From b0f982fbdf69c292ab4530c0aaaf1ab42f4e7a01 Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Mon, 21 Aug 2017 11:30:03 +0100 Subject: Add settings for minimum key strength and allowed key type MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is an amalgamation of: * Cory Hinshaw: Initial implementation !5552 * Rémy Coutable: Updates !9350 * Nick Thomas: Resolve conflicts and add ED25519 support !13712 --- doc/api/settings.md | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) (limited to 'doc/api') diff --git a/doc/api/settings.md b/doc/api/settings.md index 94a9f8265fb..a43e13e6217 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md @@ -48,7 +48,12 @@ Example response: "plantuml_enabled": false, "plantuml_url": null, "terminal_max_session_time": 0, - "polling_interval_multiplier": 1.0 + "polling_interval_multiplier": 1.0, + "minimum_rsa_bits": 1024, + "minimum_dsa_bits": 1024, + "minimum_ecdsa_bits": 256, + "minimum_ed25519_bits": 256, + "allowed_key_types": ["rsa", "dsa", "ecdsa", "ed25519"] } ``` @@ -88,6 +93,11 @@ PUT /application/settings | `plantuml_url` | string | yes (if `plantuml_enabled` is `true`) | The PlantUML instance URL for integration. | | `terminal_max_session_time` | integer | no | Maximum time for web terminal websocket connection (in seconds). Set to 0 for unlimited time. | | `polling_interval_multiplier` | decimal | no | Interval multiplier used by endpoints that perform polling. Set to 0 to disable polling. | +| `minimum_rsa_bits` | integer | no | The minimum allowed bit length of an uploaded RSA key. Default is `1024`. +| `minimum_dsa_bits` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `1024`. +| `minimum_ecdsa_bits` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `256`. +| `minimum_ed25519_bits` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `256`. +| `allowed_key_types` | array of strings | no | Array of SSH key types accepted by the application. Allowed values are: `rsa`, `dsa`, `ecdsa`, and `ed25519`. Default is `["rsa", "dsa", "ecdsa", "ed25519"]`. ```bash curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/application/settings?signup_enabled=false&default_project_visibility=internal @@ -125,6 +135,11 @@ Example response: "plantuml_enabled": false, "plantuml_url": null, "terminal_max_session_time": 0, - "polling_interval_multiplier": 1.0 + "polling_interval_multiplier": 1.0, + "minimum_rsa_bits": 1024, + "minimum_dsa_bits": 1024, + "minimum_ecdsa_bits": 256, + "minimum_ed25519_bits": 256, + "allowed_key_types": ["rsa", "dsa", "ecdsa", "ed25519"] } ``` -- cgit v1.2.1 From 6847060266792471c9c14518a5106e0f622cd6c5 Mon Sep 17 00:00:00 2001 From: Nick Thomas Date: Fri, 25 Aug 2017 14:08:48 +0100 Subject: Rework the permissions model for SSH key restrictions `allowed_key_types` is removed and the `minimum__bits` fields are renamed to `_key_restriction`. A special sentinel value (`-1`) signifies that the key type is disabled. This also feeds through to the UI - checkboxes per key type are out, inline selection of "forbidden" and "allowed" (i.e., no restrictions) are in. As with the previous model, unknown key types are disallowed, even if the underlying ssh daemon happens to support them. The defaults have also been changed from the lowest known bit size to "no restriction". So if someone does happen to have a 768-bit RSA key, it will continue to work on upgrade, at least until the administrator restricts them. --- doc/api/settings.md | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) (limited to 'doc/api') diff --git a/doc/api/settings.md b/doc/api/settings.md index a43e13e6217..b78f1252108 100644 --- a/doc/api/settings.md +++ b/doc/api/settings.md @@ -49,11 +49,10 @@ Example response: "plantuml_url": null, "terminal_max_session_time": 0, "polling_interval_multiplier": 1.0, - "minimum_rsa_bits": 1024, - "minimum_dsa_bits": 1024, - "minimum_ecdsa_bits": 256, - "minimum_ed25519_bits": 256, - "allowed_key_types": ["rsa", "dsa", "ecdsa", "ed25519"] + "rsa_key_restriction": 0, + "dsa_key_restriction": 0, + "ecdsa_key_restriction": 0, + "ed25519_key_restriction": 0, } ``` @@ -93,11 +92,10 @@ PUT /application/settings | `plantuml_url` | string | yes (if `plantuml_enabled` is `true`) | The PlantUML instance URL for integration. | | `terminal_max_session_time` | integer | no | Maximum time for web terminal websocket connection (in seconds). Set to 0 for unlimited time. | | `polling_interval_multiplier` | decimal | no | Interval multiplier used by endpoints that perform polling. Set to 0 to disable polling. | -| `minimum_rsa_bits` | integer | no | The minimum allowed bit length of an uploaded RSA key. Default is `1024`. -| `minimum_dsa_bits` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `1024`. -| `minimum_ecdsa_bits` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `256`. -| `minimum_ed25519_bits` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `256`. -| `allowed_key_types` | array of strings | no | Array of SSH key types accepted by the application. Allowed values are: `rsa`, `dsa`, `ecdsa`, and `ed25519`. Default is `["rsa", "dsa", "ecdsa", "ed25519"]`. +| `rsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded RSA key. Default is `0` (no restriction). `-1` disables RSA keys. +| `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. +| `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. +| `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. ```bash curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/application/settings?signup_enabled=false&default_project_visibility=internal @@ -136,10 +134,9 @@ Example response: "plantuml_url": null, "terminal_max_session_time": 0, "polling_interval_multiplier": 1.0, - "minimum_rsa_bits": 1024, - "minimum_dsa_bits": 1024, - "minimum_ecdsa_bits": 256, - "minimum_ed25519_bits": 256, - "allowed_key_types": ["rsa", "dsa", "ecdsa", "ed25519"] + "rsa_key_restriction": 0, + "dsa_key_restriction": 0, + "ecdsa_key_restriction": 0, + "ed25519_key_restriction": 0, } ``` -- cgit v1.2.1 From 03af5e2e8d9f6ca2c438fd8243ab7f6aa86462c4 Mon Sep 17 00:00:00 2001 From: Mark Fletcher Date: Sat, 2 Sep 2017 13:52:12 +0800 Subject: Add to_project_id parameter to Move Issue via API example --- doc/api/issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/api') diff --git a/doc/api/issues.md b/doc/api/issues.md index f30ed08d0fa..5da715ee1b5 100644 --- a/doc/api/issues.md +++ b/doc/api/issues.md @@ -558,7 +558,7 @@ POST /projects/:id/issues/:issue_iid/move | `to_project_id` | integer | yes | The ID of the new project | ```bash -curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" https://gitlab.example.com/api/v4/projects/4/issues/85/move +curl --request POST --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" --data '{"to_project_id": 5}' https://gitlab.example.com/api/v4/projects/4/issues/85/move ``` Example response: -- cgit v1.2.1 From d7cf49bff0074b03380b57ae3c790f63ee821e02 Mon Sep 17 00:00:00 2001 From: "Vitaliy @blackst0ne Klachkov" Date: Sun, 3 Sep 2017 13:00:32 +1100 Subject: Fix typo in the API Deploy Keys documentation page --- doc/api/deploy_keys.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/api') diff --git a/doc/api/deploy_keys.md b/doc/api/deploy_keys.md index 4fa800ecb9c..273d5a56b6f 100644 --- a/doc/api/deploy_keys.md +++ b/doc/api/deploy_keys.md @@ -106,7 +106,7 @@ Example response: Creates a new deploy key for a project. If the deploy key already exists in another project, it will be joined to current -project only if original one was is accessible by the same user. +project only if original one is accessible by the same user. ``` POST /projects/:id/deploy_keys -- cgit v1.2.1 From 6f19fc1147a60f279db35428993ac532841195ad Mon Sep 17 00:00:00 2001 From: Shinya Maeda Date: Thu, 24 Aug 2017 01:28:57 +0900 Subject: Add API support --- doc/api/runners.