Patch #29606 » 0001-Allow-unchecked-LDAPS-TLS-connections.patch
| app/models/auth_source.rb | ||
|---|---|---|
| 43 | 43 |
'attr_mail', |
| 44 | 44 |
'onthefly_register', |
| 45 | 45 |
'tls', |
| 46 |
'verify_peer', |
|
| 46 | 47 |
'filter', |
| 47 | 48 |
'timeout' |
| 48 | 49 | |
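Review bot: Adding `'verify_peer'` here keeps the raw `tls`/`verify_peer` flags mass-assignable alongside the new `ldap_mode` attribute declared in app/models/auth_source_ldap.rb, so a request that carries both the select value and the raw flags ends up in whichever state was assigned last. If the `ldap_mode` select is meant to be the only entry point, the LDAP subclass could leave the two raw flags out of its safe list, or the setter could be documented as the canonical path, e.g. `# ldap_mode is the only form-facing switch; tls/verify_peer stay assignable for API callers`. The enclosing `safe_attributes` call starts and ends outside the hunk.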
| app/models/auth_source_ldap.rb | ||
|---|---|---|
| 37 | 37 | |
| 38 | 38 |
before_validation :strip_ldap_attributes |
| 39 | 39 | |
| 40 |
safe_attributes 'ldap_mode' |
|
| 41 | ||
| 42 |
LDAP_MODES = [ |
|
| 43 |
:ldap, |
|
| 44 |
:ldaps_verify_none, |
|
| 45 |
:ldaps_verify_peer |
|
| 46 |
] |
|
| 47 | ||
| 40 | 48 |
def initialize(attributes=nil, *args) |
| 41 | 49 |
super |
| 42 | 50 |
self.port = 389 if self.port == 0 |
| ... | ... | |
| 101 | 109 |
raise AuthSourceException.new(e.message) |
| 102 | 110 |
end |
| 103 | 111 | |
| 112 |
def ldap_mode |
|
| 113 |
case |
|
| 114 |
when tls && verify_peer |
|
| 115 |
:ldaps_verify_peer |
|
| 116 |
when tls && !verify_peer |
|
| 117 |
:ldaps_verify_none |
|
| 118 |
else |
|
| 119 |
:ldap |
|
| 120 |
end |
|
| 121 |
end |
|
| 122 | ||
| 123 |
def ldap_mode=(ldap_mode) |
|
| 124 |
case ldap_mode.try(:to_sym) |
|
| 125 |
when :ldaps_verify_peer |
|
| 126 |
self.tls = true |
|
| 127 |
self.verify_peer = true |
|
| 128 |
when :ldaps_verify_none |
|
| 129 |
self.tls = true |
|
| 130 |
self.verify_peer = false |
|
| 131 |
else |
|
| 132 |
self.tls = false |
|
| 133 |
self.verify_peer = false |
|
| 134 |
end |
|
| 135 |
end |
|
| 136 | ||
| 104 | 137 |
private |
| 105 | 138 | |
| 106 | 139 |
def with_timeout(&block) |
| ... | ... | |
| 143 | 176 | |
| 144 | 177 |
def initialize_ldap_con(ldap_user, ldap_password) |
| 145 | 178 |
options = { :host => self.host,
|
| 146 |
:port => self.port, |
|
| 147 |
:encryption => (self.tls ? :simple_tls : nil) |
|
| 179 |
:port => self.port |
|
| 148 | 180 |
} |
| 181 |
if tls |
|
| 182 |
options[:encryption] = {
|
|
| 183 |
:method => :simple_tls, |
|
| 184 |
# Always provide non-empty tls_options, to make sure, that all |
|
| 185 |
# OpenSSL::SSL::SSLContext::DEFAULT_PARAMS as well as the default cert |
|
| 186 |
# store are used. |
|
| 187 |
:tls_options => { :verify_mode => verify_peer? ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE }
|
|
| 188 |
} |
|
| 189 |
end |
|
| 190 | ||
| 149 | 191 |
options.merge!(:auth => { :method => :simple, :username => ldap_user, :password => ldap_password }) unless ldap_user.blank? && ldap_password.blank?
|
| 150 | 192 |
Net::LDAP.new options |
| 151 | 193 |
end |
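Review bot: In `ldap_mode=` any value other than the two LDAPS symbols — nil, a typo, a stale value from an old form — falls into the `else` branch and switches TLS off, so a malformed request silently downgrades the source to cleartext LDAP instead of failing. Matching the plain mode explicitly and rejecting everything else fails closed: `when :ldap` above the existing `self.tls = false` pair, then `else` followed by `raise ArgumentError, "unknown ldap_mode: #{ldap_mode.inspect}"`. In `initialize_ldap_con` the `tls_options` hash fixes only `verify_mode`; whether `VERIFY_PEER` also triggers hostname verification appears to depend on the net-ldap release in use, which the comment on line 184 could state, e.g. `# verify_mode alone may not check the hostname on older net-ldap versions — confirm against the bundled gem`.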
| app/views/auth_sources/_form_auth_source_ldap.html.erb | ||
|---|---|---|
| 3 | 3 |
<div class="box tabular"> |
| 4 | 4 |
<p><%= f.text_field :name, :required => true %></p> |
| 5 | 5 |
<p><%= f.text_field :host, :required => true %></p> |
| 6 |
<p><%= f.text_field :port, :required => true, :size => 6 %> <%= f.check_box :tls, :no_label => true %> LDAPS</p> |
|
| 6 |
<p> |
|
| 7 |
<%= f.text_field :port, :required => true, :size => 6 %> |
|
| 8 |
<%= f.select :ldap_mode, AuthSourceLdap::LDAP_MODES.map { |m| [l("label_#{m}"), m] }, :no_label => true %>
|
|
| 9 |
<em class="info ldaps_warning"><%= l("label_ldaps_warning") %></em>
|
|
| 10 |
</p> |
|
| 7 | 11 |
<p><%= f.text_field :account %></p> |
| 8 | 12 |
<p><%= f.password_field :account_password, :label => :field_password, |
| 9 | 13 |
:name => 'dummy_password', |
| config/locales/de.yml | ||
|---|---|---|
| 608 | 608 |
label_latest_compatible_version: Letzte kompatible Version |
| 609 | 609 |
label_latest_revision: Aktuellste Revision |
| 610 | 610 |
label_latest_revision_plural: Aktuellste Revisionen |
| 611 |
label_ldap: LDAP |
|
| 611 | 612 |
label_ldap_authentication: LDAP-Authentifizierung |
| 613 |
label_ldaps_verify_none: LDAPS (ohne Zertifikatsprüfung) |
|
| 614 |
label_ldaps_verify_peer: LDAPS |
|
| 615 |
label_ldaps_warning: Es wird empfohlen, eine verschlüsselte LDAPS-Verbindung mit Zertifikatsprüfung zu verwenden, um Manipulationen während der Authentifizierung zu verhindern. |
|
| 612 | 616 |
label_less_or_equal: "<=" |
| 613 | 617 |
label_less_than_ago: vor weniger als |
| 614 | 618 |
label_link: Link |
| config/locales/en.yml | ||
|---|---|---|
| 892 | 892 |
label_general: General |
| 893 | 893 |
label_scm: SCM |
| 894 | 894 |
label_plugins: Plugins |
| 895 |
label_ldap: LDAP |
|
| 895 | 896 |
label_ldap_authentication: LDAP authentication |
| 897 |
label_ldaps_verify_none: LDAPS (without certificate check) |
|
| 898 |
label_ldaps_verify_peer: LDAPS |
|
| 899 |
label_ldaps_warning: It is recommended to use an encrypted LDAPS connection with certificate check to prevent any manipulation during the authentication process. |
|
| 896 | 900 |
label_downloads_abbr: D/L |
| 897 | 901 |
label_optional_description: Optional description |
| 898 | 902 |
label_add_another_file: Add another file |
| db/migrate/20180913072918_add_verify_peer_to_auth_sources.rb | ||
|---|---|---|
| 1 |
class AddVerifyPeerToAuthSources < ActiveRecord::Migration[5.2] |
|
| 2 |
def change |
|
| 3 |
change_table :auth_sources do |t| |
|
| 4 |
t.boolean :verify_peer, default: true, null: false |
|
| 5 |
end |
|
| 6 |
end |
|
| 7 |
end |
|
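Review bot: Nothing in the migration records why `verify_peer` defaults to `true`; because every existing row receives that value, the default is what decides whether upgraded installations check the LDAPS server certificate, and that choice reads as accidental without a note. A one-line comment above the `t.boolean` line would make it deliberate, e.g. `# default true so existing LDAPS sources verify the server certificate unless explicitly relaxed`.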
| public/javascripts/application.js | ||
|---|---|---|
| 857 | 857 |
return true; |
| 858 | 858 |
} |
| 859 | 859 | |
| 860 |
$(function ($) {
|
|
| 861 |
$('#auth_source_ldap_mode').change(function () {
|
|
| 862 |
$('.ldaps_warning').toggle($(this).val() != 'ldaps_verify_peer');
|
|
| 863 |
}).change(); |
|
| 864 |
}); |
|
| 865 | ||
| 860 | 866 |
$(document).ready(setupAjaxIndicator); |
| 861 | 867 |
$(document).ready(hideOnLoad); |
| 862 | 868 |
$(document).ready(addFormObserversForDoubleSubmit); |
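Review bot: The comparison on line 862 uses loose `!=` against a string literal; strict comparison is the conventional form, `$('.ldaps_warning').toggle($(this).val() !== 'ldaps_verify_peer');`. The new block is also wrapped in `$(function ($) {` while the startup code directly below registers named functions via `$(document).ready(...)`; defining a `setupLdapModeWarning` function and adding it to that list would keep the file uniform. Toggling the warning only on the client is fine since the `<em>` is rendered by default and the mode is enforced server-side.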
| test/unit/auth_source_ldap_test.rb | ||
|---|---|---|
| 40 | 40 |
assert_nil auth_source.attr_mail |
| 41 | 41 |
assert_equal false, auth_source.onthefly_register |
| 42 | 42 |
assert_equal false, auth_source.tls |
| 43 |
assert_equal true, auth_source.verify_peer |
|
| 44 |
assert_equal :ldap, auth_source.ldap_mode |
|
| 43 | 45 |
assert_nil auth_source.filter |
| 44 | 46 |
assert_nil auth_source.timeout |
| 45 | 47 |
end |
| ... | ... | |
| 77 | 79 |
assert a.valid? |
| 78 | 80 |
end |
| 79 | 81 | |
| 82 |
test 'ldap_mode setter sets tls and verify_peer' do |
|
| 83 |
a = AuthSourceLdap.new |
|
| 84 | ||
| 85 |
a.ldap_mode = 'ldaps_verify_peer' |
|
| 86 |
assert a.tls |
|
| 87 |
assert a.verify_peer |
|
| 88 | ||
| 89 |
a.ldap_mode = 'ldaps_verify_none' |
|
| 90 |
assert a.tls |
|
| 91 |
assert !a.verify_peer |
|
| 92 | ||
| 93 |
a.ldap_mode = 'ldap' |
|
| 94 |
assert !a.tls |
|
| 95 |
assert !a.verify_peer |
|
| 96 |
end |
|
| 97 | ||
| 98 |
test 'ldap_mode getter reads from tls and verify_peer' do |
|
| 99 |
a = AuthSourceLdap.new |
|
| 100 | ||
| 101 |
a.tls = true |
|
| 102 |
a.verify_peer = true |
|
| 103 |
assert_equal :ldaps_verify_peer, a.ldap_mode |
|
| 104 | ||
| 105 |
a.tls = true |
|
| 106 |
a.verify_peer = false |
|
| 107 |
assert_equal :ldaps_verify_none, a.ldap_mode |
|
| 108 | ||
| 109 |
a.tls = false |
|
| 110 |
a.verify_peer = false |
|
| 111 |
assert_equal :ldap, a.ldap_mode |
|
| 112 | ||
| 113 |
a.tls = false |
|
| 114 |
a.verify_peer = true |
|
| 115 |
assert_equal :ldap, a.ldap_mode |
|
| 116 |
end |
|
| 117 | ||
| 80 | 118 |
if ldap_configured? |
| 81 | 119 |
test '#authenticate with a valid LDAP user should return the user attributes' do |
| 82 | 120 |
auth = AuthSourceLdap.find(1) |
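Review bot: The new tests pin the `ldap_mode` getter and setter, but nothing exercises the branch that matters for the connection itself — the `tls_options` built in `initialize_ldap_con` — so no assertion checks that `verify_peer` true produces `OpenSSL::SSL::VERIFY_PEER` and false produces `OpenSSL::SSL::VERIFY_NONE`. A test calling the private method via `send` and inspecting the options handed to `Net::LDAP.new` (stubbing it if necessary) would cover that mapping. The setter's handling of an unrecognized value, which currently falls through to plain `:ldap`, is likewise unpinned; either assert that behaviour deliberately or assert that it is rejected.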