Automatic merge of gitlab-org/gitlab master

app/assets/stylesheets/framework/ci_variable_list.scss

@@ -98,13 +98,3 @@
     color: $gl-text-color-disabled;
   }
 }
-
-.group-variable-list {
-  color: $gray-500;
-
-  .table-section:not(:first-child) {
-    @include media-breakpoint-down(sm) {
-      border-top: hidden;
-    }
-  }
-}

app/views/admin/application_settings/_account_and_limit.html.haml

@@ -31,6 +31,7 @@
 
     = render_if_exists 'admin/application_settings/personal_access_token_expiration_policy', form: f
     = render_if_exists 'admin/application_settings/enforce_pat_expiration', form: f
+    = render_if_exists 'admin/application_settings/enforce_ssh_key_expiration', form: f
 
     .form-group
       = f.label :user_oauth_applications, _('User OAuth applications'), class: 'label-bold'

app/views/ci/group_variables/_index.html.haml

 - variables = @project.group.self_and_ancestors.map(&:variables).flatten
 
-.row
-  .col-lg-12
-    .group-variable-list
-      = render 'ci/group_variables/variable_header'
-      - variables.each do |variable|
-        .group-variable-row.d-flex.w-100.border-bottom.pt-2.pb-2
-          .table-section.section-40.gl-mr-3.key
-            = variable.key
-          .table-section.section-40.gl-mr-3
-            %a.group-origin-link{ href: group_settings_ci_cd_path(variable.group) }
-              = variable.group.name
+.ci-variable-table
+  %table.gl-table.gl-w-full.gl-table-layout-fixed
+    = render 'ci/group_variables/variable_header'
+    - variables.each do |variable|
+      %tr
+        %td.gl-text-truncate
+          = variable.key
+        %td.gl-text-truncate
+          %a.group-origin-link{ href: group_settings_ci_cd_path(variable.group) }
+            = variable.group.name

app/views/ci/group_variables/_variable_header.html.haml

-.group-variable-keys.d-flex.w-100.align-items-center.pb-2.border-bottom
-  .bold.table-section.section-40.gl-mr-3
+%tr
+  %th
     = s_('Key')
-  .bold.table-section.section-40.gl-mr-3
+  %th
     = s_('Group')

changelogs/unreleased/250480-enforce-ssh-key-expiry.yml

+---
+title: Add enforced SSH key expiration
+merge_request: 51921
+author:
+type: added

changelogs/unreleased/258550-fix-long-ci-variable-name-overflows-on-origin.yml

+---
+title: Fix long CI variable name overflows on origin
+merge_request: 51021
+author: Kev @KevSlashNull
+type: fixed

db/migrate/20210118111307_add_enforce_ssh_key_expiration_to_application_settings.rb

+# frozen_string_literal: true
+
+class AddEnforceSshKeyExpirationToApplicationSettings < ActiveRecord::Migration[6.0]
+  DOWNTIME = false
+
+  def change
+    add_column :application_settings, :enforce_ssh_key_expiration, :boolean, default: false, null: false
+  end
+end

db/schema_migrations/20210118111307

+f33cc3eebc9197db381d81150a140582e30905d3964d6fb444caad6c9eff1b31
\ No newline at end of file

db/structure.sql

@@ -9410,6 +9410,7 @@ CREATE TABLE application_settings (
     rate_limiting_response_text text,
     invisible_captcha_enabled boolean DEFAULT false NOT NULL,
     container_registry_cleanup_tags_service_max_list_size integer DEFAULT 200 NOT NULL,
+    enforce_ssh_key_expiration boolean DEFAULT false NOT NULL,
     CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
     CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),
     CONSTRAINT check_17d9558205 CHECK ((char_length((kroki_url)::text) <= 1024)),

doc/ci/pipelines/index.md

@@ -132,10 +132,6 @@ Pipelines can be manually executed, with predefined or manually-specified [varia
 You might do this if the results of a pipeline (for example, a code build) are required outside the normal
 operation of the pipeline.
 
