Encrypted ldap POC: Rails encrypted credentials
Two different (but similar) implementation options
Rails encrypted config
This involves introducing a master key option to Rails and updating the LDAP code to optionally read the LDAP credential from Rails.application.encrypted instead of the plaintext config. Users can edit the credentials with rails encrypted:edit <password-file> (gitlab-rails encrypted:edit <password-file> from omnibus).
https://blog.eq8.eu/til/rails-52-credentials-tricks.html
Using the lockbox gem
The Rails codebase already uses lockbox for encrypting/decrypting the tfstate files: gitlab!26619 (merged)
Introduce an optional config option that points LDAP at an encrypted password file, read and decrypt the file using lockbox, and add some rake commands for writing the secret.
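Added example (not GitLab's code, and not from either linked project) sketching the shape both options share: a rake-style writer that stores the bind password encrypted, a reader that refuses tampered or wrong-key files, and a config lookup that prefers the encrypted file over the plaintext password key. Lockbox / Rails.application.encrypted are replaced by a stdlib OpenSSL AES-256-GCM stand-in so it runs without gems; the option names encrypted_password_file and password are assumed.

```ruby
# Added example: stand-in for the proposed encrypted LDAP password file.
# AES-256-GCM via Ruby's OpenSSL replaces Lockbox / Rails.application.encrypted.
require 'openssl'
require 'securerandom'
require 'base64'
require 'tmpdir'

module LdapSecret
  CIPHER = 'aes-256-gcm'

  # What the proposed rake task would do: encrypt +secret+ under a 32-byte
  # +key+ and write base64(nonce || ciphertext || tag) to +path+.
  def self.write(path, key, secret)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    nonce = cipher.random_iv            # 12-byte GCM nonce, fresh per write
    cipher.auth_data = ''
    ciphertext = cipher.update(secret) + cipher.final
    File.write(path, Base64.strict_encode64(nonce + ciphertext + cipher.auth_tag))
  end

  # Decrypts +path+; a wrong key or a modified file raises CipherError
  # rather than returning garbage, because the GCM tag is verified.
  def self.read(path, key)
    blob = Base64.strict_decode64(File.read(path))
    nonce, tag, ciphertext = blob[0, 12], blob[-16, 16], blob[12...-16]
    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = nonce
    cipher.auth_tag = tag
    cipher.auth_data = ''
    cipher.update(ciphertext) + cipher.final
  end

  # Resolution order the LDAP config could adopt (option names assumed):
  # an encrypted file wins when configured, else the plaintext `password`.
  def self.bind_password(options, key)
    file = options['encrypted_password_file']
    return read(file, key) if file && File.exist?(file)
    options['password']
  end
end

if $PROGRAM_NAME == __FILE__
  key = SecureRandom.random_bytes(32)   # constructed; real key lives outside the repo
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'ldap_password.enc')
    LdapSecret.write(path, key, 'constructed-bind-password')
    puts LdapSecret.bind_password({ 'encrypted_password_file' => path }, key)
  end
end
```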
Additional details
Sidenote: The LDAP password code is located here: https://gitlab.com/gitlab-org/gitlab/-/blob/63d934809641277edbf546fd7ae0610a475f002c/lib/gitlab/auth/ldap/config.rb#L273