Commit b67c0078 authored by Michael Kozono's avatar Michael Kozono

Set `Net::LDAP` encryption properly

parent 94b4c9f3
...@@ -2,6 +2,16 @@ ...@@ -2,6 +2,16 @@
module Gitlab module Gitlab
module LDAP module LDAP
class Config class Config
NET_LDAP_ENCRYPTION_METHOD = {
:simple_tls => :simple_tls,
:start_tls => :start_tls,
:plain => nil,
# Deprecated. Better to pass-through the actual `Net::LDAP` encryption type.
:ssl => :simple_tls,
:tls => :start_tls,
}
attr_accessor :provider, :options attr_accessor :provider, :options
def self.enabled? def self.enabled?
...@@ -39,7 +49,7 @@ module Gitlab ...@@ -39,7 +49,7 @@ module Gitlab
def adapter_options def adapter_options
opts = base_options.merge( opts = base_options.merge(
encryption: encryption encryption: encryption_options
) )
opts.merge!(auth_options) if has_auth? opts.merge!(auth_options) if has_auth?
...@@ -157,14 +167,22 @@ module Gitlab ...@@ -157,14 +167,22 @@ module Gitlab
base_config.servers.values.find { |server| server['provider_name'] == provider } base_config.servers.values.find { |server| server['provider_name'] == provider }
end end
def encryption def encryption_options
case options['encryption'].to_s method = translate_method(options['encryption'])
when 'ssl' options = { method: method }
:simple_tls options.merge!(tls_options: tls_options(method)) if method
when 'tls' options
:start_tls end
def translate_method(method_from_config)
NET_LDAP_ENCRYPTION_METHOD[method_from_config.to_sym]
end
def tls_options(method)
if method && options['verify_certificates']
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
else else
nil { verify_mode: OpenSSL::SSL::VERIFY_NONE }
end end
end end
......
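Review bot: In `tls_options`, an absent `verify_certificates` key evaluates to nil and takes the `else` branch, so the adapter receives `verify_mode: OpenSSL::SSL::VERIFY_NONE`; unless a default for that key is supplied elsewhere (settings defaults are outside this hunk), an operator who configures `encryption: simple_tls` without mentioning `verify_certificates` gets an unverified TLS session, so consider making verification the default, e.g. `if method && options.fetch('verify_certificates', true)`, or at least a comment above the method stating that the absent key disables verification. `translate_method` also regresses on a missing `encryption` key: the removed `options['encryption'].to_s` tolerated nil, whereas `nil.to_sym` raises `NoMethodError`; `NET_LDAP_ENCRYPTION_METHOD[method_from_config.to_s.to_sym]` keeps the old tolerance. Unrecognised values (a typo such as `simple-tls`) still map to `nil`, i.e. plaintext, which a `NET_LDAP_ENCRYPTION_METHOD.fetch(...)` raising on unknown keys would surface instead of silently downgrading. In `encryption_options` the local `options = { method: method }` shadows the `options` accessor (the lookup on the preceding line only works because it is parsed before the assignment); naming it `opts` as `adapter_options` does avoids the trap, and the `method &&` guard inside `tls_options` is redundant because the caller only invokes it when `method` is truthy. The enclosing `class Config` starts and ends outside the hunk.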
...@@ -5,7 +5,7 @@ describe Gitlab::LDAP::Config, lib: true do ...@@ -5,7 +5,7 @@ describe Gitlab::LDAP::Config, lib: true do
let(:config) { Gitlab::LDAP::Config.new('ldapmain') } let(:config) { Gitlab::LDAP::Config.new('ldapmain') }
describe '#initalize' do describe '#initialize' do
it 'requires a provider' do it 'requires a provider' do
expect{ Gitlab::LDAP::Config.new }.to raise_error ArgumentError expect{ Gitlab::LDAP::Config.new }.to raise_error ArgumentError
end end
...@@ -32,31 +32,111 @@ describe Gitlab::LDAP::Config, lib: true do ...@@ -32,31 +32,111 @@ describe Gitlab::LDAP::Config, lib: true do
expect(config.adapter_options).to eq( expect(config.adapter_options).to eq(
host: 'ldap.example.com', host: 'ldap.example.com',
port: 386, port: 386,
encryption: nil encryption: { method: nil }
) )
end end
it 'includes authentication options when auth is configured' do it 'includes authentication options when auth is configured' do
stub_ldap_config( stub_ldap_config(
options: { options: {
'host' => 'ldap.example.com', 'host' => 'ldap.example.com',
'port' => 686, 'port' => 686,
'encryption' => 'ssl', 'encryption' => 'simple_tls',
'bind_dn' => 'uid=admin,dc=example,dc=com', 'verify_certificates' => true,
'password' => 'super_secret' 'bind_dn' => 'uid=admin,dc=example,dc=com',
'password' => 'super_secret'
} }
) )
expect(config.adapter_options).to eq( expect(config.adapter_options).to include({
host: 'ldap.example.com',
port: 686,
encryption: :simple_tls,
auth: { auth: {
method: :simple, method: :simple,
username: 'uid=admin,dc=example,dc=com', username: 'uid=admin,dc=example,dc=com',
password: 'super_secret' password: 'super_secret'
} }
})
end
it 'sets encryption method to simple_tls when configured as simple_tls' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'simple_tls'
}
)
expect(config.adapter_options[:encryption]).to include({ method: :simple_tls })
end
it 'sets encryption method to simple_tls when configured as ssl, for backwards compatibility' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'ssl'
}
)
expect(config.adapter_options[:encryption]).to include({ method: :simple_tls })
end
it 'sets encryption method to start_tls when configured as start_tls' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'start_tls'
}
)
expect(config.adapter_options[:encryption]).to include({ method: :start_tls })
end
it 'sets encryption method to start_tls when configured as tls, for backwards compatibility' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'tls'
}
) )
expect(config.adapter_options[:encryption]).to include({ method: :start_tls })
end
context 'when verify_certificates is enabled' do
it 'sets tls_options to OpenSSL defaults' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'simple_tls',
'verify_certificates' => true
}
)
expect(config.adapter_options[:encryption]).to include({ tls_options: OpenSSL::SSL::SSLContext::DEFAULT_PARAMS })
end
end
context 'when verify_certificates is disabled' do
it 'sets verify_mode to OpenSSL VERIFY_NONE' do
stub_ldap_config(
options: {
'host' => 'ldap.example.com',
'port' => 686,
'encryption' => 'simple_tls',
'verify_certificates' => false
}
)
expect(config.adapter_options[:encryption]).to include({
tls_options: {
verify_mode: OpenSSL::SSL::VERIFY_NONE
}
})
end
end end
end end
......
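Review bot: None of the added examples cover a config that omits `verify_certificates`, which is the path that hands `verify_mode: OpenSSL::SSL::VERIFY_NONE` to Net::LDAP; the `'sets encryption method to simple_tls when configured as simple_tls'` example omits the key but asserts only `method`. Add an example that pins whichever default is intended, e.g. `expect(config.adapter_options[:encryption][:tls_options]).to include(verify_mode: OpenSSL::SSL::VERIFY_PEER)` if verification is meant to be on by default, so that the behaviour cannot regress silently. Examples for an unrecognised `encryption` value (currently mapped to `method: nil`) and for a missing `encryption` key would likewise document the fallback. The `'when verify_certificates is enabled'` example compares against the whole of `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`, whose contents may vary with the Ruby/OpenSSL version; asserting `include(verify_mode: OpenSSL::SSL::VERIFY_PEER)` on the `tls_options` is more robust. The enclosing `describe` block ends outside the hunk.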