-[In GitLab 13.7 and later](https://gitlab.com/gitlab-org/gitlab/-/issues/30101),
-all global variables with descriptions defined in the `.gitlab-ci.yml` file are
-displayed in the variable fields.
-
 To execute a pipeline manually:
 
 1. Navigate to your project's **CI/CD > Pipelines**.
@@ -143,10 +139,33 @@ To execute a pipeline manually:
 1. On the **Run Pipeline** page:
     1. Select the branch to run the pipeline for in the **Create for** field.
     1. Enter any [environment variables](../variables/README.md) required for the pipeline run.
+       You can set specific variables to have their [values prefilled in the form](#prefill-variables-in-manual-pipelines).
     1. Click the **Create pipeline** button.
 
 The pipeline now executes the jobs as configured.
 
+#### Prefill variables in manual pipelines
+
+> [Introduced in](https://gitlab.com/gitlab-org/gitlab/-/issues/30101) GitLab 13.7.
+
+You can use the [`value` and `description`](../yaml/README.md#prefill-variables-in-manual-pipelines)
+keywords to define [variables](../variables/README.md) that are prefilled when running
+a pipeline manually.
+
+In pipelines triggered manually, the **Run pipelines** page displays all variables
+with a `description` and `value` defined in the `.gitlab-ci.yml` file. The values
+can then be modified if needed, which overrides the value for that single pipeline run.
+
+The description is displayed below the variable. It can be used to explain what
+the variable is used for, what the acceptable values are, and so on:
+
+```yaml
+variables:
+  DEPLOY_ENVIRONMENT:
+    value: "staging"  # Deploy to staging by default
+    description: "The deployment target. Change this variable to 'canary' or 'production' if needed."
+```
+
 ### Run a pipeline by using a URL query string
 
 > [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/24146) in GitLab 12.5.

doc/ci/variables/README.md

@@ -70,7 +70,8 @@ When you need a specific custom environment variable, you can
 or directly [in the `.gitlab-ci.yml` file](#create-a-custom-variable-in-gitlab-ciyml).
 
 The variables are used by the runner any time the pipeline runs.
-You can also [override variable values manually for a specific pipeline](../jobs/index.md#specifying-variables-when-running-manual-jobs).
+You can also [override variable values manually for a specific pipeline](../jobs/index.md#specifying-variables-when-running-manual-jobs),
+or have them [prefilled in manual pipelines](../pipelines/index.md#prefill-variables-in-manual-pipelines).
 
