Class: X509CertificateCredentialsValidator

Inherits:

ActiveModel::Validator

Object
ActiveModel::Validator
X509CertificateCredentialsValidator

show all

Defined in:: app/validators/x509_certificate_credentials_validator.rb

Overview

X509CertificateCredentialsValidator

Custom validator to check if certificate-attribute was signed using the private key stored in an attrebute.

This can be used as an ‘ActiveModel::Validator` as follows:

validates_with X509CertificateCredentialsValidator,
               certificate: :client_certificate,
               pkey: :decrypted_private_key,
               pass: :decrypted_passphrase

Required attributes:

certificate: The name of the accessor that returns the certificate to check
pkey: The name of the accessor that returns the private key

Optional:

pass: The name of the accessor that returns the passphrase to decrypt the
```
private key
```

Instance Method Summary collapse

#initialize(*args) ⇒ X509CertificateCredentialsValidator constructor

A new instance of X509CertificateCredentialsValidator.
#validate(record) ⇒ Object

Constructor Details

#initialize(*args) ⇒ `X509CertificateCredentialsValidator`

Returns a new instance of X509CertificateCredentialsValidator.

# File 'app/validators/x509_certificate_credentials_validator.rb', line 23

def initialize(*args)
  super

  # We can't validate if we don't have a private key or certificate attributes
  # in which case this validator is useless.
  if options[:pkey].nil? || options[:certificate].nil?
    raise 'Provide at least `certificate` and `pkey` attribute names'
  end
end

Instance Method Details

#validate(record) ⇒ `Object`

# File 'app/validators/x509_certificate_credentials_validator.rb', line 33

def validate(record)
  unless certificate = read_certificate(record)
    record.errors.add(options[:certificate], _('is not a valid X509 certificate.'))
  end

  unless private_key = read_private_key(record)
    record.errors.add(options[:pkey], _('could not read private key, is the passphrase correct?'))
  end

  return if private_key.nil? || certificate.nil?

  unless certificate.check_private_key(private_key)
    record.errors.add(options[:pkey], _('private key does not match certificate.'))
  end
end