Add FortiAuthenticator configuration to gitlab.rb

d5977e27 · Imre (Admin) · 73718929 · d5977e27 · d5977e27 · d5977e27
Commit d5977e27 authored 4 years ago by Imre (Admin)
--- a/changelogs/unreleased/forti_authenticator.yml
+++ b/changelogs/unreleased/forti_authenticator.yml
+---
+title: Add FortiAuthenticator configuration to gitlab.rb
+merge_request: 4645
+author:
+type: added
--- a/files/gitlab-config-template/gitlab.rb.template
+++ b/files/gitlab-config-template/gitlab.rb.template
@@ -492,6 +492,13 @@ gitlab_rails['object_store']['objects']['terraform_state']['bucket'] = nil
 #   }
 # ]
  
+### FortiAuthenticator authentication settings
+# gitlab_rails['forti_authenticator_enabled'] = false
+# gitlab_rails['forti_authenticator_host'] = 'forti_authenticator.example.com'
+# gitlab_rails['forti_authenticator_port'] = 443
+# gitlab_rails['forti_authenticator_username'] = 'admin'
+# gitlab_rails['forti_authenticator_access_token'] = 's3cr3t'
+
 ### Backup Settings
 ###! Docs: https://docs.gitlab.com/omnibus/settings/backups.html
  

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -331,6 +331,12 @@ default['gitlab']['gitlab-rails']['omniauth_external_providers'] = nil
 default['gitlab']['gitlab-rails']['omniauth_providers'] = []
 default['gitlab']['gitlab-rails']['omniauth_allow_bypass_two_factor'] = nil
  
+default['gitlab']['gitlab-rails']['forti_authenticator_enabled'] = false
+default['gitlab']['gitlab-rails']['forti_authenticator_host'] = nil
+default['gitlab']['gitlab-rails']['forti_authenticator_port'] = 443
+default['gitlab']['gitlab-rails']['forti_authenticator_username'] = nil
+default['gitlab']['gitlab-rails']['forti_authenticator_access_token'] = nil
+
 default['gitlab']['gitlab-rails']['shared_path'] = "/var/opt/gitlab/gitlab-rails/shared"
  
 default['gitlab']['gitlab-rails']['backup_path'] = "/var/opt/gitlab/backups"

--- a/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/gitlab.yml.erb
@@ -720,6 +720,21 @@ production: &base
      - <%= provider.to_json %>
 <% end %>
  
+  # FortiAuthenticator settings
+  forti_authenticator:
+    # Allow using FortiAuthenticator as OTP provider
+    enabled: <%= @forti_authenticator_enabled %>
+
+    # Host and port of FortiAuthenticator instance
+    host: <%= @forti_authenticator_host %>
+    port: <%= @forti_authenticator_port %>
+
+    # Username for accessing FortiAuthenticator API
+    username: <%= quote(@forti_authenticator_username) %>
+
+    # Access token for FortiAuthenticator API
+    access_token: <%= quote(@forti_authenticator_access_token) %>
+
  # Shared file storage settings
  shared:
    path: <%= @shared_path %>

--- a/spec/chef/recipes/gitlab-rails_spec.rb
+++ b/spec/chef/recipes/gitlab-rails_spec.rb
@@ -1386,6 +1386,44 @@ RSpec.describe 'gitlab::gitlab-rails' do
      end
    end
  
+    context 'FortiAuthenticator settings' do
+      context 'FortiAuthenticator is configured' do
+        it 'exposes the FortiAuthenticator settings' do
+          stub_gitlab_rb(
+            gitlab_rails: {
+              forti_authenticator_enabled: true,
+              forti_authenticator_host: 'forti_authenticator.example.com',
+              forti_authenticator_port: 444,
+              forti_authenticator_username: 'janedoe',
+              forti_authenticator_access_token: '123s3cr3t456'
+            }
+          )
+
+          expect(chef_run).to create_templatesymlink('Create a gitlab.yml and create a symlink to Rails root').with_variables(
+            hash_including(
+              'forti_authenticator_enabled' => true,
+              'forti_authenticator_host' => 'forti_authenticator.example.com',
+              'forti_authenticator_port' => 444,
+              'forti_authenticator_username' => 'janedoe',
+              'forti_authenticator_access_token' => '123s3cr3t456'
+            )
+          )
+        end
+      end
+
+      context 'FortiAuthenticator is disabled' do
+        context 'FortiAuthenticator is not configured' do
+          it 'does not expose FortiAuthenticator settings' do
+            expect(chef_run).to create_templatesymlink('Create a gitlab.yml and create a symlink to Rails root').with_variables(
+              hash_including(
+                'forti_authenticator_enabled' => false
+              )
+            )
+          end
+        end
+      end
+    end
+
    context 'Sidekiq log_format' do
      context 'json' do
        it 'sets the Sidekiq log_format to json' do