authorNick Thomas <nick@gitlab.com>2017-08-21 11:30:03 +0100
committerNick Thomas <nick@gitlab.com>2017-08-30 20:50:44 +0100
commitb0f982fbdf69c292ab4530c0aaaf1ab42f4e7a01 (patch)
tree0d76c74fb6260de1e3c9694a8501491b2eb486ef /spec/models
parent81f08d30e641dc1a6666022ab1f5d36dbcdced7e (diff)
Add settings for minimum key strength and allowed key type
This is an amalgamation of: * Cory Hinshaw: Initial implementation !5552 * Rémy Coutable: Updates !9350 * Nick Thomas: Resolve conflicts and add ED25519 support !13712
Diffstat (limited to 'spec/models')
-rw-r--r--spec/models/application_setting_spec.rb33
-rw-r--r--spec/models/key_spec.rb85
2 files changed, 116 insertions, 2 deletions
diff --git a/spec/models/application_setting_spec.rb b/spec/models/application_setting_spec.rb
index 359753b600e..44d473db07d 100644
--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -72,6 +72,27 @@ describe ApplicationSetting do
.is_greater_than(0)
end
+ it { is_expected.to validate_presence_of(:minimum_rsa_bits) }
+ it { is_expected.to allow_value(*Gitlab::SSHPublicKey.allowed_sizes('rsa')).for(:minimum_rsa_bits) }
+ it { is_expected.not_to allow_value(128).for(:minimum_rsa_bits) }
+
+ it { is_expected.to validate_presence_of(:minimum_dsa_bits) }
+ it { is_expected.to allow_value(*Gitlab::SSHPublicKey.allowed_sizes('dsa')).for(:minimum_dsa_bits) }
+ it { is_expected.not_to allow_value(128).for(:minimum_dsa_bits) }
+
+ it { is_expected.to validate_presence_of(:minimum_ecdsa_bits) }
+ it { is_expected.to allow_value(*Gitlab::SSHPublicKey.allowed_sizes('ecdsa')).for(:minimum_ecdsa_bits) }
+ it { is_expected.not_to allow_value(128).for(:minimum_ecdsa_bits) }
+
+ it { is_expected.to validate_presence_of(:minimum_ed25519_bits) }
+ it { is_expected.to allow_value(*Gitlab::SSHPublicKey.allowed_sizes('ed25519')).for(:minimum_ed25519_bits) }
+ it { is_expected.not_to allow_value(128).for(:minimum_ed25519_bits) }
+
+ describe 'allowed_key_types validations' do
+ it { is_expected.to allow_value(Gitlab::SSHPublicKey.technology_names).for(:allowed_key_types) }
+ it { is_expected.not_to allow_value(['foo']).for(:allowed_key_types) }
+ end
+
it_behaves_like 'an object with email-formated attributes', :admin_notification_email do
subject { setting }
end
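Review bot: The `allowed_key_types` validation is only exercised with a list that is entirely invalid (`['foo']`), so a validator that accepts the list as soon as one entry is known would still pass. Adding `it { is_expected.not_to allow_value(['rsa', 'foo']).for(:allowed_key_types) }` would pin that every entry is checked. An empty list is not covered either; since that would presumably stop any new SSH key from being accepted, the intended behaviour deserves an explicit example. The four `minimum_*_bits` negatives all use the single value `128`, so a value lying between two allowed sizes is never shown to be rejected.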
@@ -441,4 +462,16 @@ describe ApplicationSetting do
end
end
end
+
+ context 'allowed key types attribute' do
+ it 'set value with array of symbols' do
+ setting.allowed_key_types = [:rsa]
+ expect(setting.allowed_key_types).to contain_exactly(:rsa)
+ end
+
+ it 'get value as array of symbols' do
+ setting.allowed_key_types = ['rsa']
+ expect(setting.allowed_key_types).to eq(['rsa'])
+ end
+ end
end
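Review bot: The example named 'get value as array of symbols' assigns `['rsa']` and asserts `eq(['rsa'])`, so it checks strings and its description disagrees with its assertion. Read together, the two examples show the attribute handing back whatever element type was assigned, and neither saves and reloads the record, so the type seen after persistence is not pinned. If key validation compares a key's type against this list (not visible in this hunk), a symbol/string mismatch could silently change which key types are accepted. Either rename the example to say strings, or normalise in the model and assert one type in both examples, e.g. `expect(setting.allowed_key_types).to contain_exactly('rsa')`.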
diff --git a/spec/models/key_spec.rb b/spec/models/key_spec.rb
index 3508391c721..83b11baa371 100644
--- a/spec/models/key_spec.rb
+++ b/spec/models/key_spec.rb
@@ -1,6 +1,13 @@
require 'spec_helper'
describe Key, :mailer do
+ include Gitlab::CurrentSettings
+
+ describe 'modules' do
+ subject { described_class }
+ it { is_expected.to include_module(Gitlab::CurrentSettings) }
+ end
+
describe "Associations" do
it { is_expected.to belong_to(:user) }
end
@@ -11,8 +18,10 @@ describe Key, :mailer do
it { is_expected.to validate_presence_of(:key) }
it { is_expected.to validate_length_of(:key).is_at_most(5000) }
- it { is_expected.to allow_value('ssh-foo').for(:key) }
- it { is_expected.to allow_value('ecdsa-foo').for(:key) }
+ it { is_expected.to allow_value(attributes_for(:rsa_key_2048)[:key]).for(:key) }
+ it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) }
+ it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) }
+ it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) }
it { is_expected.not_to allow_value('foo-bar').for(:key) }
end
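Review bot: The only remaining negative case is `'foo-bar'`, which has no recognisable key prefix, so nothing here shows that a value with a valid-looking prefix but an unparseable body is rejected. The removed lines show `'ssh-foo'` and `'ecdsa-foo'` used to be accepted; if the new validation parses the key, as the switch to factory keys suggests, keep them as negatives: `it { is_expected.not_to allow_value('ssh-foo').for(:key) }` and the same for `'ecdsa-foo'`. That pins the stricter behaviour the minimum-strength setting relies on, and a later return to prefix matching would then fail the spec. The enclosing `describe` block starts outside this hunk.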
@@ -95,6 +104,78 @@ describe Key, :mailer do
end
end
+ context 'validate it meets minimum bit length' do
+ where(:factory, :minimum, :result) do
+ [
+ [:rsa_key_2048, 1024, true],
+ [:rsa_key_2048, 2048, true],
+ [:rsa_key_2048, 4096, false],
+ [:dsa_key_2048, 1024, true],
+ [:dsa_key_2048, 2048, true],
+ [:dsa_key_2048, 4096, false],
+ [:ecdsa_key_256, 256, true],
+ [:ecdsa_key_256, 384, false],
+ [:ed25519_key_256, 256, true],
+ [:ed25519_key_256, 384, false]
+ ]
+ end
+
+ with_them do
+ subject(:key) { build(factory) }
+
+ before do
+ stub_application_setting("minimum_#{key.public_key.type}_bits" => minimum)
+ end
+
+ it { expect(key.valid?).to eq(result) }
+ end
+ end
+
+ context 'validate the key type is allowed' do
+ it 'accepts RSA, DSA, ECDSA and ED25519 keys by default' do
+ expect(build(:rsa_key_2048)).to be_valid
+ expect(build(:dsa_key_2048)).to be_valid
+ expect(build(:ecdsa_key_256)).to be_valid
+ expect(build(:ed25519_key_256)).to be_valid
+ end
+
+ it 'rejects RSA, ECDSA and ED25519 keys if DSA is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['dsa'])
+
+ expect(build(:rsa_key_2048)).not_to be_valid
+ expect(build(:dsa_key_2048)).to be_valid
+ expect(build(:ecdsa_key_256)).not_to be_valid
+ expect(build(:ed25519_key_256)).not_to be_valid
+ end
+
+ it 'rejects RSA, DSA and ED25519 keys if ECDSA is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['ecdsa'])
+
+ expect(build(:rsa_key_2048)).not_to be_valid
+ expect(build(:dsa_key_2048)).not_to be_valid
+ expect(build(:ecdsa_key_256)).to be_valid
+ expect(build(:ed25519_key_256)).not_to be_valid
+ end
+
+ it 'rejects DSA, ECDSA and ED25519 keys if RSA is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['rsa'])
+
+ expect(build(:rsa_key_2048)).to be_valid
+ expect(build(:dsa_key_2048)).not_to be_valid
+ expect(build(:ecdsa_key_256)).not_to be_valid
+ expect(build(:ed25519_key_256)).not_to be_valid
+ end
+
+ it 'rejects RSA, DSA and ECDSA keys if ED25519 is the only allowed type' do
+ stub_application_setting(allowed_key_types: ['ed25519'])
+
+ expect(build(:rsa_key_2048)).not_to be_valid
+ expect(build(:dsa_key_2048)).not_to be_valid
+ expect(build(:ecdsa_key_256)).not_to be_valid
+ expect(build(:ed25519_key_256)).to be_valid
+ end
+ end
+
context 'callbacks' do
it 'adds new key to authorized_file' do
key = build(:personal_key, id: 7)
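Review bot: Every rejecting case in the two new contexts asserts only `valid?` / `not_to be_valid`, so a key that is invalid for an unrelated reason would make the `false` rows and the 'rejects …' examples pass without the bit-length or key-type check ever running. Assert the reason as well, for example by checking in the `with_them` block that `key.errors[:key]` is non-empty when `result` is false (assuming the error is added on `:key`, which this hunk does not show), and likewise after each `not_to be_valid`. The table also changes only the minimum for the key's own type; no row raises another type's minimum to confirm the settings are independent. The `context 'callbacks'` block at the end of the hunk continues outside it.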