1 files changed, 31 insertions, 31 deletions

diff --git a/app/models/application_setting.rb b/app/models/application_setting.rb
index 988ee4802b9..0f9053262c2 100644
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -13,6 +13,15 @@ class ApplicationSetting < ActiveRecord::Base
                             [\r\n]          # any number of newline characters
                           }x
 
+  # Setting a key restriction to `-1` means that all keys of this type are
+  # forbidden.
+  FORBIDDEN_KEY_VALUE = -1
+  SUPPORTED_KEY_TYPES = %i[rsa dsa ecdsa ed25519].freeze
+
+  def self.supported_key_restrictions(type)
+    [0, *Gitlab::SSHPublicKey.supported_sizes(type), FORBIDDEN_KEY_VALUE]
+  end
+
   serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize
   serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize
   serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize
@@ -20,7 +29,6 @@ class ApplicationSetting < ActiveRecord::Base
   serialize :domain_blacklist, Array # rubocop:disable Cop/ActiveRecordSerialize
   serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize
   serialize :sidekiq_throttling_queues, Array # rubocop:disable Cop/ActiveRecordSerialize
-  serialize :allowed_key_types, Array # rubocop:disable Cop/ActiveRecordSerialize
 
   cache_markdown_field :sign_in_text
   cache_markdown_field :help_page_text
@@ -147,23 +155,11 @@ class ApplicationSetting < ActiveRecord::Base
             presence: true,
             numericality: { greater_than_or_equal_to: 0 }
 
-  validates :allowed_key_types, presence: true
-
-  validates :minimum_rsa_bits,
-            presence: true,
-            inclusion: { in: Gitlab::SSHPublicKey.allowed_sizes('rsa') }
-
-  validates :minimum_dsa_bits,
-            presence: true,
-            inclusion: { in: Gitlab::SSHPublicKey.allowed_sizes('dsa') }
-
-  validates :minimum_ecdsa_bits,
-            presence: true,
-            inclusion: { in: Gitlab::SSHPublicKey.allowed_sizes('ecdsa') }
-
-  validates :minimum_ed25519_bits,
-            presence: true,
-            inclusion: { in: Gitlab::SSHPublicKey.allowed_sizes('ed25519') }
+  SUPPORTED_KEY_TYPES.each do |type|
+    validates :"#{type}_key_restriction",
+              presence: true,
+              inclusion: { in: ApplicationSetting.supported_key_restrictions(type) }
+  end
 
   validates_each :restricted_visibility_levels do |record, attr, value|
     value&.each do |level|
@@ -189,14 +185,6 @@ class ApplicationSetting < ActiveRecord::Base
     end
   end
 
-  validates_each :allowed_key_types do |record, attr, value|
-    value&.each do |type|
-      unless Gitlab::SSHPublicKey.allowed_type?(type)
-        record.errors.add(attr, "'#{type}' is not a valid SSH key type")
-      end
-    end
-  end
-
   before_validation :ensure_uuid!
 
   before_save :ensure_runners_registration_token
@@ -240,7 +228,6 @@ class ApplicationSetting < ActiveRecord::Base
     {
       after_sign_up_text: nil,
       akismet_enabled: false,
-      allowed_key_types: Gitlab::SSHPublicKey.technology_names,
       container_registry_token_expire_delay: 5,
       default_artifacts_expire_in: '30 days',
       default_branch_protection: Settings.gitlab['default_branch_protection'],
@@ -250,6 +237,9 @@ class ApplicationSetting < ActiveRecord::Base
       default_group_visibility: Settings.gitlab.default_projects_features['visibility_level'],
       disabled_oauth_sign_in_sources: [],
       domain_whitelist: Settings.gitlab['domain_whitelist'],
+      dsa_key_restriction: 0,
+      ecdsa_key_restriction: 0,
+      ed25519_key_restriction: 0,
       gravatar_enabled: Settings.gravatar['enabled'],
       help_page_text: nil,
       help_page_hide_commercial_content: false,
@@ -268,10 +258,7 @@ class ApplicationSetting < ActiveRecord::Base
       max_attachment_size: Settings.gitlab['max_attachment_size'],
       password_authentication_enabled: Settings.gitlab['password_authentication_enabled'],
       performance_bar_allowed_group_id: nil,
-      minimum_rsa_bits: 1024,
-      minimum_dsa_bits: 1024,
-      minimum_ecdsa_bits: 256,
-      minimum_ed25519_bits: 256,
+      rsa_key_restriction: 0,
       plantuml_enabled: false,
       plantuml_url: nil,
       project_export_enabled: true,
@@ -446,6 +433,19 @@ class ApplicationSetting < ActiveRecord::Base
     usage_ping_can_be_configured? && super
   end
 
+  def allowed_key_types
+    SUPPORTED_KEY_TYPES.select do |type|
+      key_restriction_for(type) != FORBIDDEN_KEY_VALUE
+    end
+  end
+
+  def key_restriction_for(type)
+    attr_name = "#{type}_key_restriction"
+
+    # rubocop:disable GitlabSecurity/PublicSend
+    has_attribute?(attr_name) ? public_send(attr_name) : FORBIDDEN_KEY_VALUE
+  end
+
   private
 
   def ensure_uuid!