
Allow smartcard certificates whose SAN extension defines only one email entry to log in without matching the URI

Users with smartcard certificates that carry SAN extensions should be able to log in to GitLab in the following two scenarios:

  1. The user certificate has only one email entry in the SAN extension, and that entry should be used to log in to GitLab
  2. The user certificate has multiple email entries, and only the one that matches the URI should be used, as described here https://docs.gitlab.com/ee/administration/auth/smartcard.html#authentication-against-a-local-database-with-x509-certificates-and-san-extensions-premium-only
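The selection rule above as a worked example (added here, not GitLab's own code): it parses the SAN extension of a certificate and returns the email to look up, or nil to reject the login. It assumes OpenSSL's textual SAN rendering, a constructed self-signed test certificate, and that each email entry is paired with the URI entry that follows it.

```ruby
# Added example, not GitLab's own code: select the login email from a
# smartcard certificate's SAN extension under the MR's two scenarios.
require 'openssl'
require 'uri'

# Builds a self-signed test certificate carrying the given SAN string
# (constructed test data, e.g. 'email:alice@example.mil, URI:https://gitlab.example.com').
def build_cert(san)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=test user')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# SAN entries as [type, value] pairs. Assumes OpenSSL's textual rendering
# "email:..., URI:..." (a constructed parser, not GitLab's).
def san_entries(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map { |entry| entry.strip.split(':', 2) }
end

# Email to look up in the local user database, or nil to reject the login.
# Scenario 1: exactly one email entry -> use it, no URI check needed.
# Scenario 2: several emails -> use the email preceding the URI entry whose
#             host equals the GitLab host (email/URI pairing order is an assumption).
def login_email(cert, gitlab_url)
  entries = san_entries(cert)
  emails = entries.select { |type, _| type == 'email' }.map(&:last)
  return emails.first if emails.size == 1
  return nil if emails.empty?
  wanted_host = URI.parse(gitlab_url).host.downcase
  current_email = nil
  entries.each do |type, value|
    current_email = value if type == 'email'
    next unless type == 'URI' && current_email
    host = (URI.parse(value).host rescue nil)
    return current_email if host && host.downcase == wanted_host
  end
  nil
end
```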

What does this MR do?

This MR allows users to log in with smartcard certificates that have a single email entry in the SAN extension (scenario 1), such as the certificates on Common Access Cards (CAC), which are issued globally and cannot be tailored for use with GitLab.

Does this MR meet the acceptance criteria?

Conformity

Security

This MR changes authentication methods; the main concern is whether these changes could allow impersonating a user who logs in with a smartcard.

  • Security reports checked/validated by a reviewer from the AppSec team

Related #33907 (closed)

Edited by Sebastián Arcila Valenzuela
