Rework the permissions model for SSH key restrictions

`allowed_key_types` is removed and the `minimum_<type>_bits` fields are
renamed to `<tech>_key_restriction`. A special sentinel value (`-1`) signifies
that the key type is disabled.

This also feeds through to the UI - checkboxes per key type are out, inline
selection of "forbidden" and "allowed" (i.e., no restrictions) are in.

As with the previous model, unknown key types are disallowed, even if the
underlying ssh daemon happens to support them. The defaults have also been
changed from the lowest known bit size to "no restriction". So if someone
does happen to have a 768-bit RSA key, it will continue to work on upgrade, at
least until the administrator restricts them.

1 files changed, 12 insertions, 15 deletions

diff --git a/spec/requests/api/settings_spec.rb b/spec/requests/api/settings_spec.rb
index 60e7c2d0da3..0b9a4b5c3db 100644
--- a/spec/requests/api/settings_spec.rb
+++ b/spec/requests/api/settings_spec.rb
@@ -19,11 +19,10 @@ describe API::Settings, 'Settings' do
       expect(json_response['default_project_visibility']).to be_a String
       expect(json_response['default_snippet_visibility']).to be_a String
       expect(json_response['default_group_visibility']).to be_a String
-      expect(json_response['minimum_rsa_bits']).to eq(1024)
-      expect(json_response['minimum_dsa_bits']).to eq(1024)
-      expect(json_response['minimum_ecdsa_bits']).to eq(256)
-      expect(json_response['minimum_ed25519_bits']).to eq(256)
-      expect(json_response['allowed_key_types']).to contain_exactly('rsa', 'dsa', 'ecdsa', 'ed25519')
+      expect(json_response['rsa_key_restriction']).to eq(0)
+      expect(json_response['dsa_key_restriction']).to eq(0)
+      expect(json_response['ecdsa_key_restriction']).to eq(0)
+      expect(json_response['ed25519_key_restriction']).to eq(0)
     end
   end
 
@@ -50,11 +49,10 @@ describe API::Settings, 'Settings' do
           help_page_hide_commercial_content: true,
           help_page_support_url: 'http://example.com/help',
           project_export_enabled: false,
-          minimum_rsa_bits: 2048,
-          minimum_dsa_bits: 2048,
-          minimum_ecdsa_bits: 384,
-          minimum_ed25519_bits: 256,
-          allowed_key_types: ['rsa']
+          rsa_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE,
+          dsa_key_restriction: 2048,
+          ecdsa_key_restriction: 384,
+          ed25519_key_restriction: 256
 
         expect(response).to have_http_status(200)
         expect(json_response['default_projects_limit']).to eq(3)
@@ -71,11 +69,10 @@ describe API::Settings, 'Settings' do
         expect(json_response['help_page_hide_commercial_content']).to be_truthy
         expect(json_response['help_page_support_url']).to eq('http://example.com/help')
         expect(json_response['project_export_enabled']).to be_falsey
-        expect(json_response['minimum_rsa_bits']).to eq(2048)
-        expect(json_response['minimum_dsa_bits']).to eq(2048)
-        expect(json_response['minimum_ecdsa_bits']).to eq(384)
-        expect(json_response['minimum_ed25519_bits']).to eq(256)
-        expect(json_response['allowed_key_types']).to eq(['rsa'])
+        expect(json_response['rsa_key_restriction']).to eq(ApplicationSetting::FORBIDDEN_KEY_VALUE)
+        expect(json_response['dsa_key_restriction']).to eq(2048)
+        expect(json_response['ecdsa_key_restriction']).to eq(384)
+        expect(json_response['ed25519_key_restriction']).to eq(256)
       end
     end