Commit 40c46f39 authored by Doug Stull's avatar Doug Stull Committed by Alper Akgun

Rename application settings columns for inclusive language

- follow our diversity and inclusion guidelines.
parent e7e53ab3
......@@ -218,8 +218,8 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
# TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
params.delete(:domain_denylist_raw) if params[:domain_denylist_file]
params.delete(:domain_denylist_raw) if params[:domain_blacklist]
params.delete(:domain_allowlist_raw) if params[:domain_whitelist]
params.delete(:domain_denylist_raw) if params[:domain_denylist]
params.delete(:domain_allowlist_raw) if params[:domain_allowlist]
params.require(:application_setting).permit(
visible_application_setting_attributes
......
......@@ -199,11 +199,11 @@ module ApplicationSettingsHelper
:default_projects_limit,
:default_snippet_visibility,
:disabled_oauth_sign_in_sources,
:domain_blacklist,
:domain_blacklist_enabled,
:domain_denylist,
:domain_denylist_enabled,
# TODO Remove domain_denylist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
:domain_denylist_raw,
:domain_whitelist,
:domain_allowlist,
# TODO Remove domain_allowlist_raw in APIv5 (See https://gitlab.com/gitlab-org/gitlab-foss/issues/67204)
:domain_allowlist_raw,
:outbound_local_requests_allowlist_raw,
......
......@@ -40,8 +40,8 @@ class ApplicationSetting < ApplicationRecord
serialize :restricted_visibility_levels # rubocop:disable Cop/ActiveRecordSerialize
serialize :import_sources # rubocop:disable Cop/ActiveRecordSerialize
serialize :disabled_oauth_sign_in_sources, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_blacklist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_allowlist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :domain_denylist, Array # rubocop:disable Cop/ActiveRecordSerialize
serialize :repository_storages # rubocop:disable Cop/ActiveRecordSerialize
serialize :asset_proxy_whitelist, Array # rubocop:disable Cop/ActiveRecordSerialize
......@@ -184,9 +184,9 @@ class ApplicationSetting < ApplicationRecord
validates :enabled_git_access_protocol,
inclusion: { in: %w(ssh http), allow_blank: true }
validates :domain_blacklist,
presence: { message: 'Domain blacklist cannot be empty if Blacklist is enabled.' },
if: :domain_blacklist_enabled?
validates :domain_denylist,
presence: { message: 'Domain denylist cannot be empty if denylist is enabled.' },
if: :domain_denylist_enabled?
validates :housekeeping_incremental_repack_period,
presence: true,
......
......@@ -60,7 +60,7 @@ module ApplicationSettingImplementation
diff_max_patch_bytes: Gitlab::Git::Diff::DEFAULT_MAX_PATCH_BYTES,
disabled_oauth_sign_in_sources: [],
dns_rebinding_protection_enabled: true,
domain_whitelist: Settings.gitlab['domain_whitelist'],
domain_allowlist: Settings.gitlab['domain_allowlist'],
dsa_key_restriction: 0,
ecdsa_key_restriction: 0,
ed25519_key_restriction: 0,
......@@ -203,19 +203,19 @@ module ApplicationSettingImplementation
end
def domain_allowlist_raw
array_to_string(self.domain_whitelist)
array_to_string(self.domain_allowlist)
end
def domain_denylist_raw
array_to_string(self.domain_blacklist)
array_to_string(self.domain_denylist)
end
def domain_allowlist_raw=(values)
self.domain_whitelist = strings_to_array(values)
self.domain_allowlist = strings_to_array(values)
end
def domain_denylist_raw=(values)
self.domain_blacklist = strings_to_array(values)
self.domain_denylist = strings_to_array(values)
end
def domain_denylist_file=(file)
......@@ -242,7 +242,7 @@ module ApplicationSettingImplementation
end
# This method separates out the strings stored in the
# application_setting.outbound_local_requests_allowlist array into 2 arrays;
# application_setting.outbound_local_requests_whitelist array into 2 arrays;
# an array of IPAddr objects (`[IPAddr.new('127.0.0.1')]`), and an array of
# domain strings (`['www.example.com']`).
def outbound_local_requests_allowlist_arrays
......
