From 65e85dd1d83c9f4fe550ab66a7ff113c35708c5d Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 26 May 2020 14:24:56 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@12-10-stable-ee

---
 .../admin/application_settings_controller.rb       |  8 ++++-
 .../admin/application_settings/_eks.html.haml      |  2 +-
 ...rity-132-remove-eks-details-from-admin-form.yml |  5 +++
 .../admin/application_settings_controller_spec.rb  | 40 ++++++++++++++++++++++
 .../application_settings/_eks.html.haml_spec.rb    | 34 ++++++++++++++++++
 vendor/gitignore/C++.gitignore                     |  0
 vendor/gitignore/Java.gitignore                    |  0
 7 files changed, 87 insertions(+), 2 deletions(-)
 create mode 100644 changelogs/unreleased/security-132-remove-eks-details-from-admin-form.yml
 create mode 100644 spec/views/admin/application_settings/_eks.html.haml_spec.rb
 mode change 100644 => 100755 vendor/gitignore/C++.gitignore
 mode change 100644 => 100755 vendor/gitignore/Java.gitignore

diff --git a/app/controllers/admin/application_settings_controller.rb b/app/controllers/admin/application_settings_controller.rb
index 16254c74ba4..f2fb0fdf126 100644
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -191,8 +191,10 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
 
     params[:application_setting][:import_sources]&.delete("")
     params[:application_setting][:restricted_visibility_levels]&.delete("")
-    params[:application_setting].delete(:elasticsearch_aws_secret_access_key) if params[:application_setting][:elasticsearch_aws_secret_access_key].blank?
     params[:application_setting][:required_instance_ci_template] = nil if params[:application_setting][:required_instance_ci_template].blank?
+
+    remove_blank_params_for!(:elasticsearch_aws_secret_access_key, :eks_secret_access_key)
+
     # TODO Remove domain_blacklist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
     params.delete(:domain_blacklist_raw) if params[:domain_blacklist_file]
     params.delete(:domain_blacklist_raw) if params[:domain_blacklist]
@@ -261,6 +263,10 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
     render action
   end
 
+  def remove_blank_params_for!(*keys)
+    params[:application_setting].delete_if { |setting, value| setting.to_sym.in?(keys) && value.blank? }
+  end
+
   # overridden in EE
   def valid_setting_panels
     VALID_SETTING_PANELS
diff --git a/app/views/admin/application_settings/_eks.html.haml b/app/views/admin/application_settings/_eks.html.haml
index b1f7ed76281..d959b4f9b43 100644
--- a/app/views/admin/application_settings/_eks.html.haml
+++ b/app/views/admin/application_settings/_eks.html.haml
@@ -26,6 +26,6 @@
           = f.text_field :eks_access_key_id, class: 'form-control'
         .form-group
           = f.label :eks_secret_access_key, 'Secret access key', class: 'label-bold'
-          = f.password_field :eks_secret_access_key, value: @application_setting.eks_secret_access_key, class: 'form-control'
+          = f.password_field :eks_secret_access_key, autocomplete: 'off', class: 'form-control'
 
       = f.submit 'Save changes', class: "btn btn-success"
diff --git a/changelogs/unreleased/security-132-remove-eks-details-from-admin-form.yml b/changelogs/unreleased/security-132-remove-eks-details-from-admin-form.yml
new file mode 100644
index 00000000000..ce1c48a6345
--- /dev/null
+++ b/changelogs/unreleased/security-132-remove-eks-details-from-admin-form.yml
@@ -0,0 +1,5 @@
+---
+title: Hide EKS secret key in admin integrations settings
+merge_request:
+author:
+type: security
diff --git a/spec/controllers/admin/application_settings_controller_spec.rb b/spec/controllers/admin/application_settings_controller_spec.rb
index 33764818f79..fe28e791ade 100644
--- a/spec/controllers/admin/application_settings_controller_spec.rb
+++ b/spec/controllers/admin/application_settings_controller_spec.rb
@@ -155,6 +155,46 @@ describe Admin::ApplicationSettingsController do
     end
   end
 
+  describe 'PATCH #integrations' do
+    before do
+      stub_feature_flags(instance_level_integrations: false)
+      sign_in(admin)
+    end
+
+    describe 'EKS integration' do
+      let(:application_setting) { ApplicationSetting.current }
+      let(:settings_params) do
+        {
+          eks_integration_enabled: '1',
+          eks_account_id: '123456789012',
+          eks_access_key_id: 'dummy access key',
+          eks_secret_access_key: 'dummy secret key'
+        }
+      end
+
+      it 'updates EKS settings' do
+        patch :integrations, params: { application_setting: settings_params }
+
+        expect(application_setting.eks_integration_enabled).to be_truthy
+        expect(application_setting.eks_account_id).to eq '123456789012'
+        expect(application_setting.eks_access_key_id).to eq 'dummy access key'
+        expect(application_setting.eks_secret_access_key).to eq 'dummy secret key'
+      end
+
+      context 'secret access key is blank' do
+        let(:settings_params) { { eks_secret_access_key: '' } }
+
+        it 'does not update the secret key' do
+          application_setting.update!(eks_secret_access_key: 'dummy secret key')
+
+          patch :integrations, params: { application_setting: settings_params }
+
+          expect(application_setting.reload.eks_secret_access_key).to eq 'dummy secret key'
+        end
+      end
+    end
+  end
+
   describe 'PUT #reset_registration_token' do
     before do
       sign_in(admin)
diff --git a/spec/views/admin/application_settings/_eks.html.haml_spec.rb b/spec/views/admin/application_settings/_eks.html.haml_spec.rb
new file mode 100644
index 00000000000..52434557d3a
--- /dev/null
+++ b/spec/views/admin/application_settings/_eks.html.haml_spec.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+describe 'admin/application_settings/_eks' do
+  let_it_be(:admin) { create(:admin) }
+  let(:page) { Capybara::Node::Simple.new(rendered) }
+
+  before do
+    assign(:application_setting, application_setting)
+    allow(view).to receive(:current_user) { admin }
+    allow(view).to receive(:expanded) { true }
+  end
+
+  shared_examples 'EKS secret access key input' do
+    it 'renders an empty password field' do
+      render
+      expect(rendered).to have_field('Secret access key', type: 'password')
+      expect(page.find_field('Secret access key').value).to be_blank
+    end
+  end
+
+  context 'when eks_secret_access_key is not set' do
+    let(:application_setting) { build(:application_setting) }
+
+    include_examples 'EKS secret access key input'
+  end
+
+  context 'when eks_secret_access_key is set' do
+    let(:application_setting) { build(:application_setting, eks_secret_access_key: 'eks_secret_access_key') }
+
+    include_examples 'EKS secret access key input'
+  end
+end
diff --git a/vendor/gitignore/C++.gitignore b/vendor/gitignore/C++.gitignore
old mode 100644
new mode 100755
diff --git a/vendor/gitignore/Java.gitignore b/vendor/gitignore/Java.gitignore
old mode 100644
new mode 100755
-- 
cgit v1.2.1