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'doc/api') diff --git a/doc/api/runners.md b/doc/api/runners.md index 16d362a3530..dcca30dbfa7 100644 --- a/doc/api/runners.md +++ b/doc/api/runners.md @@ -138,7 +138,8 @@ Example response: "ruby", "mysql" ], - "version": null + "version": null, + "access_level": 0 } ``` @@ -156,6 +157,9 @@ PUT /runners/:id | `description` | string | no | The description of a runner | | `active` | boolean | no | The state of a runner; can be set to `true` or `false` | | `tag_list` | array | no | The list of tags for a runner; put array of tags, that should be finally assigned to a runner | +| `run_untagged` | boolean | no | Flag indicating the runner can execute untagged jobs | +| `locked` | boolean | no | Flag indicating the runner is locked | +| `access_level` | integer | no | The access_level of the runner; `unprotected`: 0, `protected`: 1 | ``` curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitlab.example.com/api/v4/runners/6" --form "description=test-1-20150125-test" --form "tag_list=ruby,mysql,tag1,tag2" @@ -190,7 +194,8 @@ Example response: "tag1", "tag2" ], - "version": null + "version": null, + "access_level": 0 } ``` -- cgit v1.2.1 From 1024718e9fddbb0d61d3f64f44303964641fcdd8 Mon Sep 17 00:00:00 2001 From: Shinya Maeda Date: Tue, 29 Aug 2017 15:56:03 +0900 Subject: Refactor access_level to not_protected and ref_protected --- doc/api/runners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/api') diff --git a/doc/api/runners.md b/doc/api/runners.md index dcca30dbfa7..df458af77bb 100644 --- a/doc/api/runners.md +++ b/doc/api/runners.md @@ -159,7 +159,7 @@ PUT /runners/:id | `tag_list` | array | no | The list of tags for a runner; put array of tags, that should be finally assigned to a runner | | `run_untagged` | boolean | no | Flag indicating the runner can execute untagged jobs | | `locked` | boolean | no | Flag indicating the runner is locked | -| `access_level` | integer | no | The access_level of the runner; `unprotected`: 0, `protected`: 1 | +| `access_level` | integer | no | The access_level of the runner; `not_protected`: 0, `ref_protected`: 1 | ``` curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitlab.example.com/api/v4/runners/6" --form "description=test-1-20150125-test" --form "tag_list=ruby,mysql,tag1,tag2" -- cgit v1.2.1 From 13b9b5f11a556b2841aabbf46516d1acab79aa0d Mon Sep 17 00:00:00 2001 From: Shinya Maeda Date: Tue, 29 Aug 2017 16:09:30 +0900 Subject: Improve API arguments as String --- doc/api/runners.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'doc/api') diff --git a/doc/api/runners.md b/doc/api/runners.md index df458af77bb..8146a7e0647 100644 --- a/doc/api/runners.md +++ b/doc/api/runners.md @@ -139,7 +139,7 @@ Example response: "mysql" ], "version": null, - "access_level": 0 + "access_level": "ref_protected" } ``` @@ -159,7 +159,7 @@ PUT /runners/:id | `tag_list` | array | no | The list of tags for a runner; put array of tags, that should be finally assigned to a runner | | `run_untagged` | boolean | no | Flag indicating the runner can execute untagged jobs | | `locked` | boolean | no | Flag indicating the runner is locked | -| `access_level` | integer | no | The access_level of the runner; `not_protected`: 0, `ref_protected`: 1 | +| `access_level` | integer | no | The access_level of the runner; `not_protected` or `ref_protected` | ``` curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitlab.example.com/api/v4/runners/6" --form "description=test-1-20150125-test" --form "tag_list=ruby,mysql,tag1,tag2" @@ -195,7 +195,7 @@ Example response: "tag2" ], "version": null, - "access_level": 0 + "access_level": "ref_protected" } ``` -- cgit v1.2.1 From a2cde2847c68e8061f6f40f106502fa164be7b02 Mon Sep 17 00:00:00 2001 From: Shinya Maeda Date: Tue, 29 Aug 2017 18:57:53 +0900 Subject: Fix runner api doc --- doc/api/runners.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'doc/api') diff --git a/doc/api/runners.md b/doc/api/runners.md index 8146a7e0647..6304a496f94 100644 --- a/doc/api/runners.md +++ b/doc/api/runners.md @@ -159,7 +159,7 @@ PUT /runners/:id | `tag_list` | array | no | The list of tags for a runner; put array of tags, that should be finally assigned to a runner | | `run_untagged` | boolean | no | Flag indicating the runner can execute untagged jobs | | `locked` | boolean | no | Flag indicating the runner is locked | -| `access_level` | integer | no | The access_level of the runner; `not_protected` or `ref_protected` | +| `access_level` | string | no | The access_level of the runner; `not_protected` or `ref_protected` | ``` curl --request PUT --header "PRIVATE-TOKEN: 9koXpg98eAheJpvBs5tK" "https://gitlab.example.com/api/v4/runners/6" --form "description=test-1-20150125-test" --form "tag_list=ruby,mysql,tag1,tag2" -- cgit v1.2.1