Merge branch 'remove-email-from-published-keys' into 'master'

Only publish ssh key-type and key Now when requesting my keys; my emailadres is exposed. [My keys](https://gitlab.com/zj.keys) To prevent harvesting only key-type and the key itself are displayed instead of all data supplied when uploaded. See merge request !850

Merge branch 'remove-email-from-published-keys' into 'master'
Only publish ssh key-type and key Now when requesting my keys; my emailadres is exposed. [My keys](https://gitlab.com/zj.keys) To prevent harvesting only key-type and the key itself are displayed instead of all data supplied when uploaded. See merge request !850
c6cbee84 · Douwe Maan · 4b3b286e · 4ccd767a · c6cbee84 · c6cbee84
Commit c6cbee84 authored Aug 06, 2015 by Douwe Maan
6 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -36,6 +36,7 @@ v 7.14.0 (unreleased)
  - Add support for CI skipped status
  - Fetch code from forks to refs/merge-requests/:id/head when merge request created
  - Remove satellites 
+  - Remove comments and email addresses when publicly exposing ssh keys (Zeger-Jan van de Weg)
 v 7.13.2
  - Fix randomly failed spec
@@ -61,6 +62,8 @@ v 7.13.1
 v 7.13.0
  - Remove repository graph log to fix slow cache updates after push event (Stan Hu)
  - Return comments in created order in merge request API (Stan Hu)
+v 7.13.0 (unreleased)
  - Only enable HSTS header for HTTPS and port 443 (Stan Hu)
  - Fix user autocomplete for unauthenticated users accessing public projects (Stan Hu)
  - Fix redirection to home page URL for unauthorized users (Daniel Gerhardt)

--- a/app/models/key.rb
+++ b/app/models/key.rb
@@ -39,6 +39,11 @@ class Key < ActiveRecord::Base
    self.key = key.strip unless key.blank?
  end
+  def publishable_key
+    #Removes anything beyond the keytype and key itself
+    self.key.split[0..1].join(' ')
+  end
  # projects that has this key
  def projects
    user.authorized_projects

--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -619,7 +619,7 @@ class User < ActiveRecord::Base
  end
  def all_ssh_keys
-    keys.map(&:key)
+    keys.map(&:publishable_key)
  end
  def temp_oauth_email?

--- a/spec/controllers/profile_keys_controller_spec.rb
+++ b/spec/controllers/profile_keys_controller_spec.rb
@@ -48,6 +48,17 @@ describe Profiles::KeysController do
        expect(response.body).not_to eq("")
        expect(response.body).to eq(user.all_ssh_keys.join("\n"))
+        # Unique part of key 1
+        expect(response.body).to match(/PWx6WM4lhHNedGfBpPJNPpZ/)
+        # Key 2
+        expect(response.body).to match(/AQDmTillFzNTrrGgwaCKaSj/)
+      end
+      it "should not render the comment of the key" do
+        get :get_keys, username: user.username
+        expect(response.body).not_to match(/dummy@gitlab.com/)
      end
      it "should respond with text/plain content type" do

--- a/spec/factories.rb
+++ b/spec/factories.rb
@@ -100,7 +100,7 @@ FactoryGirl.define do
  factory :key do
    title
    key do
-      "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0="
+      "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIEAiPWx6WM4lhHNedGfBpPJNPpZ7yKu+dnn1SJejgt4596k6YjzGGphH2TUxwKzxcKDKKezwkpfnxPkSMkuEspGRt/aZZ9wa++Oi7Qkr8prgHc4soW6NUlfDzpvZK2H5E7eQaSeP3SAwGmQKUFHCddNaP0L+hM7zhFNzjFvpaMgJw0= dummy@gitlab.com"
    end
    factory :deploy_key, class: 'DeployKey' do

--- a/spec/models/key_spec.rb
+++ b/spec/models/key_spec.rb
@@ -32,6 +32,13 @@ describe Key do
  describe "Methods" do
    it { is_expected.to respond_to :projects }
+    it { is_expected.to respond_to :publishable_key }
+    describe "#publishable_keys" do
+      it 'strips all personal information' do
+        expect(build(:key).publishable_key).not_to match(/dummy@gitlab/)
+      end
+    end
  end
  context "validation of uniqueness" do