Welcome to mirror list, hosted at ThFree Co, Russian Federation.

gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
summaryrefslogtreecommitdiff
path: root/app/workers/x509_issuer_crl_check_worker.rb
diff options
context:
space:
mode:
Diffstat (limited to 'app/workers/x509_issuer_crl_check_worker.rb')
-rw-r--r--app/workers/x509_issuer_crl_check_worker.rb76
1 files changed, 76 insertions, 0 deletions
diff --git a/app/workers/x509_issuer_crl_check_worker.rb b/app/workers/x509_issuer_crl_check_worker.rb
new file mode 100644
index 00000000000..5fc92da803c
--- /dev/null
+++ b/app/workers/x509_issuer_crl_check_worker.rb
@@ -0,0 +1,76 @@
+# frozen_string_literal: true
+
+class X509IssuerCrlCheckWorker
+ include ApplicationWorker
+ include CronjobQueue
+
+ feature_category :source_code_management
+ urgency :low
+
+ idempotent!
+ worker_has_external_dependencies!
+
+ attr_accessor :logger
+
+ def perform
+ @logger = Gitlab::GitLogger.build
+
+ X509Issuer.all.find_each do |issuer|
+ with_context(related_class: X509IssuerCrlCheckWorker) do
+ update_certificates(issuer)
+ end
+ end
+ end
+
+ private
+
+ def update_certificates(issuer)
+ crl = download_crl(issuer)
+ return unless crl
+
+ serials = X509Certificate.serial_numbers(issuer)
+ return if serials.empty?
+
+ revoked_serials = serials & crl.revoked.map(&:serial).map(&:to_i)
+
+ revoked_serials.each_slice(1000) do |batch|
+ certs = issuer.x509_certificates.where(serial_number: batch, certificate_status: :good) # rubocop: disable CodeReuse/ActiveRecord
+
+ certs.find_each do |cert|
+ logger.info(message: "Certificate revoked",
+ id: cert.id,
+ email: cert.email,
+ subject: cert.subject,
+ serial_number: cert.serial_number,
+ issuer: cert.x509_issuer.id,
+ issuer_subject: cert.x509_issuer.subject,
+ issuer_crl_url: cert.x509_issuer.crl_url)
+ end
+
+ certs.update_all(certificate_status: :revoked)
+ end
+ end
+
+ def download_crl(issuer)
+ response = Gitlab::HTTP.try_get(issuer.crl_url)
+
+ if response&.code == 200
+ OpenSSL::X509::CRL.new(response.body)
+ else
+ logger.warn(message: "Failed to download certificate revocation list",
+ issuer: issuer.id,
+ issuer_subject: issuer.subject,
+ issuer_crl_url: issuer.crl_url)
+
+ nil
+ end
+
+ rescue OpenSSL::X509::CRLError
+ logger.warn(message: "Failed to parse certificate revocation list",
+ issuer: issuer.id,
+ issuer_subject: issuer.subject,
+ issuer_crl_url: issuer.crl_url)
+
+ nil
+ end
+end
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-15 02:05:23 +0300