Smartcards allow to use SAN extensions without matching emails and URI
Problem to solve
The solution as implemented in #8605 (closed) got the email address from the Subject Alternative Name (SAN) field of the EMAIL cert, as anticipated. However, it also required that the SAN contain the URI that matched the hostname of the GitLab server. This won’t work for CACs that are issued globally, and so won’t be tailorable specifically to GitLab.
Intended users
Further details
Proposal
Only do URI check if there's multiple email definitions
Permissions and Security
Documentation
Testing
-
Need to check that this doesn't introduce opportunities to impersonate or deface users
What does success look like, and how can we measure that?
Users using smartcards with SAN extensions should be able to login into gitlab, on the following two scenarios:
- The user certificate only has one email entry in the SAN extensions and it should be used to login into gitlab
- The user certificate has multiple email entries and should only use the one that match the URI as described here https://docs.gitlab.com/ee/administration/auth/smartcard.html#authentication-against-a-local-database-with-x509-certificates-and-san-extensions-premium-only
What is the type of buyer?
Premium
Links / references
/label feature
Edited by Liam McAndrew