From e94b9471c0bc30cd6a1a5bf5b6b22b746d242e31 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Fri, 9 May 2014 16:11:20 +0200
Subject: calculate cert fingerprints to store for leap_mx

stelfox.net/blog/2014/04/calculating-rsa-key-fingerprints-in-ruby/
---
 app/models/client_certificate.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'app')

diff --git a/app/models/client_certificate.rb b/app/models/client_certificate.rb
index 76b07a2..63de9e1 100644
--- a/app/models/client_certificate.rb
+++ b/app/models/client_certificate.rb
@@ -43,8 +43,16 @@ class ClientCertificate
     self.key.to_pem + self.cert.to_pem
   end
 
+  def fingerprint
+    OpenSSL::Digest::SHA1.hexdigest(openssl_cert.to_der).scan(/../).join(':')
+  end
+
   private
 
+  def openssl_cert
+    cert.openssl_body
+  end
+
   def self.root_ca
     @root_ca ||= begin
                    crt = File.read(APP_CONFIG[:client_ca_cert])
-- 
cgit v1.2.3


From 5dd6c1529f8f4fc5089c71b0a44e360acaea900d Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Thu, 15 May 2014 11:04:56 +0200
Subject: fix Email so User.new.valid? does not crash

Email.new(nil) now returns an invalid email rather than crashing.
---
 app/models/email.rb | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'app')

diff --git a/app/models/email.rb b/app/models/email.rb
index a9a503f..4090275 100644
--- a/app/models/email.rb
+++ b/app/models/email.rb
@@ -7,6 +7,11 @@ class Email < String
       :message => "needs to be a valid email address"
     }
 
+  # Make sure we can call Email.new(nil) and get an invalid email address
+  def initialize(s)
+    super(s.to_s)
+  end
+
   def to_partial_path
     "emails/email"
   end
-- 
cgit v1.2.3


From 71dcf3f4e5d423b78b47f675297fc98b28ef3442 Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Thu, 15 May 2014 11:17:47 +0200
Subject: SmtpCertsController, routes and tests

---
 app/controllers/v1/smtp_certs_controller.rb | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 app/controllers/v1/smtp_certs_controller.rb

(limited to 'app')

diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
new file mode 100644
index 0000000..001425d
--- /dev/null
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -0,0 +1,21 @@
+class V1::SmtpCertsController < ApplicationController
+
+  before_filter :require_login
+  before_filter :require_email_account
+
+  # GET /cert
+  def show
+    @cert = ClientCertificate.new prefix: current_user.email_address
+    render text: @cert.to_s, content_type: 'text/plain'
+  end
+
+  protected
+
+  def require_email_account
+    access_denied unless service_level.provides? 'email'
+  end
+
+  def service_level
+    current_user.effective_service_level
+  end
+end
-- 
cgit v1.2.3


From 17b67aeda81dee2273ce1161ac7292a328c3efaa Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Thu, 15 May 2014 16:29:49 +0200
Subject: store cert fingerprint with main user identity

---
 app/controllers/v1/smtp_certs_controller.rb | 2 ++
 app/models/identity.rb                      | 1 +
 2 files changed, 3 insertions(+)

(limited to 'app')

diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
index 001425d..258b391 100644
--- a/app/controllers/v1/smtp_certs_controller.rb
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -6,6 +6,8 @@ class V1::SmtpCertsController < ApplicationController
   # GET /cert
   def show
     @cert = ClientCertificate.new prefix: current_user.email_address
+    current_user.identity.cert_fingerprints << @cert.fingerprint
+    current_user.identity.save
     render text: @cert.to_s, content_type: 'text/plain'
   end
 
diff --git a/app/models/identity.rb b/app/models/identity.rb
index ad8c01e..2f8d4eb 100644
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -8,6 +8,7 @@ class Identity < CouchRest::Model::Base
   property :address, LocalEmail
   property :destination, Email
   property :keys, HashWithIndifferentAccess
+  property :cert_fingerprints, [String]
 
   validate :unique_forward
   validate :alias_available
-- 
cgit v1.2.3


From e8ba98df64cb537e85de8624c0ebb08c4135ccca Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Mon, 19 May 2014 14:50:16 +0200
Subject: minor: fix tests

---
 app/controllers/v1/smtp_certs_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app')

diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
index 258b391..533a19a 100644
--- a/app/controllers/v1/smtp_certs_controller.rb
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -3,7 +3,7 @@ class V1::SmtpCertsController < ApplicationController
   before_filter :require_login
   before_filter :require_email_account
 
