diff options
| author | Nick Thomas <nick@gitlab.com> | 2017-08-25 14:08:48 +0100 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2017-08-30 20:50:44 +0100 |
| commit | 6847060266792471c9c14518a5106e0f622cd6c5 (patch) | |
| tree | 291238748abd929e77aaf462b8833bd336e39f5d /spec/lib/gitlab/git_access_spec.rb | |
| parent | b49b7bc147955df6589b13942d0437a3b4518c7b (diff) | |
| download | gitlab-ce-6847060266792471c9c14518a5106e0f622cd6c5.tar.gz | |
Rework the permissions model for SSH key restrictions
`allowed_key_types` is removed and the `minimum_<type>_bits` fields are
renamed to `<tech>_key_restriction`. A special sentinel value (`-1`) signifies
that the key type is disabled.
This also feeds through to the UI - checkboxes per key type are out, inline
selection of "forbidden" and "allowed" (i.e., no restrictions) are in.
As with the previous model, unknown key types are disallowed, even if the
underlying ssh daemon happens to support them. The defaults have also been
changed from the lowest known bit size to "no restriction". So if someone
does happen to have a 768-bit RSA key, it will continue to work on upgrade, at
least until the administrator restricts them.
Diffstat (limited to 'spec/lib/gitlab/git_access_spec.rb')
| -rw-r--r-- | spec/lib/gitlab/git_access_spec.rb | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/spec/lib/gitlab/git_access_spec.rb b/spec/lib/gitlab/git_access_spec.rb index a67902c7209..9e4174ecdca 100644 --- a/spec/lib/gitlab/git_access_spec.rb +++ b/spec/lib/gitlab/git_access_spec.rb @@ -162,28 +162,28 @@ describe Gitlab::GitAccess do context 'key is too small' do before do - stub_application_setting(minimum_rsa_bits: 4096) + stub_application_setting(rsa_key_restriction: 4096) end it 'does not allow keys which are too small' do aggregate_failures do expect(actor).not_to be_valid - expect { pull_access_check }.to raise_unauthorized('Your SSH key length must be at least 4096 bits.') - expect { push_access_check }.to raise_unauthorized('Your SSH key length must be at least 4096 bits.') + expect { pull_access_check }.to raise_unauthorized('Your SSH key must be at least 4096 bits.') + expect { push_access_check }.to raise_unauthorized('Your SSH key must be at least 4096 bits.') end end end context 'key type is not allowed' do before do - stub_application_setting(allowed_key_types: ['ecdsa']) + stub_application_setting(rsa_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE) end it 'does not allow keys which are too small' do aggregate_failures do expect(actor).not_to be_valid - expect { pull_access_check }.to raise_unauthorized('Your SSH key type is not allowed. Must be ECDSA.') - expect { push_access_check }.to raise_unauthorized('Your SSH key type is not allowed. Must be ECDSA.') + expect { pull_access_check }.to raise_unauthorized(/Your SSH key type is forbidden/) + expect { push_access_check }.to raise_unauthorized(/Your SSH key type is forbidden/) end end end |