authorDiego Louzán <diego.louzan.ext@siemens.com>2019-07-10 21:40:28 +0200
committerDiego Louzán <diego.louzan.ext@siemens.com>2019-08-20 16:13:32 +0200
commit0dcb9d21efc1db97765d82ee39a0f0905ba945ba (patch)
tree48b0fa42bbe0186e28758ba496f45ef11972aed6 /config
parentd8966abd20c860d2f30141f3647f2b81f70b683d (diff)
downloadgitlab-ce-0dcb9d21efc1db97765d82ee39a0f0905ba945ba.tar.gz
feat: SMIME signed notification emails
- Add mail interceptor that signs outgoing email with SMIME - Add lib and helpers to work with SMIME data - New configuration params for setting up SMIME key and cert files
Diffstat (limited to 'config')
-rw-r--r--config/gitlab.yml.example9
-rw-r--r--config/initializers/1_settings.rb2
-rw-r--r--config/initializers/action_mailer_hooks.rb5
-rw-r--r--config/smime_signature_settings.rb11
4 files changed, 27 insertions, 0 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 226f2ec3722..2f6658594cc 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -95,6 +95,15 @@ production: &base
email_display_name: GitLab
email_reply_to: noreply@example.com
email_subject_suffix: ''
+ email_smime:
+ # Uncomment and set to true if you need to enable email S/MIME signing (default: false)
+ # enabled: false
+ # S/MIME private key file in PEM format, unencrypted
+ # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
+ # key_file: /home/git/gitlab/.gitlab_smime_key
+ # S/MIME public certificate key in PEM format, will be attached to signed messages
+ # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
+ # cert_file: /home/git/gitlab/.gitlab_smime_cert
# Email server smtp settings are in config/initializers/smtp_settings.rb.sample
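Review bot: The `key_file` comment states that the private key is stored unencrypted but gives no guidance on protecting the file, and anyone who can read it can produce mail signed as this instance. I would add a line such as `# The key file must be readable only by the user that runs GitLab (e.g. mode 0400).` under that comment. The `cert_file` comment's "public certificate key" is ambiguous between a certificate and a key; `# S/MIME certificate file in PEM format, will be attached to signed messages` reads more clearly. The `production: &base` section continues outside the hunk.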
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 828732126b6..fdc6b0a05ab 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -1,5 +1,6 @@
require_relative '../settings'
require_relative '../object_store_settings'
+require_relative '../smime_signature_settings'
# Default settings
Settings['ldap'] ||= Settingslogic.new({})
@@ -171,6 +172,7 @@ Settings.gitlab['email_from'] ||= ENV['GITLAB_EMAIL_FROM'] || "gitlab@#{Settings
Settings.gitlab['email_display_name'] ||= ENV['GITLAB_EMAIL_DISPLAY_NAME'] || 'GitLab'
Settings.gitlab['email_reply_to'] ||= ENV['GITLAB_EMAIL_REPLY_TO'] || "noreply@#{Settings.gitlab.host}"
Settings.gitlab['email_subject_suffix'] ||= ENV['GITLAB_EMAIL_SUBJECT_SUFFIX'] || ""
+Settings.gitlab['email_smime'] = SmimeSignatureSettings.parse(Settings.gitlab['email_smime'])
Settings.gitlab['base_url'] ||= Settings.__send__(:build_base_gitlab_url)
Settings.gitlab['url'] ||= Settings.__send__(:build_gitlab_url)
Settings.gitlab['user'] ||= 'git'
diff --git a/config/initializers/action_mailer_hooks.rb b/config/initializers/action_mailer_hooks.rb
index f1b3c1f8ae8..02ca6ef13bf 100644
--- a/config/initializers/action_mailer_hooks.rb
+++ b/config/initializers/action_mailer_hooks.rb
@@ -10,3 +10,8 @@ ActionMailer::Base.register_interceptors(
)
ActionMailer::Base.register_observer(::Gitlab::Email::Hook::DeliveryMetricsObserver)
+
+if Gitlab.config.gitlab.email_enabled && Gitlab.config.gitlab.email_smime.enabled
+ ActionMailer::Base.register_interceptor(::Gitlab::Email::Hook::SmimeSignatureInterceptor)
+ Gitlab::AppLogger.debug "S/MIME signing of outgoing emails enabled"
+end
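Review bot: Nothing in the added `if` block checks that `email_smime.key_file` and `email_smime.cert_file` exist and are readable before the interceptor is registered. A wrong path or bad permissions would therefore presumably surface only when the first mail is signed; the interceptor itself is outside this diff, so that is inferred. A boot-time guard such as `raise "S/MIME key or certificate file is not readable" unless [smime.key_file, smime.cert_file].all? { |f| File.readable?(f) }` would fail fast, with `smime` bound to `Gitlab.config.gitlab.email_smime`. The confirmation is also written at debug level, which production log levels commonly drop; `Gitlab::AppLogger.info` would leave an operator-visible record that signing is active.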
diff --git a/config/smime_signature_settings.rb b/config/smime_signature_settings.rb
new file mode 100644
index 00000000000..3d19db84c19
--- /dev/null
+++ b/config/smime_signature_settings.rb
@@ -0,0 +1,11 @@
+# Set default values for email_smime settings
+class SmimeSignatureSettings
+ def self.parse(email_smime)
+ email_smime ||= Settingslogic.new({})
+ email_smime['enabled'] = false unless email_smime['enabled']
+ email_smime['key_file'] ||= Rails.root.join('.gitlab_smime_key')
+ email_smime['cert_file'] ||= Rails.root.join('.gitlab_smime_cert')
+
+ email_smime
+ end
+end
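Review bot: The defaults assigned on the `key_file` and `cert_file` lines are `Pathname` objects from `Rails.root.join`, whereas a path set in gitlab.yml arrives as a String, so consumers see two types for the same setting. Appending `.to_s`, as in `email_smime['key_file'] ||= Rails.root.join('.gitlab_smime_key').to_s`, keeps it uniform. `parse` also lacks a doc comment on its contract; I would add `# Fills in defaults for a possibly nil email_smime section; modifies the given object in place and returns it.` above `def self.parse`. As a style point, the new file could start with `# frozen_string_literal: true`.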