authorNick Thomas <nick@gitlab.com>2017-08-21 11:30:03 +0100
committerNick Thomas <nick@gitlab.com>2017-08-30 20:50:44 +0100
commitb0f982fbdf69c292ab4530c0aaaf1ab42f4e7a01 (patch)
tree0d76c74fb6260de1e3c9694a8501491b2eb486ef /spec/models/key_spec.rb
parent81f08d30e641dc1a6666022ab1f5d36dbcdced7e (diff)
Add settings for minimum key strength and allowed key type
This is an amalgamation of: * Cory Hinshaw: Initial implementation !5552 * Rémy Coutable: Updates !9350 * Nick Thomas: Resolve conflicts and add ED25519 support !13712
Diffstat (limited to 'spec/models/key_spec.rb')
-rw-r--r--spec/models/key_spec.rb85
1 files changed, 83 insertions, 2 deletions
diff --git a/spec/models/key_spec.rb b/spec/models/key_spec.rb
index 3508391c721..83b11baa371 100644
--- a/spec/models/key_spec.rb
+++ b/spec/models/key_spec.rb
@@ -1,6 +1,13 @@
require 'spec_helper'
describe Key, :mailer do
+ include Gitlab::CurrentSettings
+
+ describe 'modules' do
+ subject { described_class }
+ it { is_expected.to include_module(Gitlab::CurrentSettings) }
+ end
+
describe "Associations" do
it { is_expected.to belong_to(:user) }
end
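Review bot: The `include Gitlab::CurrentSettings` added to the example group appears unused, since the new examples in this diff go through `stub_application_setting` and never call a method from that module. The new 'modules' example also asserts only that `Key` mixes the module in, which is an implementation detail that the behavioural examples for key type and minimum length already exercise. Consider dropping the include from the spec. If the 'modules' example stays, give it a comment such as `# Key reads the key restrictions from the application settings` so its purpose is clear.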
@@ -11,8 +18,10 @@ describe Key, :mailer do
it { is_expected.to validate_presence_of(:key) }
it { is_expected.to validate_length_of(:key).is_at_most(5000) }
- it { is_expected.to allow_value('ssh-foo').for(:key) }
- it { is_expected.to allow_value('ecdsa-foo').for(:key) }
+ it { is_expected.to allow_value(attributes_for(:rsa_key_2048)[:key]).for(:key) }
+ it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) }
+ it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) }
+ it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) }
it { is_expected.not_to allow_value('foo-bar').for(:key) }
end
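Review bot: The removed `allow_value('ssh-foo')` and `allow_value('ecdsa-foo')` cases are replaced only by positive cases, so `'foo-bar'` remains the only rejected input. Nothing here pins that a string with a plausible type prefix but no parseable key material is now refused. If the validation now parses the key, as the switch to real factory keys suggests, add `it { is_expected.not_to allow_value('ssh-foo').for(:key) }` next to the existing negative case. That would catch a regression back to prefix matching.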
@@ -95,6 +104,78 @@ describe Key, :mailer do
end
end
+ context 'validate it meets minimum bit length' do
+ where(:factory, :minimum, :result) do
+ [
+ [:rsa_key_2048, 1024, true],
+ [:rsa_key_2048, 2048, true],
+ [:rsa_key_2048, 4096, false],
+ [:dsa_key_2048, 1024, true],
+ [:dsa_key_2048, 2048, true],
+ [:dsa_key_2048, 4096, false],
+ [:ecdsa_key_256, 256, true],
+ [:ecdsa_key_256, 384, false],
+ [:ed25519_key_256, 256, true],
+ [:ed25519_key_256, 384, false]
+ ]
+ end
+
+ with_them do
+ subject(:key) { build(factory) }
+
+ before do
+ stub_application_setting("minimum_#{key.public_key.type}_bits" => minimum)
+ end
+
+ it { expect(key.valid?).to eq(result) }
+ end
+ end
+
+ context 'validate the key type is allowed' do
+ it 'accepts RSA, DSA, ECDSA and ED25519 keys by default' do
+ expect(build(:rsa_key_2048)).to be_valid
+ expect(build(:dsa_key_2048)).to be_valid
+ expect(build(:ecdsa_key_256)).to be_valid
+ expect(build(:ed25519_key_256)).to be_valid
+ end
+
+ it 'rejects RSA, ECDSA and ED25519 keys if DSA is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['dsa'])
+
+ expect(build(:rsa_key_2048)).not_to be_valid
+ expect(build(:dsa_key_2048)).to be_valid
+ expect(build(:ecdsa_key_256)).not_to be_valid
+ expect(build(:ed25519_key_256)).not_to be_valid
+ end
+
+ it 'rejects RSA, DSA and ED25519 keys if ECDSA is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['ecdsa'])
+
+ expect(build(:rsa_key_2048)).not_to be_valid
+ expect(build(:dsa_key_2048)).not_to be_valid
+ expect(build(:ecdsa_key_256)).to be_valid
+ expect(build(:ed25519_key_256)).not_to be_valid
+ end
+
+ it 'rejects DSA, ECDSA and ED25519 keys if RSA is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['rsa'])
+
+ expect(build(:rsa_key_2048)).to be_valid
+ expect(build(:dsa_key_2048)).not_to be_valid
+ expect(build(:ecdsa_key_256)).not_to be_valid
+ expect(build(:ed25519_key_256)).not_to be_valid
+ end
+
+ it 'rejects RSA, DSA and ECDSA keys if ED25519 is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['ed25519'])
+
+ expect(build(:rsa_key_2048)).not_to be_valid
+ expect(build(:dsa_key_2048)).not_to be_valid
+ expect(build(:ecdsa_key_256)).not_to be_valid
+ expect(build(:ed25519_key_256)).to be_valid
+ end
+ end
+
context 'callbacks' do
it 'adds new key to authorized_file' do
key = build(:personal_key, id: 7)
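Review bot: The rejecting cases in both new contexts assert only `not_to be_valid` (or `valid?` equal to `false`), which passes for any validation failure. A key rejected for an unrelated reason would therefore still satisfy a test meant to prove the key-type or minimum-length policy is enforced. Each negative case should also check the error on the attribute the new validators use, for example `expect(key.errors[:key]).not_to be_empty` after `key.valid?`, assuming the errors are added on `:key`. In the bit-length table the stubbed setting name is built from `key.public_key.type`, which comes from the object under test. An explicit fourth column naming the setting (presumably `:minimum_rsa_bits` and so on) would keep the test independent of that method. The trailing context lines belong to the existing 'callbacks' context, which continues outside the hunk.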