......@@ -1843,15 +1843,15 @@ class User < ApplicationRecord
valid = true
error = nil
if Gitlab::CurrentSettings.domain_blacklist_enabled?
blocked_domains = Gitlab::CurrentSettings.domain_blacklist
if Gitlab::CurrentSettings.domain_denylist_enabled?
blocked_domains = Gitlab::CurrentSettings.domain_denylist
if domain_matches?(blocked_domains, email)
error = 'is not from an allowed domain.'
valid = false
end
end
allowed_domains = Gitlab::CurrentSettings.domain_whitelist
allowed_domains = Gitlab::CurrentSettings.domain_allowlist
unless allowed_domains.blank?
if domain_matches?(allowed_domains, email)
valid = true
......
......@@ -31,14 +31,14 @@
.form-text.text-muted
= _("See GitLab's %{password_policy_guidelines}").html_safe % { password_policy_guidelines: password_policy_guidelines_link }
.form-group
= f.label :domain_whitelist, _('Allowed domains for sign-ups'), class: 'label-bold'
= f.label :domain_allowlist, _('Allowed domains for sign-ups'), class: 'label-bold'
= f.text_area :domain_allowlist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
.form-text.text-muted ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
.form-group
= f.label :domain_blacklist_enabled, _('Domain denylist'), class: 'label-bold'
= f.label :domain_denylist_enabled, _('Domain denylist'), class: 'label-bold'
.form-check
= f.check_box :domain_blacklist_enabled, class: 'form-check-input'
= f.label :domain_blacklist_enabled, class: 'form-check-label' do
= f.check_box :domain_denylist_enabled, class: 'form-check-input'
= f.label :domain_denylist_enabled, class: 'form-check-label' do
Enable domain denylist for sign ups
.form-group
.form-check
......@@ -47,7 +47,7 @@
.option-title
Upload denylist file
.form-check
= radio_button_tag :denylist_type, :raw, @application_setting.domain_blacklist.present? || @application_setting.domain_blacklist.blank?, class: 'form-check-input'
= radio_button_tag :denylist_type, :raw, @application_setting.domain_denylist.present? || @application_setting.domain_denylist.blank?, class: 'form-check-input'
= label_tag :denylist_type_raw, class: 'form-check-label' do
.option-title
Enter denylist manually
......@@ -56,7 +56,7 @@
= f.file_field :domain_denylist_file, class: 'form-control', accept: '.txt,.conf'
.form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines or commas for multiple entries.
.form-group.js-denylist-raw
= f.label :domain_blacklist, _('Denied domains for sign-ups'), class: 'label-bold'
= f.label :domain_denylist, _('Denied domains for sign-ups'), class: 'label-bold'
= f.text_area :domain_denylist_raw, placeholder: 'domain.com', class: 'form-control', rows: 8
.form-text.text-muted Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com
.form-group
......
---
title: Use allowlist/denylist in application settings backend
merge_request: 46170
author:
type: changed
......@@ -198,7 +198,7 @@ Settings.gitlab.default_projects_features['snippets'] = true if Settin
Settings.gitlab.default_projects_features['builds'] = true if Settings.gitlab.default_projects_features['builds'].nil?
Settings.gitlab.default_projects_features['container_registry'] = true if Settings.gitlab.default_projects_features['container_registry'].nil?
Settings.gitlab.default_projects_features['visibility_level'] = Settings.__send__(:verify_constant, Gitlab::VisibilityLevel, Settings.gitlab.default_projects_features['visibility_level'], Gitlab::VisibilityLevel::PRIVATE)
Settings.gitlab['domain_whitelist'] ||= []
Settings.gitlab['domain_allowlist'] ||= []
Settings.gitlab['import_sources'] ||= Gitlab::ImportSources.values
Settings.gitlab['trusted_proxies'] ||= []
Settings.gitlab['content_security_policy'] ||= Gitlab::ContentSecurityPolicy::ConfigLoader.default_settings_hash
......
