Module: TLSHelper

Included in:
GitLab::Exporter::WebExporter
Defined in:
lib/gitlab_exporter/tls_helper.rb

Overview

Contains helper methods that build TLS-related configuration (server certificate, extra chain and private key) for web servers; currently only WEBrick is targeted.

Constant Summary

# Matches one PEM certificate block, from a BEGIN marker to the nearest END marker.
# The quantifier is non-greedy so a bundle holding several certificates yields one
# match per certificate; /m lets "." span the line breaks inside the base64 body.
# Only the plain CERTIFICATE PEM type is recognised; other PEM blocks are skipped.
CERT_REGEX =
  /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m.freeze

Instance Method Summary

Instance Method Details

#load_ca_certs_bundle(ca_certs_string) ⇒ Object

With Ruby OpenSSL v3.0.0 or later this can be replaced by OpenSSL::X509::Certificate.load (see github.com/ruby/openssl/issues/254).



# File 'lib/gitlab_exporter/tls_helper.rb', line 32

# Parses every PEM-encoded certificate found in +ca_certs_string+.
#
# Only blocks delimited by the standard CERTIFICATE markers (CERT_REGEX) are
# picked up; anything between them (comments, keys, other PEM types) is ignored.
#
# @param ca_certs_string [String, nil] contents of a PEM bundle, or nil
# @return [Array<OpenSSL::X509::Certificate>] certificates in file order; empty when
#   the input is nil/false or contains no certificate blocks
# @raise [OpenSSL::X509::CertificateError] if a matched block is not a parseable certificate
#
# In Ruby OpenSSL v3.0.0, this can be replaced by OpenSSL::X509::Certificate.load
# https://github.com/ruby/openssl/issues/254
def load_ca_certs_bundle(ca_certs_string)
  pem_blocks = ca_certs_string ? ca_certs_string.scan(CERT_REGEX) : []

  pem_blocks.each_with_object([]) do |pem, certs|
    certs << OpenSSL::X509::Certificate.new(pem)
  end
end

#validate_tls_config(config) ⇒ Object



# File 'lib/gitlab_exporter/tls_helper.rb', line 5

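# Checks that the TLS certificate and key files named in +config+ are present and readable.
#
# @param config [Hash] exporter configuration; must contain +:tls_cert_path+ and
#   +:tls_key_path+ (symbol keys) pointing at PEM files on disk
# @return [Array<Symbol>] the config keys that were checked
# @raise [RuntimeError] if a key is missing or nil, the file does not exist, or the
#   file cannot be read by the current process
def validate_tls_config(config)
  %i[tls_cert_path tls_key_path].each do |key|
    # A key that is present but nil would otherwise surface as a TypeError from
    # File.exist?(nil) instead of this message.
    fail "TLS enabled, but #{key} not specified in config" if config[key].nil?

    path = config[key]
    fail "File specified via #{key} not found: #{path}" unless File.exist?(path)

    # Key files are commonly 0600 and root-owned; fail here with a clear message rather
    # than with a bare EACCES from File.binread once the server starts.
    fail "File specified via #{key} is not readable: #{path}" unless File.readable?(path)
  end
end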

#webrick_tls_config(config) ⇒ Object



# File 'lib/gitlab_exporter/tls_helper.rb', line 13

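# Builds the WEBrick option hash needed to serve TLS from the files named in +config+.
#
# The file at +:tls_cert_path+ is read as a PEM bundle: the first certificate becomes
# the server certificate and any that follow are sent as the extra chain
# (intermediates). The file at +:tls_key_path+ must hold the matching private key.
#
# @param config [Hash] configuration with +:tls_cert_path+ and +:tls_key_path+
#   (symbol keys), as checked by #validate_tls_config
# @return [Hash] options to merge into the WEBrick::HTTPServer configuration
# @raise [RuntimeError] if the cert file holds no PEM certificate, or the private
#   key does not belong to the first certificate in the bundle
# @raise [OpenSSL::PKey::PKeyError] if the key file cannot be parsed
def webrick_tls_config(config)
  # This monkey-patches WEBrick::GenericServer, so never require this unless TLS is enabled.
  require "webrick/ssl"

  certs = load_ca_certs_bundle(File.binread(config[:tls_cert_path]))
  # Without this an empty or non-PEM cert file would yield SSLCertificate: nil and
  # only fail much later inside WEBrick with a far less useful error.
  fail "No PEM certificate found in #{config[:tls_cert_path]}" if certs.empty?

  # PKey.read autodetects the key type (RSA, EC, ...). NOTE(review): a passphrase-protected
  # key may make OpenSSL prompt on the terminal here; an unencrypted key is expected.
  private_key = OpenSSL::PKey.read(File.binread(config[:tls_key_path]))
  server_cert = certs.shift

  # Verify the key/cert pair up front so a mismatch is reported at startup
  # rather than as a failed handshake on the first client connection.
  unless server_cert.check_private_key(private_key)
    fail "Private key #{config[:tls_key_path]} does not match certificate #{config[:tls_cert_path]}"
  end

  {
    SSLEnable: true,
    SSLCertificate: server_cert,
    SSLPrivateKey: private_key,
    # SSLStartImmediately is true by default according to the docs, but when WEBrick creates the
    # SSLServer internally, the switch was always nil for some reason. Setting this explicitly fixes this.
    SSLStartImmediately: true,
    # Remaining certificates from the bundle, in file order, sent as the chain.
    SSLExtraChainCert: certs
  }
end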