diff options
author | Nick Thomas <nick@gitlab.com> | 2017-08-25 14:08:48 +0100 |
---|---|---|
committer | Nick Thomas <nick@gitlab.com> | 2017-08-30 20:50:44 +0100 |
commit | 6847060266792471c9c14518a5106e0f622cd6c5 (patch) | |
tree | 291238748abd929e77aaf462b8833bd336e39f5d /spec/models/key_spec.rb | |
parent | b49b7bc147955df6589b13942d0437a3b4518c7b (diff) | |
download | gitlab-ce-6847060266792471c9c14518a5106e0f622cd6c5.tar.gz |
Rework the permissions model for SSH key restrictions
`allowed_key_types` is removed and the `minimum_<type>_bits` fields are
renamed to `<tech>_key_restriction`. A special sentinel value (`-1`) signifies
that the key type is disabled.
This also feeds through to the UI - checkboxes per key type are out, inline
selection of "forbidden" and "allowed" (i.e., no restrictions) are in.
As with the previous model, unknown key types are disallowed, even if the
underlying ssh daemon happens to support them. The defaults have also been
changed from the lowest known bit size to "no restriction". So if someone
does happen to have a 768-bit RSA key, it will continue to work on upgrade, at
least until the administrator restricts them.
Diffstat (limited to 'spec/models/key_spec.rb')
-rw-r--r-- | spec/models/key_spec.rb | 66 |
1 files changed, 18 insertions, 48 deletions
diff --git a/spec/models/key_spec.rb b/spec/models/key_spec.rb index 83b11baa371..96baeaff0a4 100644 --- a/spec/models/key_spec.rb +++ b/spec/models/key_spec.rb @@ -104,19 +104,34 @@ describe Key, :mailer do end end - context 'validate it meets minimum bit length' do + context 'validate it meets key restrictions' do where(:factory, :minimum, :result) do + forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE + [ + [:rsa_key_2048, 0, true], + [:dsa_key_2048, 0, true], + [:ecdsa_key_256, 0, true], + [:ed25519_key_256, 0, true], + [:rsa_key_2048, 1024, true], [:rsa_key_2048, 2048, true], [:rsa_key_2048, 4096, false], + [:dsa_key_2048, 1024, true], [:dsa_key_2048, 2048, true], [:dsa_key_2048, 4096, false], + [:ecdsa_key_256, 256, true], [:ecdsa_key_256, 384, false], + [:ed25519_key_256, 256, true], - [:ed25519_key_256, 384, false] + [:ed25519_key_256, 384, false], + + [:rsa_key_2048, forbidden, false], + [:dsa_key_2048, forbidden, false], + [:ecdsa_key_256, forbidden, false], + [:ed25519_key_256, forbidden, false] ] end @@ -124,58 +139,13 @@ describe Key, :mailer do subject(:key) { build(factory) } before do - stub_application_setting("minimum_#{key.public_key.type}_bits" => minimum) + stub_application_setting("#{key.public_key.type}_key_restriction" => minimum) end it { expect(key.valid?).to eq(result) } end end - context 'validate the key type is allowed' do - it 'accepts RSA, DSA, ECDSA and ED25519 keys by default' do - expect(build(:rsa_key_2048)).to be_valid - expect(build(:dsa_key_2048)).to be_valid - expect(build(:ecdsa_key_256)).to be_valid - expect(build(:ed25519_key_256)).to be_valid - end - - it 'rejects RSA, ECDSA and ED25519 keys if DSA is the only allowed type' do - stub_application_setting(allowed_key_types: ['dsa']) - - expect(build(:rsa_key_2048)).not_to be_valid - expect(build(:dsa_key_2048)).to be_valid - expect(build(:ecdsa_key_256)).not_to be_valid - expect(build(:ed25519_key_256)).not_to be_valid - end - - it 'rejects RSA, DSA and ED25519 keys if ECDSA is the only allowed type' do - stub_application_setting(allowed_key_types: ['ecdsa']) - - expect(build(:rsa_key_2048)).not_to be_valid - expect(build(:dsa_key_2048)).not_to be_valid - expect(build(:ecdsa_key_256)).to be_valid - expect(build(:ed25519_key_256)).not_to be_valid - end - - it 'rejects DSA, ECDSA and ED25519 keys if RSA is the only allowed type' do - stub_application_setting(allowed_key_types: ['rsa']) - - expect(build(:rsa_key_2048)).to be_valid - expect(build(:dsa_key_2048)).not_to be_valid - expect(build(:ecdsa_key_256)).not_to be_valid - expect(build(:ed25519_key_256)).not_to be_valid - end - - it 'rejects RSA, DSA and ECDSA keys if ED25519 is the only allowed type' do - stub_application_setting(allowed_key_types: ['ed25519']) - - expect(build(:rsa_key_2048)).not_to be_valid - expect(build(:dsa_key_2048)).not_to be_valid - expect(build(:ecdsa_key_256)).not_to be_valid - expect(build(:ed25519_key_256)).to be_valid - end - end - context 'callbacks' do it 'adds new key to authorized_file' do key = build(:personal_key, id: 7) |