From 6847060266792471c9c14518a5106e0f622cd6c5 Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Fri, 25 Aug 2017 14:08:48 +0100 Subject: Rework the permissions model for SSH key restrictions `allowed_key_types` is removed and the `minimum__bits` fields are renamed to `_key_restriction`. A special sentinel value (`-1`) signifies that the key type is disabled. This also feeds through to the UI - checkboxes per key type are out, inline selection of "forbidden" and "allowed" (i.e., no restrictions) are in. As with the previous model, unknown key types are disallowed, even if the underlying ssh daemon happens to support them. The defaults have also been changed from the lowest known bit size to "no restriction". So if someone does happen to have a 768-bit RSA key, it will continue to work on upgrade, at least until the administrator restricts them. --- lib/gitlab/ssh_public_key.rb | 52 ++++++++++++++++++-------------------------- 1 file changed, 21 insertions(+), 31 deletions(-) (limited to 'lib/gitlab/ssh_public_key.rb') diff --git a/lib/gitlab/ssh_public_key.rb b/lib/gitlab/ssh_public_key.rb index 2df31bcc246..a3f8730fb04 100644 --- a/lib/gitlab/ssh_public_key.rb +++ b/lib/gitlab/ssh_public_key.rb @@ -1,31 +1,20 @@ module Gitlab class SSHPublicKey - TYPES = %w[rsa dsa ecdsa ed25519].freeze - - Technology = Struct.new(:name, :allowed_sizes) + Technology = Struct.new(:name, :key_class, :supported_sizes) Technologies = [ - Technology.new('rsa', [1024, 2048, 3072, 4096]), - Technology.new('dsa', [1024, 2048, 3072]), - Technology.new('ecdsa', [256, 384, 521]), - Technology.new('ed25519', [256]) + Technology.new(:rsa, OpenSSL::PKey::RSA, [1024, 2048, 3072, 4096]), + Technology.new(:dsa, OpenSSL::PKey::DSA, [1024, 2048, 3072]), + Technology.new(:ecdsa, OpenSSL::PKey::EC, [256, 384, 521]), + Technology.new(:ed25519, Net::SSH::Authentication::ED25519::PubKey, [256]) ].freeze - def self.technology_names - Technologies.map(&:name) - end - def self.technology(name) - Technologies.find { |ssh_key_technology| ssh_key_technology.name == name } + Technologies.find { |tech| tech.name.to_s == name.to_s } end - private_class_method :technology - def self.allowed_sizes(name) - technology(name).allowed_sizes - end - - def self.allowed_type?(type) - technology_names.include?(type.to_s) + def self.supported_sizes(name) + technology(name)&.supported_sizes end attr_reader :key_text, :key @@ -50,18 +39,7 @@ module Gitlab def type return unless valid? - case key - when OpenSSL::PKey::EC - :ecdsa - when OpenSSL::PKey::RSA - :rsa - when OpenSSL::PKey::DSA - :dsa - when Net::SSH::Authentication::ED25519::PubKey - :ed25519 - else - raise "Unsupported key type: #{key.class}" - end + technology.name end def bits @@ -80,5 +58,17 @@ module Gitlab raise "Unsupported key type: #{type}" end end + + private + + def technology + @technology ||= + begin + tech = Technologies.find { |tech| key.is_a?(tech.key_class) } + raise "Unsupported key type: #{key.class}" unless tech + + tech + end + end end end -- cgit v1.2.1