# frozen_string_literal: true
class RenameApplicationSettingsToAllowDenyNames < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
rename_column_concurrently :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
rename_column_concurrently :application_settings, :domain_blacklist, :domain_denylist
rename_column_concurrently :application_settings, :domain_whitelist, :domain_allowlist
end
def down
undo_rename_column_concurrently :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
undo_rename_column_concurrently :application_settings, :domain_blacklist, :domain_denylist
undo_rename_column_concurrently :application_settings, :domain_whitelist, :domain_allowlist
end
end
# frozen_string_literal: true
class CleanupApplicationSettingsToAllowDenyRename < ActiveRecord::Migration[6.0]
include Gitlab::Database::MigrationHelpers
disable_ddl_transaction!
def up
cleanup_concurrent_column_rename :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
cleanup_concurrent_column_rename :application_settings, :domain_blacklist, :domain_denylist
cleanup_concurrent_column_rename :application_settings, :domain_whitelist, :domain_allowlist
end
def down
undo_cleanup_concurrent_column_rename :application_settings, :domain_blacklist_enabled, :domain_denylist_enabled
undo_cleanup_concurrent_column_rename :application_settings, :domain_blacklist, :domain_denylist
undo_cleanup_concurrent_column_rename :application_settings, :domain_whitelist, :domain_allowlist
end
end
c718bc731f7dc3e1f0104dfdb79a3dc46c46849153ec9b228600eeb5a92465e7
\ No newline at end of file
a61310c95a1302871ea18881d45bc0c7357baa8f24daa31b7e2174318dab5707
\ No newline at end of file
......@@ -9083,7 +9083,6 @@ CREATE TABLE application_settings (
max_attachment_size integer DEFAULT 10 NOT NULL,
default_project_visibility integer DEFAULT 0 NOT NULL,
default_snippet_visibility integer DEFAULT 0 NOT NULL,
domain_whitelist text,
user_oauth_applications boolean DEFAULT true,
after_sign_out_path character varying,
session_expire_delay integer DEFAULT 10080 NOT NULL,
......@@ -9119,8 +9118,6 @@ CREATE TABLE application_settings (
elasticsearch_search boolean DEFAULT false NOT NULL,
repository_storages character varying DEFAULT 'default'::character varying,
enabled_git_access_protocol character varying,
domain_blacklist_enabled boolean DEFAULT false,
domain_blacklist text,
usage_ping_enabled boolean DEFAULT true NOT NULL,
sign_in_text_html text,
help_page_text_html text,
......@@ -9341,6 +9338,9 @@ CREATE TABLE application_settings (
secret_detection_token_revocation_url text,
encrypted_secret_detection_token_revocation_token text,
encrypted_secret_detection_token_revocation_token_iv text,
domain_denylist_enabled boolean DEFAULT false,
domain_denylist text,
domain_allowlist text,
new_user_signups_cap integer,
CONSTRAINT app_settings_registry_exp_policies_worker_capacity_positive CHECK ((container_registry_expiration_policies_worker_capacity >= 0)),
CONSTRAINT check_2dba05b802 CHECK ((char_length(gitpod_url) <= 255)),
......
......@@ -43,9 +43,9 @@ Example response:
"home_page_url" : null,
"default_snippet_visibility" : "private",
"outbound_local_requests_whitelist": [],
"domain_whitelist" : [],
"domain_blacklist_enabled" : false,
"domain_blacklist" : [],
"domain_allowlist" : [],
"domain_denylist_enabled" : false,
"domain_denylist" : [],
"created_at" : "2016-01-04T15:44:55.176Z",
"default_ci_config_path" : null,
"default_project_visibility" : "private",
......@@ -133,9 +133,9 @@ Example response:
"default_snippet_visibility": "private",
"default_group_visibility": "private",
"outbound_local_requests_whitelist": [],
"domain_whitelist": [],
"domain_blacklist_enabled" : false,
"domain_blacklist" : [],
"domain_allowlist": [],
"domain_denylist_enabled" : false,
"domain_denylist" : [],
"external_authorization_service_enabled": true,
"external_authorization_service_url": "https://authorize.me",
"external_authorization_service_default_label": "default",
......@@ -231,9 +231,9 @@ listed in the descriptions of the relevant settings.
| `diff_max_patch_bytes` | integer | no | Maximum diff patch size (Bytes). |
| `disabled_oauth_sign_in_sources` | array of strings | no | Disabled OAuth sign-in sources. |
| `dns_rebinding_protection_enabled` | boolean | no | Enforce DNS rebinding attack protection. |
| `domain_blacklist_enabled` | boolean | no | (**If enabled, requires:** `domain_blacklist`) Allows blocking sign-ups from emails from specific domains. |
| `domain_blacklist` | array of strings | no | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. |
| `domain_whitelist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
| `domain_denylist_enabled` | boolean | no | (**If enabled, requires:** `domain_denylist`) Allows blocking sign-ups from emails from specific domains. |
| `domain_denylist` | array of strings | no | Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: `domain.com`, `*.domain.com`. |
| `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
| `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
| `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
| `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |
......
......@@ -94,6 +94,8 @@ renaming. For example
class RenameUsersUpdatedAtToUpdatedAtTimestamp < ActiveRecord::Migration[4.2]
include Gitlab::Database::MigrationHelpers
DOWNTIME = false
disable_ddl_transaction!
def up
......
......@@ -53,9 +53,9 @@ module API
optional :default_projects_limit, type: Integer, desc: 'The maximum number of personal projects'
optional :default_snippet_visibility, type: String, values: Gitlab::VisibilityLevel.string_values, desc: 'The default snippet visibility'
optional :disabled_oauth_sign_in_sources, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Disable certain OAuth sign-in sources'
optional :domain_blacklist_enabled, type: Boolean, desc: 'Enable domain blacklist for sign ups'
optional :domain_blacklist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
optional :domain_whitelist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
optional :domain_denylist_enabled, type: Boolean, desc: 'Enable domain denylist for sign ups'
optional :domain_denylist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'Users with e-mail addresses that match these domain(s) will NOT be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
optional :domain_allowlist, type: Array[String], coerce_with: Validations::Types::CommaSeparatedToArray.coerce, desc: 'ONLY users with e-mail addresses that match these domain(s) will be able to sign-up. Wildcards allowed. Use separate lines for multiple entries. Ex: domain.com, *.domain.com'
optional :eks_integration_enabled, type: Boolean, desc: 'Enable integration with Amazon EKS'
given eks_integration_enabled: -> (val) { val } do
requires :eks_account_id, type: String, desc: 'Amazon account ID for EKS integration'
......
......@@ -113,7 +113,7 @@ module Gitlab
end
rescue SocketError
# If the dns rebinding protection is not enabled or the domain
# is whitelisted we avoid the dns rebinding checks
# is allowed we avoid the dns rebinding checks
return if domain_allowed?(uri) || !dns_rebind_protection
# In the test suite we use a lot of mocked urls that are either invalid or
......
......@@ -350,7 +350,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
expect(described_class).to be_blocked_url('http://[fe80::c800:eff:fe74:8]', allow_local_network: false)
end
context 'when local domain/IP is whitelisted' do
context 'when local domain/IP is allowed' do
let(:url_blocker_attributes) do
{
allow_localhost: false,
......@@ -360,11 +360,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
before do
allow(ApplicationSetting).to receive(:current).and_return(ApplicationSetting.new)
stub_application_setting(outbound_local_requests_whitelist: whitelist)
stub_application_setting(outbound_local_requests_whitelist: allowlist)
end
context 'with IPs in whitelist' do
let(:whitelist) do
context 'with IPs in allowlist' do
let(:allowlist) do
[
'0.0.0.0',
'127.0.0.1',
......@@ -396,7 +396,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
it_behaves_like 'allows local requests', { allow_localhost: false, allow_local_network: false }
it 'whitelists IP when dns_rebind_protection is disabled' do
it 'allows IP when dns_rebind_protection is disabled' do
url = "http://example.com"
attrs = url_blocker_attributes.merge(dns_rebind_protection: false)
......@@ -410,8 +410,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end
end
context 'with domains in whitelist' do
let(:whitelist) do
context 'with domains in allowlist' do
let(:allowlist) do
[
'www.example.com',
'example.com',
......@@ -420,7 +420,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
]
end
it 'allows domains present in whitelist' do
it 'allows domains present in allowlist' do
domain = 'example.com'
subdomain1 = 'www.example.com'
subdomain2 = 'subdomain.example.com'
......@@ -435,7 +435,7 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
url_blocker_attributes)
end
# subdomain2 is not part of the whitelist so it should be blocked
# subdomain2 is not part of the allowlist so it should be blocked
stub_domain_resolv(subdomain2, '192.168.1.1') do
expect(described_class).to be_blocked_url("http://#{subdomain2}",
url_blocker_attributes)
......@@ -458,8 +458,8 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end
shared_examples 'dns rebinding checks' do
shared_examples 'whitelists the domain' do
let(:whitelist) { [domain] }
shared_examples 'allowlists the domain' do
let(:allowlist) { [domain] }
let(:url) { "http://#{domain}" }
before do
......@@ -475,13 +475,13 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
context 'enabled' do
let(:dns_rebind_value) { true }
it_behaves_like 'whitelists the domain'