 There are two types of variables: **Variable** and **File**. You cannot set types in
 the `.gitlab-ci.yml` file, but you can set them in the UI and API.
@@ -406,6 +407,10 @@ script:
   - 'eval $LS_CMD'  # will execute 'ls -al $TMP_DIR'
 ```
 
+Use the [`value` and `description`](../yaml/README.md#prefill-variables-in-manual-pipelines)
+keywords to define [variables that are prefilled](../pipelines/index.md#prefill-variables-in-manual-pipelines)
+when [running a pipeline manually](../pipelines/index.md#run-a-pipeline-manually):
+
 ## Group-level environment variables
 
 > Introduced in GitLab 9.4.

doc/ci/yaml/README.md

@@ -4235,7 +4235,8 @@ There are two types of variables.
 
 - [Custom variables](../variables/README.md#custom-environment-variables):
   You can define their values in the `.gitlab-ci.yml` file, in the GitLab UI,
-  or by using the API.
+  or by using the API. You can also input variables in the GitLab UI when
+  [running a pipeline manually](../pipelines/index.md#run-a-pipeline-manually).
 - [Predefined variables](../variables/predefined_variables.md):
   These values are set by the runner itself.
   One example is `CI_COMMIT_REF_NAME`, which is the branch or tag the project is built for.
@@ -4275,6 +4276,20 @@ All YAML-defined variables are also set to any linked
 
 You can use [YAML anchors for variables](#yaml-anchors-for-variables).
 
+### Prefill variables in manual pipelines
+
+> [Introduced in](https://gitlab.com/gitlab-org/gitlab/-/issues/30101) GitLab 13.7.
+
+You can use the `value` and `description` keywords to define [variables that are prefilled](../pipelines/index.md#prefill-variables-in-manual-pipelines)
+when [running a pipeline manually](../pipelines/index.md#run-a-pipeline-manually):
+
+```yaml
+variables:
+  DEPLOY_ENVIRONMENT:
+    value: "staging"  # Deploy to staging by default
+    description: "The deployment target. Change this variable to 'canary' or 'production' if needed."
+```
+
 ### Configure runner behavior with variables
 
 You can use [CI/CD variables](../variables/README.md) to configure runner Git behavior:

doc/user/admin_area/settings/account_and_limit_settings.md

@@ -164,6 +164,40 @@ Once a lifetime for personal access tokens is set, GitLab will:
 - After three hours, revoke old tokens with no expiration date or with a lifetime longer than the
   allowed lifetime. Three hours is given to allow administrators to change the allowed lifetime,
   or remove it, before revocation takes place.
+  
+## Enforcement of SSH key expiration **(ULTIMATE ONLY)**
+
+> - [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/276221) in [GitLab Ultimate](https://about.gitlab.com/pricing/) 13.9.
+> - It is deployed behind a feature flag, disabled by default.
+> - It is disabled on GitLab.com.
+> - It is not recommended for production use.
+> - To use it in GitLab self-managed instances, ask a GitLab administrator to [enable it](#enable-or-disable-enforcement-of-ssh-key-expiration-feature). **(CORE ONLY)**
+
+GitLab administrators can choose to enforce the expiration of SSH keys after their expiration dates.
+If you enable this feature, this disables all _expired_ SSH keys.
+
+To do this:
+
+1. Navigate to **Admin Area > Settings > General**.
+1. Expand the **Account and limit** section.
+1. Select the **Enforce SSH key expiration** checkbox.
+
+### Enable or disable enforcement of SSH key expiration Feature **(CORE ONLY)**
+
+Enforcement of SSH key expiry is deployed behind a feature flag and is **disabled by default**.
+[GitLab administrators with access to the GitLab Rails console](../../../administration/feature_flags.md) can enable it for your instance from the [rails console](../../../administration/feature_flags.md#start-the-gitlab-rails-console).
+
+To enable it:
+
+```ruby
+Feature.enable(:ff_enforce_ssh_key_expiration)
+```
+
+To disable it:
+
+```ruby
+Feature.disable(:ff_enforce_ssh_key_expiration)
+```
 
 ## Optional enforcement of Personal Access Token expiry **(ULTIMATE SELF)**
 

ee/app/helpers/ee/application_settings_helper.rb

@@ -50,6 +50,7 @@ module EE
         :elasticsearch_analyzers_kuromoji_search,
         :enforce_namespace_storage_limit,
         :enforce_pat_expiration,
+        :enforce_ssh_key_expiration,
         :geo_node_allowed_ips,
         :geo_status_timeout,
         :help_text,

ee/app/models/ee/key.rb

@@ -8,12 +8,28 @@ module EE
       include UsageStatistics
 
       scope :ldap, -> { where(type: 'LDAPKey') }
+
+      validate :expiration, if: -> { ::Key.expiration_enforced? }
+
+      def expiration
+        errors.add(:key, 'has expired and the instance administrator has enforced expiration') if expired?
+      end
     end
 
     class_methods do
       def regular_keys
