Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Jérome Perrin
gitlab-ce
Commits
b84ca08e
Commit
b84ca08e
authored
Aug 28, 2017
by
Nick Thomas
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Address review comments
parent
68470602
Changes
11
Show whitespace changes
Inline
Side-by-side
Showing
11 changed files
with
29 additions
and
36 deletions
+29
-36
app/helpers/form_helper.rb
app/helpers/form_helper.rb
+2
-2
app/models/application_setting.rb
app/models/application_setting.rb
+1
-2
app/models/key.rb
app/models/key.rb
+0
-1
app/views/profiles/keys/_key_details.html.haml
app/views/profiles/keys/_key_details.html.haml
+1
-1
changelogs/unreleased/17849-allow-admin-to-restrict-min-key-length-and-techno.yml
...849-allow-admin-to-restrict-min-key-length-and-techno.yml
+1
-1
db/migrate/20161020180657_add_minimum_key_length_to_application_settings.rb
...0180657_add_minimum_key_length_to_application_settings.rb
+4
-3
doc/security/README.md
doc/security/README.md
+1
-1
doc/security/ssh_keys_restrictions.md
doc/security/ssh_keys_restrictions.md
+4
-3
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+1
-1
lib/gitlab/ssh_public_key.rb
lib/gitlab/ssh_public_key.rb
+6
-9
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+8
-12
No files found.
app/helpers/form_helper.rb
View file @
b84ca08e
module
FormHelper
module
FormHelper
def
form_errors
(
model
,
headline
=
'The form contains the following
'
)
def
form_errors
(
model
,
type:
'form
'
)
return
unless
model
.
errors
.
any?
return
unless
model
.
errors
.
any?
pluralized
=
'error'
.
pluralize
(
model
.
errors
.
count
)
pluralized
=
'error'
.
pluralize
(
model
.
errors
.
count
)
headline
=
headline
+
' '
+
pluralized
+
':'
headline
=
"The
#{
type
}
contains the following
#{
pluralized
}
:"
content_tag
(
:div
,
class:
'alert alert-danger'
,
id:
'error_explanation'
)
do
content_tag
(
:div
,
class:
'alert alert-danger'
,
id:
'error_explanation'
)
do
content_tag
(
:h4
,
headline
)
<<
content_tag
(
:h4
,
headline
)
<<
...
...
app/models/application_setting.rb
View file @
b84ca08e
...
@@ -442,8 +442,7 @@ class ApplicationSetting < ActiveRecord::Base
...
@@ -442,8 +442,7 @@ class ApplicationSetting < ActiveRecord::Base
def
key_restriction_for
(
type
)
def
key_restriction_for
(
type
)
attr_name
=
"
#{
type
}
_key_restriction"
attr_name
=
"
#{
type
}
_key_restriction"
# rubocop:disable GitlabSecurity/PublicSend
has_attribute?
(
attr_name
)
?
public_send
(
attr_name
)
:
FORBIDDEN_KEY_VALUE
# rubocop:disable GitlabSecurity/PublicSend
has_attribute?
(
attr_name
)
?
public_send
(
attr_name
)
:
FORBIDDEN_KEY_VALUE
end
end
private
private
...
...
app/models/key.rb
View file @
b84ca08e
require
'digest/md5'
require
'digest/md5'
class
Key
<
ActiveRecord
::
Base
class
Key
<
ActiveRecord
::
Base
include
AfterCommitQueue
include
Gitlab
::
CurrentSettings
include
Gitlab
::
CurrentSettings
include
Sortable
include
Sortable
...
...
app/views/profiles/keys/_key_details.html.haml
View file @
b84ca08e
...
@@ -16,7 +16,7 @@
...
@@ -16,7 +16,7 @@
%strong
=
@key
.
last_used_at
.
try
(
:to_s
,
:medium
)
||
'N/A'
%strong
=
@key
.
last_used_at
.
try
(
:to_s
,
:medium
)
||
'N/A'
.col-md-8
.col-md-8
=
form_errors
(
@key
,
'The key has the following
'
)
unless
@key
.
valid?
=
form_errors
(
@key
,
type:
'key
'
)
unless
@key
.
valid?
%p
%p
%span
.light
Fingerprint:
%span
.light
Fingerprint:
%code
.key-fingerprint
=
@key
.
fingerprint
%code
.key-fingerprint
=
@key
.
fingerprint
...
...
changelogs/unreleased/17849-allow-admin-to-restrict-min-key-length-and-techno.yml
View file @
b84ca08e
---
---
title
:
Add settings for minimum key strength and allowed key type
title
:
Add settings for minimum
SSH
key strength and allowed key type
merge_request
:
13712
merge_request
:
13712
author
:
Cory Hinshaw
author
:
Cory Hinshaw
type
:
added
type
:
added
db/migrate/20161020180657_add_minimum_key_length_to_application_settings.rb
View file @
b84ca08e
...
@@ -7,12 +7,13 @@ class AddMinimumKeyLengthToApplicationSettings < ActiveRecord::Migration
...
@@ -7,12 +7,13 @@ class AddMinimumKeyLengthToApplicationSettings < ActiveRecord::Migration
disable_ddl_transaction!
disable_ddl_transaction!
def
up
def
up
# A key restriction has t
wo
possible states:
# A key restriction has t
hese
possible states:
#
#
# * -1 means "this key type is completely disabled"
# * -1 means "this key type is completely disabled"
# * >= 0 means "keys must have at least this many bits to be valid"
# * 0 means "all keys of this type are valid"
# * > 0 means "keys must have at least this many bits to be valid"
#
#
#
A value of 0 is equivalent to "there are no restrictions on keys of this type"
#
The default is 0, for backward compatibility
add_column_with_default
:application_settings
,
:rsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:rsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:dsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:dsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:ecdsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:ecdsa_key_restriction
,
:integer
,
default:
0
...
