Merge branch '60071-remove-gitlab-keys-usage' into 'master'

Remove usage of gitlab-shell gitlab-keys script See merge request gitlab-org/gitlab-ce!32138

Merge branch '60071-remove-gitlab-keys-usage' into 'master'
Remove usage of gitlab-shell gitlab-keys script See merge request gitlab-org/gitlab-ce!32138
4e2af302 · Nick Thomas · 1843502f · a1ec2ad0 · 4e2af302 · 4e2af302
Commit 4e2af302 authored Aug 29, 2019 by Nick Thomas
8 changed files
--- a/config/initializers/1_settings.rb
+++ b/config/initializers/1_settings.rb
@@ -515,7 +515,7 @@ Settings['sidekiq']['log_format'] ||= 'default'
 Settings['gitlab_shell'] ||= Settingslogic.new({})
 Settings.gitlab_shell['path']           = Settings.absolute(Settings.gitlab_shell['path'] || Settings.gitlab['user_home'] + '/gitlab-shell/')
 Settings.gitlab_shell['hooks_path']     = :deprecated_use_gitlab_shell_path_instead
-Settings.gitlab_shell['authorized_keys_file'] ||= nil
+Settings.gitlab_shell['authorized_keys_file'] ||= File.join(Dir.home, '.ssh', 'authorized_keys')
 Settings.gitlab_shell['secret_file'] ||= Rails.root.join('.gitlab_shell_secret')
 Settings.gitlab_shell['receive_pack']   = true if Settings.gitlab_shell['receive_pack'].nil?
 Settings.gitlab_shell['upload_pack']    = true if Settings.gitlab_shell['upload_pack'].nil?

--- a/lib/gitlab/authorized_keys.rb
+++ b/lib/gitlab/authorized_keys.rb
@@ -13,6 +13,24 @@ module Gitlab
      @logger = logger
    end
+    # Checks if the file is accessible or not
+    #
+    # @return [Boolean]
+    def accessible?
+      open_authorized_keys_file('r') { true }
+    rescue Errno::ENOENT, Errno::EACCES
+      false
+    end
+    # Creates the authorized_keys file if it doesn't exist
+    #
+    # @return [Boolean]
+    def create
+      open_authorized_keys_file(File::CREAT) { true }
+    rescue Errno::EACCES
+      false
+    end
    # Add id and its key to the authorized_keys file
    #
    # @param [String] id identifier of key prefixed by `key-`
@@ -102,10 +120,14 @@ module Gitlab
      []
    end
+    def file
+      @file ||= Gitlab.config.gitlab_shell.authorized_keys_file
+    end
    private
    def lock(timeout = 10)
-      File.open("#{authorized_keys_file}.lock", "w+") do |f|
+      File.open("#{file}.lock", "w+") do |f|
        f.flock File::LOCK_EX
        Timeout.timeout(timeout) { yield }
      ensure
@@ -114,7 +136,7 @@ module Gitlab
    end
    def open_authorized_keys_file(mode)
-      File.open(authorized_keys_file, mode, 0o600) do |file|
+      File.open(file, mode, 0o600) do |file|
        file.chmod(0o600)
        yield file
      end
@@ -141,9 +163,5 @@ module Gitlab
    def strip(key)
      key.split(/[ ]+/)[0, 2].join(' ')
    end
-    def authorized_keys_file
-      Gitlab.config.gitlab_shell.authorized_keys_file
-    end
  end
 end
--- a/lib/gitlab/shell.rb
+++ b/lib/gitlab/shell.rb
@@ -165,17 +165,8 @@ module Gitlab
    def add_key(key_id, key_content)
      return unless self.authorized_keys_enabled?
-      if shell_out_for_gitlab_keys?
-        gitlab_shell_fast_execute([
-          gitlab_shell_keys_path,
-          'add-key',
-          key_id,
-          strip_key(key_content)
-        ])
-      else
      gitlab_authorized_keys.add_key(key_id, key_content)
    end
-    end
    # Batch-add keys to authorized_keys
    #
@@ -184,20 +175,8 @@ module Gitlab
    def batch_add_keys(keys)
      return unless self.authorized_keys_enabled?
