From 0e9c41a286b49b5ce52abcf0e014668d0167bbae Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Mon, 7 Jul 2014 10:05:37 +0200
Subject: store expiry with cert fingerprints

We used to store the creation date but this way it's easier to query for non expired certs
---
 app/models/client_certificate.rb | 6 +++++-
 app/models/identity.rb           | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)

(limited to 'app/models')

diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
index d5bb1e0..6b57985 100644
--- a/app/models/client_certificate.rb
+++ b/app/models/client_certificate.rb
@@ -25,7 +25,7 @@ class ClientCertificate
 
     # set expiration
     cert.not_before = last_month
-    cert.not_after = months_from_yesterday(APP_CONFIG[:client_cert_lifespan])
+    cert.not_after = expiry
 
     # generate key
     cert.serial_number.number = cert_serial_number
@@ -47,6 +47,10 @@ class ClientCertificate
     OpenSSL::Digest::SHA1.hexdigest(openssl_cert.to_der).scan(/../).join(':')
   end
 
+  def expiry
+    @expiry ||= months_from_yesterday(APP_CONFIG[:client_cert_lifespan])
+  end
+
   private
 
   def openssl_cert
diff --git a/app/models/identity.rb b/app/models/identity.rb
index eb67b1b..1d69437 100644
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -146,9 +146,9 @@ class Identity < CouchRest::Model::Base
   end
 
   def register_cert(cert)
-    today = DateTime.now.to_date.to_s
+    expiry = cert.expiry.to_data.to_s
     write_attribute 'cert_fingerprints',
-      cert_fingerprints.merge(cert.fingerprint => today)
+      cert_fingerprints.merge(cert.fingerprint => expiry)
   end
 
   # for LoginFormatValidation
-- 
cgit v1.2.3


From cc1666d9832415058bf0b22bb5912e432261af4f Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Mon, 7 Jul 2014 10:12:53 +0200
Subject: Identity view cert_fingerprints_by_expiry

Also move complex identity views into js designs.
Includes test.

Here's how you would query it from outside rails:
```
$ curl
'localhost:5984/identities/_design/Identity/_view/cert_fingerprints_by_expiry?startkey="2014-07-05"'
{"total_rows":4,"offset":1,"rows":[
{"id":"6c9091d4f13eaeaa6062c9d0528fd34d","key":"2014-07-05","value":"fingerprint"},
{"id":"6f3aa93828b4f6978d551f2623b9d103","key":"2014-07-05","value":"fingerprint"},
{"id":"b6cafacfa65042679691cd5065fb19e3","key":"2014-07-07","value":"fp"}
]}
```

Note that the expiry will be used as the key. So you should use the
current data (or yesterday) as the startkey to get all fingerprints that
have not expired yet.

The fingerprint itself is in the value. No need to include docs.
---
 app/models/identity.rb | 27 +++------------------------
 1 file changed, 3 insertions(+), 24 deletions(-)

(limited to 'app/models')

diff --git a/app/models/identity.rb b/app/models/identity.rb
index 1d69437..9dc9c7a 100644
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -18,32 +18,11 @@ class Identity < CouchRest::Model::Base
   validate :destination_email
 
   design do
+    own_path = Pathname.new(File.dirname(__FILE__))
+    load_views(own_path.join('..', 'designs', 'identity'), nil)
     view :by_user_id
     view :by_address_and_destination
     view :by_address
-    view :pgp_key_by_email,
-      map: <<-EOJS
-      function(doc) {
-        if (doc.type != 'Identity') {
-          return;
-        }
-        if (typeof doc.keys === "object") {
-          emit(doc.address, doc.keys["pgp"]);
-        }
-      }
-    EOJS
-    view :disabled,
-      map: <<-EOJS
-      function(doc) {
-        if (doc.type != 'Identity') {
-          return;
-        }
-        if (typeof doc.user_id === "undefined") {
-          emit(doc._id, 1);
-        }
-      }
-    EOJS
-
   end
 
   def self.address_starts_with(query)
@@ -146,7 +125,7 @@ class Identity < CouchRest::Model::Base
   end
 
   def register_cert(cert)
-    expiry = cert.expiry.to_data.to_s
+    expiry = cert.expiry.to_date.to_s
     write_attribute 'cert_fingerprints',
       cert_fingerprints.merge(cert.fingerprint => expiry)
   end
-- 
cgit v1.2.3


From bdd5060ccc13951524c171e2d3b81eeddec1625d Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Wed, 9 Jul 2014 22:53:05 +0200
Subject: fix tests and simplify time calculations

---
 app/models/client_certificate.rb | 30 ++++++++++--------------------
 1 file changed, 10 insertions(+), 20 deletions(-)

(limited to 'app/models')

diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
index 6b57985..815801e 100644
--- a/app/models/client_certificate.rb
+++ b/app/models/client_certificate.rb
@@ -48,7 +48,7 @@ class ClientCertificate
   end
 
   def expiry
-    @expiry ||= months_from_yesterday(APP_CONFIG[:client_cert_lifespan])
+    @expiry ||= lifespan.months.from_now.utc.at_midnight
   end
 
   private
@@ -103,28 +103,18 @@ class ClientCertificate
     }
   end
 
-  ##
-  ## TIME HELPERS
-  ##
-  ## note: we use 'yesterday' instead of 'today', because times are in UTC, and some people on the planet
-  ## are behind UTC.
-  ##
-
-  def yesterday
-    t = Time.now - 24*60*60
-    Time.utc t.year, t.month, t.day
-  end
+  #
+  # TIME HELPERS
+  #
+  # We normalize timestamps at utc and midnight
+  # to reduce the fingerprinting possibilities.
+  #
 
   def last_month
-    t = Time.now - 24*60*60*30
-    Time.utc t.year, t.month, t.day
+    1.month.ago.utc.at_midnight
   end
 
-  def months_from_yesterday(num)
-    t = yesterday
-    date = Date.new t.year, t.month, t.day
-    date = date >> num # >> is months in the future operator
-    Time.utc date.year, date.month, date.day
+  def lifespan
+    APP_CONFIG[:client_cert_lifespan]
   end
-
 end
-- 
cgit v1.2.3