         where(type: ['LDAPKey', 'Key', nil])
       end
+
+      def expiration_enforced?
+        return false unless enforce_ssh_key_expiration_feature_available?
+
+        ::Gitlab::CurrentSettings.enforce_ssh_key_expiration?
+      end
+
+      def enforce_ssh_key_expiration_feature_available?
+        License.feature_available?(:enforce_ssh_key_expiration) && ::Feature.enabled?(:ff_enforce_ssh_key_expiration)
+      end
     end
   end
 end

ee/app/models/license.rb

@@ -142,6 +142,7 @@ class License < ApplicationRecord
     dependency_scanning
     devops_adoption
     enforce_pat_expiration
+    enforce_ssh_key_expiration
     enterprise_templates
     environment_alerts
     group_ci_cd_analytics

ee/app/views/admin/application_settings/_enforce_ssh_key_expiration.html.haml

+- return unless Key.enforce_ssh_key_expiration_feature_available?
+
+- form = local_assigns.fetch(:form)
+
+.form-group
+  .form-check
+    = form.check_box :enforce_ssh_key_expiration, class: 'form-check-input'
+    = form.label :enforce_ssh_key_expiration, class: 'form-check-label' do
+      = _('Enforce SSH key expiration')

ee/config/feature_flags/development/ff_enforce_ssh_key_expiration.yml

+---
+name: ff_enforce_ssh_key_expiration
+introduced_by_url: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/51921
+rollout_issue_url: https://gitlab.com/gitlab-org/gitlab/-/issues/299092
+milestone: '13.9'
+type: development
+group: group::compliance
+default_enabled: false

ee/spec/helpers/ee/application_settings_helper_spec.rb

@@ -5,7 +5,7 @@ require 'spec_helper'
 RSpec.describe EE::ApplicationSettingsHelper do
   describe '.visible_attributes' do
     context 'personal access token parameters' do
-      it { expect(visible_attributes).to include(*%i(max_personal_access_token_lifetime enforce_pat_expiration)) }
+      it { expect(visible_attributes).to include(*%i(max_personal_access_token_lifetime enforce_pat_expiration enforce_ssh_key_expiration)) }
     end
   end
 end

ee/spec/lib/gitlab/git_access_spec.rb

@@ -779,6 +779,23 @@ RSpec.describe Gitlab::GitAccess do
     end
   end
 
+  describe '#check_valid_actor!' do
+    context 'key expiration is enforced' do
+      let(:actor) { build(:personal_key, expires_at: 2.days.ago) }
+
+      before do
+        stub_licensed_features(enforce_ssh_key_expiration: true)
+        stub_feature_flags(ff_enforce_ssh_key_expiration: true)
+        stub_ee_application_setting(enforce_ssh_key_expiration: true)
+      end
+
+      it 'does not allow expired keys', :aggregate_failures do
+        expect { push_changes }.to raise_forbidden('Your SSH key has expired and the instance administrator has enforced expiration.')
+        expect { pull_changes }.to raise_forbidden('Your SSH key has expired and the instance administrator has enforced expiration.')
+      end
+    end
+  end
+
   private
 
   def access

ee/spec/models/ee/key_spec.rb

+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe Key do
+  describe 'validations' do
+    describe 'expiration' do
+      using RSpec::Parameterized::TableSyntax
+
+      where(:key, :expiration_enforced, :valid ) do
+        build(:personal_key, expires_at: 2.days.ago) | true | false
+        build(:personal_key, expires_at: 2.days.ago) | false | true
+        build(:personal_key) | false | true
+        build(:personal_key) | true | true
+      end
+
+      with_them do
+        it 'checks if ssh key expiration is enforced' do
+          expect(Key).to receive(:expiration_enforced?).and_return(expiration_enforced)
+
+          expect(key.valid?).to eq(valid)
+        end
+      end
+    end
+  end
+
+  describe '.expiration_enforced?' do
+    using RSpec::Parameterized::TableSyntax
+
+    where(:feature_enabled, :licensed, :application_setting, :available) do
+      true  | true  | true  | true
+      true  | true  | false | false
+      true  | false | true  | false
+      true  | false | false | false
+      false | true  | true  | false
+      false | true  | false | false
+      false | false | true  | false
+      false | false | false | false
+    end
+
+    with_them do
+      before do
+        stub_feature_flags(ff_enforce_ssh_key_expiration: feature_enabled)
+        stub_licensed_features(enforce_ssh_key_expiration: licensed)
+        stub_ee_application_setting(enforce_ssh_key_expiration: application_setting)
+      end
+
+      it 'checks if ssh key expiration is enforced' do
+        expect(described_class.expiration_enforced?).to be(available)
+      end
+    end
+  end
+end

locale/gitlab.pot

@@ -10926,6 +10926,9 @@ msgstr ""
 msgid "Enforce DNS rebinding attack protection"
 msgstr ""
 
+msgid "Enforce SSH key expiration"
+msgstr ""
+
 msgid "Enforce personal access token expiration"
 msgstr ""