Encrypted ldap POC: Rails encrypted credentials

Two different (but similar) implementation options

Rails encrypted config

This involves introducing the option for the master key to Rails, and updating LDAP to optionally check Rails.application.encrypted for the LDAP credential. Users can edit the credentials using rails encrypted:edit <password-file> (gitlab-rails encrypted:edit <passwordfile> from omnibus).

https://blog.eq8.eu/til/rails-52-credentials-tricks.html

Using the lockbox gem

The Rails codebase is already using lockbox for encrypting/decrypting the tfstate files: gitlab!26619 (merged)

Introduce an optional config for providing an encrypted password file to LDAP, read the file using lockbox, and introduce some rake commands for writing the secret.

Additional details

Sidenote: The ldap password code is located here: https://gitlab.com/gitlab-org/gitlab/-/blob/63d934809641277edbf546fd7ae0610a475f002c/lib/gitlab/auth/ldap/config.rb#L273

Edited by DJ Mountney
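
A sketch of the flow the lockbox option describes (optional encrypted password file, a write step, a read step), as an added example that is not GitLab's code. It uses Ruby's stdlib OpenSSL AES-256-GCM as a stand-in for lockbox so it runs without gems; the module `LdapSecretFile`, the setting name `encrypted_password_file`, the file layout and the choice to fail closed on a bad file are assumptions.

```ruby
require "openssl"
require "tempfile"

# Hypothetical helper: stdlib AES-256-GCM stands in for lockbox.
module LdapSecretFile
  AAD = "ldap-password" # binds the ciphertext to its purpose

  # For a "write secret" rake task. Assumed layout: Base64 "iv--tag--ciphertext".
  def self.write(path, key, password)
    raise ArgumentError, "empty password" if password.empty?
    cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = AAD
    ct = cipher.update(password) + cipher.final
    blob = [iv, cipher.auth_tag, ct].map { |p| [p].pack("m0") }.join("--")
    File.write(path, blob, perm: 0o600)
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key or a modified file.
  def self.read(path, key)
    parts = File.read(path).strip.split("--", -1)
    raise ArgumentError, "malformed secret file" unless parts.size == 3
    iv, tag, ct = parts.map { |p| p.unpack1("m0") }
    cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
    cipher.key = key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = AAD
    (cipher.update(ct) + cipher.final).force_encoding(Encoding::UTF_8)
  end
end

# Hypothetical settings hash: without the optional file, "password" is used as before.
def ldap_bind_password(settings, key)
  file = settings["encrypted_password_file"]
  return settings["password"] if file.nil?
  LdapSecretFile.read(file, key)
rescue OpenSSL::Cipher::CipherError
  raise "LDAP secret file #{file} failed authentication" # fail closed
end

if __FILE__ == $PROGRAM_NAME # constructed key and password for the demo
  Tempfile.create("ldap_secret") do |f|
    f.close
    key = OpenSSL::Random.random_bytes(32)
    LdapSecretFile.write(f.path, key, "constructed-bind-password")
    puts ldap_bind_password({ "encrypted_password_file" => f.path }, key)
  end
end
```

When the encrypted file is configured but does not authenticate, the lookup raises instead of silently using the plaintext `password` setting, so a wrong key or a modified file is visible at startup.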