G-Research · suprjinx · Aug 29, 2024 · Aug 26, 2024 · Aug 27, 2024 · Aug 27, 2024
diff --git a/Gemfile b/Gemfile
@@ -29,6 +29,9 @@ gem "bootsnap", require: false
 # Use Rack CORS for handling Cross-Origin Resource Sharing (CORS), making cross-origin Ajax possible
 # gem "rack-cors"
 
+# High-level app logic
+gem "interactor", "~> 3.0"
+
 # Use the vault-ruby gem to interact with HashiCorp Vault
 gem "vault"
 

diff --git a/Gemfile.lock b/Gemfile.lock
@@ -95,6 +95,7 @@ GEM
       activesupport (>= 6.1)
     i18n (1.14.5)
       concurrent-ruby (~> 1.0)
+    interactor (3.1.2)
     io-console (0.7.2)
     irb (1.14.0)
       rdoc (>= 4.0.0)
@@ -270,6 +271,7 @@ DEPENDENCIES
   bootsnap
   brakeman
   debug
+  interactor (~> 3.0)
   jwt
   puma (>= 5.0)
   rails (~> 7.2.1)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -14,9 +14,12 @@ def info
   end
 
   def authenticate_request
-    token = request.headers["Authorization"]
-    token = token.split(" ").last if token
-    @identity = Services::AuthService.new.authenticate!(token)
+    result = AuthenticateIdentity.call(request: request)
+    if result.success?
+      @identity = result.identity
+    else
+      raise AuthError.new result.message
+    end
   end
 
   private

diff --git a/app/controllers/certificates_controller.rb b/app/controllers/certificates_controller.rb
@@ -5,9 +5,13 @@ def create
     req = CertIssueRequest.new(params_permitted)
     if !req.valid?
       render json: { error: req.errors }, status: :bad_request
+    end
+    result = IssueCert.call(request: req)
+    if result.success?
+      # TODO use jbuilder to make the json
+      render json: result.cert
     else
-      cert = Services::CertificateService.new.issue_cert(req)
-      render json: cert
+      raise StandardError.new result.message
     end
   end
 

diff --git a/app/interactors/authenticate_identity.rb b/app/interactors/authenticate_identity.rb
@@ -0,0 +1,16 @@
+class AuthenticateIdentity
+  include Interactor
+
+  before do
+    token = context.request.headers["Authorization"]
+    context.token = token.split(" ").last if token
+  end
+
+  def call
+    if identity = Services::AuthService.new.authenticate!(context.token)
+      context.identity = identity
+    else
+      context.fail!(message: "Invalid token")
+    end
+  end
+end
diff --git a/app/interactors/check_policy.rb b/app/interactors/check_policy.rb
@@ -0,0 +1,6 @@
+class CheckPolicy
+  include Interactor
+
+  def call
+  end
+end
diff --git a/app/interactors/issue_cert.rb b/app/interactors/issue_cert.rb
@@ -0,0 +1,5 @@
+class IssueCert
+  include Interactor::Organizer
+
+  organize CheckPolicy, ObtainCert, Log
+end
diff --git a/app/interactors/log.rb b/app/interactors/log.rb
@@ -0,0 +1,6 @@
+class Log
+  include Interactor
+
+  def call
+  end
+end
diff --git a/app/interactors/obtain_cert.rb b/app/interactors/obtain_cert.rb
@@ -0,0 +1,11 @@
+class ObtainCert
+  include Interactor
+
+  def call
+    if cert = Services::CertificateService.new.issue_cert(context.request)
+      context.cert = cert
+    else
+      context.fail!(message: "Failed to issue certificate")
+    end
+  end
+end
diff --git a/app/models/cert_issue_request.rb b/app/models/cert_issue_request.rb
@@ -22,9 +22,22 @@ class CertIssueRequest
   validates :common_name, presence: true
   validates :format, presence: true, inclusion: { in: %w[pem der pem_bundle] }
   validates :private_key_format, presence: true, inclusion: { in: %w[pem der pkcs8] }
-
+  validates :ttl, numericality: {
+              less_than_or_equal_to: Rails.configuration.astral[:cert_ttl],
+              greater_than: 0
+            }
+  validate :validate_no_wildcards
 
   def fqdns
     alt_names + [ common_name ]
   end
+
+  def validate_no_wildcards
+    if common_name.present?
+      errors.add(:common_name, "cannot be a wildcard") if common_name.start_with? "*"
+    end
+    alt_names.each do |fqdn|
+      errors.add(:alt_names, "cannot include a wildcard") if fqdn.start_with? "*"
+    end
+  end
 end
diff --git a/test/interactors/authenticate_identity_test.rb b/test/interactors/authenticate_identity_test.rb
@@ -0,0 +1,30 @@
+require "test_helper"
+
+class AuthenticateIdentityTest < ActiveSupport::TestCase
+  def setup
+    @interactor = AuthenticateIdentity
+    @identity = Identity.new(subject: "[email protected]", groups: [ "admin_group" ])
+  end
+
+  test "successful authentication" do
+    request = OpenStruct.new(headers: { "Authorization" => "Bearer valid_token" })
+    srv = Minitest::Mock.new
+    srv.expect :authenticate!, @identity, [ "valid_token" ]
+    Services::AuthService.stub :new, srv do
+      context = @interactor.call(request: request)
+      assert context.success?
+      assert_equal @identity, context.identity
+    end
+  end
+
+  test "failed authentication" do
+    request = OpenStruct.new(headers: { "Authorization" => "Bearer invalid_token" })
+    srv = Minitest::Mock.new
+    srv.expect :authenticate!, nil, [ "invalid_token" ]
+    Services::AuthService.stub :new, srv do
+      context = @interactor.call(request: request)
+      assert_not context.success?
+      assert_nil context.identity
+    end
+  end
+end
diff --git a/test/interactors/obtain_cert_test.rb b/test/interactors/obtain_cert_test.rb
@@ -0,0 +1,30 @@
+require "test_helper"
+
+class ObtainCertTest < ActiveSupport::TestCase
+  def setup
+    @interactor = ObtainCert
+    @cert = OpenStruct.new(certificate: "certificate", ca_chain: "ca_chain")
+  end
+
+  test "successful issue" do
+    request = CertIssueRequest.new
+    srv = Minitest::Mock.new
+    srv.expect :issue_cert, @cert, [ request ]
+    Services::CertificateService.stub :new, srv do
+      context = @interactor.call(request: request)
+      assert context.success?
+      assert_equal @cert, context.cert
+    end
+  end
+
+  test "unsuccessful issue" do
+    request = CertIssueRequest.new
+    srv = Minitest::Mock.new
+    srv.expect :issue_cert, nil, [ request ]
+    Services::CertificateService.stub :new, srv do
+      context = @interactor.call(request: request)
+      assert context.failure?
+      assert_equal nil, context.cert
+    end
+  end
+end