diff options
author | Drew Blessing <drew@gitlab.com> | 2018-05-29 15:33:13 -0500 |
---|---|---|
committer | Drew Blessing <drew@blessing.io> | 2019-03-04 10:27:43 -0600 |
commit | f6350faca1a9680c3ab8f68a05f289c89a4a2272 (patch) | |
tree | ab808414294048953eb33f746e93c59ae82bb329 /config | |
parent | bc4ee49ecb1e562543cd196e51eac9a61c016de3 (diff) | |
download | gitlab-ce-f6350faca1a9680c3ab8f68a05f289c89a4a2272.tar.gz |
Allow raw `tls_options` to be passed in LDAP configuration
We've previously exposed ca_file and ssl_version but there are many
possible options that can be used inside tls_options. Instead of
exposing individual ones, simply expose the entire hash so it can
be passed in and we won't have to add things in the future.
Diffstat (limited to 'config')
-rw-r--r-- | config/gitlab.yml.example | 65 | ||||
-rw-r--r-- | config/initializers/1_settings.rb | 18 |
2 files changed, 68 insertions, 15 deletions
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example index 1a5b9ec3f02..2ad992a059c 100644 --- a/config/gitlab.yml.example +++ b/config/gitlab.yml.example @@ -379,19 +379,54 @@ production: &base # "start_tls" or "simple_tls". Defaults to true. verify_certificates: true - # Specifies the path to a file containing a PEM-format CA certificate, - # e.g. if you need to use an internal CA. - # - # Example: '/etc/ca.pem' - # - ca_file: '' - - # Specifies the SSL version for OpenSSL to use, if the OpenSSL default - # is not appropriate. - # - # Example: 'TLSv1_1' - # - ssl_version: '' + # OpenSSL::SSL::SSLContext options. + tls_options: + # Specifies the path to a file containing a PEM-format CA certificate, + # e.g. if you need to use an internal CA. + # + # Example: '/etc/ca.pem' + # + ca_file: '' + + # Specifies the SSL version for OpenSSL to use, if the OpenSSL default + # is not appropriate. + # + # Example: 'TLSv1_1' + # + ssl_version: '' + + # Specific SSL ciphers to use in communication with LDAP servers. + # + # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2' + ciphers: '' + + # Client certificate + # + # Example: + # cert: | + # -----BEGIN CERTIFICATE----- + # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ + # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE + # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4 + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... + # 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80 + # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg== + # -----END CERTIFICATE ----- + cert: '' + + # Client private key + # key: | + # -----BEGIN PRIVATE KEY----- + # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6 + # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN + # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... + # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9 + # l6RG+a/mW+0rCWn8JAd464Ps9hE= + # -----END PRIVATE KEY----- + key: '' # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking # a request if the LDAP server becomes unresponsive. @@ -653,8 +688,8 @@ production: &base # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional # # encryption: 'AES256' # # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional - # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. - # # 'encryption' must also be set in order for this to have any effect. + # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. + # # 'encryption' must also be set in order for this to have any effect. # # encryption_key: '<base64 key>' # # Specifies Amazon S3 storage class to use for backups, this is optional # # storage_class: 'STANDARD' diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 1344b3cb1f6..03800f3d9d2 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb @@ -40,6 +40,24 @@ if Settings.ldap['enabled'] || Rails.env.test? # Since GitLab 10.0, verify_certificates defaults to true for security. server['verify_certificates'] = true if server['verify_certificates'].nil? + # Expose ability to set `tls_options` directly. Deprecate `ca_file` and + # `ssl_version` in favor of `tls_options` hash option. + server['tls_options'] ||= {} + + if server['ssl_version'] || server['ca_file'] + Rails.logger.warn 'DEPRECATED: LDAP options `ssl_version` and `ca_file` should be nested within `tls_options`' + end + + if server['ssl_version'] + server['tls_options']['ssl_version'] ||= server['ssl_version'] + server.delete('ssl_version') + end + + if server['ca_file'] + server['tls_options']['ca_file'] ||= server['ca_file'] + server.delete('ca_file') + end + Settings.ldap['servers'][key] = server end end |