author | Michael Kozono <mkozono@gmail.com> | 2017-06-08 16:57:13 -0700 |
---|---|---|
committer | Michael Kozono <mkozono@gmail.com> | 2017-06-09 09:48:32 -0700 |
commit | 60c5e2155f970f965002972c15b620590c421cb2 (patch) | |
tree | c07dd5b56c952a3ecfbb95ba83f4fb54b212b929 | |
parent | 1660045321cf616bf2c519f2f3ad17e6d4436de9 (diff) | |
download | gitlab-ce-60c5e2155f970f965002972c15b620590c421cb2.tar.gz |
Set `Net::LDAP` `ca_file` option
-rw-r--r-- | lib/gitlab/ldap/config.rb | 20 | ||||
-rw-r--r-- | spec/lib/gitlab/ldap/config_spec.rb | 30 |
2 files changed, 45 insertions, 5 deletions
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index 383e0a09e42..983c79a6364 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -179,11 +179,21 @@ module Gitlab
 end
 
 def tls_options(method)
- if method && options['verify_certificates']
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
- else
- { verify_mode: OpenSSL::SSL::VERIFY_NONE }
- end
+ return { verify_mode: OpenSSL::SSL::VERIFY_NONE } unless method
+
+ opts = if options['verify_certificates']
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+ else
+ # It is important to explicitly set verify_mode for two reasons:
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+ # 2. The net-ldap gem implementation verifies the certificate hostname
+ # unless verify_mode is set to VERIFY_NONE.
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+ end
+
+ opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+
+ opts
 end
 
 def auth_options
diff --git a/spec/lib/gitlab/ldap/config_spec.rb b/spec/lib/gitlab/ldap/config_spec.rb
index bbd4da58252..4544a38876c 100644
--- a/spec/lib/gitlab/ldap/config_spec.rb
+++ b/spec/lib/gitlab/ldap/config_spec.rb
@@ -138,6 +138,36 @@ describe Gitlab::LDAP::Config, lib: true do
 })
 end
 end
+
+ context 'when ca_file is specified' do
+ it 'passes it through in tls_options' do
+ stub_ldap_config(
+ options: {
+ 'host' => 'ldap.example.com',
+ 'port' => 686,
+ 'encryption' => 'simple_tls',
+ 'ca_file' => '/etc/ca.pem'
+ }
+ )
+
+ expect(config.adapter_options[:encryption][:tls_options]).to include({ ca_file: '/etc/ca.pem' })
+ end
+ end
+
+ context 'when ca_file is a blank string' do
+ it 'does not add the ca_file key to tls_options' do
+ stub_ldap_config(
+ options: {
+ 'host' => 'ldap.example.com',
+ 'port' => 686,
+ 'encryption' => 'simple_tls',
+ 'ca_file' => ' '
+ }
+ )
+
+ expect(config.adapter_options[:encryption][:tls_options]).not_to have_key(:ca_file)
+ end
+ end
 end
 
 describe '#omniauth_options' do
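Review bot: In the `verify_certificates` branch `opts` is the constant `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` itself, so the later `opts[:ca_file] = options['ca_file']` line mutates that process-wide hash rather than a per-config copy: every subsequent SSL context built from the constant, and any other LDAP server entry that omits `ca_file`, silently inherits the first `ca_file` written (or, if the installed openssl freezes the constant, the assignment raises). Copy it before mutating: `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup`. The `ca_file` is also attached on the `VERIFY_NONE` branch, where it has no effect on verification; that is harmless, but a one-line comment such as `# ca_file only influences verification when verify_mode is VERIFY_PEER` would make the intent explicit. The whole of `tls_options` is inside the hunk.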
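Review bot: Neither new example sets `'verify_certificates' => true`, so (assuming `stub_ldap_config` does not turn it on by default) both run through the `VERIFY_NONE` branch where `ca_file` has no effect, and the branch that actually consumes the CA file — `DEFAULT_PARAMS` with peer verification — is left untested. Add a third context with `'verify_certificates' => true, 'ca_file' => '/etc/ca.pem'` asserting that `tls_options` includes both `ca_file: '/etc/ca.pem'` and `verify_mode: OpenSSL::SSL::VERIFY_PEER`. Building a second config without `ca_file` in the same example and asserting it lacks the key would also catch the `ca_file` leaking between configs through a shared `DEFAULT_PARAMS` hash. The enclosing `describe` block starts outside the hunk.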