verify_pages_domain_service.rb 2.95 KB
# frozen_string_literal: true

require 'resolv'

# Decides whether a Pages custom domain is still proven to belong to its
# owner by looking for the domain's verification code in DNS TXT records,
# then records the outcome on the domain and notifies about state changes.
#
# Points a reviewer should keep in mind:
# * When the instance-wide verification setting is off, `execute` marks the
#   domain verified without performing any DNS lookup.
# * Every write uses `save!(validate: false)`, so model validations do not
#   run on the state changes made here.
# * Any error raised while looking up or comparing TXT records is logged and
#   treated the same as "record not found" (see `check`).
class VerifyPagesDomainService < BaseService
  # Timeout, in seconds, handed to the resolver for DNS lookups
  RESOLVER_TIMEOUT_SECONDS = 15

  # How long a successful verification keeps the domain enabled
  VERIFICATION_PERIOD = 7.days

  # How long after a failed verification a domain is scheduled for removal
  REMOVAL_DELAY = 1.week.freeze

  attr_reader :domain

  def initialize(domain)
    @domain = domain
  end

  # Runs one verification pass and returns the result of `success` or
  # `error`. A domain without a verification code is rejected up front, so
  # an empty code can never be "matched" against DNS.
  def execute
    unless domain.verification_code.present?
      return error("No verification code set for #{domain.domain}")
    end

    # The DNS lookup is short-circuited away when verification is disabled.
    return verify_domain! if !verification_enabled? || dns_record_present?
    return disable_domain! if expired?

    unverify_domain!
  end

  private

  # Marks the domain verified, (re)starts its enabled window and clears any
  # scheduled removal.
  def verify_domain!
    previously_disabled = !domain.enabled?
    previously_unverified = domain.unverified?

    # Take the later of the existing deadline and a fresh period so that a
    # grace period already granted is never shortened.
    enabled_deadline = [domain.enabled_until, VERIFICATION_PERIOD.from_now].compact.max

    domain.assign_attributes(verified_at: Time.now, enabled_until: enabled_deadline, remove_at: nil)
    domain.save!(validate: false)

    # "enabled" takes precedence over "verification succeeded".
    event =
      if previously_disabled
        :enabled
      elsif previously_unverified
        :verification_succeeded
      end
    notify(event) if event

    success
  end

  # Clears the verified timestamp while leaving `enabled_until` untouched.
  # Removal is only scheduled when the domain is not enabled, and an
  # already-set `remove_at` is kept.
  def unverify_domain!
    previously_verified = domain.verified?

    domain.assign_attributes(verified_at: nil)
    unless domain.enabled?
      domain.remove_at ||= REMOVAL_DELAY.from_now
    end
    domain.save!(validate: false)

    notify(:verification_failed) if previously_verified

    error("Couldn't verify #{domain.domain}")
  end

  # Clears both the verified timestamp and the enabled window, and schedules
  # removal unless a removal time is already set.
  def disable_domain!
    domain.assign_attributes(verified_at: nil, enabled_until: nil)
    domain.remove_at ||= REMOVAL_DELAY.from_now
    domain.save!(validate: false)

    notify(:disabled)

    error("Couldn't verify #{domain.domain}. It is now disabled.")
  end

  # True only while `enabled_until` is set and in the past. `disable_domain!`
  # clears `enabled_until`, so a domain stops being "expired" once disabled.
  def expired?
    deadline = domain.enabled_until
    deadline && deadline < Time.now
  end

  # Looks for the code on the domain itself first, then on its dedicated
  # verification domain. `Resolv::DNS.open` is called without arguments, so
  # the answers come from whatever resolver the host is configured with.
  def dns_record_present?
    Resolv::DNS.open do |resolver|
      resolver.timeouts = RESOLVER_TIMEOUT_SECONDS

      check(domain.domain, resolver) || check(domain.verification_domain, resolver)
    end
  end

  # Returns true when any whitespace-separated token of any TXT record on
  # `domain_name` equals the keyed or the bare verification code.
  #
  # Every StandardError is rescued, logged and reported as "not present".
  # A resolver failure is therefore indistinguishable from a missing record
  # and sends `execute` down the unverify/disable path.
  def check(domain_name, resolver)
    parse(txt_records(domain_name, resolver)).any? do |token|
      token == domain.keyed_verification_code || token == domain.verification_code
    end
  rescue => e
    log_error("Failed to check TXT records on #{domain_name} for #{domain.domain}: #{e}")
    false
  end

  # Fetches the TXT resource records for `domain_name`.
  def txt_records(domain_name, resolver)
    resolver.getresources(domain_name, Resolv::DNS::Resource::IN::TXT)
  end

  # Flattens TXT records into individual whitespace-separated tokens.
  def parse(records)
    records.flat_map { |record| record.strings.flat_map(&:split) }
  end

  def verification_enabled?
    Gitlab::CurrentSettings.pages_domain_verification_enabled?
  end

  # Logs the state change and dispatches the matching notification. Nothing
  # is logged or sent while verification is disabled.
  #
  # `type` is interpolated into the name of the method that is invoked, so
  # it must only ever be a fixed symbol; every call site in this class
  # passes a literal.
  def notify(type)
    if verification_enabled?
      Gitlab::AppLogger.info("Pages domain '#{domain.domain}' changed state to '#{type}'")

      handler = "pages_domain_#{type}"
      notification_service.public_send(handler, domain) # rubocop:disable GitlabSecurity/PublicSend
    end
  end
end