-      if shell_out_for_gitlab_keys?
-        begin
-          IO.popen("#{gitlab_shell_keys_path} batch-add-keys", 'w') do |io|
-            add_keys_to_io(keys, io)
-          end
-          $?.success?
-        rescue Error
-          false
-        end
-      else
      gitlab_authorized_keys.batch_add_keys(keys)
    end
-    end
    # Remove ssh key from authorized_keys
    #
@@ -207,12 +186,8 @@ module Gitlab
    def remove_key(id, _ = nil)
      return unless self.authorized_keys_enabled?
-      if shell_out_for_gitlab_keys?
-        gitlab_shell_fast_execute([gitlab_shell_keys_path, 'rm-key', id])
-      else
      gitlab_authorized_keys.rm_key(id)
    end
-    end
    # Remove all ssh keys from gitlab shell
    #
@@ -222,12 +197,8 @@ module Gitlab
    def remove_all_keys
      return unless self.authorized_keys_enabled?
-      if shell_out_for_gitlab_keys?
-        gitlab_shell_fast_execute([gitlab_shell_keys_path, 'clear'])
-      else
      gitlab_authorized_keys.clear
    end
-    end
    # Remove ssh keys from gitlab shell that are not in the DB
    #
@@ -341,14 +312,6 @@ module Gitlab
      File.join(Gitlab.config.repositories.storages[storage].legacy_disk_path, dir_name)
    end
-    def gitlab_shell_projects_path
-      File.join(gitlab_shell_path, 'bin', 'gitlab-projects')
-    end
-    def gitlab_shell_keys_path
-      File.join(gitlab_shell_path, 'bin', 'gitlab-keys')
-    end
    def authorized_keys_enabled?
      # Return true if nil to ensure the authorized_keys methods work while
      # fixing the authorized_keys file during migration.
@@ -359,35 +322,6 @@ module Gitlab
    private
-    def shell_out_for_gitlab_keys?
-      Gitlab.config.gitlab_shell.authorized_keys_file.blank?
-    end
-    def gitlab_shell_fast_execute(cmd)
-      output, status = gitlab_shell_fast_execute_helper(cmd)
-      return true if status.zero?
-      Rails.logger.error("gitlab-shell failed with error #{status}: #{output}") # rubocop:disable Gitlab/RailsLogger
-      false
-    end
-    def gitlab_shell_fast_execute_raise_error(cmd, vars = {})
-      output, status = gitlab_shell_fast_execute_helper(cmd, vars)
-      raise Error, output unless status.zero?
-      true
-    end
-    def gitlab_shell_fast_execute_helper(cmd, vars = {})
-      vars.merge!(ENV.to_h.slice(*GITLAB_SHELL_ENV_VARS))
-      # Don't pass along the entire parent environment to prevent gitlab-shell
-      # from wasting I/O by searching through GEM_PATH
-      Bundler.with_original_env { Popen.popen(cmd, nil, vars) }
-    end
    def git_timeout
      Gitlab.config.gitlab_shell.git_timeout
    end
@@ -407,18 +341,10 @@ module Gitlab
    def batch_read_key_ids(batch_size: 100, &block)
      return unless self.authorized_keys_enabled?
-      if shell_out_for_gitlab_keys?
-        IO.popen("#{gitlab_shell_keys_path} list-key-ids") do |key_id_stream|
-          key_id_stream.lazy.each_slice(batch_size) do |lines|
-            yield(lines.map { |l| l.chomp.to_i })
-          end
-        end
-      else
      gitlab_authorized_keys.list_key_ids.lazy.each_slice(batch_size) do |key_ids|
        yield(key_ids)
      end
    end
-    end
    def strip_key(key)
      key.split(/[ ]+/)[0, 2].join(' ')

--- a/lib/system_check/app/authorized_keys_permission_check.rb
+++ b/lib/system_check/app/authorized_keys_permission_check.rb
+# frozen_string_literal: true
+module SystemCheck
+  module App
+    class AuthorizedKeysPermissionCheck < SystemCheck::BaseCheck
+      set_name 'Is authorized keys file accessible?'
