diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 17:34:42 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-05-20 17:34:42 +0300 |
commit | 9f46488805e86b1bc341ea1620b866016c2ce5ed (patch) | |
tree | f9748c7e287041e37d6da49e0a29c9511dc34768 /lib/gitlab/email | |
parent | dfc92d081ea0332d69c8aca2f0e745cb48ae5e6d (diff) |
Add latest changes from gitlab-org/gitlab@13-0-stable-ee
Diffstat (limited to 'lib/gitlab/email')
-rw-r--r-- | lib/gitlab/email/handler.rb | 10 | ||||
-rw-r--r-- | lib/gitlab/email/hook/smime_signature_interceptor.rb | 7 | ||||
-rw-r--r-- | lib/gitlab/email/message/repository_push.rb | 2 | ||||
-rw-r--r-- | lib/gitlab/email/smime/certificate.rb | 40 | ||||
-rw-r--r-- | lib/gitlab/email/smime/signer.rb | 25 |
5 files changed, 63 insertions, 21 deletions
diff --git a/lib/gitlab/email/handler.rb b/lib/gitlab/email/handler.rb index e9a7c9bcf5c..7f8dd815103 100644 --- a/lib/gitlab/email/handler.rb +++ b/lib/gitlab/email/handler.rb @@ -3,18 +3,16 @@ module Gitlab module Email module Handler - prepend_if_ee('::EE::Gitlab::Email::Handler') # rubocop: disable Cop/InjectEnterpriseEditionModule - def self.handlers @handlers ||= load_handlers end def self.load_handlers [ - UnsubscribeHandler, CreateNoteHandler, - CreateMergeRequestHandler, - CreateIssueHandler + CreateIssueHandler, + UnsubscribeHandler, + CreateMergeRequestHandler ] end @@ -27,3 +25,5 @@ module Gitlab end end end + +Gitlab::Email::Handler.prepend_if_ee('::EE::Gitlab::Email::Handler') diff --git a/lib/gitlab/email/hook/smime_signature_interceptor.rb b/lib/gitlab/email/hook/smime_signature_interceptor.rb index 61c9c984f8e..fe39589d019 100644 --- a/lib/gitlab/email/hook/smime_signature_interceptor.rb +++ b/lib/gitlab/email/hook/smime_signature_interceptor.rb @@ -10,6 +10,7 @@ module Gitlab signed_message = Gitlab::Email::Smime::Signer.sign( cert: certificate.cert, key: certificate.key, + ca_certs: certificate.ca_certs, data: message.encoded) signed_email = Mail.new(signed_message) @@ -21,7 +22,7 @@ module Gitlab private def certificate - @certificate ||= Gitlab::Email::Smime::Certificate.from_files(key_path, cert_path) + @certificate ||= Gitlab::Email::Smime::Certificate.from_files(key_path, cert_path, ca_certs_path) end def key_path @@ -32,6 +33,10 @@ module Gitlab Gitlab.config.gitlab.email_smime.cert_file end + def ca_certs_path + Gitlab.config.gitlab.email_smime.ca_certs_file + end + def overwrite_body(message, signed_email) # since this is a multipart email, assignment to nil is important, # otherwise Message#body will add a new mail part diff --git a/lib/gitlab/email/message/repository_push.rb b/lib/gitlab/email/message/repository_push.rb index ec412e7a8b1..d55cf3202a6 100644 --- a/lib/gitlab/email/message/repository_push.rb +++ b/lib/gitlab/email/message/repository_push.rb @@ -52,7 +52,7 @@ module Gitlab end def compare - @opts[:compare] if @opts[:compare] + @opts[:compare] end def diff_refs diff --git a/lib/gitlab/email/smime/certificate.rb b/lib/gitlab/email/smime/certificate.rb index 59d7b0c3c5b..3607b95b4bc 100644 --- a/lib/gitlab/email/smime/certificate.rb +++ b/lib/gitlab/email/smime/certificate.rb @@ -4,29 +4,53 @@ module Gitlab module Email module Smime class Certificate - attr_reader :key, :cert + CERT_REGEX = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/.freeze + + attr_reader :key, :cert, :ca_certs def key_string - @key.to_s + key.to_s end def cert_string - @cert.to_pem + cert.to_pem + end + + def ca_certs_string + ca_certs.map(&:to_pem).join('\n') unless ca_certs.blank? end - def self.from_strings(key_string, cert_string) + def self.from_strings(key_string, cert_string, ca_certs_string = nil) key = OpenSSL::PKey::RSA.new(key_string) cert = OpenSSL::X509::Certificate.new(cert_string) - new(key, cert) + ca_certs = load_ca_certs_bundle(ca_certs_string) + + new(key, cert, ca_certs) end - def self.from_files(key_path, cert_path) - from_strings(File.read(key_path), File.read(cert_path)) + def self.from_files(key_path, cert_path, ca_certs_path = nil) + ca_certs_string = File.read(ca_certs_path) if ca_certs_path + + from_strings(File.read(key_path), File.read(cert_path), ca_certs_string) + end + + # Returns an array of OpenSSL::X509::Certificate objects, empty array if none found + # + # Ruby OpenSSL::X509::Certificate.new will only load the first + # certificate if a bundle is presented, this allows to parse multiple certs + # in the same file + def self.load_ca_certs_bundle(ca_certs_string) + return [] unless ca_certs_string + + ca_certs_string.scan(CERT_REGEX).map do |ca_cert_string| + OpenSSL::X509::Certificate.new(ca_cert_string) + end end - def initialize(key, cert) + def initialize(key, cert, ca_certs = nil) @key = key @cert = cert + @ca_certs = ca_certs end end end diff --git a/lib/gitlab/email/smime/signer.rb b/lib/gitlab/email/smime/signer.rb index db03e383ecf..6a445730463 100644 --- a/lib/gitlab/email/smime/signer.rb +++ b/lib/gitlab/email/smime/signer.rb @@ -7,19 +7,32 @@ module Gitlab module Smime # Tooling for signing and verifying data with SMIME class Signer - def self.sign(cert:, key:, data:) - signed_data = OpenSSL::PKCS7.sign(cert, key, data, nil, OpenSSL::PKCS7::DETACHED) + # The `ca_certs` parameter, if provided, is an array of CA certificates + # that will be attached in the signature together with the main `cert`. + # This will be typically intermediate CAs + def self.sign(cert:, key:, ca_certs: nil, data:) + signed_data = OpenSSL::PKCS7.sign(cert, key, data, Array.wrap(ca_certs), OpenSSL::PKCS7::DETACHED) OpenSSL::PKCS7.write_smime(signed_data) end - # return nil if data cannot be verified, otherwise the signed content data - def self.verify_signature(cert:, ca_cert: nil, signed_data:) + # Return nil if data cannot be verified, otherwise the signed content data + # + # Be careful with the `ca_certs` parameter, it will implicitly trust all the CAs + # in the array by creating a trusted store, stopping validation at the first match + # This is relevant when using intermediate CAs, `ca_certs` should only + # include the trusted, root CA + def self.verify_signature(ca_certs: nil, signed_data:) store = OpenSSL::X509::Store.new store.set_default_paths - store.add_cert(ca_cert) if ca_cert + Array.wrap(ca_certs).compact.each { |ca_cert| store.add_cert(ca_cert) } signed_smime = OpenSSL::PKCS7.read_smime(signed_data) - signed_smime if signed_smime.verify([cert], store) + + # The S/MIME certificate(s) are included in the message and the trusted + # CAs are in the store parameter, so we pass no certs as parameters + # to `PKCS7.verify` + # See https://www.openssl.org/docs/manmaster/man3/PKCS7_verify.html + signed_smime if signed_smime.verify(nil, store) end end end |