-  # GET /cert
+  # GET /1/smtp_cert
   def show
     @cert = ClientCertificate.new prefix: current_user.email_address
     current_user.identity.cert_fingerprints << @cert.fingerprint
-- 
cgit v1.2.3


From 3a84578cf33685800c9216cfb4da12ea1fb0032f Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Mon, 19 May 2014 15:07:02 +0200
Subject: store fingerprints with timestamp

Only storing the date as that should suffice for normal expiry and is less useful for identifying users by timestamps
---
 app/controllers/v1/smtp_certs_controller.rb | 18 ++++++++++++++++--
 app/models/identity.rb                      | 12 +++++++++++-
 2 files changed, 27 insertions(+), 3 deletions(-)

(limited to 'app')

diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
index 533a19a..fcc00b8 100644
--- a/app/controllers/v1/smtp_certs_controller.rb
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -2,22 +2,36 @@ class V1::SmtpCertsController < ApplicationController
 
   before_filter :require_login
   before_filter :require_email_account
+  before_filter :fetch_identity
 
   # GET /1/smtp_cert
   def show
     @cert = ClientCertificate.new prefix: current_user.email_address
-    current_user.identity.cert_fingerprints << @cert.fingerprint
-    current_user.identity.save
+    @identity.register_cert(@cert)
+    @identity.save
     render text: @cert.to_s, content_type: 'text/plain'
   end
 
   protected
 
+  #
+  # Filters
+  #
+
   def require_email_account
     access_denied unless service_level.provides? 'email'
   end
 
+  def fetch_identity
+    @identity = current_user.identity
+  end
+
+  #
+  # Helper methods
+  #
+
   def service_level
     current_user.effective_service_level
   end
+
 end
diff --git a/app/models/identity.rb b/app/models/identity.rb
index 2f8d4eb..a4225e7 100644
--- a/app/models/identity.rb
+++ b/app/models/identity.rb
@@ -8,7 +8,7 @@ class Identity < CouchRest::Model::Base
   property :address, LocalEmail
   property :destination, Email
   property :keys, HashWithIndifferentAccess
-  property :cert_fingerprints, [String]
+  property :cert_fingerprints, Hash
 
   validate :unique_forward
   validate :alias_available
@@ -108,6 +108,16 @@ class Identity < CouchRest::Model::Base
     write_attribute('keys', keys.merge(type => key.to_s))
   end
 
+  def cert_fingerprints
+    read_attribute('cert_fingerprints') || Hash.new
+  end
+
+  def register_cert(cert)
+    today = DateTime.now.to_date.to_s
+    write_attribute 'cert_fingerprints',
+      cert_fingerprints.merge(cert.fingerprint => today)
+  end
+
   # for LoginFormatValidation
   def login
     self.address.handle
-- 
cgit v1.2.3


From 00d5adc90ccadc7f4a2a0d54a5a31a1ad02f05be Mon Sep 17 00:00:00 2001
From: Azul <azul@leap.se>
Date: Mon, 26 May 2014 09:31:36 +0200
Subject: change from GET to POST for certs

We create them. let's reflect that in the verb.
---
 app/controllers/v1/certs_controller.rb      | 8 ++++++++
 app/controllers/v1/smtp_certs_controller.rb | 4 ++--
 2 files changed, 10 insertions(+), 2 deletions(-)

(limited to 'app')

diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb
index 73409ef..b6d1d0b 100644
--- a/app/controllers/v1/certs_controller.rb
+++ b/app/controllers/v1/certs_controller.rb
@@ -3,7 +3,15 @@ class V1::CertsController < ApplicationController
   before_filter :require_login, :unless => :anonymous_certs_allowed?
 
   # GET /cert
+  # deprecated - we actually create a new cert and that can
+  # be reflected in the action. GET /cert will eventually go
+  # away and be replaced by POST /cert
   def show
+    create
+  end
+
+  # POST /cert
+  def create
     @cert = ClientCertificate.new(:prefix => service_level.cert_prefix)
     render text: @cert.to_s, content_type: 'text/plain'
   end
diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
index fcc00b8..377a49c 100644
--- a/app/controllers/v1/smtp_certs_controller.rb
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -4,8 +4,8 @@ class V1::SmtpCertsController < ApplicationController
   before_filter :require_email_account
   before_filter :fetch_identity
 
-  # GET /1/smtp_cert
-  def show
+  # POST /1/smtp_cert
+  def create
     @cert = ClientCertificate.new prefix: current_user.email_address
     @identity.register_cert(@cert)
     @identity.save
-- 
cgit v1.2.3