Add S/MIME Email Signing (#2009)

* Add S/MIME Email Signing

See https://docs.gitlab.com/ce/administration/smime_signing_email.html

Signed-off-by: Pierre Belloy <p.belloy@axelor.com>

* Remove s/mime email configs if not enabled

Signed-off-by: Pierre Belloy <p.belloy@axelor.com>

README.md

@@ -772,6 +772,9 @@ Below is the complete list of available options that can be used to customize yo
 | `GITLAB_EMAIL_REPLY_TO` | The reply-to address of emails sent out by GitLab. Defaults to value of `GITLAB_EMAIL`, else defaults to `noreply@example.com`. |
 | `GITLAB_EMAIL_SUBJECT_SUFFIX` | The e-mail subject suffix used in e-mails sent by GitLab. No defaults. |
 | `GITLAB_EMAIL_ENABLED` | Enable or disable gitlab mailer. Defaults to the `SMTP_ENABLED` configuration. |
+| `GITLAB_EMAIL_SMIME_ENABLE` | Enable or disable email S/MIME signing. Defaults is `false`. |
+| `GITLAB_EMAIL_SMIME_KEY_FILE` | Specifies the path to a S/MIME private key file in PEM format, unencrypted. Defaults to ``. |
+| `GITLAB_EMAIL_SMIME_CERT_FILE` | Specifies the path to a S/MIME public certificate key in PEM format. Defaults to ``. |
 | `GITLAB_DEFAULT_THEME` | Default theme ID, by default 2. (1 - Indigo, 2 - Dark, 3 - Light, 4 - Blue, 5 - Green, 6 - Light Indigo, 7 - Light Blue, 8 - Light Green, 9 - Red, 10 - Light Red) |
 | `GITLAB_INCOMING_EMAIL_ADDRESS` | The incoming email address for reply by email. Defaults to the value of `IMAP_USER`, else defaults to `reply@example.com`. Please read the [reply by email](http://doc.gitlab.com/ce/incoming_email/README.html) documentation to currently set this parameter. |
 | `GITLAB_INCOMING_EMAIL_ENABLED` | Enable or disable gitlab reply by email feature. Defaults to the value of `IMAP_ENABLED`. |

assets/runtime/config/gitlabhq/gitlab.yml

@@ -70,6 +70,17 @@ production: &base
     email_display_name: {{GITLAB_EMAIL_DISPLAY_NAME}}
     email_reply_to: {{GITLAB_EMAIL_REPLY_TO}}
     email_subject_suffix: '{{GITLAB_EMAIL_SUBJECT_SUFFIX}}'
+    #start-email-smime
+    email_smime:
+      # Uncomment and set to true if you need to enable email S/MIME signing (default: false)
+      enabled: {{GITLAB_EMAIL_SMIME_ENABLE}}
+      # S/MIME private key file in PEM format, unencrypted
+      # Default is '.gitlab_smime_key' relative to Rails.root (i.e. root of the GitLab app).
+      key_file: {{GITLAB_EMAIL_SMIME_KEY_FILE}}
+      # S/MIME public certificate key in PEM format, will be attached to signed messages
+      # Default is '.gitlab_smime_cert' relative to Rails.root (i.e. root of the GitLab app).
+      cert_file: {{GITLAB_EMAIL_SMIME_CERT_FILE}}
+      #end-email-smime
 
     # Email server smtp settings are in config/initializers/smtp_settings.rb.sample
 

assets/runtime/env-defaults

@@ -283,6 +283,9 @@ GITLAB_EMAIL_SUBJECT_SUFFIX=${GITLAB_EMAIL_SUBJECT_SUFFIX:-}
 GITLAB_EMAIL=${GITLAB_EMAIL:-example@example.com}
 GITLAB_EMAIL_REPLY_TO=${GITLAB_EMAIL_REPLY_TO:-noreply@example.com}
 GITLAB_EMAIL_DISPLAY_NAME=${GITLAB_EMAIL_DISPLAY_NAME:-GitLab}
+GITLAB_EMAIL_SMIME_ENABLE=${GITLAB_EMAIL_SMIME_ENABLE:-false}
+GITLAB_EMAIL_SMIME_KEY_FILE=${GITLAB_EMAIL_SMIME_KEY_FILE:-}
+GITLAB_EMAIL_SMIME_CERT_FILE=${GITLAB_EMAIL_SMIME_CERT_FILE:-}
 
 ## INCOMING MAIL
 IMAP_HOST=${IMAP_HOST:-imap.gmail.com}

assets/runtime/functions

@@ -125,7 +125,7 @@ gitlab_finalize_database_parameters() {
   DB_USER=${DB_USER:-${POSTGRESQL_ENV_USER}}
   DB_PASS=${DB_PASS:-${POSTGRESQL_ENV_PASS}}
   DB_NAME=${DB_NAME:-${POSTGRESQL_ENV_DB}}
-  
+
 
   if [[ -z ${DB_HOST} ]]; then
     echo
@@ -351,6 +351,17 @@ gitlab_configure_mail_delivery() {
     GITLAB_EMAIL_DISPLAY_NAME \
     GITLAB_EMAIL_REPLY_TO \
     GITLAB_EMAIL_SUBJECT_SUFFIX
+
+  if [[ ${GITLAB_EMAIL_SMIME_ENABLE} == true ]]; then
+    exec_as_git sed -i "/#start-email-smime/d" ${GITLAB_CONFIG}
+    exec_as_git sed -i "/#end-email-smime/d" ${GITLAB_CONFIG}
+    update_template ${GITLAB_CONFIG} \
+      GITLAB_EMAIL_SMIME_ENABLE \
+      GITLAB_EMAIL_SMIME_KEY_FILE \
+      GITLAB_EMAIL_SMIME_CERT_FILE
+  else
+    exec_as_git sed -i "/#start-email-smime/,/#end-email-smime/d" ${GITLAB_CONFIG}
+  fi
 }
 
 gitlab_configure_mailroom() {