Commit d8df043d authored by Imre Farkas's avatar Imre Farkas

Make hostname configurable for smartcard authentication

Hostname is configurable for the endpoint requiring client side
certificate.
parent ed6dbb83
---
title: Make hostname configurable for smartcard authentication
merge_request: 26411
author:
type: added
...@@ -752,7 +752,9 @@ production: &base ...@@ -752,7 +752,9 @@ production: &base
# Path to a file containing a CA certificate # Path to a file containing a CA certificate
ca_file: '/etc/ssl/certs/CA.pem' ca_file: '/etc/ssl/certs/CA.pem'
# Port where the client side certificate is requested by the webserver (NGINX/Apache) # Host and port where the client side certificate is requested by the
# webserver (NGINX/Apache)
# client_certificate_required_host: smartcard.gitlab.example.com
# client_certificate_required_port: 3444 # client_certificate_required_port: 3444
# Browser session with smartcard sign-in is required for Git access # Browser session with smartcard sign-in is required for Git access
......
...@@ -77,6 +77,7 @@ end ...@@ -77,6 +77,7 @@ end
Gitlab.ee do Gitlab.ee do
Settings['smartcard'] ||= Settingslogic.new({}) Settings['smartcard'] ||= Settingslogic.new({})
Settings.smartcard['enabled'] = false if Settings.smartcard['enabled'].nil? Settings.smartcard['enabled'] = false if Settings.smartcard['enabled'].nil?
Settings.smartcard['client_certificate_required_host'] = Settings.gitlab['host'] if Settings.smartcard['client_certificate_required_host'].nil?
Settings.smartcard['client_certificate_required_port'] = 3444 if Settings.smartcard['client_certificate_required_port'].nil? Settings.smartcard['client_certificate_required_port'] = 3444 if Settings.smartcard['client_certificate_required_port'].nil?
Settings.smartcard['required_for_git_access'] = false if Settings.smartcard['required_for_git_access'].nil? Settings.smartcard['required_for_git_access'] = false if Settings.smartcard['required_for_git_access'].nil?
Settings.smartcard['san_extensions'] = false if Settings.smartcard['san_extensions'].nil? Settings.smartcard['san_extensions'] = false if Settings.smartcard['san_extensions'].nil?
......
...@@ -5,25 +5,58 @@ class SmartcardController < ApplicationController ...@@ -5,25 +5,58 @@ class SmartcardController < ApplicationController
skip_before_action :verify_authenticity_token skip_before_action :verify_authenticity_token
before_action :check_feature_availability before_action :check_feature_availability
before_action :check_certificate_headers before_action :check_certificate_required_host_and_port, only: :extract_certificate
before_action :check_ngingx_certificate_header, only: :extract_certificate
before_action :check_certificate_param, only: :verify_certificate
def auth def auth
certificate = Gitlab::Auth::Smartcard::Certificate.new(certificate_header) redirect_to extract_certificate_smartcard_url(extract_certificate_url_options)
sign_in_with(certificate)
end end
def ldap_auth def extract_certificate
certificate = Gitlab::Auth::Smartcard::LdapCertificate.new(params[:provider], certificate_header) redirect_to verify_certificate_smartcard_url(verify_certificate_url_options)
sign_in_with(certificate) end
def verify_certificate
sign_in_with(client_certificate)
end end
private private
def extract_certificate_url_options
{
host: ::Gitlab.config.smartcard.client_certificate_required_host,
port: ::Gitlab.config.smartcard.client_certificate_required_port,
provider: params[:provider]
}.compact
end
def verify_certificate_url_options
{
host: ::Gitlab.config.gitlab.host,
port: ::Gitlab.config.gitlab.port,
provider: params[:provider],
client_certificate: request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
}.compact
end
def client_certificate
if ldap_provider?
