Set `Net::LDAP` `ca_file` option

dcc12505 · Michael Kozono · b67c0078 · dcc12505 · dcc12505
Commit dcc12505 authored Jun 08, 2017 by Michael Kozono
Hide whitespace changes
Inline Side-by-side

Showing with 45 additions and 5 deletions

lib/gitlab/ldap/config.rb lib/gitlab/ldap/config.rb +15 -5

spec/lib/gitlab/ldap/config_spec.rb spec/lib/gitlab/ldap/config_spec.rb +30 -0

No files found.
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -179,11 +179,21 @@ module Gitlab
      end

      def tls_options(method)
-        if method && options['verify_certificates']
-          OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
-        else
-          { verify_mode: OpenSSL::SSL::VERIFY_NONE }
-        end
+        return { verify_mode: OpenSSL::SSL::VERIFY_NONE } unless method
+
+        opts = if options['verify_certificates']
+                 OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+               else
+                 # It is important to explicitly set verify_mode for two reasons:
+                 # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+                 # 2. The net-ldap gem implementation verifies the certificate hostname
+                 #    unless verify_mode is set to VERIFY_NONE.
+                 { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+               end
+
+        opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+
+        opts
      end

      def auth_options

--- a/spec/lib/gitlab/ldap/config_spec.rb
+++ b/spec/lib/gitlab/ldap/config_spec.rb
@@ -138,6 +138,36 @@ describe Gitlab::LDAP::Config, lib: true do
        })
      end
    end
+
+    context 'when ca_file is specified' do
+      it 'passes it through in tls_options' do
+        stub_ldap_config(
+          options: {
+            'host'                => 'ldap.example.com',
+            'port'                => 686,
+            'encryption'          => 'simple_tls',
+            'ca_file'             => '/etc/ca.pem'
+          }
+        )
+
+        expect(config.adapter_options[:encryption][:tls_options]).to include({ ca_file: '/etc/ca.pem' })
+      end
+    end
+
+    context 'when ca_file is a blank string' do
+      it 'does not add the ca_file key to tls_options' do
+        stub_ldap_config(
+          options: {
+            'host'                => 'ldap.example.com',
+            'port'                => 686,
+            'encryption'          => 'simple_tls',
+            'ca_file'             => ' '
+          }
+        )
+
+        expect(config.adapter_options[:encryption][:tls_options]).not_to have_key(:ca_file)
+      end
+    end
  end

  describe '#omniauth_options' do