Patch #29606 » 0001-Allow-unchecked-LDAPS-TLS-connections.patch
app/models/auth_source.rb | ||
43 | 43 |
'attr_mail', |
44 | 44 |
'onthefly_register', |
45 | 45 |
'tls', |
46 |
'verify_peer', |
|
46 | 47 |
'filter', |
47 | 48 |
'timeout' |
48 | 49 |
app/models/auth_source_ldap.rb | ||
37 | 37 | |
38 | 38 |
before_validation :strip_ldap_attributes |
39 | 39 | |
40 |
safe_attributes 'ldap_mode' |
|
41 | ||
42 |
LDAP_MODES = [ |
|
43 |
:ldap, |
|
44 |
:ldaps_verify_none, |
|
45 |
:ldaps_verify_peer |
|
46 |
] |
|
47 | ||
40 | 48 |
def initialize(attributes=nil, *args) |
41 | 49 |
super |
42 | 50 |
self.port = 389 if self.port == 0 |
... | ... | |
101 | 109 |
raise AuthSourceException.new(e.message) |
102 | 110 |
end |
103 | 111 | |
112 |
def ldap_mode |
|
113 |
case |
|
114 |
when tls && verify_peer |
|
115 |
:ldaps_verify_peer |
|
116 |
when tls && !verify_peer |
|
117 |
:ldaps_verify_none |
|
118 |
else |
|
119 |
:ldap |
|
120 |
end |
|
121 |
end |
|
122 | ||
123 |
def ldap_mode=(ldap_mode) |
|
124 |
case ldap_mode.try(:to_sym) |
|
125 |
when :ldaps_verify_peer |
|
126 |
self.tls = true |
|
127 |
self.verify_peer = true |
|
128 |
when :ldaps_verify_none |
|
129 |
self.tls = true |
|
130 |
self.verify_peer = false |
|
131 |
else |
|
132 |
self.tls = false |
|
133 |
self.verify_peer = false |
|
134 |
end |
|
135 |
end |
|
136 | ||
104 | 137 |
private |
105 | 138 | |
106 | 139 |
def with_timeout(&block) |
... | ... | |
143 | 176 | |
144 | 177 |
def initialize_ldap_con(ldap_user, ldap_password) |
145 | 178 |
options = { :host => self.host, |
146 |
:port => self.port, |
|
147 |
:encryption => (self.tls ? :simple_tls : nil) |
|
179 |
:port => self.port |
|
148 | 180 |
} |
181 |
if tls |
|
182 |
options[:encryption] = { |
|
183 |
:method => :simple_tls, |
|
184 |
# Always provide non-empty tls_options, to make sure, that all |
|
185 |
# OpenSSL::SSL::SSLContext::DEFAULT_PARAMS as well as the default cert |
|
186 |
# store are used. |
|
187 |
:tls_options => { :verify_mode => verify_peer? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE } |
|
188 |
} |
|
189 |
end |
|
190 | ||
149 | 191 |
options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank? |
150 | 192 |
Net::LDAP.new options |
151 | 193 |
end |
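Review bot: The `else` branch of `ldap_mode=` (new lines 131–133) maps every unrecognised value, including a typo or a tampered form value, to plain `:ldap`, so bad input silently selects the unencrypted mode instead of being rejected. Matching `:ldap` explicitly and raising on anything else keeps the weakest mode from being the fallback; if `nil` must stay accepted for forms that omit the field, list it next to `:ldap`. In `initialize_ldap_con` the `VERIFY_PEER` branch only asks OpenSSL to validate the certificate chain; whether the server name is also checked against the certificate depends on the net-ldap version in use and is worth confirming, since without that check a valid certificate for any other host would be accepted. The test changes cover the getter and setter but not the `options[:encryption]` hash built here, so a unit test asserting `verify_mode` for both LDAPS modes would pin the actual connection behaviour.
```ruby
def ldap_mode=(ldap_mode)
  case ldap_mode.try(:to_sym)
  # … unchanged: :ldaps_verify_peer and :ldaps_verify_none branches …
  when :ldap, nil
    self.tls = false
    self.verify_peer = false
  else
    raise ArgumentError, "unknown ldap_mode: #{ldap_mode.inspect}"
  end
end
```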
app/views/auth_sources/_form_auth_source_ldap.html.erb | ||
3 | 3 |
<div class="box tabular"> |
4 | 4 |
<p><%= f.text_field :name, :required => true %></p> |
5 | 5 |
<p><%= f.text_field :host, :required => true %></p> |
6 |
<p><%= f.text_field :port, :required => true, :size => 6 %> <%= f.check_box :tls, :no_label => true %> LDAPS</p> |
|
6 |
<p> |
|
7 |
<%= f.text_field :port, :required => true, :size => 6 %> |
|
8 |
<%= f.select :ldap_mode, AuthSourceLdap::LDAP_MODES.map { |m| [l("label_#{m}"), m] }, :no_label => true %> |
|
9 |
<em class="info ldaps_warning"><%= l("label_ldaps_warning") %></em> |
|
10 |
</p> |
|
7 | 11 |
<p><%= f.text_field :account %></p> |
8 | 12 |
<p><%= f.password_field :account_password, :label => :field_password, |
9 | 13 |
:name => 'dummy_password', |
config/locales/de.yml | ||
608 | 608 |
label_latest_compatible_version: Letzte kompatible Version |
609 | 609 |
label_latest_revision: Aktuellste Revision |
610 | 610 |
label_latest_revision_plural: Aktuellste Revisionen |
611 |
label_ldap: LDAP |
|
611 | 612 |
label_ldap_authentication: LDAP-Authentifizierung |
613 |
label_ldaps_verify_none: LDAPS ohne Zertifikatsprüfung |
|
614 |
label_ldaps_verify_peer: LDAPS mit Zertifikatsprüfung |
|
615 |
label_ldaps_warning: Es wird empfohlen, eine verschlüsselte LDAPS mit Zertifikatsprüfung zu verwenden, um Manipulationen an der Authorisierung zu verhindern. |
|
612 | 616 |
label_less_or_equal: "<=" |
613 | 617 |
label_less_than_ago: vor weniger als |
614 | 618 |
label_link: Link |
config/locales/en.yml | ||
892 | 892 |
label_general: General |
893 | 893 |
label_scm: SCM |
894 | 894 |
label_plugins: Plugins |
895 |
label_ldap: LDAP |
|
895 | 896 |
label_ldap_authentication: LDAP authentication |
897 |
label_ldaps_verify_none: LDAPS without certificate check |
|
898 |
label_ldaps_verify_peer: LDAPS with certificate check |
|
899 |
label_ldaps_warning: It is recommended to use an encrypted LDAPS connection with certificate check to hamper any manipulation of the authorization process. |
|
896 | 900 |
label_downloads_abbr: D/L |
897 | 901 |
label_optional_description: Optional description |
898 | 902 |
label_add_another_file: Add another file |
db/migrate/20180913072918_add_verify_peer_to_auth_sources.rb | ||
1 |
class AddVerifyPeerToAuthSources < ActiveRecord::Migration[5.2] |
|
2 |
def change |
|
3 |
change_table :auth_sources do |t| |
|
4 |
t.boolean :verify_peer, default: true, null: false |
|
5 |
end |
|
6 |
end |
|
7 |
end |
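Review bot: `default: true, null: false` on the `t.boolean :verify_peer` line also applies to existing rows, so every auth source that already has `tls` set will start validating the server certificate after this migration runs; if the previous setup did not verify, LDAPS sources backed by self-signed or private-CA certificates will stop authenticating until the CA is installed or the mode is changed explicitly. That is the right secure default, but it belongs in the upgrade notes, and a comment on the `t.boolean` line such as `# existing LDAPS sources become :ldaps_verify_peer on upgrade` would make the intent visible to the next reader.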
public/javascripts/application.js | ||
857 | 857 |
return true; |
858 | 858 |
} |
859 | 859 | |
860 |
$(function ($) { |
|
861 |
$('#auth_source_ldap_mode').change(function () { |
|
862 |
$('.ldaps_warning').toggle($(this).val() != 'ldaps_verify_peer'); |
|
863 |
}).change(); |
|
864 |
}); |
|
865 | ||
860 | 866 |
$(document).ready(setupAjaxIndicator); |
861 | 867 |
$(document).ready(hideOnLoad); |
862 | 868 |
$(document).ready(addFormObserversForDoubleSubmit); |
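Review bot: The toggle on new line 862 uses loose inequality where `val()` already returns a string, so strict comparison is the clearer form: `$('.ldaps_warning').toggle($(this).val() !== 'ldaps_verify_peer');`. The handler is registered on every page and is a no-op when the select is absent, which is fine, but a one-line comment naming its purpose, `// auth source form: show the LDAPS warning unless certificate verification is selected`, would help readers of this shared file.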
test/unit/auth_source_ldap_test.rb | ||
40 | 40 |
assert_nil auth_source.attr_mail |
41 | 41 |
assert_equal false, auth_source.onthefly_register |
42 | 42 |
assert_equal false, auth_source.tls |
43 |
assert_equal true, auth_source.verify_peer |
|
44 |
assert_equal :ldap, auth_source.ldap_mode |
|
43 | 45 |
assert_nil auth_source.filter |
44 | 46 |
assert_nil auth_source.timeout |
45 | 47 |
end |
... | ... | |
77 | 79 |
assert a.valid? |
78 | 80 |
end |
79 | 81 | |
82 |
test 'ldap_mode setter sets tls and verify_peer' do |
|
83 |
a = AuthSourceLdap.new |
|
84 | ||
85 |
a.ldap_mode = 'ldaps_verify_peer' |
|
86 |
assert a.tls |
|
87 |
assert a.verify_peer |
|
88 | ||
89 |
a.ldap_mode = 'ldaps_verify_none' |
|
90 |
assert a.tls |
|
91 |
assert !a.verify_peer |
|
92 | ||
93 |
a.ldap_mode = 'ldap' |
|
94 |
assert !a.tls |
|
95 |
assert !a.verify_peer |
|
96 |
end |
|
97 | ||
98 |
test 'ldap_mode getter reads from tls and verify_peer' do |
|
99 |
a = AuthSourceLdap.new |
|
100 | ||
101 |
a.tls = true |
|
102 |
a.verify_peer = true |
|
103 |
assert_equal :ldaps_verify_peer, a.ldap_mode |
|
104 | ||
105 |
a.tls = true |
|
106 |
a.verify_peer = false |
|
107 |
assert_equal :ldaps_verify_none, a.ldap_mode |
|
108 | ||
109 |
a.tls = false |
|
110 |
a.verify_peer = false |
|
111 |
assert_equal :ldap, a.ldap_mode |
|
112 | ||
113 |
a.tls = false |
|
114 |
a.verify_peer = true |
|
115 |
assert_equal :ldap, a.ldap_mode |
|
116 |
end |
|
117 | ||
80 | 118 |
if ldap_configured? |
81 | 119 |
test '#authenticate with a valid LDAP user should return the user attributes' do |
82 | 120 |
auth = AuthSourceLdap.find(1) |