Merge branch '8605-add-cert-extensions-options' into 'master'

Add smartcard_san_extensions to gitlab.rb See merge request gitlab-org/omnibus-gitlab!3566

Merge branch '8605-add-cert-extensions-options' into 'master'
3b3011f0 · Balasankar C · 8d3d425e · 5023e824 · 3b3011f0 · 3b3011f0
Commit 3b3011f0 authored 5 years ago by Balasankar C
--- a/changelogs/unreleased/8605-add-cert-extensions-options.yml
+++ b/changelogs/unreleased/8605-add-cert-extensions-options.yml
+---
+title: Add smartcard_san_extentions to gitlab.rb
+merge_request: 3566
+author:
+type: added
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -338,6 +338,7 @@ external_url 'GENERATED_EXTERNAL_URL'
 # gitlab_rails['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem"
 # gitlab_rails['smartcard_client_certificate_required_port'] = 3444
 # gitlab_rails['smartcard_required_for_git_access'] = false
+# gitlab_rails['smartcard_san_extensions'] = false
  
 ### OmniAuth Settings
 ###! Docs: https://docs.gitlab.com/ce/integration/omniauth.html

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -252,6 +252,7 @@ default['gitlab']['gitlab-rails']['smartcard_enabled'] = false
 default['gitlab']['gitlab-rails']['smartcard_ca_file'] = "/etc/gitlab/ssl/CA.pem"
 default['gitlab']['gitlab-rails']['smartcard_client_certificate_required_port'] = 3444
 default['gitlab']['gitlab-rails']['smartcard_required_for_git_access'] = false
+default['gitlab']['gitlab-rails']['smartcard_san_extensions'] = false
  
 default['gitlab']['gitlab-rails']['kerberos_enabled'] = nil
 default['gitlab']['gitlab-rails']['kerberos_keytab'] = nil

--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -464,6 +464,9 @@ production: &base
    # Browser session with smartcard sign-in is required for Git access
    required_for_git_access: <%= @smartcard_required_for_git_access %>
  
+    # SAN extensions to match users with certificates
+    san_extensions: <%= @smartcard_san_extensions %>
+
  ## Kerberos settings
  kerberos:
    # Allow the HTTP Negotiate authentication method for Git clients

--- a/spec/chef/recipes/gitlab-rails_spec.rb
+++ b/spec/chef/recipes/gitlab-rails_spec.rb
@@ -989,6 +989,26 @@ describe 'gitlab::gitlab-rails' do
            )
          end
        end
+
+        context 'smartcard_san_extensions' do
+          it 'sets smartcard_san_extensions based on config' do
+            stub_gitlab_rb(
+              gitlab_rails: {
+                smartcard_enabled: true,
+                smartcard_san_extensions: true
+              }
+            )
+
+            expect(chef_run).to create_templatesymlink('Create a gitlab.yml and create a symlink to Rails root').with_variables(
+              hash_including(
+                'smartcard_enabled' => true,
+                'smartcard_ca_file' => '/etc/gitlab/ssl/CA.pem',
+                'smartcard_client_certificate_required_port' => 3444,
+                'smartcard_san_extensions' => true
+              )
+            )
+          end
+        end
      end
  
      context 'smartcard authentication is disabled' do