Merge branch '320970-enforce-ssh-key-expiration-by-default' into 'master'

Enforce SSH key expiration by default See merge request gitlab-org/gitlab!62432

Merge branch '320970-enforce-ssh-key-expiration-by-default' into 'master'
Enforce SSH key expiration by default See merge request gitlab-org/gitlab!62432
043b8415 · charlie ablett · 583b94e6 · f023457f · 043b8415 · 043b8415
Commit 043b8415 authored Jun 14, 2021 by charlie ablett
12 changed files
--- a/app/views/notify/ssh_key_expired_email.html.haml
+++ b/app/views/notify/ssh_key_expired_email.html.haml
 %p
  = _('Hi %{username}!') % { username: sanitize_name(@user.name) }
 %p
-  = _('Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:')
+  = _('SSH keys with the following fingerprints have expired and can no longer be used:')
 %table
  %tbody
    - @fingerprints.each do |fingerprint|

--- a/app/views/notify/ssh_key_expired_email.text.erb
+++ b/app/views/notify/ssh_key_expired_email.text.erb
 <%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %>

-<%= _('Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:') %>
+<%= _('SSH keys with the following fingerprints have expired and can no longer be used:') %>

 <% @fingerprints.each do |fingerprint| %>
  - <%= fingerprint %>

--- a/app/views/notify/ssh_key_expiring_soon.text.erb
+++ b/app/views/notify/ssh_key_expiring_soon.text.erb
 <%= _('Hi %{username}!') % { username: sanitize_name(@user.name) } %>

-<%= _('Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:') %>
+<%= _('SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:') %>

 <% @fingerprints.each do |fingerprint| %>
  - <%= fingerprint %>

--- a/app/views/notify/ssh_key_expiring_soon_email.html.haml
+++ b/app/views/notify/ssh_key_expiring_soon_email.html.haml
 %p
  = _('Hi %{username}!') % { username: sanitize_name(@user.name) }
 %p
-  = _('Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:')
+  = _('SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:')
 %table
  %tbody
    - @fingerprints.each do |fingerprint|

--- a/db/migrate/20210531070452_default_enforce_ssh_key_expiration.rb
+++ b/db/migrate/20210531070452_default_enforce_ssh_key_expiration.rb
+# frozen_string_literal: true
+
+class DefaultEnforceSshKeyExpiration < ActiveRecord::Migration[6.0]
+  def change
+    change_column_default(:application_settings, :enforce_ssh_key_expiration, from: false, to: true)
+  end
+end
--- a/db/migrate/20210531071107_enable_enforce_ssh_key_expiration.rb
+++ b/db/migrate/20210531071107_enable_enforce_ssh_key_expiration.rb
+# frozen_string_literal: true
+
+class EnableEnforceSshKeyExpiration < ActiveRecord::Migration[6.0]
+  class ApplicationSetting < ActiveRecord::Base
+    self.table_name = 'application_settings'
+  end
+
+  def up
+    ApplicationSetting.reset_column_information
+
+    ApplicationSetting.where.not(enforce_ssh_key_expiration: false).each do |application_setting|
+      application_setting.update!(enforce_ssh_key_expiration: true)
+    end
+  end
+end
--- a/db/schema_migrations/20210531070452
+++ b/db/schema_migrations/20210531070452
+e569b99998d9c670af17ec747e37726671601ba06fa97da83373649adb3aab31
\ No newline at end of file
--- a/db/schema_migrations/20210531071107
+++ b/db/schema_migrations/20210531071107
+38dcfcd162a3b49a9b16b45b2f9818275807bf419880729b5c552bccb0d4dc9e
\ No newline at end of file
--- a/db/structure.sql
+++ b/db/structure.sql
@@ -9488,7 +9488,7 @@ CREATE TABLE application_settings (
    rate_limiting_response_text text,
    invisible_captcha_enabled boolean DEFAULT false NOT NULL,
    container_registry_cleanup_tags_service_max_list_size integer DEFAULT 200 NOT NULL,
-    enforce_ssh_key_expiration boolean DEFAULT false NOT NULL,
+    enforce_ssh_key_expiration boolean DEFAULT true NOT NULL,
    git_two_factor_session_expiry integer DEFAULT 15 NOT NULL,
    keep_latest_artifact boolean DEFAULT true NOT NULL,
    notes_create_limit integer DEFAULT 300 NOT NULL,
--- a/doc/user/admin_area/settings/account_and_limit_settings.md
+++ b/doc/user/admin_area/settings/account_and_limit_settings.md
@@ -38,7 +38,7 @@ When you [add files to a repository](../../project/repository/web_editor.md#crea
 through the web UI, the maximum **attachment** size is the limiting factor,
 because the [web server](../../../development/architecture.md#components)
 must receive the file before GitLab can generate the commit.
-Use [Git LFS](../../../topics/git/lfs/index.md) to add large files to a repository. 
+Use [Git LFS](../../../topics/git/lfs/index.md) to add large files to a repository.