+      set_skip_reason 'skipped (authorized keys not enabled)'
+      def skip?
+        !authorized_keys_enabled?
+      end
+      def check?
+        authorized_keys.accessible?
+      end
+      def repair!
+        authorized_keys.create
+      end
+      def show_error
+        try_fixing_it([
+          "sudo chmod 700 #{File.dirname(authorized_keys.file)}",
+          "touch #{authorized_keys.file}",
+          "sudo chmod 600 #{authorized_keys.file}"
+        ])
+        fix_and_rerun
+      end
+      private
+      def authorized_keys_enabled?
+        Gitlab::CurrentSettings.current_application_settings.authorized_keys_enabled
+      end
+      def authorized_keys
+        @authorized_keys ||= Gitlab::AuthorizedKeys.new
+      end
+    end
+  end
+end
--- a/lib/system_check/rake_task/app_task.rb
+++ b/lib/system_check/rake_task/app_task.rb
@@ -30,7 +30,8 @@ module SystemCheck
          SystemCheck::App::RubyVersionCheck,
          SystemCheck::App::GitVersionCheck,
          SystemCheck::App::GitUserDefaultSSHConfigCheck,
-          SystemCheck::App::ActiveUsersCheck
+          SystemCheck::App::ActiveUsersCheck,
+          SystemCheck::App::AuthorizedKeysPermissionCheck
        ]
      end
    end

--- a/spec/lib/gitlab/authorized_keys_spec.rb
+++ b/spec/lib/gitlab/authorized_keys_spec.rb
@@ -5,10 +5,81 @@ require 'spec_helper'
 describe Gitlab::AuthorizedKeys do
  let(:logger) { double('logger').as_null_object }
-  subject { described_class.new(logger) }
+  subject(:authorized_keys) { described_class.new(logger) }
+  describe '#accessible?' do
+    subject { authorized_keys.accessible? }
+    context 'authorized_keys file exists' do
+      before do
+        create_authorized_keys_fixture
+      end
+      after do
+        delete_authorized_keys_file
+      end
+      context 'can open file' do
+        it { is_expected.to be_truthy }
+      end
+      context 'cannot open file' do
+        before do
+          allow(File).to receive(:open).and_raise(Errno::EACCES)
+        end
+        it { is_expected.to be_falsey }
+      end
+    end
+    context 'authorized_keys file does not exist' do
+      it { is_expected.to be_falsey }
+    end
+  end
+  describe '#create' do
+    subject { authorized_keys.create }
+    context 'authorized_keys file exists' do
+      before do
+        create_authorized_keys_fixture
+      end
+      after do
+        delete_authorized_keys_file
+      end
+      it { is_expected.to be_truthy }
+    end
+    context 'authorized_keys file does not exist' do
+      after do
+        delete_authorized_keys_file
+      end
+      it 'creates authorized_keys file' do
+        expect(subject).to be_truthy
+        expect(File.exist?(tmp_authorized_keys_path)).to be_truthy
+      end
+    end
+    context 'cannot create file' do
+      before do
+        allow(File).to receive(:open).and_raise(Errno::EACCES)
+      end
+      it { is_expected.to be_falsey }
+    end
+  end
  describe '#add_key' do
+    let(:id) { 'key-741' }
+    subject { authorized_keys.add_key(id, key) }
    context 'authorized_keys file exists' do
+      let(:key) { 'ssh-rsa AAAAB3NzaDAxx2E trailing garbage' }
      before do
        create_authorized_keys_fixture
      end
@@ -21,19 +92,20 @@ describe Gitlab::AuthorizedKeys do
        auth_line = "command=\"#{Gitlab.config.gitlab_shell.path}/bin/gitlab-shell key-741\",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaDAxx2E"
        expect(logger).to receive(:info).with('Adding key (key-741): ssh-rsa AAAAB3NzaDAxx2E')
-        expect(subject.add_key('key-741', 'ssh-rsa AAAAB3NzaDAxx2E trailing garbage'))
+        expect(subject).to be_truthy
-          .to be_truthy
        expect(File.read(tmp_authorized_keys_path)).to eq("existing content\n#{auth_line}\n")
