diff options
| author | Nick Thomas <nick@gitlab.com> | 2017-08-25 14:08:48 +0100 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2017-08-30 20:50:44 +0100 |
| commit | 6847060266792471c9c14518a5106e0f622cd6c5 (patch) | |
| tree | 291238748abd929e77aaf462b8833bd336e39f5d /app/models/key.rb | |
| parent | b49b7bc147955df6589b13942d0437a3b4518c7b (diff) | |
| download | gitlab-ce-6847060266792471c9c14518a5106e0f622cd6c5.tar.gz | |
Rework the permissions model for SSH key restrictions
`allowed_key_types` is removed and the `minimum_<type>_bits` fields are
renamed to `<tech>_key_restriction`. A special sentinel value (`-1`) signifies
that the key type is disabled.
This also feeds through to the UI - checkboxes per key type are out, inline
selection of "forbidden" and "allowed" (i.e., no restrictions) are in.
As with the previous model, unknown key types are disallowed, even if the
underlying ssh daemon happens to support them. The defaults have also been
changed from the lowest known bit size to "no restriction". So if someone
does happen to have a 768-bit RSA key, it will continue to work on upgrade, at
least until the administrator restricts them.
Diffstat (limited to 'app/models/key.rb')
| -rw-r--r-- | app/models/key.rb | 37 |
1 files changed, 12 insertions, 25 deletions
diff --git a/app/models/key.rb b/app/models/key.rb index 27c91679ec9..2334603b58b 100644 --- a/app/models/key.rb +++ b/app/models/key.rb @@ -24,7 +24,7 @@ class Key < ActiveRecord::Base uniqueness: true, presence: { message: 'cannot be generated' } - validate :key_meets_minimum_bit_length, :key_type_is_allowed + validate :key_meets_restrictions delegate :name, :email, to: :user, prefix: true @@ -100,37 +100,24 @@ class Key < ActiveRecord::Base self.fingerprint = public_key.fingerprint end - def key_meets_minimum_bit_length - case public_key.type - when :rsa - if public_key.bits < current_application_settings.minimum_rsa_bits - errors.add(:key, "length must be at least #{current_application_settings.minimum_rsa_bits} bits") - end - when :dsa - if public_key.bits < current_application_settings.minimum_dsa_bits - errors.add(:key, "length must be at least #{current_application_settings.minimum_dsa_bits} bits") - end - when :ecdsa - if public_key.bits < current_application_settings.minimum_ecdsa_bits - errors.add(:key, "elliptic curve size must be at least #{current_application_settings.minimum_ecdsa_bits} bits") - end - when :ed25519 - if public_key.bits < current_application_settings.minimum_ed25519_bits - errors.add(:key, "length must be at least #{current_application_settings.minimum_ed25519_bits} bits") - end + def key_meets_restrictions + restriction = current_application_settings.key_restriction_for(public_key.type) + + if restriction == ApplicationSetting::FORBIDDEN_KEY_VALUE + errors.add(:key, forbidden_key_type_message) + elsif public_key.bits < restriction + errors.add(:key, "must be at least #{restriction} bits") end end - def key_type_is_allowed - unless current_application_settings.allowed_key_types.include?(public_key.type.to_s) - allowed_types = - current_application_settings + def forbidden_key_type_message + allowed_types = + current_application_settings .allowed_key_types .map(&:upcase) .to_sentence(last_word_connector: ', or ', two_words_connector: ' or ') - errors.add(:key, "type is not allowed. Must be #{allowed_types}") - end + "type is forbidden. Must be #{allowed_types}" end def notify_user |