Commit 2c4011f0 authored by Stan Hu's avatar Stan Hu Committed by Stan Hu

Merge branch '3271-disable-geo-primary-node-keys' into 'security-9-5-ee'

Disable geo primary node keys (9.5)

See merge request gitlab/gitlab-ee!536
parent bfc2fcea
...@@ -12,4 +12,16 @@ class GeoNodeKey < Key ...@@ -12,4 +12,16 @@ class GeoNodeKey < Key
def destroyed_when_orphaned? def destroyed_when_orphaned?
true true
end end
# Geo secondary nodes use these keys to get read access to all projects.
# If the secondary is promoted to a primary, its key is no longer valid.
#
# This is necessary because keys are placed in the `~git/.ssh` directory;
# repository mirroring and other actions that shell out to SSH make use of
# the same directory. A Geo secondary does not perform any of these actions,
# but if it is made a primary and the keys are not removed, every user on the
# GitLab instance will be able to access every project using this key.
def active?
geo_node&.secondary?
end
end end
...@@ -269,7 +269,7 @@ module Gitlab ...@@ -269,7 +269,7 @@ module Gitlab
if deploy_key? if deploy_key?
deploy_key.has_access_to?(project) deploy_key.has_access_to?(project)
elsif geo_node_key? elsif geo_node_key?
true geo_node_key.active?
elsif user elsif user
user.can?(:read_project, project) user.can?(:read_project, project)
elsif ci? elsif ci?
......
...@@ -352,13 +352,21 @@ describe Gitlab::GitAccess do ...@@ -352,13 +352,21 @@ describe Gitlab::GitAccess do
end end
describe 'geo node key permissions' do describe 'geo node key permissions' do
let(:key) { build(:geo_node_key) } let(:key) { build(:geo_node_key, geo_node: geo_node) }
let(:actor) { key } let(:actor) { key }
context 'pull code' do context 'assigned to primary geo node' do
subject { access.send(:check_download_access!) } let(:geo_node) { build(:geo_node, primary: true) }
it { expect { pull_access_check }.to raise_not_found }
it { expect { push_access_check }.to raise_not_found }
end
context 'assigned to secondary geo node' do
let(:geo_node) { build(:geo_node, primary: false) }
it { expect { subject }.not_to raise_error } it { expect { pull_access_check }.not_to raise_error }
it { expect { push_access_check }.to raise_unauthorized(described_class::ERROR_MESSAGES[:upload]) }
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment