Merge remote-tracking branch 'dev/master'

# Conflicts: # Gemfile # Gemfile.lock
author: Douwe Maan <douwe@selenight.nl> 2017-07-26 14:47:50 +0200
committer: Douwe Maan <douwe@selenight.nl> 2017-07-26 14:47:50 +0200
commit: d29598e69190d6bc3a7d3cea44892d2db69d20e0 (patch)
tree: 7b130b29dd5c4042846b51791ce1e09d7ea48326 /lib
parent: 5f35901a01ff822ba1e637251d9726a41e73ed17 (diff)
parent: 2f825cad72cfc6fd25df3a57c5f3c138bb47f89d (diff)
download: gitlab-ce-d29598e69190d6bc3a7d3cea44892d2db69d20e0.tar.gz
1 files changed, 44 insertions, 12 deletions
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index 6fdf68641e2..8eda3ea03f9 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -2,6 +2,12 @@
 module Gitlab
   module LDAP
     class Config
+      NET_LDAP_ENCRYPTION_METHOD = {
+        simple_tls: :simple_tls,
+        start_tls:  :start_tls,
+        plain:      nil
+      }.freeze
+
       attr_accessor :provider, :options
 
       def self.enabled?
@@ -39,7 +45,7 @@ module Gitlab
 
       def adapter_options
         opts = base_options.merge(
-          encryption: encryption
+          encryption: encryption_options
         )
 
         opts.merge!(auth_options) if has_auth?
@@ -50,9 +56,10 @@ module Gitlab
       def omniauth_options
         opts = base_options.merge(
           base: base,
-          method: options['method'],
+          encryption: options['encryption'],
           filter: omniauth_user_filter,
-          name_proc: name_proc
+          name_proc: name_proc,
+          disable_verify_certificates: !options['verify_certificates']
         )
 
         if has_auth?
@@ -62,6 +69,9 @@ module Gitlab
           )
         end
 
+        opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+        opts[:ssl_version] = options['ssl_version'] if options['ssl_version'].present?
+
         opts
       end
 
@@ -157,15 +167,37 @@ module Gitlab
         base_config.servers.values.find { |server| server['provider_name'] == provider }
       end
 
-      def encryption
-        case options['method'].to_s
-        when 'ssl'
-          :simple_tls
-        when 'tls'
-          :start_tls
-        else
-          nil
-        end
+      def encryption_options
+        method = translate_method(options['encryption'])
+        return nil unless method
+
+        {
+          method: method,
+          tls_options: tls_options(method)
+        }
+      end
+
+      def translate_method(method_from_config)
+        NET_LDAP_ENCRYPTION_METHOD[method_from_config.to_sym]
+      end
+
+      def tls_options(method)
+        return { verify_mode: OpenSSL::SSL::VERIFY_NONE } unless method
+
+        opts = if options['verify_certificates']
+                 OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+               else
+                 # It is important to explicitly set verify_mode for two reasons:
+                 # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+                 # 2. The net-ldap gem implementation verifies the certificate hostname
+                 #    unless verify_mode is set to VERIFY_NONE.
+                 { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+               end
+
+        opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+        opts[:ssl_version] = options['ssl_version'] if options['ssl_version'].present?
+
+        opts
       end
 
       def auth_options
author	Douwe Maan <douwe@selenight.nl>	2017-07-26 14:47:50 +0200
committer	Douwe Maan <douwe@selenight.nl>	2017-07-26 14:47:50 +0200
commit	d29598e69190d6bc3a7d3cea44892d2db69d20e0 (patch)
tree	7b130b29dd5c4042846b51791ce1e09d7ea48326 /lib
parent	5f35901a01ff822ba1e637251d9726a41e73ed17 (diff)
parent	2f825cad72cfc6fd25df3a57c5f3c138bb47f89d (diff)
download	gitlab-ce-d29598e69190d6bc3a7d3cea44892d2db69d20e0.tar.gz