      end
    end
    context 'authorized_keys file does not exist' do
+      let(:key) { 'ssh-rsa AAAAB3NzaDAxx2E' }
      before do
        delete_authorized_keys_file
      end
      it 'creates the file' do
-        expect(subject.add_key('key-741', 'ssh-rsa AAAAB3NzaDAxx2E')).to be_truthy
+        expect(subject).to be_truthy
        expect(File.exist?(tmp_authorized_keys_path)).to be_truthy
      end
    end
@@ -47,6 +119,8 @@ describe Gitlab::AuthorizedKeys do
      ]
    end
+    subject { authorized_keys.batch_add_keys(keys) }
    context 'authorized_keys file exists' do
      before do
        create_authorized_keys_fixture
@@ -62,7 +136,7 @@ describe Gitlab::AuthorizedKeys do
        expect(logger).to receive(:info).with('Adding key (key-12): ssh-dsa ASDFASGADG')
        expect(logger).to receive(:info).with('Adding key (key-123): ssh-rsa GFDGDFSGSDFG')
-        expect(subject.batch_add_keys(keys)).to be_truthy
+        expect(subject).to be_truthy
        expect(File.read(tmp_authorized_keys_path)).to eq("existing content\n#{auth_line1}\n#{auth_line2}\n")
      end
@@ -70,7 +144,7 @@ describe Gitlab::AuthorizedKeys do
        let(:keys) { [double(shell_id: 'key-123', key: "ssh-rsa A\tSDFA\nSGADG")] }
        it "doesn't add keys" do
-          expect(subject.batch_add_keys(keys)).to be_falsey
+          expect(subject).to be_falsey
          expect(File.read(tmp_authorized_keys_path)).to eq("existing content\n")
        end
      end
@@ -82,16 +156,28 @@ describe Gitlab::AuthorizedKeys do
      end
      it 'creates the file' do
-        expect(subject.batch_add_keys(keys)).to be_truthy
+        expect(subject).to be_truthy
        expect(File.exist?(tmp_authorized_keys_path)).to be_truthy
      end
    end
  end
  describe '#rm_key' do
+    let(:key) { 'key-741' }
+    subject { authorized_keys.rm_key(key) }
    context 'authorized_keys file exists' do
+      let(:other_line) { "command=\"#{Gitlab.config.gitlab_shell.path}/bin/gitlab-shell key-742\",options ssh-rsa AAAAB3NzaDAxx2E" }
+      let(:delete_line) { "command=\"#{Gitlab.config.gitlab_shell.path}/bin/gitlab-shell key-741\",options ssh-rsa AAAAB3NzaDAxx2E" }
      before do
        create_authorized_keys_fixture
+        File.open(tmp_authorized_keys_path, 'a') do |auth_file|
+          auth_file.puts delete_line
+          auth_file.puts other_line
+        end
      end
      after do
@@ -99,16 +185,10 @@ describe Gitlab::AuthorizedKeys do
      end
      it "removes the right line" do
-        other_line = "command=\"#{Gitlab.config.gitlab_shell.path}/bin/gitlab-shell key-742\",options ssh-rsa AAAAB3NzaDAxx2E"
-        delete_line = "command=\"#{Gitlab.config.gitlab_shell.path}/bin/gitlab-shell key-741\",options ssh-rsa AAAAB3NzaDAxx2E"
        erased_line = delete_line.gsub(/./, '#')
-        File.open(tmp_authorized_keys_path, 'a') do |auth_file|
-          auth_file.puts delete_line
-          auth_file.puts other_line
-        end
        expect(logger).to receive(:info).with('Removing key (key-741)')
-        expect(subject.rm_key('key-741')).to be_truthy
+        expect(subject).to be_truthy
        expect(File.read(tmp_authorized_keys_path)).to eq("existing content\n#{erased_line}\n#{other_line}\n")
      end
    end
@@ -118,13 +198,13 @@ describe Gitlab::AuthorizedKeys do
        delete_authorized_keys_file
      end
-      it 'returns false' do
+      it { is_expected.to be_falsey }
-        expect(subject.rm_key('key-741')).to be_falsey
-      end
    end
  end
  describe '#clear' do
+    subject { authorized_keys.clear }
    context 'authorized_keys file exists' do
      before do
        create_authorized_keys_fixture
@@ -134,9 +214,7 @@ describe Gitlab::AuthorizedKeys do
