Commit dcc12505 authored by Michael Kozono's avatar Michael Kozono

Set `Net::LDAP` `ca_file` option

parent b67c0078
...@@ -179,11 +179,21 @@ module Gitlab ...@@ -179,11 +179,21 @@ module Gitlab
end end
def tls_options(method) def tls_options(method)
if method && options['verify_certificates'] return { verify_mode: OpenSSL::SSL::VERIFY_NONE } unless method
opts = if options['verify_certificates']
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
else else
# It is important to explicitly set verify_mode for two reasons:
# 1. The behavior of OpenSSL is undefined when verify_mode is not set.
# 2. The net-ldap gem implementation verifies the certificate hostname
# unless verify_mode is set to VERIFY_NONE.
{ verify_mode: OpenSSL::SSL::VERIFY_NONE } { verify_mode: OpenSSL::SSL::VERIFY_NONE }
end end
opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
opts
end end
def auth_options def auth_options
......
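Review bot: When `options['verify_certificates']` is set, `opts` is the constant `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` itself, not a copy, so the new line `opts[:ca_file] = options['ca_file'] if options['ca_file'].present?` mutates the process-wide default hash that `OpenSSL::SSL::SSLContext#set_params` merges into every later context (or raises if that constant is frozen in the openssl version in use). One LDAP server's `ca_file` would then be applied to unrelated TLS connections made by the same process, and a later change of the setting could not undo an earlier mutation. Copy the defaults before adding keys: `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup`. The specs in this commit only exercise the branch where `verify_certificates` is unset, where `opts` is a fresh literal, so they would not catch this.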
...@@ -138,6 +138,36 @@ describe Gitlab::LDAP::Config, lib: true do ...@@ -138,6 +138,36 @@ describe Gitlab::LDAP::Config, lib: true do
}) })
end end
end end
context 'when ca_file is specified' do
it 'passes it through in tls_options' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'simple_tls',
'ca_file' => '/etc/ca.pem'
}
)
expect(config.adapter_options[:encryption][:tls_options]).to include({ ca_file: '/etc/ca.pem' })
end
end
context 'when ca_file is a blank string' do
it 'does not add the ca_file key to tls_options' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'simple_tls',
'ca_file' => ' '
}
)
expect(config.adapter_options[:encryption][:tls_options]).not_to have_key(:ca_file)
end
end
end end
describe '#omniauth_options' do describe '#omniauth_options' do
......
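Review bot: Both new contexts leave `verify_certificates` unset, so only the `VERIFY_NONE` branch of `tls_options` is covered and the path that starts from `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` is never run with a `ca_file`. A context with `'verify_certificates' => true` plus a `ca_file` would exercise that path, and asserting afterwards that `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` still has no `:ca_file` key would pin down that the shared default hash is not modified as a side effect. Checking the returned options still `include({ ca_file: '/etc/ca.pem' })` in that context keeps the positive case covered as well.
```ruby
context 'when verify_certificates is true and ca_file is specified' do
  it 'adds ca_file without mutating OpenSSL defaults' do
    stub_ldap_config(
      options: {
        'host' => 'ldap.example.com',
        'port' => 686,
        'encryption' => 'simple_tls',
        'verify_certificates' => true,
        'ca_file' => '/etc/ca.pem'
      }
    )

    expect(config.adapter_options[:encryption][:tls_options]).to include({ ca_file: '/etc/ca.pem' })
    expect(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS).not_to have_key(:ca_file)
  end
end
```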