authorMichael Kozono <mkozono@gmail.com>2017-06-08 16:57:13 -0700
committerMichael Kozono <mkozono@gmail.com>2017-06-09 09:48:32 -0700
commit60c5e2155f970f965002972c15b620590c421cb2 (patch)
treec07dd5b56c952a3ecfbb95ba83f4fb54b212b929
parent1660045321cf616bf2c519f2f3ad17e6d4436de9 (diff)
downloadgitlab-ce-60c5e2155f970f965002972c15b620590c421cb2.tar.gz
Set `Net::LDAP` `ca_file` option
-rw-r--r--lib/gitlab/ldap/config.rb20
-rw-r--r--spec/lib/gitlab/ldap/config_spec.rb30
2 files changed, 45 insertions, 5 deletions
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index 383e0a09e42..983c79a6364 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -179,11 +179,21 @@ module Gitlab
end
def tls_options(method)
- if method && options['verify_certificates']
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
- else
- { verify_mode: OpenSSL::SSL::VERIFY_NONE }
- end
+ return { verify_mode: OpenSSL::SSL::VERIFY_NONE } unless method
+
+ opts = if options['verify_certificates']
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+ else
+ # It is important to explicitly set verify_mode for two reasons:
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+ # 2. The net-ldap gem implementation verifies the certificate hostname
+ # unless verify_mode is set to VERIFY_NONE.
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+ end
+
+ opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+
+ opts
end
def auth_options
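Review bot: In the `verify_certificates` branch `opts` is bound directly to `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`, so the later `opts[:ca_file] = options['ca_file']` writes into that process-wide constant hash rather than into a per-call copy; unless the Ruby build in use freezes that hash (in which case the assignment raises on the first connection), the configured `ca_file` leaks into every subsequent SSL context built from `DEFAULT_PARAMS` in the process and a later LDAP server definition silently overwrites an earlier one's trust anchor. Take a copy before mutating, e.g. `opts = if options['verify_certificates'] then OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup else { verify_mode: OpenSSL::SSL::VERIFY_NONE } end`, or replace the key assignment with `opts = opts.merge(ca_file: options['ca_file']) if options['ca_file'].present?`. It is also worth a one-line comment above the `ca_file` assignment noting that with `verify_mode: VERIFY_NONE` the file is passed through but has no effect on the handshake, so an operator who sets `ca_file` without `verify_certificates` is not getting the verification they may expect. The spec hunk in this commit only checks key presence under `simple_tls`, so neither the shared-constant mutation nor the VERIFY_NONE case is covered.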
diff --git a/spec/lib/gitlab/ldap/config_spec.rb b/spec/lib/gitlab/ldap/config_spec.rb
index bbd4da58252..4544a38876c 100644
--- a/spec/lib/gitlab/ldap/config_spec.rb
+++ b/spec/lib/gitlab/ldap/config_spec.rb
@@ -138,6 +138,36 @@ describe Gitlab::LDAP::Config, lib: true do
})
end
end
+
+ context 'when ca_file is specified' do
+ it 'passes it through in tls_options' do
+ stub_ldap_config(
+ options: {
+ 'host' => 'ldap.example.com',
+ 'port' => 686,
+ 'encryption' => 'simple_tls',
+ 'ca_file' => '/etc/ca.pem'
+ }
+ )
+
+ expect(config.adapter_options[:encryption][:tls_options]).to include({ ca_file: '/etc/ca.pem' })
+ end
+ end
+
+ context 'when ca_file is a blank string' do
+ it 'does not add the ca_file key to tls_options' do
+ stub_ldap_config(
+ options: {
+ 'host' => 'ldap.example.com',
+ 'port' => 686,
+ 'encryption' => 'simple_tls',
+ 'ca_file' => ' '
+ }
+ )
+
+ expect(config.adapter_options[:encryption][:tls_options]).not_to have_key(:ca_file)
+ end
+ end
end
describe '#omniauth_options' do