Gitlab::Auth::Smartcard::LdapCertificate.new(params[:provider], certificate_param)
else
Gitlab::Auth::Smartcard::Certificate.new(certificate_param)
end
end
def ldap_provider?
params[:provider].present?
end
def sign_in_with(certificate) def sign_in_with(certificate)
user = certificate.find_or_create_user user = certificate.find_or_create_user
unless user&.persisted? unless user&.persisted?
flash[:alert] = _('Failed to signing using smartcard authentication') flash[:alert] = _('Failed to signing using smartcard authentication')
redirect_to new_user_session_path(port: Gitlab.config.gitlab.port) redirect_to new_user_session_path
return return
end end
...@@ -33,13 +66,43 @@ class SmartcardController < ApplicationController ...@@ -33,13 +66,43 @@ class SmartcardController < ApplicationController
sign_in_and_redirect(user) sign_in_and_redirect(user)
end end
def nginx_certificate_header
request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
end
def certificate_param
param = params[:client_certificate]
return unless param
unescaped_param = CGI.unescape(param)
if unescaped_param.include?("\n")
# NGINX forwarding the $ssl_client_escaped_cert variable
unescaped_param
else
# older version of NGINX forwarding the now deprecated $ssl_client_cert variable
param.gsub(/ (?!CERTIFICATE)/, "\n")
end
end
def check_feature_availability def check_feature_availability
render_404 unless ::Gitlab::Auth::Smartcard.enabled? render_404 unless ::Gitlab::Auth::Smartcard.enabled?
end end
def check_certificate_headers def check_certificate_required_host_and_port
# Failing on requests coming from the port not requiring client side certificate unless request.host == ::Gitlab.config.smartcard.client_certificate_required_host &&
unless certificate_header.present? request.port == ::Gitlab.config.smartcard.client_certificate_required_port
render_404
end
end
def check_ngingx_certificate_header
unless nginx_certificate_header.present?
access_denied!(_('Smartcard authentication failed: client certificate header is missing.'), 401)
end
end
def check_certificate_param
unless certificate_param.present?
access_denied!(_('Smartcard authentication failed: client certificate header is missing.'), 401) access_denied!(_('Smartcard authentication failed: client certificate header is missing.'), 401)
end end
end end
...@@ -52,20 +115,6 @@ class SmartcardController < ApplicationController ...@@ -52,20 +115,6 @@ class SmartcardController < ApplicationController
AuditEventService.new(user, user, options).for_authentication.security_event AuditEventService.new(user, user, options).for_authentication.security_event
end end
def certificate_header
header = request.headers['HTTP_X_SSL_CLIENT_CERTIFICATE']
return unless header
unescaped_header = CGI.unescape(header)
if unescaped_header.include?("\n")
# NGINX forwarding the $ssl_client_escaped_cert variable
unescaped_header
else
# older version of NGINX forwarding the now deprecated $ssl_client_cert variable
header.gsub(/ (?!CERTIFICATE)/, "\n")
end
end
def after_sign_in_path_for(resource) def after_sign_in_path_for(resource)
stored_location_for(:redirect) || stored_location_for(resource) || root_url(port: Gitlab.config.gitlab.port) stored_location_for(:redirect) || stored_location_for(resource) || root_url(port: Gitlab.config.gitlab.port)
end end
......
- if smartcard_enabled? - if smartcard_enabled?
.login-box.tab-pane{ id: 'smartcard', role: 'tabpanel', class: active_when(form_based_auth_provider_has_active_class?(:smartcard)) } .login-box.tab-pane{ id: 'smartcard', role: 'tabpanel', class: active_when(form_based_auth_provider_has_active_class?(:smartcard)) }
.login-body .login-body
= form_tag(smartcard_auth_url(port: smartcard_config_port), html: { 'aria-live' => 'assertive'}) do = form_tag(auth_smartcard_url, html: { 'aria-live' => 'assertive'}) do
.submit-container .submit-container
= submit_tag _('Login with smartcard'), class: 'btn btn-success' = submit_tag _('Login with smartcard'), class: 'btn btn-success'
...@@ -9,8 +9,7 @@ ...@@ -9,8 +9,7 @@
= _('Use your smart card to authenticate with the LDAP server.') = _('Use your smart card to authenticate with the LDAP server.')
.login-body .login-body
= form_tag(smartcard_ldap_auth_url(provider: server['provider_name'], = form_tag(auth_smartcard_url(provider: server['provider_name']),
port: smartcard_config_port),
html: { 'aria-live' => 'assertive'}) do html: { 'aria-live' => 'assertive'}) do
.submit-container .submit-container
= submit_tag(_('Sign in with smart card'), = submit_tag(_('Sign in with smart card'),
......
# frozen_string_literal: true # frozen_string_literal: true
post 'smartcard/auth' => 'smartcard#auth' resource :smartcard, only: [], controller: :smartcard do
post 'smartcard/ldap_auth' => 'smartcard#ldap_auth' collection do
post :auth
get :extract_certificate
get :verify_certificate
end
end
...@@ -5,61 +5,47 @@ require 'spec_helper' ...@@ -5,61 +5,47 @@ require 'spec_helper'
describe SmartcardController, type: :request do describe SmartcardController, type: :request do
include LdapHelpers include LdapHelpers
let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': 'certificate' } } let(:smartcard_host) { 'smartcard.example.com' }
let(:openssl_certificate_store) { instance_double(OpenSSL::X509::Store) } let(:smartcard_port) { 3443 }
let(:audit_event_service) { instance_double(AuditEventService) }
let(:session_enforcer) { instance_double(Gitlab::Auth::Smartcard::SessionEnforcer) }
shared_examples 'a client certificate authentication' do |auth_method| describe '#auth' do
context 'with smartcard_auth enabled' do let(:params) { {} }
it 'allows sign in' do
subject
expect(request.env['warden']).to be_authenticated subject { post auth_smartcard_path, params: params }
end
it 'redirects to root' do before do
subject stub_smartcard_config(
client_certificate_required_host: smartcard_host,
client_certificate_required_port: smartcard_port
)
end
expect(response).to redirect_to(root_url) context 'with smartcard_auth enabled' do
before do
enable_smartcard_authentication
end end
it 'logs audit event' do it 'redirects to extract certificate' do
expect(AuditEventService).to(
receive(:new)
.with(instance_of(User), instance_of(User), with: auth_method)
.and_return(audit_event_service))
expect(audit_event_service).to receive_message_chain(:for_authentication, :security_event)
subject subject
end
it 'stores active session' do
expect(::Gitlab::Auth::Smartcard::SessionEnforcer).to(
receive(:new).and_return(session_enforcer))
expect(session_enforcer).to receive(:update_session)
subject expect(response).to have_gitlab_http_status(:redirect)
expect(response.location).to(
eq(extract_certificate_smartcard_url(host: smartcard_host,
port: smartcard_port)))
end end
context 'user does not exist' do context 'with provider param' do
context 'signup allowed' do let(:provider) { 'ldap-provider' }
it 'creates user' do let(:params) { { provider: provider } }
expect { subject }.to change { User.count }.from(0).to(1)
end
end
context 'signup disabled' do
it 'renders 401' do
allow(Gitlab::CurrentSettings.current_application_settings).to(
receive(:allow_signup?).and_return(false))
subject it 'forwards the provider param' do
subject
expect(flash[:alert]).to eql('Failed to signing using smartcard authentication') expect(response).to have_gitlab_http_status(:redirect)
expect(response).to redirect_to(new_user_session_path) expect(response.location).to(
expect(request.env['warden']).not_to be_authenticated eq(extract_certificate_smartcard_url(host: smartcard_host,
end port: smartcard_port,
provider: provider)))
end end
end end
end end
...@@ -77,166 +63,324 @@ describe SmartcardController, type: :request do ...@@ -77,166 +63,324 @@ describe SmartcardController, type: :request do
end end
end end
describe '#auth' do describe '#extract_certificate' do
let(:subject_dn) { '/O=Random Corp Ltd/CN=gitlab-user/emailAddress=gitlab-user@random-corp.org' } let(:certificate) { 'certificate' }
let(:issuer_dn) { '/O=Random Corp Ltd/CN=Random Corp' } let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': certificate } }
let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': 'certificate' } } let(:params) { {} }
let(:openssl_certificate_store) { instance_double(OpenSSL::X509::Store) }
let(:openssl_certificate) { instance_double(OpenSSL::X509::Certificate, subject: subject_dn, issuer: issuer_dn) }
let(:audit_event_service) { instance_double(AuditEventService) }
before do subject do
allow(Gitlab::Auth::Smartcard).to receive(:enabled?).and_return(true) get(extract_certificate_smartcard_path, headers: certificate_headers,
