Commit 59197275 authored by Robert Speicher's avatar Robert Speicher

Merge branch 'if-8805-smartcard_support_for_older_nginx' into 'master'

Support older NGINX version forwarding the client certificate for smartcard auth

See merge request gitlab-org/gitlab-ee!8784
parents b635df70 4f0418a2
...@@ -8,7 +8,7 @@ class SmartcardController < ApplicationController ...@@ -8,7 +8,7 @@ class SmartcardController < ApplicationController
before_action :check_certificate_headers before_action :check_certificate_headers
def auth def auth
certificate = Gitlab::Auth::Smartcard::Certificate.new(CGI.unescape(certificate_header)) certificate = Gitlab::Auth::Smartcard::Certificate.new(certificate_header)
user = certificate.find_or_create_user user = certificate.find_or_create_user
unless user unless user
...@@ -40,7 +40,17 @@ class SmartcardController < ApplicationController ...@@ -40,7 +40,17 @@ class SmartcardController < ApplicationController
end end
def certificate_header def certificate_header
request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE'] header = request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
return unless header
unescaped_header = CGI.unescape(header)
if unescaped_header.include?("\n")
# NGINX forwarding the $ssl_client_escaped_cert variable
unescaped_header
else
# older version of NGINX forwarding the now deprecated $ssl_client_cert variable
header.gsub(/ (?!CERTIFICATE)/, "\n")
end
end end
def after_sign_in_path_for(resource) def after_sign_in_path_for(resource)
......
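Review bot: The format detection in `certificate_header` is made on `CGI.unescape(header)` rather than on the raw header, so a deprecated-format `$ssl_client_cert` value that still carries its original line breaks (nginx documents that variable as multi-line with each line after the first prefixed by a tab; whether the app server folds that into spaces before Rack sees it is server-dependent) takes the escaped branch and returns a body in which `CGI.unescape` has already turned every base64 `+` into a space — an invalid PEM, which `Certificate.new` presumably rejects as a hard authentication failure rather than falling back. Deciding on the raw header avoids this: a PEM body never contains `%`, while the urlencoded form always escapes its line breaks (the `%0A` the spec fixture shows), so `if header.include?('%')` selects the escaped branch and the deprecated branch can normalise any whitespace run with `header.gsub(/\s+(?!CERTIFICATE)/, "\n")`, which also covers tab and double-space folding. The assumption the else branch makes should be stated either way, e.g. `# header folding may have joined the PEM lines with a space, tab or newline`. `certificate_header` is complete inside the hunk; the enclosing class starts and ends outside it.

```ruby
def certificate_header
  header = request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
  return unless header

  if header.include?('%')
    # NGINX forwarding the urlencoded $ssl_client_escaped_cert variable
    CGI.unescape(header)
  else
    # older NGINX forwarding the deprecated $ssl_client_cert variable; header
    # folding may have joined the PEM lines with a space, tab or newline
    header.gsub(/\s+(?!CERTIFICATE)/, "\n")
  end
end
```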
---
title: Support older NGINX version forwarding the client certificate for smartcard
auth
merge_request: 8784
author:
type: fixed
...@@ -76,6 +76,32 @@ describe SmartcardController, type: :request do ...@@ -76,6 +76,32 @@ describe SmartcardController, type: :request do
end end
end end
context 'certificate header formats from NGINX' do
shared_examples 'valid certificate header' do
it 'authenticates user' do
expect(Gitlab::Auth::Smartcard::Certificate).to receive(:new).with(expected_certificate).and_call_original
subject
expect(request.env['warden']).to be_authenticated
end
end
let(:expected_certificate) { "-----BEGIN CERTIFICATE-----\nrow\nrow\n-----END CERTIFICATE-----" }
context 'escaped format' do
let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': '-----BEGIN%20CERTIFICATE-----%0Arow%0Arow%0A-----END%20CERTIFICATE-----' } }
it_behaves_like 'valid certificate header'
end
context 'deprecated format' do
let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': '-----BEGIN CERTIFICATE----- row row -----END CERTIFICATE-----' } }
it_behaves_like 'valid certificate header'
end
end
context 'missing certificate headers' do context 'missing certificate headers' do
let(:certificate_headers) { nil } let(:certificate_headers) { nil }
......
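Review bot: The 'deprecated format' example `'-----BEGIN CERTIFICATE----- row row -----END CERTIFICATE-----'` only covers the case where the folded PEM lines were joined by a single space, and its placeholder body `row` contains no `+`, so the `CGI.unescape` call that `certificate_header` performs before choosing a branch is never exercised against real base64 content. Two more examples would pin the behaviour: one using the tab-prefixed multi-line layout nginx documents for `$ssl_client_cert`, and one in each format whose body contains `+` (`row+row`, escaped as `%2B` in the urlencoded fixture), asserting that the `+` survives in `expected_certificate`. The `describe SmartcardController` block and the `subject` these examples call start outside the hunk.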