From f6350faca1a9680c3ab8f68a05f289c89a4a2272 Mon Sep 17 00:00:00 2001
From: Drew Blessing
Date: Tue, 29 May 2018 15:33:13 -0500
Subject: Allow raw `tls_options` to be passed in LDAP configuration
We've previously exposed ca_file and ssl_version but there are many possible options that can be used inside tls_options. Instead of exposing individual ones, simply expose the entire hash so it can be passed in and we won't have to add things in the future.
---
 config/gitlab.yml.example | 65 ++++++++++++++++++++++++++++++---------
 config/initializers/1_settings.rb | 18 +++++++++++
 2 files changed, 68 insertions(+), 15 deletions(-)
(limited to 'config')
diff --git a/config/gitlab.yml.example b/config/gitlab.yml.example
index 1a5b9ec3f02..2ad992a059c 100644
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -379,19 +379,54 @@ production: &base # "start_tls" or "simple_tls". Defaults to true. verify_certificates: true - # Specifies the path to a file containing a PEM-format CA certificate, - # e.g. if you need to use an internal CA. - # - # Example: '/etc/ca.pem' - # - ca_file: '' - - # Specifies the SSL version for OpenSSL to use, if the OpenSSL default - # is not appropriate. - # - # Example: 'TLSv1_1' - # - ssl_version: '' + # OpenSSL::SSL::SSLContext options. + tls_options: + # Specifies the path to a file containing a PEM-format CA certificate, + # e.g. if you need to use an internal CA. + # + # Example: '/etc/ca.pem' + # + ca_file: '' + + # Specifies the SSL version for OpenSSL to use, if the OpenSSL default + # is not appropriate. + # + # Example: 'TLSv1_1' + # + ssl_version: '' + + # Specific SSL ciphers to use in communication with LDAP servers. + # + # Example: 'ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2' + ciphers: '' + + # Client certificate + # + # Example: + # cert: | + # -----BEGIN CERTIFICATE----- + # MIIDbDCCAlSgAwIBAgIGAWkJxLmKMA0GCSqGSIb3DQEBCwUAMHcxFDASBgNVBAoTC0dvb2dsZSBJ + # bmMuMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQDEwtMREFQIENsaWVudDEPMA0GA1UE + # CxMGR1N1aXRlMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTAeFw0xOTAyMjAwNzE4 + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... + # 4SbuJPAiJxC1LQ0t39dR6oMCAMab3hXQqhL56LrR6cRBp6Mtlphv7alu9xb/x51y2x+g2zWtsf80 + # Jrv/vKMsIh/sAyuogb7hqMtp55ecnKxceg== + # -----END CERTIFICATE ----- + cert: '' + + # Client private key + # key: | + # -----BEGIN PRIVATE KEY----- + # MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC3DmJtLRmJGY4xU1QtI3yjvxO6 + # bNuyE4z1NF6Xn7VSbcAaQtavWQ6GZi5uukMo+W5DHVtEkgDwh92ySZMuJdJogFbNvJvHAayheCdN + # 7mCQ2UUT9jGXIbmksUn9QMeJVXTZjgJWJzPXToeUdinx9G7+lpVa62UATEd1gaI3oyL72WmpDy/C + # rntnF4d+0dd7zP3jrWkbdtoqjLDT/5D7NYRmVCD5vizV98FJ5//PIHbD1gL3a9b2MPAc6k7NV8tl + # ... 
+ # +9IhSYX+XIg7BZOVDeYqlPfxRvQh8vy3qjt/KUihmEPioAjLaGiihs1Fk5ctLk9A2hIUyP+sEQv9 + # l6RG+a/mW+0rCWn8JAd464Ps9hE= + # -----END PRIVATE KEY----- + key: '' # Set a timeout, in seconds, for LDAP queries. This helps avoid blocking # a request if the LDAP server becomes unresponsive. @@ -653,8 +688,8 @@ production: &base # # Turns on AWS Server-Side Encryption with Amazon S3-Managed Keys for backups, this is optional # # encryption: 'AES256' # # Turns on AWS Server-Side Encryption with Amazon Customer-Provided Encryption Keys for backups, this is optional - # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. - # # 'encryption' must also be set in order for this to have any effect. + # # This should be set to the 256-bit, base64-encoded encryption key for Amazon S3 to use to encrypt or decrypt your data. + # # 'encryption' must also be set in order for this to have any effect. # # encryption_key: '' # # Specifies Amazon S3 storage class to use for backups, this is optional # # storage_class: 'STANDARD' diff --git a/config/initializers/1_settings.rb b/config/initializers/1_settings.rb index 1344b3cb1f6..03800f3d9d2 100644 --- a/config/initializers/1_settings.rb +++ b/config/initializers/1_settings.rb 
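Review bot: The client-certificate example added under `tls_options` ends with `# -----END CERTIFICATE -----`, with a space before the closing dashes; a PEM footer whose label does not match the `-----BEGIN CERTIFICATE-----` header is rejected by OpenSSL's PEM reader, so anyone copying this example will get an unparseable certificate. It should read `# -----END CERTIFICATE-----`, matching the `-----END PRIVATE KEY-----` line in the `key:` example below it. Since the `key:` example places private-key material directly in gitlab.yml, a one-line comment that the file's permissions are then what protects the key would help operators. Whether the empty-string defaults (`ca_file: ''`, `ssl_version: ''`, `ciphers: ''`, `cert: ''`, `key: ''`) are dropped before the hash reaches `OpenSSL::SSL::SSLContext` is not visible in this commit; if they are passed through verbatim a blank `ssl_version` would presumably fail, so the `# OpenSSL::SSL::SSLContext options.` comment should state that blank values are ignored, if that is the case.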
@@ -40,6 +40,24 @@ if Settings.ldap['enabled'] || Rails.env.test?
 # Since GitLab 10.0, verify_certificates defaults to true for security.
 server['verify_certificates'] = true if server['verify_certificates'].nil?
 
+ # Expose ability to set `tls_options` directly. Deprecate `ca_file` and
+ # `ssl_version` in favor of `tls_options` hash option.
+ server['tls_options'] ||= {}
+
+ if server['ssl_version'] || server['ca_file']
+ Rails.logger.warn 'DEPRECATED: LDAP options `ssl_version` and `ca_file` should be nested within `tls_options`'
+ end
+
+ if server['ssl_version']
+ server['tls_options']['ssl_version'] ||= server['ssl_version']
+ server.delete('ssl_version')
+ end
+
+ if server['ca_file']
+ server['tls_options']['ca_file'] ||= server['ca_file']
+ server.delete('ca_file')
+ end
+
 Settings.ldap['servers'][key] = server
 end
 end
--
cgit v1.2.3
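Review bot: The three `if server['ssl_version']` / `server['ca_file']` checks treat an empty string as "set", because only `nil` and `false` are falsy in Ruby, and the example config this commit removes shipped both keys as `ca_file: ''` and `ssl_version: ''`; every installation that copied that example will presumably log the DEPRECATED warning on each boot and have `''` copied into `tls_options`. Use blank checks instead, `if server['ssl_version'].present? || server['ca_file'].present?`, `if server['ssl_version'].present?` and `if server['ca_file'].present?` (ActiveSupport's `present?` is available, since the code already relies on `Rails.logger` and `Rails.env`). The `||=` in `server['tls_options']['ssl_version'] ||= server['ssl_version']` also keeps an existing value under `tls_options` over the legacy top-level one, which is reasonable but worth saying in the comment, e.g. `# A value already under tls_options wins over the deprecated top-level key.` The enclosing `if Settings.ldap['enabled'] || Rails.env.test?` block and the iteration that yields `key` and `server` begin outside the hunk.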