allow(Gitlab::Auth::Smartcard::Certificate).to receive(:store).and_return(openssl_certificate_store) params: params)
allow(openssl_certificate_store).to receive(:verify).and_return(true)
allow(OpenSSL::X509::Certificate).to receive(:new).and_return(openssl_certificate)
end end
subject { post '/-/smartcard/auth', params: {}, headers: certificate_headers } before do
stub_config_setting(host: 'example.com',
it_behaves_like 'a client certificate authentication', 'smartcard' port: 443)
stub_smartcard_config(
client_certificate_required_host: smartcard_host,
client_certificate_required_port: smartcard_port
)
host! "#{smartcard_host}:#{smartcard_port}"
end
context 'user already exists' do context 'with smartcard_auth enabled' do
before do before do
user = create(:user) enable_smartcard_authentication
create(:smartcard_identity, subject: subject_dn, issuer: issuer_dn, user: user)
end end
it 'finds existing user' do it 'redirects to verify certificate' do
expect { subject }.not_to change { User.count } subject
expect(request.env['warden']).to be_authenticated
expect(response).to have_gitlab_http_status(:redirect)
expect(response.location).to(
eq(verify_certificate_smartcard_url(host: ::Gitlab.config.gitlab.host,
port: ::Gitlab.config.gitlab.port,
client_certificate: certificate)))
end end
end
context 'certificate header formats from NGINX' do context 'with provider param' do
shared_examples 'valid certificate header' do let(:provider) { 'ldap-provider' }
it 'authenticates user' do let(:params) { { provider: provider } }
expect(Gitlab::Auth::Smartcard::Certificate).to receive(:new).with(expected_certificate).and_call_original
it 'forwards the provider param' do
subject subject
expect(request.env['warden']).to be_authenticated expect(response).to have_gitlab_http_status(:redirect)
expect(response.location).to(
eq(verify_certificate_smartcard_url(host: ::Gitlab.config.gitlab.host,
port: ::Gitlab.config.gitlab.port,
client_certificate: certificate,
provider: provider)))
end end
end end
let(:expected_certificate) { "-----BEGIN CERTIFICATE-----\nrow\nrow\n-----END CERTIFICATE-----" } context 'missing NGINX client certificate header' do
let(:certificate_headers) { {} }
context 'escaped format' do it 'renders unauthorized' do
let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': '-----BEGIN%20CERTIFICATE-----%0Arow%0Arow%0A-----END%20CERTIFICATE-----' } } subject
it_behaves_like 'valid certificate header' expect(response).to have_gitlab_http_status(:unauthorized)
end
end end
context 'deprecated format' do context 'request from different host / port' do
let(:certificate_headers) { { 'X-SSL-CLIENT-CERTIFICATE': '-----BEGIN CERTIFICATE----- row row -----END CERTIFICATE-----' } } it 'renders 404' do
host! 'another.host:42'
subject
it_behaves_like 'valid certificate header' expect(response).to have_gitlab_http_status(:not_found)
end
end end
end end
context 'missing certificate headers' do context 'with smartcard_auth disabled' do
let(:certificate_headers) { nil } before do
allow(Gitlab::Auth::Smartcard).to receive(:enabled?).and_return(false)
end
it 'renders 401' do it 'renders 404' do
subject subject
expect(response).to have_gitlab_http_status(:unauthorized) expect(response).to have_gitlab_http_status(:not_found)
expect(request.env['warden']).not_to be_authenticated
end end
end end
end end
describe '#ldap_auth ' do describe '#verify_certificate' do
let(:subject_ldap_dn) { 'uid=john doe,ou=people,dc=example,dc=com' } shared_examples 'a client certificate authentication' do |auth_method|
let(:issuer_dn) { 'CN=Random Corp,O=Random Corp Ltd,C=US' } context 'with smartcard_auth enabled' do
let(:issuer) { instance_double(OpenSSL::X509::Name, to_s: issuer_dn) } it 'allows sign in' do
let(:serial) { '42' } subject
let(:openssl_certificate) do
instance_double(OpenSSL::X509::Certificate, expect(request.env['warden']).to be_authenticated
issuer: issuer, serial: serial) end
end
it 'redirects to root' do
subject
