Class: FrontEndBuilds::Pubkey

Inherits:

ActiveRecord::Base

• Object
• ActiveRecord::Base
• FrontEndBuilds::Pubkey

Defined in:

app/models/front_end_builds/pubkey.rb

Instance Method Summary

• #fingerprint ⇒ Object
• #last_build ⇒ Object
• #serialize ⇒ Object
• #ssh_pubkey? ⇒ Boolean
• #to_rsa_pkey ⇒ Object

  Public: In order to verify a signature we need the key to be an OpenSSL RSA PKey and not a string that you would find in an ssh pubkey key.

• #verify(build) ⇒ Object

  Public: Will verify that the sigurate has access to deploy the build object.

Instance Method Details

#fingerprint ⇒ Object

# File 'app/models/front_end_builds/pubkey.rb', line 17

def fingerprint
  content = pubkey.split(/\s/)[1]

  if content
    Digest::MD5.hexdigest(Base64.decode64(content))
      .scan(/.{1,2}/)
      .join(":")
  else
    'Unknown'
  end
end

#last_build ⇒ Object

# File 'app/models/front_end_builds/pubkey.rb', line 83

def last_build
  builds
    .order('created_at desc')
    .limit(1)
    .first
end

#serialize ⇒ Object

# File 'app/models/front_end_builds/pubkey.rb', line 90

def serialize
  {
    id: id,
    name: name,
    fingerprint: fingerprint,
    lastUsedAt: last_build.try(:created_at)
  }
end

#ssh_pubkey? ⇒ Boolean

Returns:

• (Boolean)

# File 'app/models/front_end_builds/pubkey.rb', line 29

def ssh_pubkey?
  (type, b64, _) = pubkey.split(/\s/)
  %w{ssh-rsa ssh-dss}.include?(type) && b64.present?
end

#to_rsa_pkey ⇒ Object

Public: In order to verify a signature we need the key to be an OpenSSL RSA PKey and not a string that you would find in an ssh pubkey key. Most people are going to be adding ssh public keys to their build system, this method will covert them to OpenSSL RSA if needed.

# File 'app/models/front_end_builds/pubkey.rb', line 38

def to_rsa_pkey
  FrontEndBuilds::Utils::SSHPubKeyConvert
    .convert(pubkey)
end

#verify(build) ⇒ Object

Public: Will verify that the sigurate has access to deploy the build object. The signature includes the endpoint and app name.

Returns boolean

# File 'app/models/front_end_builds/pubkey.rb', line 47

def verify(build)
  # TODO might as well cache this and store in the db so we dont have to
  # convert every time
  pkey = to_rsa_pkey
  signature = Base64.decode64(build.signature)
  digest = OpenSSL::Digest::SHA256.new

  # If the user submits html were going to expect the
  # signature to match the html they are submitting.
  # However, if the user gives a url where we can download
  # the html, we're going to expect the signature to match
  # the app name and the url.
  if build.endpoint.present?
    expected = "#{build.app.name}-#{build.endpoint}"
  else
    expected = build.html
  end

  match = expected &&
    signature &&
    pkey.verify(digest, signature, expected)
  # Bug in ruby's OpenSSL implementation.
  # SSL connection with PostgreSQL can fail, after a call to
  # OpenSSL::X509::Certificate#verify with result 'false'. Root cause is
  # the thread local error queue of OpenSSL, that is used to transmit
  # textual error messages to the application after a failed crypto
  # operation. A failure in Certificate#verify leaves some messages on the
  # error queue, which can lead to errors in a SSL communication of other
  # parts of the application. The only solution at the moment is running:
  # OpenSSL.errors.clear after certificate verifying. This clears OpenSSL
  # errors array and keeps database connection alive.
  # From https://bugs.ruby-lang.org/issues/7215
  OpenSSL.errors.clear
  match # return true/false
end