Merge branch 'if-8805-smartcard_support_for_older_nginx' into 'master'

Support older NGINX version forwarding the client certificate for smartcard auth See merge request gitlab-org/gitlab-ee!8784

Merge branch 'if-8805-smartcard_support_for_older_nginx' into 'master'
Support older NGINX version forwarding the client certificate for smartcard auth See merge request gitlab-org/gitlab-ee!8784
59197275 · Robert Speicher · b635df70 · 4f0418a2 · 59197275 · 59197275
Commit 59197275 authored Dec 12, 2018 by Robert Speicher
3 changed files
--- a/ee/app/controllers/smartcard_controller.rb
+++ b/ee/app/controllers/smartcard_controller.rb
@@ -8,7 +8,7 @@ class SmartcardController < ApplicationController
  before_action :check_certificate_headers

  def auth
-    certificate = Gitlab::Auth::Smartcard::Certificate.new(CGI.unescape(certificate_header))
+    certificate = Gitlab::Auth::Smartcard::Certificate.new(certificate_header)

    user = certificate.find_or_create_user
    unless user
@@ -40,7 +40,17 @@ class SmartcardController < ApplicationController
  end

  def certificate_header
-    request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
+    header = request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
+    return unless header
+
+    unescaped_header = CGI.unescape(header)
+    if unescaped_header.include?("\n")
+      # NGINX forwarding the $ssl_client_escaped_cert variable
+      unescaped_header
+    else
+      # older version of NGINX forwarding the now deprecated $ssl_client_cert variable
+      header.gsub(/ (?!CERTIFICATE)/, "\n")
+    end
  end

  def after_sign_in_path_for(resource)

--- a/ee/changelogs/unreleased/ee-8805-smartcard_support_for_older_nginx.yml
+++ b/ee/changelogs/unreleased/ee-8805-smartcard_support_for_older_nginx.yml
+---
+title: Support older NGINX version forwarding the client certificate for smartcard
+  auth
+merge_request: 8784
+author:
+type: fixed
--- a/ee/spec/requests/smartcard_controller_spec.rb
+++ b/ee/spec/requests/smartcard_controller_spec.rb
@@ -76,6 +76,32 @@ describe SmartcardController, type: :request  do
        end
      end

+      context 'certificate header formats from NGINX' do
+        shared_examples 'valid certificate header' do
+          it 'authenticates user' do
+            expect(Gitlab::Auth::Smartcard::Certificate).to receive(:new).with(expected_certificate).and_call_original
+
+            subject
+
+            expect(request.env['warden']).to be_authenticated
+          end
+        end
+
+        let(:expected_certificate) { "-----BEGIN CERTIFICATE-----\nrow\nrow\n-----END CERTIFICATE-----" }
+
+        context 'escaped format' do
+          let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': '-----BEGIN%20CERTIFICATE-----%0Arow%0Arow%0A-----END%20CERTIFICATE-----' } }
+
+          it_behaves_like 'valid certificate header'
+        end
+
+        context 'deprecated format' do
+          let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': '-----BEGIN CERTIFICATE----- row row -----END CERTIFICATE-----' } }
+
+          it_behaves_like 'valid certificate header'
+        end
+      end
+
      context 'missing certificate headers' do
        let(:certificate_headers) { nil }