Allow smartcards to use SAN extensions without matching emails and URIs

Problem to solve

The solution as implemented in #8605 (closed) got the email address from the Subject Alternative Name (SAN) field of the EMAIL cert, as anticipated. However, it also required that the SAN contain a URI matching the hostname of the GitLab server. This won't work for CACs (Common Access Cards) that are issued globally and therefore cannot be tailored to a specific GitLab server.

Intended users

Further details

Proposal

Only do the URI check if there are multiple email definitions in the SAN.

Permissions and Security

Documentation

Testing

  • Need to check that this doesn't introduce opportunities to impersonate or deface users

What does success look like, and how can we measure that?

Users with smartcards that carry SAN extensions should be able to log in to GitLab in the following two scenarios:

  1. The user certificate has only one email entry in its SAN extension, and that email should be used to log in to GitLab.
  2. The user certificate has multiple email entries, and only the one that matches the URI should be used, as described here: https://docs.gitlab.com/ee/administration/auth/smartcard.html#authentication-against-a-local-database-with-x509-certificates-and-san-extensions-premium-only
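The two scenarios above, and the proposal's "only check the URI when there are several emails" rule, as an added illustration (this is example code, not GitLab's own implementation). It works on an OpenSSL-style SAN string rather than a real X.509 object, and it assumes a pairing convention that the page does not state: each email entry is associated with the first URI entry that follows it. When several emails are present and none, or more than one, of them pairs with a URI whose host is the GitLab host, the login is refused rather than guessed, which is the behaviour the Testing section's impersonation concern calls for.

```python
from urllib.parse import urlparse


def parse_san(san_text):
    """Parse an OpenSSL-style subjectAltName string such as
    'email:alice@example.org, URI:https://gitlab.example.org'
    into an ordered list of (type, value) pairs with the type lower-cased."""
    entries = []
    for part in san_text.split(","):
        kind, sep, value = part.strip().partition(":")
        if not sep or not value:
            continue  # empty or malformed entry; ignore it
        entries.append((kind.strip().lower(), value.strip()))
    return entries


def _host_of(uri):
    """Lower-cased hostname of a URI entry, or None if it has none."""
    host = urlparse(uri).hostname
    return host.lower() if host else None


def _pair_emails_with_uris(entries):
    """Assumed pairing convention (not stated on the page): each email entry
    is associated with the first URI entry that follows it, if any."""
    pairs = []
    for kind, value in entries:
        if kind == "email":
            pairs.append([value, None])
        elif kind == "uri" and pairs and pairs[-1][1] is None:
            pairs[-1][1] = value
    return [(email, uri) for email, uri in pairs]


def select_login_email(entries, gitlab_host):
    """Return the email to log the user in with, or None to reject the login.

    Rule modelled on the issue's proposal:
      * no email entry          -> None (no identity to map to a user)
      * exactly one email entry -> that email, with no URI check at all
      * several email entries   -> only the email whose paired URI has the
        GitLab host; zero or more than one such email -> None
    """
    pairs = _pair_emails_with_uris(entries)
    if not pairs:
        return None
    if len(pairs) == 1:
        return pairs[0][0]
    wanted = gitlab_host.lower()
    candidates = [email for email, uri in pairs if uri and _host_of(uri) == wanted]
    if len(candidates) != 1:
        return None  # unmatched or ambiguous identity: refuse rather than guess
    return candidates[0]


if __name__ == "__main__":
    # Constructed sample SAN strings; hosts and addresses are placeholders.
    gitlab_host = "gitlab.example.com"
    cac_san = "email:alice@mail.example.mil"                      # scenario 1
    multi_san = ("email:alice@corp.example, URI:https://gitlab.example.com/, "
                 "email:alice@mail.example.mil, URI:https://other.example.net")  # scenario 2
    for label, san in (("single email", cac_san), ("multiple emails", multi_san)):
        print(f"{label}: {select_login_email(parse_san(san), gitlab_host)!r}")
```

Running the block prints the CAC-style certificate's single email unconditionally, and for the multi-email certificate only the address paired with the URI whose host is `gitlab.example.com`.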

What is the type of buyer?

Premium

Links / references

/label feature

Edited by Liam McAndrew