expect(response).to redirect_to(root_url)
end
it 'logs audit event' do
audit_event_service = instance_double(AuditEventService)
expect(AuditEventService).to(
receive(:new)
.with(instance_of(User), instance_of(User), with: auth_method)
.and_return(audit_event_service))
expect(audit_event_service).to receive_message_chain(:for_authentication, :security_event)
subject
end
it 'stores active session' do
session_enforcer = instance_double(Gitlab::Auth::Smartcard::SessionEnforcer)
expect(::Gitlab::Auth::Smartcard::SessionEnforcer).to(
receive(:new).and_return(session_enforcer))
expect(session_enforcer).to receive(:update_session)
subject
end
context 'user does not exist' do
context 'signup allowed' do
it 'creates user' do
expect { subject }.to change { User.count }.from(0).to(1)
end
end
context 'signup disabled' do
it 'renders 401' do
allow(Gitlab::CurrentSettings.current_application_settings).to(
receive(:allow_signup?).and_return(false))
subject
expect(flash[:alert]).to eql('Failed to signing using smartcard authentication')
expect(response).to redirect_to(new_user_session_path)
expect(request.env['warden']).not_to be_authenticated
end
end
end
context 'missing client certificate param' do
let(:params) { {} }
let(:ldap_connection) { instance_double(::Net::LDAP) } it 'renders unauthorized' do
let(:ldap_email) { 'john.doe@example.com' } subject
let(:ldap_entry) do
Net::LDAP::Entry.new.tap do |entry| expect(response).to have_gitlab_http_status(:unauthorized)
entry['dn'] = subject_ldap_dn expect(request.env['warden']).not_to be_authenticated
entry['uid'] = 'john doe' end
entry['cn'] = 'John Doe' end
entry['mail'] = ldap_email
end end
end
let(:ldap_user_search_scope) { 'dc=example,dc=com' }
let(:ldap_search_params) do
{ attributes: array_including('dn', 'cn', 'mail', 'uid', 'userid'),
base: ldap_user_search_scope,
filter: Net::LDAP::Filter.ex(
'userCertificate:certificateExactMatch',
"{ serialNumber #{serial}, issuer \"#{issuer_dn}\" }") }
end
subject do context 'with smartcard_auth disabled' do
post('/-/smartcard/ldap_auth', before do
{ params: { provider: 'ldapmain' }, allow(Gitlab::Auth::Smartcard).to receive(:enabled?).and_return(false)
headers: certificate_headers } ) end
it 'renders 404' do
subject
expect(response).to have_gitlab_http_status(:not_found)
end
end
end end
let(:client_certificate) { 'certificate' }
let(:params) { { client_certificate: client_certificate } }
let(:serial) { '42' }
let(:subject_dn) { '/O=Random Corp Ltd/CN=gitlab-user/emailAddress=gitlab-user@random-corp.org' }
let(:issuer_dn) { 'CN=Random Corp,O=Random Corp Ltd,C=US' }
before do before do
allow(Gitlab::Auth::Smartcard).to receive(:enabled?).and_return(true) enable_smartcard_authentication
stub_certificate_store
stub_certificate
end
allow(Gitlab::Auth::Smartcard::LdapCertificate).to( context 'Smartcard::Certificate' do
receive(:store).and_return(openssl_certificate_store)) subject { get verify_certificate_smartcard_path, params: params }
allow(openssl_certificate_store).to receive(:verify).and_return(true)
allow(OpenSSL::X509::Certificate).to( it_behaves_like 'a client certificate authentication', 'smartcard'
receive(:new).and_return(openssl_certificate))
allow(Net::LDAP).to receive(:new).and_return(ldap_connection) context 'user already exists' do
allow(ldap_connection).to( before do
receive(:search).with(ldap_search_params).and_return([ldap_entry])) user = create(:user)
end create(:smartcard_identity, subject: subject_dn, issuer: issuer_dn, user: user)
end
it 'finds existing user' do
expect { subject }.not_to change { User.count }
expect(request.env['warden']).to be_authenticated
end
end
context 'certificate header formats from NGINX' do
shared_examples 'valid certificate header' do
it 'authenticates user' do
expect(Gitlab::Auth::Smartcard::Certificate).to receive(:new).with(expected_certificate).and_call_original
it_behaves_like 'a client certificate authentication', 'smartcard_ldap' subject
it 'sets correct parameters for LDAP search' do expect(request.env['warden']).to be_authenticated