 ## Max import size

@@ -189,22 +189,18 @@ Once a lifetime for personal access tokens is set, GitLab:

 ## Enforce SSH key expiration **(ULTIMATE SELF)**

-> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9.
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/250480) in GitLab 13.9.
+> - [Enabled by default](https://gitlab.com/gitlab-org/gitlab/-/issues/320970) in GitLab 14.0.

-By default, expired SSH keys **can still be used**.
+By default, expired SSH keys **are not usable**.

-WARNING:
-Allowing use of expired SSH keys by default is deprecated and scheduled to change in GitLab 14.0.
-
-To prevent the use of expired SSH keys:
+To allow the use of expired SSH keys:

 1. Navigate to **Admin Area > Settings > General**.
 1. Expand the **Account and limit** section.
-1. Select the **Enforce SSH key expiration** checkbox.
-
-Enforcing SSH key expiration immediately disables all expired SSH keys.
+1. Uncheck the **Enforce SSH key expiration** checkbox.

-For more information, see the following issue on [SSH key expiration](https://gitlab.com/gitlab-org/gitlab/-/issues/320970).
+Disabling SSH key expiration immediately enables all expired SSH keys.

 ## Do not enforce Personal Access Token expiration **(ULTIMATE SELF)**


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -28342,6 +28342,12 @@ msgstr ""
 msgid "SSH keys allow you to establish a secure connection between your computer and GitLab."
 msgstr ""

+msgid "SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys can not be used:"
+msgstr ""
+
+msgid "SSH keys with the following fingerprints have expired and can no longer be used:"
+msgstr ""
+
 msgid "SSH public key"
 msgstr ""

@@ -37638,12 +37644,6 @@ msgstr ""
 msgid "Your SSH keys (%{count})"
 msgstr ""

-msgid "Your SSH keys with the following fingerprints are scheduled to expire soon. Expired SSH keys will not be usable in future versions of GitLab:"
-msgstr ""
-
-msgid "Your SSH keys with the following fingerprints have expired. Expired SSH keys will not be usable in future versions of GitLab:"
-msgstr ""
-
 msgid "Your To-Do List"
 msgstr ""


--- a/spec/mailers/emails/profile_spec.rb
+++ b/spec/mailers/emails/profile_spec.rb
@@ -264,7 +264,7 @@ RSpec.describe Emails::Profile do
        include_examples 'valid use case'

        it_behaves_like 'has the correct subject', /Your SSH key has expired/
-        it_behaves_like 'has the correct body text', /Your SSH keys with the following fingerprints have expired/
+        it_behaves_like 'has the correct body text', /SSH keys with the following fingerprints have expired/
      end

      context 'when invalid' do
@@ -291,7 +291,7 @@ RSpec.describe Emails::Profile do
        include_examples 'valid use case'

        it_behaves_like 'has the correct subject', /Your SSH key is expiring soon/
-        it_behaves_like 'has the correct body text', /Your SSH keys with the following fingerprints are scheduled to expire soon/
+        it_behaves_like 'has the correct body text', /SSH keys with the following fingerprints are scheduled to expire soon/
      end

      context 'when invalid' do