        delete_authorized_keys_file
      end
-      it "returns true" do
+      it { is_expected.to be_truthy }
-        expect(subject.clear).to be_truthy
-      end
    end
    context 'authorized_keys file does not exist' do
@@ -144,13 +222,13 @@ describe Gitlab::AuthorizedKeys do
        delete_authorized_keys_file
      end
-      it "still returns true" do
+      it { is_expected.to be_truthy }
-        expect(subject.clear).to be_truthy
-      end
    end
  end
  describe '#list_key_ids' do
+    subject { authorized_keys.list_key_ids }
    context 'authorized_keys file exists' do
      before do
        create_authorized_keys_fixture(
@@ -163,9 +241,7 @@ describe Gitlab::AuthorizedKeys do
        delete_authorized_keys_file
      end
-      it 'returns array of key IDs' do
+      it { is_expected.to eq([1, 2, 3, 9000]) }
-        expect(subject.list_key_ids).to eq([1, 2, 3, 9000])
-      end
    end
    context 'authorized_keys file does not exist' do
@@ -173,9 +249,7 @@ describe Gitlab::AuthorizedKeys do
        delete_authorized_keys_file
      end
-      it 'returns an empty array' do
+      it { is_expected.to be_empty }
-        expect(subject.list_key_ids).to be_empty
-      end
    end
  end

--- a/spec/lib/gitlab/shell_spec.rb
+++ b/spec/lib/gitlab/shell_spec.rb
@@ -52,29 +52,6 @@ describe Gitlab::Shell do
  describe '#add_key' do
    context 'when authorized_keys_enabled is true' do
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          allow(gitlab_shell)
-            .to receive(:gitlab_shell_keys_path)
-            .and_return(:gitlab_shell_keys_path)
-        end
-        it 'calls #gitlab_shell_fast_execute with add-key command' do
-          expect(gitlab_shell)
-            .to receive(:gitlab_shell_fast_execute)
-            .with([
-              :gitlab_shell_keys_path,
-              'add-key',
-              'key-123',
-              'ssh-rsa foobar'
-            ])
-          gitlab_shell.add_key('key-123', 'ssh-rsa foobar trailing garbage')
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'calls Gitlab::AuthorizedKeys#add_key with id and key' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
@@ -85,62 +62,24 @@ describe Gitlab::Shell do
        gitlab_shell.add_key('key-123', 'ssh-rsa foobar')
      end
    end
-    end
    context 'when authorized_keys_enabled is false' do
      before do
        stub_application_setting(authorized_keys_enabled: false)
      end
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-        end
-        it 'does nothing' do
-          expect(gitlab_shell).not_to receive(:gitlab_shell_fast_execute)
-          gitlab_shell.add_key('key-123', 'ssh-rsa foobar trailing garbage')
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'does nothing' do
        expect(Gitlab::AuthorizedKeys).not_to receive(:new)
        gitlab_shell.add_key('key-123', 'ssh-rsa foobar trailing garbage')
      end
    end
-    end
    context 'when authorized_keys_enabled is nil' do
      before do
        stub_application_setting(authorized_keys_enabled: nil)
      end
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          allow(gitlab_shell)
-            .to receive(:gitlab_shell_keys_path)
-            .and_return(:gitlab_shell_keys_path)
-        end
-        it 'calls #gitlab_shell_fast_execute with add-key command' do
-          expect(gitlab_shell)
-            .to receive(:gitlab_shell_fast_execute)
-            .with([
-              :gitlab_shell_keys_path,
-              'add-key',
-              'key-123',
-              'ssh-rsa foobar'
-            ])
-          gitlab_shell.add_key('key-123', 'ssh-rsa foobar trailing garbage')