expect(ldap_connection).to( end
receive(:search).with(ldap_search_params).and_return([ldap_entry])) end
let(:expected_certificate) { "-----BEGIN CERTIFICATE-----\nrow\nrow\n-----END CERTIFICATE-----" }
context 'escaped format' do
let(:client_certificate) { '-----BEGIN%20CERTIFICATE-----%0Arow%0Arow%0A-----END%20CERTIFICATE-----' }
it_behaves_like 'valid certificate header'
end
subject context 'deprecated format' do
let(:client_certificate) { '-----BEGIN CERTIFICATE----- row row -----END CERTIFICATE-----' }
it_behaves_like 'valid certificate header'
end
end
end end
context 'user already exists' do context 'Smartcard::LdapCertificate' do
let_it_be(:user) { create(:user) } let(:ldap_connection) { instance_double(::Net::LDAP) }
let(:subject_ldap_dn) { 'uid=john doe,ou=people,dc=example,dc=com' }
let(:ldap_email) { 'john.doe@example.com' }
let(:ldap_entry) do
Net::LDAP::Entry.new.tap do |entry|
entry['dn'] = subject_ldap_dn
entry['uid'] = 'john doe'
entry['cn'] = 'John Doe'
entry['mail'] = ldap_email
end
end
let(:ldap_user_search_scope) { 'dc=example,dc=com' }
let(:ldap_search_params) do
{ attributes: array_including('dn', 'cn', 'mail', 'uid', 'userid'),
base: ldap_user_search_scope,
filter: Net::LDAP::Filter.ex(
'userCertificate:certificateExactMatch',
"{ serialNumber #{serial}, issuer \"#{issuer_dn}\" }") }
end
subject do
get(verify_certificate_smartcard_path,
{ params: params.merge({ provider: 'ldapmain' }) })
end
before do
allow(Net::LDAP).to receive(:new).and_return(ldap_connection)
allow(ldap_connection).to(
receive(:search).with(ldap_search_params).and_return([ldap_entry]))
end
it 'finds existing user' do it_behaves_like 'a client certificate authentication', 'smartcard_ldap'
create(:identity, { provider: 'ldapmain',
extern_uid: subject_ldap_dn,
user: user })
expect { subject }.not_to change { User.count } it 'sets correct parameters for LDAP search' do
expect(ldap_connection).to(
receive(:search).with(ldap_search_params).and_return([ldap_entry]))
expect(request.env['warden']).to be_authenticated subject
end end
context "user has a different identity" do context 'user already exists' do
let(:ldap_email) { user.email } let_it_be(:user) { create(:user) }
before do it 'finds existing user' do
create(:identity, { provider: 'ldapmain', create(:identity, { provider: 'ldapmain',
extern_uid: 'different_identity_dn', extern_uid: subject_ldap_dn,
user: user }) user: user })
end
it "doesn't login a user" do expect { subject }.not_to change { User.count }
subject
expect(request.env['warden']).not_to be_authenticated expect(request.env['warden']).to be_authenticated
end end
it "doesn't create a new user entry either" do context 'user has a different identity' do
expect { subject }.not_to change { User.count } let(:ldap_email) { user.email }
before do
create(:identity, { provider: 'ldapmain',
extern_uid: 'different_identity_dn',
user: user })
end
it "doesn't login a user" do
subject
expect(request.env['warden']).not_to be_authenticated
end
it "doesn't create a new user entry either" do
expect { subject }.not_to change { User.count }
end
end end
end end
end end
end end
def enable_smartcard_authentication
allow(Gitlab::Auth::Smartcard).to receive(:enabled?).and_return(true)
end
def stub_smartcard_config(smartcard_settings)
allow(::Gitlab.config.smartcard).to(receive_messages(smartcard_settings))
end
def stub_certificate_store
openssl_certificate_store = instance_double(OpenSSL::X509::Store)
allow(Gitlab::Auth::Smartcard::Base).to receive(:store).and_return(openssl_certificate_store)
allow(openssl_certificate_store).to receive(:verify).and_return(true)
end
def stub_certificate
issuer = instance_double(OpenSSL::X509::Name, to_s: issuer_dn)
openssl_certificate = instance_double(OpenSSL::X509::Certificate, subject: subject_dn, issuer: issuer, serial: serial)
allow(OpenSSL::X509::Certificate).to receive(:new).and_return(openssl_certificate)
end
end end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment