Merge branch 'if-10526-smartcard_support_different_hostname' into 'master'

Make hostname configurable for smartcard authentication See merge request gitlab-org/gitlab!26411

Merge branch 'if-10526-smartcard_support_different_hostname' into 'master'
Make hostname configurable for smartcard authentication See merge request gitlab-org/gitlab!26411
277830e9 · Nick Thomas · 7184b409 · d8df043d · 277830e9 · 277830e9
Commit 277830e9 authored Mar 12, 2020 by Nick Thomas
8 changed files
--- a/changelogs/unreleased/10526-smartcard_support_different_hostname.yml
+++ b/changelogs/unreleased/10526-smartcard_support_different_hostname.yml
+---
+title: Make hostname configurable for smartcard authentication
+merge_request: 26411
+author:
+type: added
--- a/config/gitlab.yml.example
+++ b/config/gitlab.yml.example
@@ -752,7 +752,9 @@ production: &base
    # Path to a file containing a CA certificate
    ca_file: '/etc/ssl/certs/CA.pem'
-    # Port where the client side certificate is requested by the webserver (NGINX/Apache)
+    # Host and port where the client side certificate is requested by the
+    # webserver (NGINX/Apache)
+    # client_certificate_required_host: smartcard.gitlab.example.com
    # client_certificate_required_port: 3444
    # Browser session with smartcard sign-in is required for Git access

--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -77,6 +77,7 @@ end
 Gitlab.ee do
  Settings['smartcard'] ||= Settingslogic.new({})
  Settings.smartcard['enabled'] = false if Settings.smartcard['enabled'].nil?
+  Settings.smartcard['client_certificate_required_host'] = Settings.gitlab['host'] if Settings.smartcard['client_certificate_required_host'].nil?
  Settings.smartcard['client_certificate_required_port'] = 3444 if Settings.smartcard['client_certificate_required_port'].nil?
  Settings.smartcard['required_for_git_access'] = false if Settings.smartcard['required_for_git_access'].nil?
  Settings.smartcard['san_extensions'] = false if Settings.smartcard['san_extensions'].nil?