it_behaves_like 'allowlists the domain'
end
context 'disabled' do
let(:dns_rebind_value) { false }
it_behaves_like 'whitelists the domain'
it_behaves_like 'allowlists the domain'
end
end
end
......@@ -504,11 +504,11 @@ RSpec.describe Gitlab::UrlBlocker, :stub_invalid_dns_only do
end
context 'with ports' do
let(:whitelist) do
let(:allowlist) do
["127.0.0.1:2000"]
end
it 'allows domain with port when resolved ip has port whitelisted' do
it 'allows domain with port when resolved ip has port allowed' do
stub_domain_resolv("www.resolve-domain.com", '127.0.0.1') do
expect(described_class).not_to be_blocked_url("http://www.resolve-domain.com:2000", url_blocker_attributes)
end
......
......@@ -319,7 +319,7 @@ RSpec.describe User do
expect(subject).to validate_presence_of(:username)
end
it 'rejects blacklisted names' do
it 'rejects denied names' do
user = build(:user, username: 'dashboard')
expect(user).not_to be_valid
......@@ -442,9 +442,9 @@ RSpec.describe User do
end
describe 'email' do
context 'when no signup domains whitelisted' do
context 'when no signup domains allowed' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return([])
allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return([])
end
it 'accepts any email' do
......@@ -455,7 +455,7 @@ RSpec.describe User do
context 'bad regex' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['([a-zA-Z0-9]+)+\.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['([a-zA-Z0-9]+)+\.com'])
end
it 'does not hang on evil input' do
......@@ -467,9 +467,9 @@ RSpec.describe User do
end
end
context 'when a signup domain is whitelisted and subdomains are allowed' do
context 'when a signup domain is allowed and subdomains are allowed' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com', '*.example.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['example.com', '*.example.com'])
end
it 'accepts info@example.com' do
......@@ -488,9 +488,9 @@ RSpec.describe User do
end
end
context 'when a signup domain is whitelisted and subdomains are not allowed' do
context 'when a signup domain is allowed and subdomains are not allowed' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['example.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['example.com'])
end
it 'accepts info@example.com' do
......@@ -514,15 +514,15 @@ RSpec.describe User do
end
end
context 'domain blacklist' do
context 'domain denylist' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist_enabled?).and_return(true)
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['example.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist_enabled?).and_return(true)
allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['example.com'])
end
context 'bad regex' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['([a-zA-Z0-9]+)+\.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['([a-zA-Z0-9]+)+\.com'])
end
it 'does not hang on evil input' do
......@@ -534,7 +534,7 @@ RSpec.describe User do
end
end
context 'when a signup domain is blacklisted' do
context 'when a signup domain is denied' do
it 'accepts info@test.com' do
user = build(:user, email: 'info@test.com')
expect(user).to be_valid
......@@ -551,13 +551,13 @@ RSpec.describe User do
end
end
context 'when a signup domain is blacklisted but a wildcard subdomain is allowed' do
context 'when a signup domain is denied but a wildcard subdomain is allowed' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_blacklist).and_return(['test.example.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['*.example.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_denylist).and_return(['test.example.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['*.example.com'])
end
it 'gives priority to whitelist and allow info@test.example.com' do
it 'gives priority to allowlist and allow info@test.example.com' do
user = build(:user, email: 'info@test.example.com')
expect(user).to be_valid
end
......@@ -565,7 +565,7 @@ RSpec.describe User do
context 'with both lists containing a domain' do
before do
allow_any_instance_of(ApplicationSetting).to receive(:domain_whitelist).and_return(['test.com'])
allow_any_instance_of(ApplicationSetting).to receive(:domain_allowlist).and_return(['test.com'])
end
it 'accepts info@test.com' do
......@@ -3637,9 +3637,9 @@ RSpec.describe User do
end
end
context 'when a domain whitelist is in place' do
context 'when a domain allowlist is in place' do
before do
stub_application_setting(domain_whitelist: ['gitlab.com'])
stub_application_setting(domain_allowlist: ['gitlab.com'])
end
it 'creates a ghost user' do
......
