Add ability suppress the global "You won't be able [use] SSH" message

This fixes gitlab-org/gitlab-ce#49953, as noted in the documentation
this feature is intended to be used when SSH certificates are
enabled. Then this warning becomes not only pointless, but also
misleading.

This builds on top of gitlab-org/gitlab-ce!21009 since both need to
modify the same documentation, which avoids a merge conflict.

See also the gitlab-org/gitlab-ce#49218 issue and associated merge
request.

11 files changed, 79 insertions, 6 deletions

diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb
index 2bdf2c2c120..1e05f07e676 100644
--- a/app/helpers/application_settings_helper.rb
+++ b/app/helpers/application_settings_helper.rb
@@ -254,6 +254,7 @@ module ApplicationSettingsHelper
       :usage_ping_enabled,
       :instance_statistics_visibility_private,
       :user_default_external,
+      :user_show_add_ssh_key_message,
       :user_oauth_applications,
       :version_check_enabled,
       :web_ide_clientside_preview_enabled
diff --git a/app/helpers/button_helper.rb b/app/helpers/button_helper.rb
index 0171a880164..7adc882bc47 100644
--- a/app/helpers/button_helper.rb
+++ b/app/helpers/button_helper.rb
@@ -73,7 +73,11 @@ module ButtonHelper
   end
 
   def ssh_clone_button(project, append_link: true)
-    dropdown_description = _("You won't be able to pull or push project code via SSH until you add an SSH key to your profile") if current_user.try(:require_ssh_key?)
+    if Gitlab::CurrentSettings.user_show_add_ssh_key_message? &&
+        current_user.try(:require_ssh_key?)
+      dropdown_description = _("You won't be able to pull or push project code via SSH until you add an SSH key to your profile")
+    end
+
     append_url = project.ssh_url_to_repo if append_link
 
     dropdown_item_with_description('SSH', dropdown_description, href: append_url)
diff --git a/app/helpers/projects_helper.rb b/app/helpers/projects_helper.rb
index aaf9dff43ee..6b4079b4113 100644
--- a/app/helpers/projects_helper.rb
+++ b/app/helpers/projects_helper.rb
@@ -192,7 +192,10 @@ module ProjectsHelper
   end
 
   def show_no_ssh_key_message?
-    cookies[:hide_no_ssh_message].blank? && !current_user.hide_no_ssh_key && current_user.require_ssh_key?
+    Gitlab::CurrentSettings.user_show_add_ssh_key_message? &&
+      cookies[:hide_no_ssh_message].blank? &&
+      !current_user.hide_no_ssh_key &&
+      current_user.require_ssh_key?
   end
 
   def show_no_password_message?
diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index bbe7811841a..c77faa4b71d 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -298,7 +298,8 @@ class ApplicationSetting < ActiveRecord::Base
       unique_ips_limit_time_window: 3600,
       usage_ping_enabled: Settings.gitlab['usage_ping_enabled'],
       instance_statistics_visibility_private: false,
-      user_default_external: false
+      user_default_external: false,
+      user_show_add_ssh_key_message: true
     }
   end
 
diff --git a/app/views/admin/application_settings/_account_and_limit.html.haml b/app/views/admin/application_settings/_account_and_limit.html.haml
index 7c8243a7a90..622cb11010e 100644
--- a/app/views/admin/application_settings/_account_and_limit.html.haml
+++ b/app/views/admin/application_settings/_account_and_limit.html.haml
@@ -29,5 +29,11 @@
         = f.check_box :user_default_external, class: 'form-check-input'
         = f.label :user_default_external, class: 'form-check-label' do
           Newly registered users will by default be external
+    .form-group
+      = f.label :user_show_add_ssh_key_message, 'Prompt users to upload SSH keys', class: 'label-bold'
+      .form-check
+        = f.check_box :user_show_add_ssh_key_message, class: 'form-check-input'
+        = f.label :user_show_add_ssh_key_message, class: 'form-check-label' do
+          Inform users without uploaded SSH keys that they can't push over SSH until one is added
 
