authorKamil Trzcinski <ayufan@ayufan.eu>2016-02-12 16:05:17 +0100
committerJames Edwards-Jones <jedwardsjones@gitlab.com>2017-01-31 22:53:57 +0000
commitd3b828487647f106a8947864e18ac1ad7bd9d6f4 (patch)
treea70cf6d14fbe4a111e657a4fe3335381ef73d234 /app
parent0552c0b6f185433ad0a7caac321f0a6d445a0b63 (diff)
downloadgitlab-ce-d3b828487647f106a8947864e18ac1ad7bd9d6f4.tar.gz
Pages domain model specs
Diffstat (limited to 'app')
-rw-r--r--app/models/pages_domain.rb50
-rw-r--r--app/services/projects/update_pages_configuration_service.rb22
-rw-r--r--app/services/projects/update_pages_service.rb3
-rw-r--r--app/views/projects/pages/show.html.haml4
4 files changed, 50 insertions, 29 deletions
diff --git a/app/models/pages_domain.rb b/app/models/pages_domain.rb
index 985329bb856..b594957493a 100644
--- a/app/models/pages_domain.rb
+++ b/app/models/pages_domain.rb
@@ -6,7 +6,8 @@ class PagesDomain < ActiveRecord::Base
validates :certificate, certificate: true, allow_nil: true, allow_blank: true
validates :key, certificate_key: true, allow_nil: true, allow_blank: true
- validate :validate_matching_key, if: ->(domain) { domain.certificate.present? && domain.key.present? }
+ validate :validate_pages_domain
+ validate :validate_matching_key, if: ->(domain) { domain.certificate.present? || domain.key.present? }
validate :validate_intermediates, if: ->(domain) { domain.certificate.present? }
attr_encrypted :key, mode: :per_attribute_iv_and_salt, key: Gitlab::Application.secrets.db_key_base
@@ -30,8 +31,8 @@ class PagesDomain < ActiveRecord::Base
end
def has_matching_key?
- return unless x509
- return unless pkey
+ return false unless x509
+ return false unless pkey
# We compare the public key stored in certificate with public key from certificate key
x509.check_private_key(pkey)
@@ -40,6 +41,9 @@ class PagesDomain < ActiveRecord::Base
def has_intermediates?
return false unless x509
+ # self-signed certificates doesn't have the certificate chain
+ return true if x509.verify(x509.public_key)
+
store = OpenSSL::X509::Store.new
store.set_default_paths
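Review bot: The new self-signed shortcut in has_intermediates? calls `x509.verify(x509.public_key)` on every certificate, including ones issued by a CA. As far as I know, OpenSSL can raise `OpenSSL::X509::CertificateError` here instead of returning false when the certificate's own key type does not fit the signature algorithm (for example an EC leaf signed by an RSA CA); that should be confirmed. If it does, the validation would surface as an unhandled exception rather than a "misses intermediates" error. Guarding the call keeps it on the self-signed path only: `return true if x509.issuer == x509.subject && x509.verify(x509.public_key)`. The added comment should also read "self-signed certificates don't have a certificate chain"; the rest of the method body lies outside this hunk.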
@@ -66,23 +70,8 @@ class PagesDomain < ActiveRecord::Base
return x509.subject.to_s
end
- def fingerprint
- return unless x509
- @fingeprint ||= OpenSSL::Digest::SHA256.new(x509.to_der).to_s
- end
-
- def x509
- return unless certificate
- @x509 ||= OpenSSL::X509::Certificate.new(certificate)
- rescue OpenSSL::X509::CertificateError
- nil
- end
-
- def pkey
- return unless key
- @pkey ||= OpenSSL::PKey::RSA.new(key)
- rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
- nil
+ def certificate_text
+ @certificate_text ||= x509.try(:to_text)
end
private
@@ -102,4 +91,25 @@ class PagesDomain < ActiveRecord::Base
self.errors.add(:certificate, 'misses intermediates')
end
end
+
+ def validate_pages_domain
+ return unless domain
+ if domain.downcase.ends_with?(".#{Settings.pages.host}".downcase)
+ self.errors.add(:domain, "*.#{Settings.pages.host} is restricted")
+ end
+ end
+
+ def x509
+ return unless certificate
+ @x509 ||= OpenSSL::X509::Certificate.new(certificate)
+ rescue OpenSSL::X509::CertificateError
+ nil
+ end
+
+ def pkey
+ return unless key
+ @pkey ||= OpenSSL::PKey::RSA.new(key)
+ rescue OpenSSL::PKey::PKeyError, OpenSSL::Cipher::CipherError
+ nil
+ end
end
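Review bot: validate_pages_domain only rejects names that end in `.#{Settings.pages.host}`, so the pages host itself passes, and so would the same name written with a trailing dot unless the domain format is validated somewhere outside this hunk. Normalising before the comparison closes both: `name = domain.downcase.chomp('.')`, `host = Settings.pages.host.downcase`, then `if name == host || name.ends_with?(".#{host}")`. Separately, the relocated pkey builds the key with `OpenSSL::PKey::RSA.new(key)` and no passphrase argument. It is worth checking how a passphrase-protected PEM behaves there, since the rescue covers only `PKeyError` and `CipherError`.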
diff --git a/app/services/projects/update_pages_configuration_service.rb b/app/services/projects/update_pages_configuration_service.rb
index 53e9d9e2757..b5324587d0e 100644
--- a/app/services/projects/update_pages_configuration_service.rb
+++ b/app/services/projects/update_pages_configuration_service.rb
@@ -35,7 +35,7 @@ module Projects
def reload_daemon
# GitLab Pages daemon constantly watches for modification time of `pages.path`
# It reloads configuration when `pages.path` is modified
- File.touch(Settings.pages.path)
+ update_file(pages_update_file, SecureRandom.hex(64))
end
def pages_path
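Review bot: The comment kept above the new line in reload_daemon still says the daemon watches the modification time of `pages.path`, but the method now writes a random value into a `.update` file under that directory. The comment should describe the new mechanism, for example `# GitLab Pages daemon watches the '.update' file under pages.path; writing a fresh random value to it triggers a configuration reload`. Whether the daemon compares the content or the mtime of that file is not visible here, so word the comment to match what the daemon actually does.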
@@ -46,14 +46,24 @@ module Projects
File.join(pages_path, 'config.json')
end
+ def pages_update_file
+ File.join(Settings.pages.path, '.update')
+ end
+
def update_file(file, data)
- if data
- File.open(file, 'w') do |file|
- file.write(data)
- end
- else
+ unless data
File.rm(file, force: true)
+ return
+ end
+
+ temp_file = "#{file}.#{SecureRandom.hex(16)}"
+ File.open(temp_file, 'w') do |file|
+ file.write(data)
end
+ File.mv(temp_file, file, force: true)
+ ensure
+ # In case if the updating fails
+ File.rm(temp_file, force: true)
end
end
end
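Review bot: update_file calls `File.rm` and `File.mv`, which Ruby's File class does not define; they are `FileUtils` methods. Unless the project adds them to File elsewhere, both the delete path and the rename raise NoMethodError. The `ensure` clause also runs on the early `return` of the delete path, where `temp_file` is still nil, so the cleanup needs an `if temp_file` guard. The block parameter `|file|` shadows the method argument of the same name, and renaming it avoids confusion with the `file` used in the following move. Writing to a randomly named temp file and renaming it over the target is a good pattern for atomic replacement, and the sketch below keeps it.

```ruby
def update_file(file, data)
  unless data
    FileUtils.rm(file, force: true)
    return
  end

  temp_file = "#{file}.#{SecureRandom.hex(16)}"
  File.open(temp_file, 'w') do |f|
    f.write(data)
  end
  FileUtils.mv(temp_file, file, force: true)
ensure
  # temp_file is nil on the delete path; after a successful mv it is already gone
  FileUtils.rm(temp_file, force: true) if temp_file
end
```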
diff --git a/app/services/projects/update_pages_service.rb b/app/services/projects/update_pages_service.rb
index ceabd29fd52..a9979bf1e96 100644
--- a/app/services/projects/update_pages_service.rb
+++ b/app/services/projects/update_pages_service.rb
@@ -1,5 +1,6 @@
module Projects
- class UpdatePagesService < BaseService
+ class
+ UpdatePagesService < BaseService
BLOCK_SIZE = 32.kilobytes
MAX_SIZE = 1.terabyte
SITE_PATH = 'public/'
diff --git a/app/views/projects/pages/show.html.haml b/app/views/projects/pages/show.html.haml
index 52493b1959b..8b7010b75b2 100644
--- a/app/views/projects/pages/show.html.haml
+++ b/app/views/projects/pages/show.html.haml
@@ -14,9 +14,9 @@
%td
Certificate
%td
- - if @domain.x509
+ - if @domain.certificate_text
%pre
- = @domain.x509.to_text
+ = @domain.certificate_text
- else
.light
missing