From: INOPIAE Date: Mon, 13 May 2019 14:04:45 +0000 (+0200) Subject: add: ensure to revoke certificates if domain is deleted X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=305cf1415218d3d55a7e4106d39f35d70f09b117 add: ensure to revoke certificates if domain is deleted Make sure all certificates that are not expired containing domain are revoked if domain is deleted from user account. Related to issue 60 Change-Id: If36f5b0a22d3384a1748f55b75f7c6b588183d5c
---
diff --git a/src/club/wpia/gigi/dbObjects/Domain.java b/src/club/wpia/gigi/dbObjects/Domain.java
index 9b356e60..1d3ba17d 100644
--- a/src/club/wpia/gigi/dbObjects/Domain.java
+++ b/src/club/wpia/gigi/dbObjects/Domain.java
@@ -7,6 +7,7 @@ import java.util.List;
 import club.wpia.gigi.GigiApiException;
 import club.wpia.gigi.database.GigiPreparedStatement;
 import club.wpia.gigi.database.GigiResultSet;
+import club.wpia.gigi.dbObjects.Certificate.RevocationType;
 import club.wpia.gigi.util.DomainAssessment;
 public class Domain implements IdCachable, Verifyable {
@@ -72,6 +73,19 @@ public class Domain implements IdCachable, Verifyable {
 ps.setInt(1, id);
 ps.execute();
 }
+ LinkedList revokes = new LinkedList();
+ for (Certificate cert : fetchActiveCertificates()) {
+ revokes.add(cert.revoke(RevocationType.USER));
+ }
+ long start = System.currentTimeMillis();
+ for (Job job : revokes) {
+ int toWait = (int) (60000 + start - System.currentTimeMillis());
+ if (toWait > 0) {
+ job.waitFor(toWait);
+ } else {
+ break; // canceled... waited too log
+ }
+ }
 }
 }
diff --git a/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ b/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ
index d022c271..c4507f2e 100644
--- a/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ
+++ b/src/club/wpia/gigi/pages/account/domain/DomainManagementForm.templ
@@ -10,7 +10,7 @@ - +
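Review bot: In the second hunk of Domain.java, once the shared 60-second budget is used up the wait loop simply hits `break` and the method returns normally, so the caller is never told that certificates naming the deleted domain may still be unrevoked. The jobs were already queued by `cert.revoke(RevocationType.USER)` and may finish later, but nothing in the hunk records that outcome, and the result of `job.waitFor(toWait)` is not inspected either. I would surface the timeout instead of swallowing it, for example by replacing the `break` with `throw new GigiApiException("Revocation of certificates for the deleted domain did not finish in time.");` if the enclosing method declares that exception, or at least by logging which certificates are still pending. The enclosing method starts outside the hunk, so its signature and the statement executed before this block need to be checked when making the change.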
diff --git a/tests/club/wpia/gigi/dbObjects/TestDomain.java b/tests/club/wpia/gigi/dbObjects/TestDomain.java
new file mode 100644
index 00000000..93afd635
--- /dev/null
+++ b/tests/club/wpia/gigi/dbObjects/TestDomain.java
@@ -0,0 +1,43 @@
+package club.wpia.gigi.dbObjects;
+
+import static org.junit.Assert.*;
+
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+
+import org.junit.Test;
+
+import club.wpia.gigi.GigiApiException;
+import club.wpia.gigi.dbObjects.Certificate.CSRType;
+import club.wpia.gigi.dbObjects.Certificate.SANType;
+import club.wpia.gigi.testUtils.ManagedTest;
+
+public class TestDomain extends ManagedTest {
+
+ @Test
+ public void testDeleteDomainWithCertificate() throws GigiApiException, GeneralSecurityException, IOException, InterruptedException {
+ User u = User.getById(createVerificationUser("Kurti", "Hansel", createUniqueName() + "@email.com", TEST_PASSWORD));
+ String domain = createUniqueName() + ".org";
+ Domain d = new Domain(u, u, domain);
+ KeyPair kp = generateKeypair();
+ String key = generatePEMCSR(kp, "CN=" + domain);
+ Certificate c = new Certificate(u, u, Certificate.buildDN("CN", domain), Digest.SHA256, key, CSRType.CSR, getClientProfile(), new Certificate.SubjectAlternateName(SANType.DNS, domain));
+ c.issue(null, "2y", u).waitFor(60000);
+
+ c = new Certificate(u, u, Certificate.buildDN("CN", domain), Digest.SHA256, key, CSRType.CSR, getClientProfile(), new Certificate.SubjectAlternateName(SANType.DNS, "www." + domain));
+ c.issue(null, "2y", u).waitFor(60000);
+
+ Certificate[] certs = d.fetchActiveCertificates();
+ assertEquals(2, certs.length);
+
+ d.delete();
+
+ certs = u.getCertificates(false);
+ assertEquals(0, certs.length);
+ certs = d.fetchActiveCertificates();
+ assertEquals(0, certs.length);
+
+ }
+
+}
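Review bot: The test checks revocation only indirectly, through the lengths of `u.getCertificates(false)` and `d.fetchActiveCertificates()` after `d.delete()`, and never asserts on the certificates themselves. Because `c` is reassigned for the second certificate, the first one can no longer be inspected; keeping both references (for example `c1` and `c2`) and asserting that each one reports a revoked status would pin the property this commit is about. What the `false` argument selects is not visible in this hunk, so a short comment on that call, such as `// only certificates that are still valid (confirm against User.getCertificates)`, would make the zero-length assertion readable. The case where the wait budget in `Domain.delete()` runs out is not exercised here.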