# frozen_string_literal: true

require 'resolv'

# Checks whether a Pages domain's verification code is published in DNS TXT
# records and updates the domain's `verified_at`, `enabled_until` and
# `remove_at` attributes to match the outcome.
#
# Security-relevant behaviour visible in this class:
# * When the instance-wide verification setting is off, any domain that has a
#   verification code is marked verified without a DNS lookup.
# * A lookup that raises is logged and treated as "record not present", so
#   the check fails closed. Once `enabled_until` has passed, such a failure
#   disables the domain.
# * State changes are written with `save!(validate: false)`, so model
#   validations do not run on these writes.
#
# `error`, `success`, `log_error` and `notification_service` are not defined
# here; presumably they come from BaseService (confirm against that class).
class VerifyPagesDomainService < BaseService
  # The maximum number of seconds to be spent on each DNS lookup
  RESOLVER_TIMEOUT_SECONDS = 15

  # How long a successful verification keeps the domain enabled
  VERIFICATION_PERIOD = 7.days

  # Offset applied to "now" when scheduling `remove_at` for a domain that
  # failed verification while not enabled, or that has just been disabled
  REMOVAL_DELAY = 1.week.freeze

  attr_reader :domain

  def initialize(domain)
    @domain = domain
  end

  # Runs one verification pass and returns the result of `success` or
  # `error`. A domain without a verification code is rejected up front and
  # its state is left untouched.
  def execute
    unless domain.verification_code.present?
      return error("No verification code set for #{domain.domain}")
    end

    # With verification switched off no DNS query is made at all.
    return verify_domain! unless verification_enabled?
    return verify_domain! if dns_record_present?
    return disable_domain! if expired?

    unverify_domain!
  end

  private

  # Marks the domain verified, extends its enabled window and clears any
  # scheduled removal. The previous state is captured before the write so the
  # right notification can be chosen afterwards.
  def verify_domain!
    previously_disabled = !domain.enabled?
    previously_unverified = domain.unverified?

    # Take the later of the existing deadline and a fresh verification period
    # so that a longer window already granted is never shortened.
    new_deadline = [domain.enabled_until, VERIFICATION_PERIOD.from_now].compact.max

    domain.assign_attributes(
      verified_at: Time.current,
      enabled_until: new_deadline,
      remove_at: nil
    )
    domain.save!(validate: false)

    event =
      if previously_disabled
        :enabled
      elsif previously_unverified
        :verification_succeeded
      end
    notify(event) if event

    success
  end

  # Clears `verified_at` but leaves `enabled_until` alone, so a domain that
  # is still inside its enabled window keeps serving. Removal is scheduled
  # only when the domain is not enabled and no removal date is set yet.
  def unverify_domain!
    had_been_verified = domain.verified?

    domain.assign_attributes(verified_at: nil)
    unless domain.enabled?
      domain.remove_at ||= REMOVAL_DELAY.from_now
    end
    domain.save!(validate: false)

    notify(:verification_failed) if had_been_verified

    error("Couldn't verify #{domain.domain}")
  end

  # Clears both `verified_at` and `enabled_until` and schedules removal
  # unless a removal date already exists.
  def disable_domain!
    domain.assign_attributes(verified_at: nil, enabled_until: nil)
    domain.remove_at ||= REMOVAL_DELAY.from_now
    domain.save!(validate: false)

    notify(:disabled)

    error("Couldn't verify #{domain.domain}. It is now disabled.")
  end

  # True only while `enabled_until` is set and in the past. `disable_domain!`
  # resets `enabled_until` to nil, after which this is no longer truthy.
  def expired?
    deadline = domain.enabled_until
    deadline && deadline < Time.current
  end

  # Looks for the verification code first on the domain itself and then, only
  # if that fails, on `domain.verification_domain`.
  #
  # NOTE(review): answers come from whatever resolver Resolv::DNS.open uses by
  # default and nothing here validates them (for example via DNSSEC), so the
  # result is only as trustworthy as that resolver path. Confirm this matches
  # the deployment's threat model.
  def dns_record_present?
    Resolv::DNS.open do |dns|
      dns.timeouts = RESOLVER_TIMEOUT_SECONDS

      found_on_domain = check(domain.domain, dns)
      found_on_domain || check(domain.verification_domain, dns)
    end
  end

  # Returns true when any whitespace-separated token of the TXT records for
  # `domain_name` equals the keyed or the bare verification code. Any
  # StandardError raised along the way is logged and reported as "no match".
  def check(domain_name, resolver)
    tokens = parse(txt_records(domain_name, resolver))

    tokens.any? do |token|
      token == domain.keyed_verification_code || token == domain.verification_code
    end
  rescue StandardError => err
    log_error("Failed to check TXT records on #{domain_name} for #{domain.domain}: #{err}")
    false
  end

  # Fetches the TXT resource records for `domain_name` through `resolver`.
  def txt_records(domain_name, resolver)
    record_type = Resolv::DNS::Resource::IN::TXT
    resolver.getresources(domain_name, record_type)
  end

  # Flattens TXT records into individual whitespace-separated tokens, so the
  # code may share a record with other values.
  def parse(records)
    records.flat_map { |record| record.strings.flat_map(&:split) }
  end

  def verification_enabled?
    Gitlab::CurrentSettings.pages_domain_verification_enabled?
  end

  # Logs the state change and dispatches to `pages_domain_<type>` on the
  # notification service. Nothing is logged or sent while verification is
  # switched off.
  #
  # `type` becomes part of a method name passed to `public_send`. Every call
  # site in this class passes a literal symbol; keep it that way and never
  # forward a caller-supplied value here.
  def notify(type)
    if verification_enabled?
      Gitlab::AppLogger.info("Pages domain '#{domain.domain}' changed state to '#{type}'")
      notifier_method = "pages_domain_#{type}"
      notification_service.public_send(notifier_method, domain) # rubocop:disable GitlabSecurity/PublicSend
    end
  end
end