......@@ -377,41 +377,41 @@ RSpec.describe API::Settings, 'Settings' do
end
end
context 'domain_blacklist settings' do
it 'rejects domain_blacklist_enabled when domain_blacklist is empty' do
context 'domain_denylist settings' do
it 'rejects domain_denylist_enabled when domain_denylist is empty' do
put api('/application/settings', admin),
params: {
domain_blacklist_enabled: true,
domain_blacklist: []
domain_denylist_enabled: true,
domain_denylist: []
}
expect(response).to have_gitlab_http_status(:bad_request)
message = json_response["message"]
expect(message["domain_blacklist"]).to eq(["Domain blacklist cannot be empty if Blacklist is enabled."])
expect(message["domain_denylist"]).to eq(["Domain denylist cannot be empty if denylist is enabled."])
end
it 'allows array for domain_blacklist' do
it 'allows array for domain_denylist' do
put api('/application/settings', admin),
params: {
domain_blacklist_enabled: true,
domain_blacklist: ['domain1.com', 'domain2.com']
domain_denylist_enabled: true,
domain_denylist: ['domain1.com', 'domain2.com']
}
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['domain_blacklist_enabled']).to be(true)
expect(json_response['domain_blacklist']).to eq(['domain1.com', 'domain2.com'])
expect(json_response['domain_denylist_enabled']).to be(true)
expect(json_response['domain_denylist']).to eq(['domain1.com', 'domain2.com'])
end
it 'allows a string for domain_blacklist' do
it 'allows a string for domain_denylist' do
put api('/application/settings', admin),
params: {
domain_blacklist_enabled: true,
domain_blacklist: 'domain3.com, *.domain4.com'
domain_denylist_enabled: true,
domain_denylist: 'domain3.com, *.domain4.com'
}
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['domain_blacklist_enabled']).to be(true)
expect(json_response['domain_blacklist']).to eq(['domain3.com', '*.domain4.com'])
expect(json_response['domain_denylist_enabled']).to be(true)
expect(json_response['domain_denylist']).to eq(['domain3.com', '*.domain4.com'])
end
end
......
......@@ -66,7 +66,7 @@ RSpec.describe ApplicationSettings::UpdateService do
context 'when params is blank' do
let(:params) { {} }
it 'does not add to whitelist' do
it 'does not add to allowlist' do
expect { subject.execute }.not_to change {
application_settings.outbound_local_requests_whitelist
}
......@@ -80,7 +80,7 @@ RSpec.describe ApplicationSettings::UpdateService do
let(:params) { { add_to_outbound_local_requests_whitelist: ['example.com', ''] } }
it 'adds to whitelist' do
it 'adds to allowlist' do
expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist
}
......@@ -98,7 +98,7 @@ RSpec.describe ApplicationSettings::UpdateService do
let(:params) { { outbound_local_requests_allowlist_raw: 'example.com;gitlab.com' } }
it 'overwrites the existing whitelist' do
it 'overwrites the existing allowlist' do
expect { subject.execute }.to change {
application_settings.outbound_local_requests_whitelist
}
......
......@@ -49,15 +49,15 @@ end
RSpec.shared_examples 'application settings examples' do
context 'restricted signup domains' do
it_behaves_like 'string of domains', :domain_allowlist, :domain_whitelist
it_behaves_like 'string of domains', :domain_allowlist, :domain_allowlist
end
context 'blacklisted signup domains' do
it_behaves_like 'string of domains', :domain_denylist, :domain_blacklist
context 'denied signup domains' do
it_behaves_like 'string of domains', :domain_denylist, :domain_denylist
it 'sets multiple domain with file' do
setting.domain_denylist_file = File.open(Rails.root.join('spec/fixtures/', 'domain_denylist.txt'))
expect(setting.domain_blacklist).to contain_exactly('example.com', 'test.com', 'foo.bar')
expect(setting.domain_denylist).to contain_exactly('example.com', 'test.com', 'foo.bar')
end
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment