Commit 1ef6e93d authored by Imre Farkas's avatar Imre Farkas

Load multiple root certificates in Auth::Smartcard::Base.store

OpenSSL already supports this; we just need to call
OpenSSL::X509::Store#add_file instead of OpenSSL::X509::Store#add_cert.
When multiple certificates are loaded, validation checks the whole
certificate chain. If a root certificate is missing and only the
intermediate is loaded, validation fails.
parent 79499705
...@@ -770,7 +770,7 @@ production: &base ...@@ -770,7 +770,7 @@ production: &base
# Allow smartcard authentication # Allow smartcard authentication
enabled: false enabled: false
# Path to a file containing a CA certificate # Path to a file containing a CA certificate bundle
ca_file: '/etc/ssl/certs/CA.pem' ca_file: '/etc/ssl/certs/CA.pem'
# Host and port where the client side certificate is requested by the # Host and port where the client side certificate is requested by the
......
---
title: Allow multiple root certificates for smartcard auth
merge_request: 26812
author:
type: added
...@@ -4,7 +4,6 @@ module Gitlab ...@@ -4,7 +4,6 @@ module Gitlab
module Auth module Auth
module Smartcard module Smartcard
class Base class Base
InvalidCAFilePath = Class.new(StandardError)
InvalidCertificate = Class.new(StandardError) InvalidCertificate = Class.new(StandardError)
delegate :allow_signup?, delegate :allow_signup?,
...@@ -12,17 +11,10 @@ module Gitlab ...@@ -12,17 +11,10 @@ module Gitlab
def self.store def self.store
@store ||= OpenSSL::X509::Store.new.tap do |store| @store ||= OpenSSL::X509::Store.new.tap do |store|
store.add_cert( store.add_file(Gitlab.config.smartcard.ca_file)
OpenSSL::X509::Certificate.new(
File.read(Gitlab.config.smartcard.ca_file)))
end end
rescue Errno::ENOENT => ex rescue OpenSSL::X509::StoreError => ex
logger.error(message: 'Failed to open Gitlab.config.smartcard.ca_file', logger.error(message: 'Gitlab.config.smartcard.ca_file is invalid or does not exist',
error: ex)
raise InvalidCAFilePath
rescue OpenSSL::X509::CertificateError => ex
logger.error(message: 'Gitlab.config.smartcard.ca_file is not a valid certificate',
error: ex) error: ex)
raise InvalidCertificate raise InvalidCertificate
......
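Review bot: The first hunk drops `InvalidCAFilePath` while `self.store` now maps both the missing-file and unparseable-bundle cases to `InvalidCertificate`, which narrows the error interface without the commit message saying so; any caller that still rescues `Base::InvalidCAFilePath` would hit a NameError when that rescue clause is evaluated instead of catching the error, and references outside this diff are not visible here, so this is worth confirming against the rest of the tree. If anything does still reference it, a deprecated alias `InvalidCAFilePath = InvalidCertificate` next to the remaining constant keeps those rescues working. In `self.store`, a comment above `store.add_file(Gitlab.config.smartcard.ca_file)` would make the trust implication explicit, e.g. `# add_file loads every certificate in the PEM bundle as a trust anchor, so the bundle's contents are security-sensitive; OpenSSL::X509::StoreError is raised both for a missing file and for a file with no parseable certificate, hence the single rescue`. `self.store` continues past the hunk (its closing `end` is not shown).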
...@@ -16,17 +16,18 @@ RSpec.shared_examples 'a certificate store' do ...@@ -16,17 +16,18 @@ RSpec.shared_examples 'a certificate store' do
subject { described_class.store } subject { described_class.store }
context 'file does not exist' do context 'loads CA bundle' do
it 'raises error' do it 'uses correct method' do
expect { subject }.to( expect_next_instance_of(OpenSSL::X509::Store) do |store|
raise_error(Gitlab::Auth::Smartcard::Certificate::InvalidCAFilePath)) expect(store).to receive(:add_file).and_return(true)
end
subject
end end
end end
context 'smartcard ca_file is not a valid certificate' do context 'without valid CA file' do
it 'raises error' do it 'raises error' do
expect(File).to(
receive(:read).with('ca_file').and_return('invalid certificate'))
expect { subject }.to( expect { subject }.to(
raise_error(Gitlab::Auth::Smartcard::Certificate::InvalidCertificate)) raise_error(Gitlab::Auth::Smartcard::Certificate::InvalidCertificate))
end end
......
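Review bot: The 'loads CA bundle' example asserts only that `add_file` is called, not what it is called with, so a regression that passed a different path would still pass; `expect(store).to receive(:add_file).with(Gitlab.config.smartcard.ca_file).and_return(true)` pins the argument. Because the stub returns successfully, `described_class.store` now memoizes the `OpenSSL::X509::Store` in `@store`, which the raising example it replaces never did; unless setup outside this hunk clears that variable between examples, the 'without valid CA file' example depends on example ordering and can pass or fail by chance. Nothing in the shared examples exercises the behaviour the commit message claims (a bundle holding intermediate and root validating a leaf certificate), which is the purpose of the change; a fixture-backed example would cover it. The shared example group continues outside the hunk.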