Allow the use of smartcard certificates whose SAN extension defines only one email entry to log in without a matching URI
Users with smartcards whose certificates carry SAN extensions should be able to log in to GitLab in the following two scenarios:
- The user certificate has only one email entry in the SAN extension, and that entry should be used to log in to GitLab
- The user certificate has multiple email entries, and only the one that matches the URI should be used, as described at https://docs.gitlab.com/ee/administration/auth/smartcard.html#authentication-against-a-local-database-with-x509-certificates-and-san-extensions-premium-only
What does this MR do?
This MR allows users with smartcard certificates that have a single email entry in the SAN extension (scenario 1) to log in, such as the certificates on Common Access Cards (CAC), which are issued globally and cannot be tailored for use with GitLab.
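The two scenarios above, worked through in Ruby as an added example; this is not GitLab's own smartcard code and the helper names (`build_cert_with_san`, `san_entries`, `login_email_for`) are assumptions. The certificates are constructed, self-signed test data. The rule used for the multiple-email case (a SAN URI must name the GitLab host, and the chosen email is the one whose domain equals that host) is an assumption made for illustration, not a statement of the matching rule GitLab implements. The single-email path is the one this MR adds: it deliberately skips the URI check, so it only stays safe because the certificate chain has already been validated against the configured smartcard CA before any SAN lookup happens; without that, any certificate carrying the victim's email would map to their account, which is exactly the impersonation concern raised in the Security section.

```ruby
require 'openssl'
require 'uri'

# Constructed test-data helper (not GitLab code): a self-signed X.509 v3
# certificate carrying the given subjectAltName value in OpenSSL config syntax,
# e.g. "email:alice@agency.example, URI:https://gitlab.example.com".
def build_cert_with_san(san_value)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Test User')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  factory = OpenSSL::X509::ExtensionFactory.new
  factory.subject_certificate = cert
  factory.issuer_certificate  = cert
  cert.add_extension(factory.create_extension('subjectAltName', san_value, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Decode subjectAltName from DER instead of splitting the pretty-printed
# "email:..., URI:..." string, so a value containing ", " cannot be misread.
# Returns [[:email, "alice@..."], [:uri, "https://..."], ...] in certificate order.
def san_entries(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext

  # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
  extn_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(extn_value).value.map do |general_name|
    # GeneralName CHOICE context-specific tag numbers, RFC 5280 section 4.2.1.6
    case general_name.tag
    when 1 then [:email, general_name.value.force_encoding(Encoding::UTF_8)] # rfc822Name
    when 6 then [:uri,   general_name.value.force_encoding(Encoding::UTF_8)] # uniformResourceIdentifier
    else        [:other, general_name.value]
    end
  end
end

def uri_host(value)
  URI.parse(value).host
rescue URI::InvalidURIError
  nil
end

# Which SAN email may be used to look up the GitLab account, or nil to refuse.
#   - exactly one email entry: use it (scenario 1, the case this MR adds; safe
#     only because the chain was already checked against the smartcard CA)
#   - several email entries: require a SAN URI naming gitlab_host and pick the
#     email whose domain equals that host (ASSUMED matching rule for this
#     illustration, not necessarily the rule GitLab implements)
#   - no email, or no unambiguous match: nil, never "the first one"
def login_email_for(cert, gitlab_host)
  entries = san_entries(cert)
  emails  = entries.select { |kind, _| kind == :email }.map(&:last)
  return nil if emails.empty?
  return emails.first if emails.size == 1

  hosts = entries.select { |kind, _| kind == :uri }.map { |_, v| uri_host(v) }.compact
  return nil unless hosts.any? { |h| h.casecmp?(gitlab_host) }

  emails.find { |email| email.split('@').last.to_s.casecmp?(gitlab_host) }
end
```

Returning nil for the ambiguous cases (several emails and no URI, or no email at all) matters more than the exact matching rule: the failure mode to avoid is silently falling back to the first email in the list, since the order of SAN entries is controlled by whoever issued the certificate.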
Does this MR meet the acceptance criteria?
Conformity
- Changelog entry
- Documentation (if required)
- Code review guidelines
- Merge request performance guidelines
- Style guides
- Separation of EE specific content
Security
This MR contains changes to authentication methods, and the main concern is whether these changes could allow someone to impersonate a user who uses a smartcard.
- Security reports checked/validated by a reviewer from the AppSec team
Related #33907 (closed)
Edited by Sebastián Arcila Valenzuela