   = f.submit 'Save changes', class: 'btn btn-success'
diff --git a/changelogs/unreleased/49953-add-user_show_add_ssh_key_message-setting.yml b/changelogs/unreleased/49953-add-user_show_add_ssh_key_message-setting.yml
new file mode 100644
index 00000000000..82423092792
--- /dev/null
+++ b/changelogs/unreleased/49953-add-user_show_add_ssh_key_message-setting.yml
@@ -0,0 +1,5 @@
+---
+title: Add ability to suppress the global "You won't be able to use SSH" message
+merge_request: 21027
+author: Ævar Arnfjörð Bjarmason
+type: added
diff --git a/db/migrate/20180808162000_add_user_show_add_ssh_key_message_to_application_settings.rb b/db/migrate/20180808162000_add_user_show_add_ssh_key_message_to_application_settings.rb
new file mode 100644
index 00000000000..e3019af2cc9
--- /dev/null
+++ b/db/migrate/20180808162000_add_user_show_add_ssh_key_message_to_application_settings.rb
@@ -0,0 +1,19 @@
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddUserShowAddSshKeyMessageToApplicationSettings < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default :application_settings, :user_show_add_ssh_key_message, :boolean, default: true, allow_null: false
+  end
+
+  def down
+    remove_column :application_settings, :user_show_add_ssh_key_message
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index f1d8f4df3b7..1288a98745c 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20180807153545) do
+ActiveRecord::Schema.define(version: 20180808162000) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -170,6 +170,7 @@ ActiveRecord::Schema.define(version: 20180807153545) do
     t.boolean "hide_third_party_offers", default: false, null: false
     t.boolean "instance_statistics_visibility_private", default: false, null: false
     t.boolean "web_ide_clientside_preview_enabled", default: false, null: false
+    t.boolean "user_show_add_ssh_key_message", default: true, null: false
   end
 
   create_table "audit_events", force: :cascade do |t|
diff --git a/doc/administration/operations/ssh_certificates.md b/doc/administration/operations/ssh_certificates.md
index 8968afba01b..9edccd25ced 100644
--- a/doc/administration/operations/ssh_certificates.md
+++ b/doc/administration/operations/ssh_certificates.md
@@ -163,3 +163,20 @@ Such a restriction can currently be hacked in by e.g. providing a
 custom `AuthorizedKeysCommand` which checks if the discovered key-ID
 returned from `gitlab-shell-authorized-keys-check` is a deploy key or
 not (all non-deploy keys should be refused).
+
+## Disabling the global warning about users lacking SSH keys
+
+By default GitLab will show a "You won't be able to pull or push
+project code via SSH" warning to users who have not uploaded an SSH
+key to their profile.
+
+This is counterproductive when using SSH certificates, since users
+aren't expected to upload their own keys.
+
+To disable this warning globally, go to "Application settings ->
+Account and limit settings" and disable the "Show user add SSH key
+message" setting.
+
+This setting was added specifically for use with SSH certificates, but
+can be turned off without using them if you'd like to hide the warning
+for some other reason.
diff --git a/doc/api/settings.md b/doc/api/settings.md
index 68fc56b1fa3..b480d62e16a 100644
--- a/doc/api/settings.md
+++ b/doc/api/settings.md
@@ -56,7 +56,8 @@ Example response:
    "enforce_terms": true,
    "terms": "Hello world!",
    "performance_bar_allowed_group_id": 42,
-   "instance_statistics_visibility_private": false
+   "instance_statistics_visibility_private": false,
+   "user_show_add_ssh_key_message": true
 }
 ```
 
@@ -161,6 +162,8 @@ PUT /application/settings
 | `enforce_terms`                          | boolean          | no                                            | Enforce application ToS to all users                                                                                                                                                                                                                                                                                                                                                                                                         |
 | `terms`                                  | text             | yes (if `enforce_terms` is true)              | Markdown content for the ToS                                                                                                                                                                                                                                                                                                                                                                                                                 |
 | `instance_statistics_visibility_private` | boolean          | no                                            | When set to `true` Instance statistics will only be available to admins                                                                                                                                                                                                                                                                                                                                                                      |
+| `user_show_add_ssh_key_message`          | boolean          | no                                            | When set to `false` disable the "You won't be able to pull or push
++project code via SSH" warning shown to users with no uploaded SSH key                                                                                                                                                                                                                                                                   |
 
 ```bash
 curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/application/settings?signup_enabled=false&default_project_visibility=internal
@@ -206,6 +209,7 @@ Example response:
   "enforce_terms": true,
   "terms": "Hello world!",
   "performance_bar_allowed_group_id": 42,
-  "instance_statistics_visibility_private": false
+  "instance_statistics_visibility_private": false,
+  "user_show_add_ssh_key_message": true
 }
 ```
diff --git a/spec/helpers/button_helper_spec.rb b/spec/helpers/button_helper_spec.rb
index 630f3eff258..0c0a0003231 100644
--- a/spec/helpers/button_helper_spec.rb
+++ b/spec/helpers/button_helper_spec.rb
@@ -79,6 +79,18 @@ describe ButtonHelper do
       end
     end
 
+    context 'without an ssh key on the user and user_show_add_ssh_key_message unset' do
+      before do
+        stub_application_setting(user_show_add_ssh_key_message: false)
+      end
+
+      it 'there is no warning on the dropdown description' do
+        description = element.search('.dropdown-menu-inner-content').first
+
+        expect(description).to be_nil
+      end
+    end
+
     context 'with an ssh key on the user' do
       before do
         create(:key, user: user)