Add latest changes from gitlab-org/gitlab@master

author: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-22 18:09:48 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2022-06-22 18:09:48 +0300
commit: 640007842a876dfa551578feccfd0fe2307c522a (patch)
tree: 4204c45a13b9beac3040df00572ffe0ecdb0ca40 /lib/gitlab/x509
parent: 421f6c92d5984d035a7a6687d70277ba88f5f92b (diff)
2 files changed, 20 insertions, 3 deletions
diff --git a/lib/gitlab/x509/certificate.rb b/lib/gitlab/x509/certificate.rb
index 752f3c6b004..98688f504eb 100644
--- a/lib/gitlab/x509/certificate.rb
+++ b/lib/gitlab/x509/certificate.rb
@@ -23,6 +23,18 @@ module Gitlab
         include ::Gitlab::Utils::StrongMemoize
       end
 
+      def self.default_cert_dir
+        strong_memoize(:default_cert_dir) do
+          ENV.fetch('SSL_CERT_DIR', OpenSSL::X509::DEFAULT_CERT_DIR)
+        end
+      end
+
+      def self.default_cert_file
+        strong_memoize(:default_cert_file) do
+          ENV.fetch('SSL_CERT_FILE', OpenSSL::X509::DEFAULT_CERT_FILE)
+        end
+      end
+
       def self.from_strings(key_string, cert_string, ca_certs_string = nil)
         key = OpenSSL::PKey::RSA.new(key_string)
         cert = OpenSSL::X509::Certificate.new(cert_string)
@@ -39,10 +51,10 @@ module Gitlab
 
       # Returns all top-level, readable files in the default CA cert directory
       def self.ca_certs_paths
-        cert_paths = Dir["#{OpenSSL::X509::DEFAULT_CERT_DIR}/*"].select do |path|
+        cert_paths = Dir["#{default_cert_dir}/*"].select do |path|
           !File.directory?(path) && File.readable?(path)
         end
-        cert_paths << OpenSSL::X509::DEFAULT_CERT_FILE if File.exist? OpenSSL::X509::DEFAULT_CERT_FILE
+        cert_paths << default_cert_file if File.exist? default_cert_file
         cert_paths
       end
 
@@ -61,6 +73,11 @@ module Gitlab
         clear_memoization(:ca_certs_bundle)
       end
 
+      def self.reset_default_cert_paths
+        clear_memoization(:default_cert_dir)
+        clear_memoization(:default_cert_file)
+      end
+
       # Returns an array of OpenSSL::X509::Certificate objects, empty array if none found
       #
       # Ruby OpenSSL::X509::Certificate.new will only load the first
diff --git a/lib/gitlab/x509/signature.rb b/lib/gitlab/x509/signature.rb
index a6761e211fa..8acbfc144e9 100644
--- a/lib/gitlab/x509/signature.rb
+++ b/lib/gitlab/x509/signature.rb
@@ -59,7 +59,7 @@ module Gitlab
 
           if Feature.enabled?(:x509_forced_cert_loading, type: :ops)
             # Forcibly load the default cert file because the OpenSSL library seemingly ignores it
-            store.add_file(OpenSSL::X509::DEFAULT_CERT_FILE) if File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE)
+            store.add_file(Gitlab::X509::Certificate.default_cert_file) if File.exist?(Gitlab::X509::Certificate.default_cert_file) # rubocop:disable Layout/LineLength
           end
 
           # valid_signing_time? checks the time attributes already
author	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-22 18:09:48 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2022-06-22 18:09:48 +0300
commit	640007842a876dfa551578feccfd0fe2307c522a (patch)
tree	4204c45a13b9beac3040df00572ffe0ecdb0ca40 /lib/gitlab/x509
parent	421f6c92d5984d035a7a6687d70277ba88f5f92b (diff)