Add support for encrypted SMTP credentials
Part of: omnibus-gitlab#6276 (closed)
Additional MRs:
- Omnibus (includes smtp doc update)
What does this MR do?
This enables users to provide smtp credentials from an encrypted file, rather than having them in plaintext on the filesystem.
It makes use of the same encrypted_settings feature we added for LDAP credentials in 13.7, allowing users to optionally provide the user_name and password through a file that is written and encrypted via rake commands.
New rake commands (matching the syntax used for `gitlab:ldap:secret:*`):
- `gitlab:smtp:secret:write` for piping plaintext content into the encryption
- `gitlab:smtp:secret:edit` for editing the secrets using a terminal editor
- `gitlab:smtp:secret:show` for printing the current secrets to stdout
A portion of this MR changes the LDAP commands as well, extracting the common code into a base class to be shared between the smtp and ldap commands.
Screenshots or Screencasts (strongly suggested)
Demo recording: https://youtu.be/cYxS2dqcfaQ?list=PL05JrBw4t0KrPasGZcEUoHHIYdUtzpfA4&t=158
How to setup and validate locally (strongly suggested)
- Ensure encrypted configuration keys are enabled: https://docs.gitlab.com/ee/administration/encrypted_configuration.html

```shell
bundle exec rake gitlab:env:info RAILS_ENV=development GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE=true
```

- Copy `smtp_settings.rb.example` to `smtp_settings.rb` and edit it to use encrypted secrets

```ruby
<snip>
ActionMailer::Base.smtp_settings = {
  address: "email.server.com",
  port: 465,
  ## If you are using encrypted smtp credentials then you should instead use the secrets user_name/password
  ## See: https://docs.gitlab.com/ee/administration/raketasks/smtp.html#secrets
  user_name: secrets.username,
  password: secrets.password,
  domain: "gitlab.company.com",
  authentication: :login,
  enable_starttls_auto: true,
  openssl_verify_mode: 'peer' # See ActionMailer documentation for other possible options
}
<snip>
```

- Create encrypted secrets, and uncomment the defaults

```shell
bundle exec rake gitlab:smtp:secret:edit EDITOR=vim
```

- Confirm the secrets show in the rails app by running a rails console

```ruby
puts ActionMailer::Base.smtp_settings.inspect
```
Does this MR meet the acceptance criteria?
Conformity
- I have included changelog trailers, or none are needed. (Does this MR need a changelog?)
- I have added/updated documentation, or it's not needed. (Is documentation required?)
- I have self-reviewed this MR per code review guidelines.
- This MR does not harm performance, or I have asked a reviewer to help assess the performance impact. (Merge request performance guidelines)
- I have followed the style guides.
- This change is backwards compatible across updates, or this does not apply.
Availability and Testing
If users provide the credentials directly, the encrypted settings are not consulted and there should be no impact on existing setups.
Users whose SMTP servers do not require credentials may see a filesystem performance change, as we will be checking whether the encrypted file exists. This happens only during initializers, so it shouldn't impact runtime performance.
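The precedence rules described here and in the setup steps above (credentials given directly in the plaintext config win; otherwise the encrypted file is checked for and, if present, decrypted at initializer time) as an added Ruby example. This is illustrative code, not GitLab's encrypted_settings implementation: the `EncryptedSmtpSecrets` module, the `resolve_smtp_settings` function, the AES-256-GCM file layout and the PBKDF2 key derivation from a key base are all assumptions made for the example, and the real feature's on-disk format is not reproduced.

```ruby
require 'openssl'
require 'yaml'
require 'tmpdir'

# Hypothetical stand-in for an encrypted-settings file (example code, not
# GitLab's implementation). Secrets live in a YAML document encrypted with
# AES-256-GCM under a key derived from a key base, so a tampered or
# wrongly-keyed file fails authentication instead of yielding garbage.
module EncryptedSmtpSecrets
  CIPHER  = 'aes-256-gcm'.freeze
  IV_LEN  = 12 # GCM nonce length OpenSSL uses for this cipher
  TAG_LEN = 16 # GCM authentication tag length

  # Derive a 32-byte key from the key base (constructed: PBKDF2-HMAC-SHA256
  # with a fixed, labelled salt; real key-base handling is an assumption).
  def self.derive_key(key_base)
    OpenSSL::KDF.pbkdf2_hmac(key_base, salt: 'smtp-secrets', iterations: 50_000,
                             length: 32, hash: 'sha256')
  end

  # Encrypt a string-keyed hash of secrets and write iv || tag || ciphertext.
  def self.write(path, key_base, secrets)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = derive_key(key_base)
    iv = cipher.random_iv
    cipher.auth_data = ''
    ciphertext = cipher.update(secrets.to_yaml) + cipher.final
    File.binwrite(path, iv + cipher.auth_tag + ciphertext)
  end

  # Decrypt the file into a symbol-keyed hash. Raises
  # OpenSSL::Cipher::CipherError when the tag does not verify.
  def self.read(path, key_base)
    blob = File.binread(path)
    iv         = blob[0, IV_LEN]
    tag        = blob[IV_LEN, TAG_LEN]
    ciphertext = blob[(IV_LEN + TAG_LEN)..-1]
    decipher = OpenSSL::Cipher.new(CIPHER).decrypt
    decipher.key = derive_key(key_base)
    decipher.iv = iv
    decipher.auth_tag = tag
    decipher.auth_data = ''
    plaintext = decipher.update(ciphertext) + decipher.final
    YAML.safe_load(plaintext, symbolize_names: true)
  end
end

# Initializer-style resolution mirroring the behaviour the MR describes:
# credentials present in the plaintext config are used as-is and the
# encrypted file is never consulted; otherwise the file is read only if
# it exists, so servers needing no credentials cost one existence check.
def resolve_smtp_settings(config, encrypted_path, key_base)
  return config if config[:user_name] && config[:password]
  return config unless File.exist?(encrypted_path)

  secrets = EncryptedSmtpSecrets.read(encrypted_path, key_base)
  config.merge(user_name: secrets[:user_name], password: secrets[:password])
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'smtp.yaml.enc') # constructed sample location
    EncryptedSmtpSecrets.write(path, 'constructed-key-base',
                               { 'user_name' => 'smtp-user', 'password' => 'constructed-password' })
    puts resolve_smtp_settings({ address: 'email.server.com', port: 465 },
                               path, 'constructed-key-base').inspect
  end
end
```

Because GCM is an authenticated mode, both a wrong key base and a single flipped ciphertext byte surface as `OpenSSL::Cipher::CipherError` at decrypt time rather than as silently wrong credentials, which is the property an initializer reading secrets off disk should insist on.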
- I have added/updated tests following the Testing Guide, or it's not needed. (Consider all test levels. See the Test Planning Process.)
Security
Does this MR contain changes to processing or storing of credentials or tokens, authorization and authentication methods or other items described in the security review guidelines? If not, then delete this Security section.
- Label as security and @ mention @gitlab-com/gl-security/appsec
- The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
- Security reports checked/validated by a reviewer from the AppSec team