Only one CA certificate is loaded for smart card authentication
Summary
If multiple certificates are present in the file specified in gitlab.rb by gitlab_rails['smartcard_ca_file'], only one certificate is loaded. This appears to prevent successful smart card authentication for customers whose setup needs multiple root CAs or intermediate certificates.
Steps to reproduce
- Configure a standalone GitLab instance for smart card authentication
- Use a file containing multiple certificates as the CA file specified in gitlab_rails['smartcard_ca_file']
- Attempt to log in using smart card authentication
Example Project
@SteveTerhar can suggest a customer who can work with us on this.
What is the current bug behavior?
Users who attempt to authenticate are redirected to the login page and presented with a "Failed to signing using smartcard authentication" alert message.
What is the expected correct behavior?
The system should perform a match on e-mail and log the user into the correct GitLab account.
Possible fixes
Because the store function in smartcard/base.rb calls store.add_cert, only one cert in the smartcard_ca_file is loaded. By changing that call to store.add_file we were able to load multiple certs and log in successfully.
https://gitlab.com/gitlab-org/gitlab/blob/master/ee/lib/gitlab/auth/smartcard/base.rb#L15
Note: If we use add_file and include intermediate certificates in the file, I believe the intermediate certs would be treated like root certs and trusted without any verification. We would have to validate that this wouldn't introduce a vulnerability.
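The two store calls compared side by side, as an added Ruby example (not GitLab's code) on a constructed root/intermediate/card-holder PKI: Certificate.new plus add_cert keeps only the first PEM block of the bundle, add_file loads every certificate, and verify_with_trusted lets the concern in the note be checked with an explicit set of trust anchors.

```ruby
require 'openssl'
require 'tempfile'
# Constructed test PKI (not GitLab's code): root CA -> intermediate CA -> card-holder cert.
def make_cert(subject, issuer: nil, issuer_key: nil, ca: true)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

ROOT, ROOT_KEY = make_cert('/CN=Test Root CA')
INTER, INTER_KEY = make_cert('/CN=Test Intermediate CA', issuer: ROOT, issuer_key: ROOT_KEY)
LEAF, _leaf_key = make_cert('/CN=Card Holder', issuer: INTER, issuer_key: INTER_KEY, ca: false)

# Stand-in for smartcard_ca_file: root first, then intermediate, in one PEM file.
CA_BUNDLE = Tempfile.new(['smartcard_ca', '.pem'])
CA_BUNDLE.write(ROOT.to_pem + INTER.to_pem)
CA_BUNDLE.flush

# Verify leaf against a store holding only `trusted`; `chain` is extra untrusted certs.
def verify_with_trusted(trusted, leaf, chain = nil)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.verify(leaf, chain)
end

# Reported behaviour: Certificate.new parses only the first PEM block, so the store
# ends up with just the root and a card issued by the intermediate fails to verify.
def verify_with_add_cert(bundle_path, leaf)
  verify_with_trusted([OpenSSL::X509::Certificate.new(File.read(bundle_path))], leaf)
end

# Proposed fix: add_file loads every certificate in the bundle.
def verify_with_add_file(bundle_path, leaf)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  store.verify(leaf)
end
```

With OpenSSL defaults (no X509_V_FLAG_PARTIAL_CHAIN) verify_with_trusted([INTER], LEAF) returns false, because an intermediate sitting alone in the store is not a trust anchor and the chain must still end at a self-signed root in the store. The tighter configuration is therefore to keep only roots in the store and pass intermediates as the untrusted chain, which verify_with_trusted([ROOT], LEAF, [INTER]) shows succeeding.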