...
doc/security/README.md
View file @
b84ca08e
# Security
# Security
-
[
Password length limits
](
password_length_limits.md
)
-
[
Password length limits
](
password_length_limits.md
)
-
[
Restrict
allowed
SSH key technologies and minimum length
](
ssh_keys_restrictions.md
)
-
[
Restrict SSH key technologies and minimum length
](
ssh_keys_restrictions.md
)
-
[
Rack attack
](
rack_attack.md
)
-
[
Rack attack
](
rack_attack.md
)
-
[
Webhooks and insecure internal web services
](
webhooks.md
)
-
[
Webhooks and insecure internal web services
](
webhooks.md
)
-
[
Information exclusivity
](
information_exclusivity.md
)
-
[
Information exclusivity
](
information_exclusivity.md
)
...
...
doc/security/ssh_keys_restrictions.md
View file @
b84ca08e
...
@@ -2,12 +2,13 @@
...
@@ -2,12 +2,13 @@
`ssh-keygen`
allows users to create RSA keys with as few as 768 bits, which
`ssh-keygen`
allows users to create RSA keys with as few as 768 bits, which
falls well below recommendations from certain standards groups (such as the US
falls well below recommendations from certain standards groups (such as the US
NIST). Some organizations deploying Git
l
ab will need to enforce minimum key
NIST). Some organizations deploying Git
L
ab will need to enforce minimum key
strength, either to satisfy internal security policy or for regulatory
strength, either to satisfy internal security policy or for regulatory
compliance.
compliance.
Similarly, certain standards groups recommend using RSA or ECDSA over the older
Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over
DSA and administrators may need to limit the allowed SSH key algorithms.
the older DSA, and administrators may need to limit the allowed SSH key
algorithms.
GitLab allows you to restrict the allowed SSH key technology as well as specify
GitLab allows you to restrict the allowed SSH key technology as well as specify
the minimum key length for each technology.
the minimum key length for each technology.
...
...
lib/gitlab/git_access.rb
View file @
b84ca08e
...
@@ -34,8 +34,8 @@ module Gitlab
...
@@ -34,8 +34,8 @@ module Gitlab
end
end
def
check
(
cmd
,
changes
)
def
check
(
cmd
,
changes
)
check_valid_actor!
check_protocol!
check_protocol!
check_valid_actor!
check_active_user!
check_active_user!
check_project_accessibility!
check_project_accessibility!
check_project_moved!
check_project_moved!
...
...
lib/gitlab/ssh_public_key.rb
View file @
b84ca08e
...
@@ -13,6 +13,10 @@ module Gitlab
...
@@ -13,6 +13,10 @@ module Gitlab
Technologies
.
find
{
|
tech
|
tech
.
name
.
to_s
==
name
.
to_s
}
Technologies
.
find
{
|
tech
|
tech
.
name
.
to_s
==
name
.
to_s
}
end
end
def
self
.
technology_for_key
(
key
)
Technologies
.
find
{
|
tech
|
key
.
is_a?
(
tech
.
key_class
)
}
end
def
self
.
supported_sizes
(
name
)
def
self
.
supported_sizes
(
name
)
technology
(
name
)
&
.
supported_sizes
technology
(
name
)
&
.
supported_sizes
end
end
...
@@ -37,9 +41,7 @@ module Gitlab
...
@@ -37,9 +41,7 @@ module Gitlab
end
end
def
type
def
type
return
unless
valid?
technology
.
name
if
valid?
technology
.
name
end
end
def
bits
def
bits
...
@@ -63,12 +65,7 @@ module Gitlab
...
@@ -63,12 +65,7 @@ module Gitlab
def
technology
def
technology
@technology
||=
@technology
||=
begin
self
.
class
.
technology_for_key
(
key
)
||
raise
(
"Unsupported key type:
#{
key
.
class
}
"
)
tech
=
Technologies
.
find
{
|
tech
|
key
.
is_a?
(
tech
.
key_class
)
}
raise
"Unsupported key type:
#{
key
.
class
}
"
unless
tech
tech
end
end
end
end
end
end
end
spec/lib/gitlab/git_access_spec.rb
View file @
b84ca08e
...
@@ -165,29 +165,25 @@ describe Gitlab::GitAccess do
...
@@ -165,29 +165,25 @@ describe Gitlab::GitAccess do
stub_application_setting
(
rsa_key_restriction:
4096
)
stub_application_setting
(
rsa_key_restriction:
4096
)
end
end
it
'does not allow keys which are too small'
do
it
'does not allow keys which are too small'
,
aggregate_failures:
true
do
aggregate_failures
do
expect
(
actor
).
not_to
be_valid
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
expect
{
pull_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
end
end
end
end
end
context
'key type is not allowed'
do
context
'key type is not allowed'
do
before
do
before
do
stub_application_setting
(
rsa_key_restriction:
ApplicationSetting
::
FORBIDDEN_KEY_VALUE
)
stub_application_setting
(
rsa_key_restriction:
ApplicationSetting
::
FORBIDDEN_KEY_VALUE
)
end
end
it
'does not allow keys which are too small'
do
it
'does not allow keys which are too small'
,
aggregate_failures:
true
do
aggregate_failures
do
expect
(
actor
).
not_to
be_valid
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
expect
{
pull_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
end
end
end
end
end
end
end
it_behaves_like
'#check with a key that is not valid'
do
it_behaves_like
'#check with a key that is not valid'
do
let
(
:actor
)
{
build
(
:rsa_key_2048
,
user:
user
)
}
let
(
:actor
)
{
build
(
:rsa_key_2048
,
user:
user
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment