. You need to add that file in the application that includes this engine. diff --git a/certs/app/assets/images/leap_web_certs/.gitkeep b/certs/app/assets/images/leap_web_certs/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/app/assets/javascripts/leap_web_certs/.gitkeep b/certs/app/assets/javascripts/leap_web_certs/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/app/assets/stylesheets/leap_web_certs/.gitkeep b/certs/app/assets/stylesheets/leap_web_certs/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/app/controllers/.gitkeep b/certs/app/controllers/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/app/controllers/certs_controller.rb b/certs/app/controllers/certs_controller.rb deleted file mode 100644 index 82cbc44..0000000 --- a/certs/app/controllers/certs_controller.rb +++ /dev/null @@ -1,50 +0,0 @@ -class CertsController < ApplicationController - - before_filter :require_login, :unless => :anonymous_certs_allowed? - - # GET /cert - def show - @cert = ClientCertificate.new(:prefix => certificate_prefix) - render text: @cert.to_s, content_type: 'text/plain' - end - - protected - - def anonymous_certs_allowed? - APP_CONFIG[:allow_anonymous_certs] - end - # - # this is some temporary logic until we store the service level in the user db. - # - # better logic might look like this: - # - # if logged_in? - # service_level = user.service_level - # elsif allow_anonymous? - # service_level = service_levels[:anonymous] - # else - # service_level = nil - # end - # - # if service_level.bandwidth == 'limited' && allow_limited? - # prefix = limited - # elsif allow_unlimited? - # prefix = unlimited - # else - # prefix = nil - # end - # - def certificate_prefix - if logged_in? - if APP_CONFIG[:allow_unlimited_certs] - APP_CONFIG[:unlimited_cert_prefix] - elsif APP_CONFIG[:allow_limited_certs] - APP_CONFIG[:limited_cert_prefix] - end - elsif !APP_CONFIG[:allow_limited_certs] - APP_CONFIG[:unlimited_cert_prefix] - else - APP_CONFIG[:limited_cert_prefix] - end - end -end diff --git a/certs/app/helpers/.gitkeep b/certs/app/helpers/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/app/helpers/certs_helper.rb b/certs/app/helpers/certs_helper.rb deleted file mode 100644 index 94e76b8..0000000 --- a/certs/app/helpers/certs_helper.rb +++ /dev/null @@ -1,2 +0,0 @@ -module CertsHelper -end diff --git a/certs/app/mailers/.gitkeep b/certs/app/mailers/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/app/models/.gitkeep b/certs/app/models/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/app/models/client_certificate.rb b/certs/app/models/client_certificate.rb deleted file mode 100644 index 76b07a2..0000000 --- a/certs/app/models/client_certificate.rb +++ /dev/null @@ -1,113 +0,0 @@ -# -# Model for certificates -# -# This file must be loaded after Config has been loaded. -# -require 'base64' -require 'digest/md5' -require 'openssl' -require 'certificate_authority' -require 'date' - -class ClientCertificate - - attr_accessor :key # the client private RSA key - attr_accessor :cert # the client x509 certificate, signed by the CA - - # - # generate the private key and client certificate - # - def initialize(options = {}) - cert = CertificateAuthority::Certificate.new - - # set subject - cert.subject.common_name = common_name(options[:prefix]) - - # set expiration - cert.not_before = yesterday - cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan]) - - # generate key - cert.serial_number.number = cert_serial_number - cert.key_material.generate_key(APP_CONFIG[:client_cert_bit_size]) - - # sign - cert.parent = ClientCertificate.root_ca - cert.sign! client_signing_profile - - self.key = cert.key_material.private_key - self.cert = cert - end - - def to_s - self.key.to_pem + self.cert.to_pem - end - - private - - def self.root_ca - @root_ca ||= begin - crt = File.read(APP_CONFIG[:client_ca_cert]) - key = File.read(APP_CONFIG[:client_ca_key]) - openssl_cert = OpenSSL::X509::Certificate.new(crt) - cert = CertificateAuthority::Certificate.from_openssl(openssl_cert) - cert.key_material.private_key = OpenSSL::PKey::RSA.new(key, APP_CONFIG[:ca_key_password]) - cert - end - end - - # - # For cert serial numbers, we need a non-colliding number less than 160 bits. - # md5 will do nicely, since there is no need for a secure hash, just a short one. - # (md5 is 128 bits) - # - def cert_serial_number - Digest::MD5.hexdigest("#{rand(10**10)} -- #{Time.now}").to_i(16) - end - - def common_name(prefix = nil) - [prefix, random_common_name].join - end - - # - # for the random common name, we need a text string that will be unique across all certs. - # ruby 1.8 doesn't have a built-in uuid generator, or we would use SecureRandom.uuid - # - def random_common_name - cert_serial_number.to_s(36) - end - - def client_signing_profile - { - "digest" => APP_CONFIG[:client_cert_hash], - "extensions" => { - "keyUsage" => { - "usage" => ["digitalSignature"] - }, - "extendedKeyUsage" => { - "usage" => ["clientAuth"] - } - } - } - end - - ## - ## TIME HELPERS - ## - ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet - ## are behind UTC. - ## - - def yesterday - t = Time.now - 24*60*60 - Time.utc t.year, t.month, t.day - end - - def months_from_yesterday(num) - t = yesterday - date = Date.new t.year, t.month, t.day - date = date >> num # >> is months in the future operator - Time.utc date.year, date.month, date.day - end - -end diff --git a/certs/app/views/.gitkeep b/certs/app/views/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/certs/config/locales/en.yml b/certs/config/locales/en.yml deleted file mode 100644 index 18e4f47..0000000 --- a/certs/config/locales/en.yml +++ /dev/null @@ -1,2 +0,0 @@ -en: - cert_pool_empty: "Sorry the Cert pool is empty, please check back later." diff --git a/certs/config/routes.rb b/certs/config/routes.rb deleted file mode 100644 index cb97757..0000000 --- a/certs/config/routes.rb +++ /dev/null @@ -1,5 +0,0 @@ -Rails.application.routes.draw do - scope '/1' do - resource :cert, :only => [:show] - end -end diff --git a/certs/leap_web_certs.gemspec b/certs/leap_web_certs.gemspec deleted file mode 100644 index 87b5be4..0000000 --- a/certs/leap_web_certs.gemspec +++ /dev/null @@ -1,20 +0,0 @@ -$:.push File.expand_path("../lib", __FILE__) - -require File.expand_path('../../lib/leap_web/version.rb', __FILE__) - -# Describe your gem and declare its dependencies: -Gem::Specification.new do |s| - s.name = "leap_web_certs" - s.version = LeapWeb::VERSION - s.authors = ["Azul"] - s.email = ["azul@leap.se"] - s.homepage = "http://www.leap.se" - s.summary = "Cert distribution for the leap platform" - s.description = "This plugin for the leap platform distributes certs for the EIP client. It fetches the certs from a pool in CouchDB that is filled by leap-ca." - - s.files = Dir["{app,config,db,lib}/**/*"] + ["Rakefile", "Readme.md"] - s.test_files = Dir["test/**/*"] - - s.add_dependency "certificate_authority", [">= 0.2.0"] - -end diff --git a/certs/lib/leap_web_certs.rb b/certs/lib/leap_web_certs.rb deleted file mode 100644 index beb683d..0000000 --- a/certs/lib/leap_web_certs.rb +++ /dev/null @@ -1,4 +0,0 @@ -require "leap_web_certs/engine" - -module LeapWebCerts -end diff --git a/certs/lib/leap_web_certs/engine.rb b/certs/lib/leap_web_certs/engine.rb deleted file mode 100644 index 33a446e..0000000 --- a/certs/lib/leap_web_certs/engine.rb +++ /dev/null @@ -1,5 +0,0 @@ -module LeapWebCerts - class Engine < ::Rails::Engine - - end -end diff --git a/certs/lib/tasks/leap_web_certs_tasks.rake b/certs/lib/tasks/leap_web_certs_tasks.rake deleted file mode 100644 index e8fb7ff..0000000 --- a/certs/lib/tasks/leap_web_certs_tasks.rake +++ /dev/null @@ -1,4 +0,0 @@ -# desc "Explaining what the task does" -# task :leap_web_certs do -# # Task goes here -# end diff --git a/certs/script/rails b/certs/script/rails deleted file mode 100755 index 616d3c9..0000000 --- a/certs/script/rails +++ /dev/null @@ -1,8 +0,0 @@ -#!/usr/bin/env ruby1.8 -# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application. - -ENGINE_ROOT = File.expand_path('../..', __FILE__) -ENGINE_PATH = File.expand_path('../../lib/leap_web_certs/engine', __FILE__) - -require 'rails/all' -require 'rails/engine/commands' diff --git a/certs/test/files/ca.crt b/certs/test/files/ca.crt deleted file mode 100644 index 8393eee..0000000 --- a/certs/test/files/ca.crt +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICYDCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA7MREwDwYDVQQKDAh0ZXN0 -IG9yZzESMBAGA1UECwwJdGVzdCB1bml0MRIwEAYDVQQDDAl0ZXN0IG5hbWUwIBcN -MTMwMjA1MDAwMDAwWhgPMjExMzAyMDUwMDAwMDBaMDsxETAPBgNVBAoMCHRlc3Qg -b3JnMRIwEAYDVQQLDAl0ZXN0IHVuaXQxEjAQBgNVBAMMCXRlc3QgbmFtZTCBqDAN -BgkqhkiG9w0BAQEFAAOBlgAwgZICgYoAx076Dz8zswvCLuz0HP3Y3PWOgFDo9+8o -H4uXRcTpd+yw+5B79xjtQ7ojQy2465Jq00nkzHI6V1otM2uvVVIOcNk0t1HEjmK0 -T/r96dDHc59YvVQ+XPrzuQ4t3iREy8IAPNbc3r29PVZkMdGpeSYxyY1mUKza4DcY -My4SVko9pcP8zJBD4bHgEa0CAwEAAaNgMF4wHQYDVR0OBBYEFOQ+d2EUwBpi93TJ -9AX4Okew5/UIMA4GA1UdDwEB/wQEAwICBDAMBgNVHRMEBTADAQH/MB8GA1UdIwQY -MBaAFOQ+d2EUwBpi93TJ9AX4Okew5/UIMA0GCSqGSIb3DQEBDQUAA4GKAJW9/39P -VbVjH9C7F0XMOpd9nWBe9NUoiw36ZFZw95dqfUm6j5f3nejWG4lEtyMFu5i5rAw6 -GdDSXmq4sUqWTaJmQmZyY+WggQR4UGWJ0I18HRDiPxuA++OfkGzA20Gmvk+CIw/J -QLHlVjLyyUwaA+EO88rEcdc9VnGL/Xgjh8C/PYH2DpWw/kJa ------END CERTIFICATE----- diff --git a/certs/test/files/ca.key b/certs/test/files/ca.key deleted file mode 100644 index 125997f..0000000 --- a/certs/test/files/ca.key +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIChAIBAAKBigDHTvoPPzOzC8Iu7PQc/djc9Y6AUOj37ygfi5dFxOl37LD7kHv3 -GO1DuiNDLbjrkmrTSeTMcjpXWi0za69VUg5w2TS3UcSOYrRP+v3p0Mdzn1i9VD5c -+vO5Di3eJETLwgA81tzevb09VmQx0al5JjHJjWZQrNrgNxgzLhJWSj2lw/zMkEPh -seARrQIDAQABAoGJIvn0HircOsaMfEmvCUtu/E/HgzMvvxrkMqz/jgnhYt9Rq8QO -TS29rY4D1C0473ZRcuTb1xkQrfWwSv7R1SpCSIGFo8obtGb0NjNaYGyQ0IrYDjk8 -H5kYFEY4X4oqFhgy3owewaZZLxLD336ARRj2HhsLzA+4nD/wF7Q+bggpuMdkM2Uj -tn12rIECRQ/XqIGF8jLw9IDMkr9kkfT+n03p8sOd4g7iSw0sknlzaZZpIDvibkyN -SDKM7VX4VQa7u58+sCF4ylwi0UQu7/VT7Smp4QJFDJSoEOKplBvaT9fTfdVKjE4P -QyCAWEsb6Up8KKswhtDqiWeFtktIvx1Mkxn25erLms3cUEBde//rwNB+6ItBR/N8 -4RlNAkUPLsc3Gn+7gmFQ7r3U3zViboON0B/wiWcUjJsQzR6zdoBCvg0+VwsOIniG -ubjbI1uZUGHHg/SYn4KQOm4DwlgF7aDkxQECRQjVZMEedlXxzLOdZvoHBuZHdT38 -F0Jn0rxXOaDQuy0eimBamS+r4vOWngr4Az3jRH15KMYMu9dyllX3z/R2uyrLVBc2 -TQJFBEHIjoMVgP2h+N6VUDgPOhnxnnLvowOtX23J1y2foKwfZrHH38LNcWmuaGUi -fz6EYeUO20D174GfhqB0j6yR50ejPjYD ------END RSA PRIVATE KEY----- diff --git a/certs/test/functional/certs_controller_test.rb b/certs/test/functional/certs_controller_test.rb deleted file mode 100644 index 503e74b..0000000 --- a/certs/test/functional/certs_controller_test.rb +++ /dev/null @@ -1,44 +0,0 @@ -require 'test_helper' - -class CertsControllerTest < ActionController::TestCase - - test "send limited cert without login" do - with_config allow_limited_certs: true, allow_anonymous_certs: true do - cert = stub :to_s => "limited cert" - ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert) - get :show - assert_response :success - assert_equal cert.to_s, @response.body - end - end - - test "send unlimited cert" do - with_config allow_unlimited_certs: true do - login - cert = stub :to_s => "unlimited cert" - ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:unlimited_cert_prefix]).returns(cert) - get :show - assert_response :success - assert_equal cert.to_s, @response.body - end - end - - test "login required if anonymous certs disabled" do - with_config allow_anonymous_certs: false do - get :show - assert_response :redirect - end - end - - test "send limited cert" do - with_config allow_limited_certs: true, allow_unlimited_certs: false do - login - cert = stub :to_s => "real cert" - ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert) - get :show - assert_response :success - assert_equal cert.to_s, @response.body - end - end - -end diff --git a/certs/test/integration/navigation_test.rb b/certs/test/integration/navigation_test.rb deleted file mode 100644 index eec8c0e..0000000 --- a/certs/test/integration/navigation_test.rb +++ /dev/null @@ -1,9 +0,0 @@ -require 'test_helper' - -class NavigationTest < ActionDispatch::IntegrationTest - - # test "the truth" do - # assert true - # end -end - diff --git a/certs/test/leap_web_certs_test.rb b/certs/test/leap_web_certs_test.rb deleted file mode 100644 index ee2058b..0000000 --- a/certs/test/leap_web_certs_test.rb +++ /dev/null @@ -1,7 +0,0 @@ -require 'test_helper' - -class LeapWebCertsTest < ActiveSupport::TestCase - test "truth" do - assert_kind_of Module, LeapWebCerts - end -end diff --git a/certs/test/test_helper.rb b/certs/test/test_helper.rb deleted file mode 100644 index f6b4eb8..0000000 --- a/certs/test/test_helper.rb +++ /dev/null @@ -1,10 +0,0 @@ -ENV["RAILS_ENV"] = "test" -require File.expand_path('../../../test/dummy/config/environment', __FILE__) -require 'rails/test_help' -require 'mocha/setup' - -Rails.backtrace_cleaner.remove_silencers! - -# Load support files -Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f } - diff --git a/certs/test/unit/client_certificate_test.rb b/certs/test/unit/client_certificate_test.rb deleted file mode 100644 index 036e724..0000000 --- a/certs/test/unit/client_certificate_test.rb +++ /dev/null @@ -1,24 +0,0 @@ -require 'test_helper' - -class ClientCertificateTest < ActiveSupport::TestCase - - test "new cert has all we need" do - sample = ClientCertificate.new - assert sample.key - assert sample.cert - assert sample.to_s - end - - test "cert has configured prefix" do - prefix = "PREFIX" - sample = ClientCertificate.new(:prefix => prefix) - assert sample.cert.subject.common_name.starts_with?(prefix) - end - - test "cert issuer matches ca subject" do - sample = ClientCertificate.new - cert = OpenSSL::X509::Certificate.new(sample.cert.to_pem) - assert_equal ClientCertificate.root_ca.openssl_body.subject, cert.issuer - end - -end diff --git a/config/defaults.yml b/config/defaults.yml index cb18795..e7d0f5e 100644 --- a/config/defaults.yml +++ b/config/defaults.yml @@ -1,6 +1,6 @@ dev_ca: &dev_ca - client_ca_key: "./certs/test/files/ca.key" - client_ca_cert: "./certs/test/files/ca.crt" + client_ca_key: "./test/files/ca.key" + client_ca_cert: "./test/files/ca.crt" ca_key_password: nil cert_options: &cert_options diff --git a/config/routes.rb b/config/routes.rb index 05eca9b..b930bd1 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -24,6 +24,7 @@ LeapWeb::Application.routes.draw do delete "logout" => "sessions#destroy", :as => "logout" resources :users, :only => [:create, :update, :destroy, :index] resources :messages, :only => [:index, :update] + resource :cert, :only => [:show] end scope "(:locale)", :locale => MATCH_LOCALE do diff --git a/leap_web.gemspec b/leap_web.gemspec index 44a30e0..125c930 100644 --- a/leap_web.gemspec +++ b/leap_web.gemspec @@ -19,7 +19,4 @@ Gem::Specification.new do |s| s.email = 'azul@leap.se' s.homepage = 'http://leap.se' - # s.add_dependency 'leap_web_core' - s.add_dependency 'leap_web_certs', LeapWeb::VERSION - s.add_dependency 'leap_web_users', LeapWeb::VERSION end diff --git a/test/files/ca.crt b/test/files/ca.crt new file mode 100644 index 0000000..8393eee --- /dev/null +++ b/test/files/ca.crt @@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICYDCCAcCgAwIBAgIBATANBgkqhkiG9w0BAQ0FADA7MREwDwYDVQQKDAh0ZXN0 +IG9yZzESMBAGA1UECwwJdGVzdCB1bml0MRIwEAYDVQQDDAl0ZXN0IG5hbWUwIBcN +MTMwMjA1MDAwMDAwWhgPMjExMzAyMDUwMDAwMDBaMDsxETAPBgNVBAoMCHRlc3Qg +b3JnMRIwEAYDVQQLDAl0ZXN0IHVuaXQxEjAQBgNVBAMMCXRlc3QgbmFtZTCBqDAN +BgkqhkiG9w0BAQEFAAOBlgAwgZICgYoAx076Dz8zswvCLuz0HP3Y3PWOgFDo9+8o +H4uXRcTpd+yw+5B79xjtQ7ojQy2465Jq00nkzHI6V1otM2uvVVIOcNk0t1HEjmK0 +T/r96dDHc59YvVQ+XPrzuQ4t3iREy8IAPNbc3r29PVZkMdGpeSYxyY1mUKza4DcY +My4SVko9pcP8zJBD4bHgEa0CAwEAAaNgMF4wHQYDVR0OBBYEFOQ+d2EUwBpi93TJ +9AX4Okew5/UIMA4GA1UdDwEB/wQEAwICBDAMBgNVHRMEBTADAQH/MB8GA1UdIwQY +MBaAFOQ+d2EUwBpi93TJ9AX4Okew5/UIMA0GCSqGSIb3DQEBDQUAA4GKAJW9/39P +VbVjH9C7F0XMOpd9nWBe9NUoiw36ZFZw95dqfUm6j5f3nejWG4lEtyMFu5i5rAw6 +GdDSXmq4sUqWTaJmQmZyY+WggQR4UGWJ0I18HRDiPxuA++OfkGzA20Gmvk+CIw/J +QLHlVjLyyUwaA+EO88rEcdc9VnGL/Xgjh8C/PYH2DpWw/kJa +-----END CERTIFICATE----- diff --git a/test/files/ca.key b/test/files/ca.key new file mode 100644 index 0000000..125997f --- /dev/null +++ b/test/files/ca.key @@ -0,0 +1,16 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIChAIBAAKBigDHTvoPPzOzC8Iu7PQc/djc9Y6AUOj37ygfi5dFxOl37LD7kHv3 +GO1DuiNDLbjrkmrTSeTMcjpXWi0za69VUg5w2TS3UcSOYrRP+v3p0Mdzn1i9VD5c ++vO5Di3eJETLwgA81tzevb09VmQx0al5JjHJjWZQrNrgNxgzLhJWSj2lw/zMkEPh +seARrQIDAQABAoGJIvn0HircOsaMfEmvCUtu/E/HgzMvvxrkMqz/jgnhYt9Rq8QO +TS29rY4D1C0473ZRcuTb1xkQrfWwSv7R1SpCSIGFo8obtGb0NjNaYGyQ0IrYDjk8 +H5kYFEY4X4oqFhgy3owewaZZLxLD336ARRj2HhsLzA+4nD/wF7Q+bggpuMdkM2Uj +tn12rIECRQ/XqIGF8jLw9IDMkr9kkfT+n03p8sOd4g7iSw0sknlzaZZpIDvibkyN +SDKM7VX4VQa7u58+sCF4ylwi0UQu7/VT7Smp4QJFDJSoEOKplBvaT9fTfdVKjE4P +QyCAWEsb6Up8KKswhtDqiWeFtktIvx1Mkxn25erLms3cUEBde//rwNB+6ItBR/N8 +4RlNAkUPLsc3Gn+7gmFQ7r3U3zViboON0B/wiWcUjJsQzR6zdoBCvg0+VwsOIniG +ubjbI1uZUGHHg/SYn4KQOm4DwlgF7aDkxQECRQjVZMEedlXxzLOdZvoHBuZHdT38 +F0Jn0rxXOaDQuy0eimBamS+r4vOWngr4Az3jRH15KMYMu9dyllX3z/R2uyrLVBc2 +TQJFBEHIjoMVgP2h+N6VUDgPOhnxnnLvowOtX23J1y2foKwfZrHH38LNcWmuaGUi +fz6EYeUO20D174GfhqB0j6yR50ejPjYD +-----END RSA PRIVATE KEY----- diff --git a/test/functional/v1/certs_controller_test.rb b/test/functional/v1/certs_controller_test.rb new file mode 100644 index 0000000..2c70e52 --- /dev/null +++ b/test/functional/v1/certs_controller_test.rb @@ -0,0 +1,44 @@ +require 'test_helper' + +class V1::CertsControllerTest < ActionController::TestCase + + test "send limited cert without login" do + with_config allow_limited_certs: true, allow_anonymous_certs: true do + cert = stub :to_s => "limited cert" + ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert) + get :show + assert_response :success + assert_equal cert.to_s, @response.body + end + end + + test "send unlimited cert" do + with_config allow_unlimited_certs: true do + login + cert = stub :to_s => "unlimited cert" + ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:unlimited_cert_prefix]).returns(cert) + get :show + assert_response :success + assert_equal cert.to_s, @response.body + end + end + + test "login required if anonymous certs disabled" do + with_config allow_anonymous_certs: false do + get :show + assert_response :redirect + end + end + + test "send limited cert" do + with_config allow_limited_certs: true, allow_unlimited_certs: false do + login + cert = stub :to_s => "real cert" + ClientCertificate.expects(:new).with(:prefix => APP_CONFIG[:limited_cert_prefix]).returns(cert) + get :show + assert_response :success + assert_equal cert.to_s, @response.body + end + end + +end diff --git a/test/unit/client_certificate_test.rb b/test/unit/client_certificate_test.rb new file mode 100644 index 0000000..036e724 --- /dev/null +++ b/test/unit/client_certificate_test.rb @@ -0,0 +1,24 @@ +require 'test_helper' + +class ClientCertificateTest < ActiveSupport::TestCase + + test "new cert has all we need" do + sample = ClientCertificate.new + assert sample.key + assert sample.cert + assert sample.to_s + end + + test "cert has configured prefix" do + prefix = "PREFIX" + sample = ClientCertificate.new(:prefix => prefix) + assert sample.cert.subject.common_name.starts_with?(prefix) + end + + test "cert issuer matches ca subject" do + sample = ClientCertificate.new + cert = OpenSSL::X509::Certificate.new(sample.cert.to_pem) + assert_equal ClientCertificate.root_ca.openssl_body.subject, cert.issuer + end + +end -- cgit v1.2.3