Commit
b67c0078
authored
Jun 08, 2017
by
Michael Kozono
Set `Net::LDAP` encryption properly
parent
94b4c9f3
Showing
2 changed files
with
117 additions
and
19 deletions
+117
-19
config.rb
lib/gitlab/ldap/config.rb
+26
-8
config_spec.rb
spec/lib/gitlab/ldap/config_spec.rb
+91
-11
lib/gitlab/ldap/config.rb
...
@@ -2,6 +2,16 @@
...
@@ -2,6 +2,16 @@
module
Gitlab
module
Gitlab
module
LDAP
module
LDAP
class
Config
class
Config
NET_LDAP_ENCRYPTION_METHOD
=
{
:simple_tls
=>
:simple_tls
,
:start_tls
=>
:start_tls
,
:plain
=>
nil
,
# Deprecated. Better to pass-through the actual `Net::LDAP` encryption type.
:ssl
=>
:simple_tls
,
:tls
=>
:start_tls
,
}
attr_accessor
:provider
,
:options
attr_accessor
:provider
,
:options
def
self
.
enabled?
def
self
.
enabled?
...
@@ -39,7 +49,7 @@ module Gitlab
...
@@ -39,7 +49,7 @@ module Gitlab
def
adapter_options
def
adapter_options
opts
=
base_options
.
merge
(
opts
=
base_options
.
merge
(
encryption:
encryption
encryption:
encryption
_options
)
)
opts
.
merge!
(
auth_options
)
if
has_auth?
opts
.
merge!
(
auth_options
)
if
has_auth?
...
@@ -157,14 +167,22 @@ module Gitlab
...
@@ -157,14 +167,22 @@ module Gitlab
base_config
.
servers
.
values
.
find
{
|
server
|
server
[
'provider_name'
]
==
provider
}
base_config
.
servers
.
values
.
find
{
|
server
|
server
[
'provider_name'
]
==
provider
}
end
end
def
encryption
def
encryption_options
case
options
[
'encryption'
].
to_s
method
=
translate_method
(
options
[
'encryption'
])
when
'ssl'
options
=
{
method:
method
}
:simple_tls
options
.
merge!
(
tls_options:
tls_options
(
method
))
if
method
when
'tls'
options
:start_tls
end
def
translate_method
(
method_from_config
)
NET_LDAP_ENCRYPTION_METHOD
[
method_from_config
.
to_sym
]
end
def
tls_options
(
method
)
if
method
&&
options
[
'verify_certificates'
]
OpenSSL
::
SSL
::
SSLContext
::
DEFAULT_PARAMS
else
else
nil
{
verify_mode:
OpenSSL
::
SSL
::
VERIFY_NONE
}
end
end
end
end
...
...
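Review bot: `translate_method` returns nil for any value that is not a key of `NET_LDAP_ENCRYPTION_METHOD`, and `encryption_options` treats that nil exactly like `plain`, so a misspelled `encryption` setting silently produces an unencrypted connection instead of an error. Failing closed would make the mistake visible, e.g. `NET_LDAP_ENCRYPTION_METHOD.fetch(method_from_config.to_s.to_sym) { raise ArgumentError, "unknown LDAP encryption #{method_from_config.inspect}" }`; the `to_s` also turns an unset key into the same explicit error rather than the NoMethodError from `nil.to_sym`, which the removed `encryption` method avoided by calling `to_s` first. In `tls_options`, an absent `verify_certificates` key falls into the `VERIFY_NONE` branch, so certificate checking is off unless explicitly enabled; if no default is applied elsewhere (not visible on this page), consider treating only an explicit `false` as the opt-out. The local `options = { method: method }` in `encryption_options` shadows the `options` accessor used on the line above it and would read better under another name such as `opts`.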
spec/lib/gitlab/ldap/config_spec.rb
...
@@ -5,7 +5,7 @@ describe Gitlab::LDAP::Config, lib: true do
...
@@ -5,7 +5,7 @@ describe Gitlab::LDAP::Config, lib: true do
let
(
:config
)
{
Gitlab
::
LDAP
::
Config
.
new
(
'ldapmain'
)
}
let
(
:config
)
{
Gitlab
::
LDAP
::
Config
.
new
(
'ldapmain'
)
}
describe
'#initalize'
do
describe
'#init
i
alize'
do
it
'requires a provider'
do
it
'requires a provider'
do
expect
{
Gitlab
::
LDAP
::
Config
.
new
}.
to
raise_error
ArgumentError
expect
{
Gitlab
::
LDAP
::
Config
.
new
}.
to
raise_error
ArgumentError
end
end
...
@@ -32,31 +32,111 @@ describe Gitlab::LDAP::Config, lib: true do
...
@@ -32,31 +32,111 @@ describe Gitlab::LDAP::Config, lib: true do
expect
(
config
.
adapter_options
).
to
eq
(
expect
(
config
.
adapter_options
).
to
eq
(
host:
'ldap.example.com'
,
host:
'ldap.example.com'
,
port:
386
,
port:
386
,
encryption:
nil
encryption:
{
method:
nil
}
)
)
end
end
it
'includes authentication options when auth is configured'
do
it
'includes authentication options when auth is configured'
do
stub_ldap_config
(
stub_ldap_config
(
options:
{
options:
{
'host'
=>
'ldap.example.com'
,
'host'
=>
'ldap.example.com'
,
'port'
=>
686
,
'port'
=>
686
,
'encryption'
=>
'ssl'
,
'encryption'
=>
'simple_tls'
,
'bind_dn'
=>
'uid=admin,dc=example,dc=com'
,
'verify_certificates'
=>
true
,
'password'
=>
'super_secret'
'bind_dn'
=>
'uid=admin,dc=example,dc=com'
,
'password'
=>
'super_secret'
}
}
)
)
expect
(
config
.
adapter_options
).
to
eq
(
expect
(
config
.
adapter_options
).
to
include
({
host:
'ldap.example.com'
,
port:
686
,
encryption: :simple_tls
,
auth:
{
auth:
{
method: :simple
,
method: :simple
,
username:
'uid=admin,dc=example,dc=com'
,
username:
'uid=admin,dc=example,dc=com'
,
password:
'super_secret'
password:
'super_secret'
}
}
})
end
it
'sets encryption method to simple_tls when configured as simple_tls'
do
stub_ldap_config
(
options:
{
'host'
=>
'ldap.example.com'
,
'port'
=>
686
,
'encryption'
=>
'simple_tls'
}
)
expect
(
config
.
adapter_options
[
:encryption
]).
to
include
({
method: :simple_tls
})
end
it
'sets encryption method to simple_tls when configured as ssl, for backwards compatibility'
do
stub_ldap_config
(
options:
{
'host'
=>
'ldap.example.com'
,
'port'
=>
686
,
'encryption'
=>
'ssl'
}
)
expect
(
config
.
adapter_options
[
:encryption
]).
to
include
({
method: :simple_tls
})
end
it
'sets encryption method to start_tls when configured as start_tls'
do
stub_ldap_config
(
options:
{
'host'
=>
'ldap.example.com'
,
'port'
=>
686
,
'encryption'
=>
'start_tls'
}
)
expect
(
config
.
adapter_options
[
:encryption
]).
to
include
({
method: :start_tls
})
end
it
'sets encryption method to start_tls when configured as tls, for backwards compatibility'
do
stub_ldap_config
(
options:
{
'host'
=>
'ldap.example.com'
,
'port'
=>
686
,
'encryption'
=>
'tls'
}
)
)
expect
(
config
.
adapter_options
[
:encryption
]).
to
include
({
method: :start_tls
})
end
context
'when verify_certificates is enabled'
do
it
'sets tls_options to OpenSSL defaults'
do
stub_ldap_config
(
options:
{
'host'
=>
'ldap.example.com'
,
'port'
=>
686
,
'encryption'
=>
'simple_tls'
,
'verify_certificates'
=>
true
}
)
expect
(
config
.
adapter_options
[
:encryption
]).
to
include
({
tls_options:
OpenSSL
::
SSL
::
SSLContext
::
DEFAULT_PARAMS
})
end
end
context
'when verify_certificates is disabled'
do
it
'sets verify_mode to OpenSSL VERIFY_NONE'
do
stub_ldap_config
(
options:
{
'host'
=>
'ldap.example.com'
,
'port'
=>
686
,
'encryption'
=>
'simple_tls'
,
'verify_certificates'
=>
false
}
)
expect
(
config
.
adapter_options
[
:encryption
]).
to
include
({
tls_options:
{
verify_mode:
OpenSSL
::
SSL
::
VERIFY_NONE
}
})
end
end
end
end
end
...
...
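Review bot: The `verify_certificates` contexts pin only the explicit `true` and `false` cases, while the implementation also sends an absent key down the `VERIFY_NONE` branch; that default is the security-relevant one and has no example here. Consider adding an example that stubs `'encryption' => 'simple_tls'` without `'verify_certificates'` and asserts the intended `tls_options`, plus one for an unrecognised `encryption` string so that the fallback to `method: nil` is a documented decision rather than an accident. The 'includes authentication options when auth is configured' example now appears to use `include` with only the `auth:` key, so it no longer checks `host`, `port` or `encryption` for that configuration.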