--- a/ee/app/controllers/smartcard_controller.rb
+++ b/ee/app/controllers/smartcard_controller.rb
@@ -5,25 +5,58 @@ class SmartcardController < ApplicationController
  skip_before_action :verify_authenticity_token
  before_action :check_feature_availability
-  before_action :check_certificate_headers
+  before_action :check_certificate_required_host_and_port, only: :extract_certificate
+  before_action :check_ngingx_certificate_header, only: :extract_certificate
+  before_action :check_certificate_param, only: :verify_certificate
  def auth
-    certificate = Gitlab::Auth::Smartcard::Certificate.new(certificate_header)
+    redirect_to extract_certificate_smartcard_url(extract_certificate_url_options)
-    sign_in_with(certificate)
  end
-  def ldap_auth
+  def extract_certificate
-    certificate = Gitlab::Auth::Smartcard::LdapCertificate.new(params[:provider], certificate_header)
+    redirect_to verify_certificate_smartcard_url(verify_certificate_url_options)
-    sign_in_with(certificate)
+  end
+  def verify_certificate
+    sign_in_with(client_certificate)
  end
  private
+  def extract_certificate_url_options
+    {
+      host: ::Gitlab.config.smartcard.client_certificate_required_host,
+      port: ::Gitlab.config.smartcard.client_certificate_required_port,
+      provider: params[:provider]
+    }.compact
+  end
+  def verify_certificate_url_options
+    {
+      host: ::Gitlab.config.gitlab.host,
+      port: ::Gitlab.config.gitlab.port,
+      provider: params[:provider],
+      client_certificate: request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
+    }.compact
+  end
+  def client_certificate
+    if ldap_provider?
+      Gitlab::Auth::Smartcard::LdapCertificate.new(params[:provider], certificate_param)
+    else
+      Gitlab::Auth::Smartcard::Certificate.new(certificate_param)
+    end
+  end
+  def ldap_provider?
+    params[:provider].present?
+  end
  def sign_in_with(certificate)
    user = certificate.find_or_create_user
    unless user&.persisted?
      flash[:alert] = _('Failed to signing using smartcard authentication')
-      redirect_to new_user_session_path(port: Gitlab.config.gitlab.port)
+      redirect_to new_user_session_path
      return
    end
@@ -33,13 +66,43 @@ class SmartcardController < ApplicationController
    sign_in_and_redirect(user)
  end
+  def nginx_certificate_header
+    request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
+  end
+  def certificate_param
+    param = params[:client_certificate]
+    return unless param
+    unescaped_param = CGI.unescape(param)
+    if unescaped_param.include?("\n")
+      # NGINX forwarding the $ssl_client_escaped_cert variable
+      unescaped_param
+    else
+      # older version of NGINX forwarding the now deprecated $ssl_client_cert variable
+      param.gsub(/ (?!CERTIFICATE)/, "\n")
+    end
+  end
  def check_feature_availability
    render_404 unless ::Gitlab::Auth::Smartcard.enabled?
  end
-  def check_certificate_headers
+  def check_certificate_required_host_and_port
-    # Failing on requests coming from the port not requiring client side certificate
+    unless request.host == ::Gitlab.config.smartcard.client_certificate_required_host &&
-    unless certificate_header.present?
+      request.port == ::Gitlab.config.smartcard.client_certificate_required_port
+      render_404
+    end
+  end
+  def check_ngingx_certificate_header
+    unless nginx_certificate_header.present?
+      access_denied!(_('Smartcard authentication failed: client certificate header is missing.'), 401)
+    end
+  end
+  def check_certificate_param
+    unless certificate_param.present?
      access_denied!(_('Smartcard authentication failed: client certificate header is missing.'), 401)
    end
  end
@@ -52,20 +115,6 @@ class SmartcardController < ApplicationController
    AuditEventService.new(user, user, options).for_authentication.security_event
  end
-  def certificate_header
-    header = request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
-    return unless header
-    unescaped_header = CGI.unescape(header)
-    if unescaped_header.include?("\n")
-      # NGINX forwarding the $ssl_client_escaped_cert variable
-      unescaped_header
-    else
-      # older version of NGINX forwarding the now deprecated $ssl_client_cert variable
-      header.gsub(/ (?!CERTIFICATE)/, "\n")
-    end
-  end
  def after_sign_in_path_for(resource)
    stored_location_for(:redirect) || stored_location_for(resource) || root_url(port: Gitlab.config.gitlab.port)
  end

--- a/ee/app/views/devise/sessions/_new_smartcard.html.haml
+++ b/ee/app/views/devise/sessions/_new_smartcard.html.haml
 - if smartcard_enabled?
  .login-box.tab-pane{ id: 'smartcard', role: 'tabpanel', class: active_when(form_based_auth_provider_has_active_class?(:smartcard)) }
    .login-body
-      = form_tag(smartcard_auth_url(port: smartcard_config_port), html: { 'aria-live' => 'assertive'}) do
+      = form_tag(auth_smartcard_url, html: { 'aria-live' => 'assertive'}) do
        .submit-container
          = submit_tag _('Login with smartcard'), class: 'btn btn-success'
--- a/ee/app/views/devise/sessions/_new_smartcard_ldap.html.haml
+++ b/ee/app/views/devise/sessions/_new_smartcard_ldap.html.haml
@@ -9,8 +9,7 @@
      = _('Use your smart card to authenticate with the LDAP server.')
    .login-body
-      = form_tag(smartcard_ldap_auth_url(provider: server['provider_name'],
+      = form_tag(auth_smartcard_url(provider: server['provider_name']),
-                                         port: smartcard_config_port),
                 html: { 'aria-live' => 'assertive'}) do
        .submit-container
          = submit_tag(_('Sign in with smart card'),

--- a/ee/config/routes/smartcard.rb
+++ b/ee/config/routes/smartcard.rb
 # frozen_string_literal: true
-post 'smartcard/auth' => 'smartcard#auth'
+resource :smartcard, only: [], controller: :smartcard do
-post 'smartcard/ldap_auth' => 'smartcard#ldap_auth'
+  collection do
+    post :auth
+    get :extract_certificate
+    get :verify_certificate
+  end
+end
--- a/ee/spec/requests/smartcard_controller_spec.rb
+++ b/ee/spec/requests/smartcard_controller_spec.rb