Project

General

Profile

Patch #29606 » 0001-Allow-unchecked-LDAPS-TLS-connections.patch

patch against r17480 - Gregor Schmidt, 2018-09-13 15:30

View differences:

app/models/auth_source.rb
43 43
    'attr_mail',
44 44
    'onthefly_register',
45 45
    'tls',
46
    'verify_peer',
46 47
    'filter',
47 48
    'timeout'
48 49

  
app/models/auth_source_ldap.rb
37 37

  
38 38
  before_validation :strip_ldap_attributes
39 39

  
40
  safe_attributes 'ldap_mode'
41

  
42
  LDAP_MODES = [
43
    :ldap,
44
    :ldaps_verify_none,
45
    :ldaps_verify_peer
46
  ]
47

  
40 48
  def initialize(attributes=nil, *args)
41 49
    super
42 50
    self.port = 389 if self.port == 0
......
101 109
    raise AuthSourceException.new(e.message)
102 110
  end
103 111

  
112
  def ldap_mode
113
    case
114
    when tls && verify_peer
115
      :ldaps_verify_peer
116
    when tls && !verify_peer
117
      :ldaps_verify_none
118
    else
119
      :ldap
120
    end
121
  end
122

  
123
  def ldap_mode=(ldap_mode)
124
    case ldap_mode.try(:to_sym)
125
    when :ldaps_verify_peer
126
      self.tls = true
127
      self.verify_peer = true
128
    when :ldaps_verify_none
129
      self.tls = true
130
      self.verify_peer = false
131
    else
132
      self.tls = false
133
      self.verify_peer = false
134
    end
135
  end
136

  
104 137
  private
105 138

  
106 139
  def with_timeout(&block)
......
143 176

  
144 177
  def initialize_ldap_con(ldap_user, ldap_password)
145 178
    options = { :host => self.host,
146
                :port => self.port,
147
                :encryption => (self.tls ? :simple_tls : nil)
179
                :port => self.port
148 180
              }
181
    if tls
182
      options[:encryption] = {
183
        :method => :simple_tls,
184
        # Always provide non-empty tls_options, to make sure, that all
185
        # OpenSSL::SSL::SSLContext::DEFAULT_PARAMS as well as the default cert
186
        # store are used.
187
        :tls_options => { :verify_mode => verify_peer? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE }
188
      }
189
    end
190

  
149 191
    options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank?
150 192
    Net::LDAP.new options
151 193
  end
app/views/auth_sources/_form_auth_source_ldap.html.erb
3 3
<div class="box tabular">
4 4
  <p><%= f.text_field :name, :required => true %></p>
5 5
  <p><%= f.text_field :host, :required => true %></p>
6
  <p><%= f.text_field :port, :required => true, :size => 6 %> <%= f.check_box :tls, :no_label => true %> LDAPS</p>
6
  <p>
7
    <%= f.text_field :port, :required => true, :size => 6 %>
8
    <%= f.select :ldap_mode, AuthSourceLdap::LDAP_MODES.map { |m| [l("label_#{m}"), m] }, :no_label => true %>
9
    <em class="info ldaps_warning"><%= l("label_ldaps_warning") %></em>
10
  </p>
7 11
  <p><%= f.text_field :account %></p>
8 12
  <p><%= f.password_field :account_password, :label => :field_password,
9 13
           :name => 'dummy_password',
config/locales/de.yml
608 608
  label_latest_compatible_version: Letzte kompatible Version
609 609
  label_latest_revision: Aktuellste Revision
610 610
  label_latest_revision_plural: Aktuellste Revisionen
611
  label_ldap: LDAP
611 612
  label_ldap_authentication: LDAP-Authentifizierung
613
  label_ldaps_verify_none: LDAPS ohne Zertifikatsprüfung
614
  label_ldaps_verify_peer: LDAPS mit Zertifikatsprüfung
615
  label_ldaps_warning: Es wird empfohlen, eine verschlüsselte LDAPS mit Zertifikatsprüfung zu verwenden, um Manipulationen an der Authorisierung zu verhindern.
612 616
  label_less_or_equal: "<="
613 617
  label_less_than_ago: vor weniger als
614 618
  label_link: Link
config/locales/en.yml
892 892
  label_general: General
893 893
  label_scm: SCM
894 894
  label_plugins: Plugins
895
  label_ldap: LDAP
895 896
  label_ldap_authentication: LDAP authentication
897
  label_ldaps_verify_none: LDAPS without certificate check
898
  label_ldaps_verify_peer: LDAPS with certificate check
899
  label_ldaps_warning: It is recommended to use an encrypted LDAPS connection with certificate check to hamper any manipulation of the authorization process.
896 900
  label_downloads_abbr: D/L
897 901
  label_optional_description: Optional description
898 902
  label_add_another_file: Add another file
db/migrate/20180913072918_add_verify_peer_to_auth_sources.rb
1
class AddVerifyPeerToAuthSources < ActiveRecord::Migration[5.2]
2
  def change
3
    change_table :auth_sources do |t|
4
      t.boolean :verify_peer, default: true, null: false
5
    end
6
  end
7
end
public/javascripts/application.js
857 857
  return true;
858 858
}
859 859

  
860
$(function ($) {
861
  $('#auth_source_ldap_mode').change(function () {
862
    $('.ldaps_warning').toggle($(this).val() != 'ldaps_verify_peer');
863
  }).change();
864
});
865

  
860 866
$(document).ready(setupAjaxIndicator);
861 867
$(document).ready(hideOnLoad);
862 868
$(document).ready(addFormObserversForDoubleSubmit);
test/unit/auth_source_ldap_test.rb
40 40
    assert_nil auth_source.attr_mail
41 41
    assert_equal false, auth_source.onthefly_register
42 42
    assert_equal false, auth_source.tls
43
    assert_equal true, auth_source.verify_peer
44
    assert_equal :ldap, auth_source.ldap_mode
43 45
    assert_nil auth_source.filter
44 46
    assert_nil auth_source.timeout
45 47
  end
......
77 79
    assert a.valid?
78 80
  end
79 81

  
82
  test 'ldap_mode setter sets tls and verify_peer' do
83
    a = AuthSourceLdap.new
84

  
85
    a.ldap_mode = 'ldaps_verify_peer'
86
    assert a.tls
87
    assert a.verify_peer
88

  
89
    a.ldap_mode = 'ldaps_verify_none'
90
    assert a.tls
91
    assert !a.verify_peer
92

  
93
    a.ldap_mode = 'ldap'
94
    assert !a.tls
95
    assert !a.verify_peer
96
  end
97

  
98
  test 'ldap_mode getter reads from tls and verify_peer' do
99
    a = AuthSourceLdap.new
100

  
101
    a.tls = true
102
    a.verify_peer = true
103
    assert_equal :ldaps_verify_peer, a.ldap_mode
104

  
105
    a.tls = true
106
    a.verify_peer = false
107
    assert_equal :ldaps_verify_none, a.ldap_mode
108

  
109
    a.tls = false
110
    a.verify_peer = false
111
    assert_equal :ldap, a.ldap_mode
112

  
113
    a.tls = false
114
    a.verify_peer = true
115
    assert_equal :ldap, a.ldap_mode
116
  end
117

  
80 118
  if ldap_configured?
81 119
    test '#authenticate with a valid LDAP user should return the user attributes' do
82 120
      auth = AuthSourceLdap.find(1)
(2-2/3)