Commit 5cce7172 authored by James Lopez's avatar James Lopez

Merge branch 'if-197463-smartcard_multiple_root_certificates' into 'master'

Load multiple root certificates in Auth::Smartcard::Base.store

See merge request gitlab-org/gitlab!26812
parents 2bd0ab09 1ef6e93d
......@@ -770,7 +770,7 @@ production: &base
# Allow smartcard authentication
enabled: false
# Path to a file containing a CA certificate
# Path to a file containing a CA certificate bundle
ca_file: '/etc/ssl/certs/CA.pem'
# Host and port where the client side certificate is requested by the
......
---
title: Allow multiple root certificates for smartcard auth
merge_request: 26812
author:
type: added
......@@ -4,7 +4,6 @@ module Gitlab
module Auth
module Smartcard
class Base
InvalidCAFilePath = Class.new(StandardError)
InvalidCertificate = Class.new(StandardError)
delegate :allow_signup?,
......@@ -12,17 +11,10 @@ module Gitlab
def self.store
@store ||= OpenSSL::X509::Store.new.tap do |store|
store.add_cert(
OpenSSL::X509::Certificate.new(
File.read(Gitlab.config.smartcard.ca_file)))
store.add_file(Gitlab.config.smartcard.ca_file)
end
rescue Errno::ENOENT => ex
logger.error(message: 'Failed to open Gitlab.config.smartcard.ca_file',
error: ex)
raise InvalidCAFilePath
rescue OpenSSL::X509::CertificateError => ex
logger.error(message: 'Gitlab.config.smartcard.ca_file is not a valid certificate',
rescue OpenSSL::X509::StoreError => ex
logger.error(message: 'Gitlab.config.smartcard.ca_file is invalid or does not exist',
error: ex)
raise InvalidCertificate
......
......@@ -16,17 +16,18 @@ RSpec.shared_examples 'a certificate store' do
subject { described_class.store }
context 'file does not exist' do
it 'raises error' do
expect { subject }.to(
raise_error(Gitlab::Auth::Smartcard::Certificate::InvalidCAFilePath))
context 'loads CA bundle' do
it 'uses correct method' do
expect_next_instance_of(OpenSSL::X509::Store) do |store|
expect(store).to receive(:add_file).and_return(true)
end
subject
end
end
context 'smartcard ca_file is not a valid certificate' do
context 'without valid CA file' do
it 'raises error' do
expect(File).to(
receive(:read).with('ca_file').and_return('invalid certificate'))
expect { subject }.to(
raise_error(Gitlab::Auth::Smartcard::Certificate::InvalidCertificate))
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment