summaryrefslogtreecommitdiff
path: root/config
diff options
context:
space:
mode:
authorDrew Blessing <drew@gitlab.com>2018-05-29 15:33:13 -0500
committerDrew Blessing <drew@blessing.io>2019-03-04 10:27:43 -0600
commitf6350faca1a9680c3ab8f68a05f289c89a4a2272 (patch)
treeab808414294048953eb33f746e93c59ae82bb329 /config
parentbc4ee49ecb1e562543cd196e51eac9a61c016de3 (diff)
downloadgitlab-ce-f6350faca1a9680c3ab8f68a05f289c89a4a2272.tar.gz
Allow raw `tls_options` to be passed in LDAP configuration
We've previously exposed ca_file and ssl_version but there are many possible options that can be used inside tls_options. Instead of exposing individual ones, simply expose the entire hash so it can be passed in and we won't have to add things in the future.
Diffstat (limited to 'config')
-rw-r--r--config/gitlab.yml.example65
-rw-r--r--config/initializers/1_settings.rb18
2 files changed, 68 insertions, 15 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 1a5b9ec3f02..2ad992a059c 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -379,19 +379,54 @@ production: &base
# "start_tls" or "simple_tls". Defaults to true.
verify_certificates: true
- # Specifies the path to a file containing a PEM-format CA certificate,
- # e.g. if you need to use an internal CA.
- #
- # Example: '/etc/ca.pem'
- #
- ca_file: ''
-
- # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
- # is not appropriate.
- #
- # Example: 'TLSv1_1'
- #
- ssl_version: ''
+ # OpenSSL::SSL::SSLContext options.
+ tls_options:
+ # Specifies the path to a file containing a PEM-format CA certificate,
+ # e.g. if you need to use an internal CA.
+ #
+ # Example: '/etc/ca.pem'
+ #
+ ca_file: ''
+
+ # Specifies the SSL version for OpenSSL to use, if the OpenSSL default
+ # is not appropriate.
+ #
+ # Example: 'TLSv1_1'
+ #
+ ssl_version: ''
+
+ # Specific SSL ciphers to use in communication with LDAP servers.
+ #
+ # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2'
+ ciphers: ''
+
+ # Client certificate
+ #
+ # Example:
+ # cert: |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ
+ # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE
+ # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4
+ # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
+ # ...
+ # 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80
+ # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg==
+ # -----END CERTIFICATE -----
+ cert: ''
+
+ # Client private key
+ # key: |
+ # -----BEGIN PRIVATE KEY-----
+ # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6
+ # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN
+ # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C
+ # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl
+ # ...
+ # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9
+ # l6RG+a/mW+0rCWn8JAd464Ps9hE=
+ # -----END PRIVATE KEY-----
+ key: ''
# Set a timeout, in seconds, for LDAP queries. This helps avoid blocking
# a request if the LDAP server becomes unresponsive.
@@ -653,8 +688,8 @@ production: &base
# # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional
# # encryption: 'AES256'
# # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional
- # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
- # # 'encryption' must also be set in order for this to have any effect.
+ # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data.
+ # # 'encryption' must also be set in order for this to have any effect.
# # encryption_key: '<base64 key>'
# # Specifies Amazon S3 storage class to use for backups, this is optional
# # storage_class: 'STANDARD'
diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb
index 1344b3cb1f6..03800f3d9d2 100644
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -40,6 +40,24 @@ if Settings.ldap['enabled'] || Rails.env.test?
# Since GitLab 10.0, verify_certificates defaults to true for security.
server['verify_certificates'] = true if server['verify_certificates'].nil?
+ # Expose ability to set `tls_options` directly. Deprecate `ca_file` and
+ # `ssl_version` in favor of `tls_options` hash option.
+ server['tls_options'] ||= {}
+
+ if server['ssl_version'] || server['ca_file']
+ Rails.logger.warn 'DEPRECATED: LDAP options `ssl_version` and `ca_file` should be nested within `tls_options`'
+ end
+
+ if server['ssl_version']
+ server['tls_options']['ssl_version'] ||= server['ssl_version']
+ server.delete('ssl_version')
+ end
+
+ if server['ca_file']
+ server['tls_options']['ca_file'] ||= server['ca_file']
+ server.delete('ca_file')
+ end
+
Settings.ldap['servers'][key] = server
end
end