Merge branch 'sh-validate-smtp-15-10' into '15-10-stable'

[15.10] Validate that SMTP settings do not enable both TLS and STARTTLS See merge request https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/6877 Merged-by: Balasankar 'Balu' C <balasankar@gitlab.com> Approved-by: Balasankar 'Balu' C <balasankar@gitlab.com> Co-authored-by: Stan Hu <stanhu@gmail.com>

Merge branch 'sh-validate-smtp-15-10' into '15-10-stable'
030f5035 · Balasankar C · 96af311d · 018c6de1 · 030f5035 · 030f5035
Commit 030f5035 authored 1 year ago by Balasankar C
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab_rails.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab_rails.rb
@@ -34,6 +34,7 @@ module GitlabRails
      parse_incoming_email_logfile
      parse_service_desk_email_logfile
      parse_maximum_request_duration
+      validate_smtp_settings!
    end
  
    def parse_directories
@@ -361,6 +362,10 @@ module GitlabRails
      raise "The maximum request duration needs to be smaller than the worker timeout (#{worker_timeout}s)"
    end
  
+    def validate_smtp_settings!
+      SmtpHelper.validate_smtp_settings!(Gitlab['gitlab_rails'])
+    end
+
    def public_path
      "#{Gitlab['node']['package']['install-dir']}/embedded/service/gitlab-rails/public"
    end

--- a/files/gitlab-cookbooks/gitlab/libraries/smtp_helper.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/smtp_helper.rb
+# frozen_string_literal: true
+
+class SmtpHelper
+  def self.validate_smtp_settings!(rails_config)
+    return unless rails_config['smtp_enable']
+    return unless rails_config['smtp_tls'] && rails_config['smtp_enable_starttls_auto']
+
+    raise "gitlab_rails['smtp_tls'] and gitlab_rails['smtp_enable_starttls_auto'] are mutually exclusive." \
+          " Set one of them to false. SMTP providers usually use port 465 for TLS and port 587 for STARTTLS."
+  end
+end
--- a/spec/chef/cookbooks/gitlab/recipes/gitlab-rails_spec.rb
+++ b/spec/chef/cookbooks/gitlab/recipes/gitlab-rails_spec.rb
@@ -1282,6 +1282,58 @@ RSpec.describe 'gitlab::gitlab-rails' do
        }
      end
    end
+
+    context 'when STARTTLS is enabled' do
+      before do
+        stub_gitlab_rb(
+          gitlab_rails: {
+            smtp_enable: true,
+            smtp_enable_starttls_auto: true
+          }
+        )
+      end
+
+      it 'enables STARTTLS in the settings' do
+        expect(chef_run).to render_file('/var/opt/gitlab/gitlab-rails/etc/smtp_settings.rb').with_content { |content|
+          expect(content).not_to include('tls =')
+          expect(content).to include('enable_starttls_auto: true')
+        }
+      end
+    end
+
+    context 'when SMTP TLS is enabled' do
+      before do
+        stub_gitlab_rb(
+          gitlab_rails: {
+            smtp_enable: true,
+            smtp_tls: true
+          }
+        )
+      end
+
+      it 'enables SMTP TLS in the settings' do
+        expect(chef_run).to render_file('/var/opt/gitlab/gitlab-rails/etc/smtp_settings.rb').with_content { |content|
+          expect(content).to include('tls: true')
+          expect(content).not_to include('enable_starttls_auto')
+        }
+      end
+    end
+
+    context 'when TLS and STARTTLS are enabled' do
+      before do
+        stub_gitlab_rb(
+          gitlab_rails: {
+            smtp_enable: true,
+            smtp_tls: true,
+            smtp_enable_starttls_auto: true
+          }
+        )
+      end
+
+      it 'raises an exception' do
+        expect { chef_run }.to raise_error(RuntimeError)
+      end
+    end
  end
  
  describe 'cleaning up the legacy sidekiq log symlink' do