Load multiple root certificates in Auth::Smartcard::Base.store

OpenSSL already supports this, we just need to call OpenSSL::X509::Store#add_file instead of OpenSSL::X509::Store#add_cert. When multiple certificates are loaded, validation checks the whole certificate chain. If a root certificate is missing and only the intermediate is loaded, validation fails.

Load multiple root certificates in Auth::Smartcard::Base.store
OpenSSL already supports this, we just need to call OpenSSL::X509::Store#add_file instead of OpenSSL::X509::Store#add_cert. When multiple certificates are loaded, validation checks the whole certificate chain. If a root certificate is missing and only the intermediate is loaded, validation fails.
1ef6e93d · Imre Farkas · 79499705 · 1ef6e93d · 1ef6e93d · 1ef6e93d
Commit 1ef6e93d authored Mar 09, 2020 by Imre Farkas
4 changed files
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -770,7 +770,7 @@ production: &base
    # Allow smartcard authentication
    enabled: false

-    # Path to a file containing a CA certificate
+    # Path to a file containing a CA certificate bundle
    ca_file: '/etc/ssl/certs/CA.pem'

    # Host and port where the client side certificate is requested by the

--- a/ee/changelogs/unreleased/197463-smartcard_multiple_root_certificates.yml
+++ b/ee/changelogs/unreleased/197463-smartcard_multiple_root_certificates.yml
+---
+title: Allow multiple root certificates for smartcard auth
+merge_request: 26812
+author:
+type: added
--- a/ee/lib/gitlab/auth/smartcard/base.rb
+++ b/ee/lib/gitlab/auth/smartcard/base.rb
@@ -4,7 +4,6 @@ module Gitlab
  module Auth
    module Smartcard
      class Base
-        InvalidCAFilePath = Class.new(StandardError)
        InvalidCertificate = Class.new(StandardError)

        delegate :allow_signup?,
@@ -12,17 +11,10 @@ module Gitlab

        def self.store
          @store ||= OpenSSL::X509::Store.new.tap do |store|
-            store.add_cert(
-              OpenSSL::X509::Certificate.new(
-                File.read(Gitlab.config.smartcard.ca_file)))
+            store.add_file(Gitlab.config.smartcard.ca_file)
          end
-        rescue Errno::ENOENT => ex
-          logger.error(message: 'Failed to open Gitlab.config.smartcard.ca_file',
-                       error: ex)
-
-          raise InvalidCAFilePath
-        rescue OpenSSL::X509::CertificateError => ex
-          logger.error(message: 'Gitlab.config.smartcard.ca_file is not a valid certificate',
+        rescue OpenSSL::X509::StoreError => ex
+          logger.error(message: 'Gitlab.config.smartcard.ca_file is invalid or does not exist',
                       error: ex)

          raise InvalidCertificate

--- a/ee/spec/support/shared_examples/lib/gitlab/smartcard_certificate_store_shared_examples.rb
+++ b/ee/spec/support/shared_examples/lib/gitlab/smartcard_certificate_store_shared_examples.rb
@@ -16,17 +16,18 @@ RSpec.shared_examples 'a certificate store' do

    subject { described_class.store }

-    context 'file does not exist' do
-      it 'raises error' do
-        expect { subject }.to(
-          raise_error(Gitlab::Auth::Smartcard::Certificate::InvalidCAFilePath))
+    context 'loads CA bundle' do
+      it 'uses correct method' do
+        expect_next_instance_of(OpenSSL::X509::Store) do |store|
+          expect(store).to receive(:add_file).and_return(true)
+        end
+
+        subject
      end
    end

-    context 'smartcard ca_file is not a valid certificate' do
+    context 'without valid CA file' do
      it 'raises error' do
-        expect(File).to(
-          receive(:read).with('ca_file').and_return('invalid certificate'))
        expect { subject }.to(
          raise_error(Gitlab::Auth::Smartcard::Certificate::InvalidCertificate))
      end