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'calls Gitlab::AuthorizedKeys#add_key with id and key' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
@@ -152,47 +91,11 @@ describe Gitlab::Shell do
      end
    end
  end
-  end
  describe '#batch_add_keys' do
    let(:keys) { [double(shell_id: 'key-123', key: 'ssh-rsa foobar')] }
    context 'when authorized_keys_enabled is true' do
-      context 'authorized_keys_file not set' do
-        let(:io) { double }
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-        end
-        context 'valid keys' do
-          before do
-            allow(gitlab_shell)
-              .to receive(:gitlab_shell_keys_path)
-              .and_return(:gitlab_shell_keys_path)
-          end
-          it 'calls gitlab-keys with batch-add-keys command' do
-            expect(IO)
-              .to receive(:popen)
-              .with("gitlab_shell_keys_path batch-add-keys", 'w')
-              .and_yield(io)
-            expect(io).to receive(:puts).with("key-123\tssh-rsa foobar")
-            expect(gitlab_shell.batch_add_keys(keys)).to be_truthy
-          end
-        end
-        context 'invalid keys' do
-          let(:keys) { [double(shell_id: 'key-123', key: "ssh-rsa A\tSDFA\nSGADG")] }
-          it 'catches failure and returns false' do
-            expect(gitlab_shell.batch_add_keys(keys)).to be_falsey
-          end
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'calls Gitlab::AuthorizedKeys#batch_add_keys with keys to be added' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
@@ -203,62 +106,24 @@ describe Gitlab::Shell do
        gitlab_shell.batch_add_keys(keys)
      end
    end
-    end
    context 'when authorized_keys_enabled is false' do
      before do
        stub_application_setting(authorized_keys_enabled: false)
      end
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-        end
-        it 'does nothing' do
-          expect(IO).not_to receive(:popen)
-          gitlab_shell.batch_add_keys(keys)
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'does nothing' do
        expect(Gitlab::AuthorizedKeys).not_to receive(:new)
        gitlab_shell.batch_add_keys(keys)
      end
    end
-    end
    context 'when authorized_keys_enabled is nil' do
      before do
        stub_application_setting(authorized_keys_enabled: nil)
      end
-      context 'authorized_keys_file not set' do
-        let(:io) { double }
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          allow(gitlab_shell)
-            .to receive(:gitlab_shell_keys_path)
-            .and_return(:gitlab_shell_keys_path)
-        end
-        it 'calls gitlab-keys with batch-add-keys command' do
-          expect(IO)
-            .to receive(:popen)
-            .with("gitlab_shell_keys_path batch-add-keys", 'w')
-            .and_yield(io)
-          expect(io).to receive(:puts).with("key-123\tssh-rsa foobar")
-          gitlab_shell.batch_add_keys(keys)
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'calls Gitlab::AuthorizedKeys#batch_add_keys with keys to be added' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
@@ -270,32 +135,9 @@ describe Gitlab::Shell do
      end
    end
  end
-  end
  describe '#remove_key' do
    context 'when authorized_keys_enabled is true' do
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          allow(gitlab_shell)
-            .to receive(:gitlab_shell_keys_path)
-            .and_return(:gitlab_shell_keys_path)
-        end
-        it 'calls #gitlab_shell_fast_execute with rm-key command' do
-          expect(gitlab_shell)
-            .to receive(:gitlab_shell_fast_execute)
-            .with([
-              :gitlab_shell_keys_path,
-              'rm-key',
-              'key-123'
-            ])
-          gitlab_shell.remove_key('key-123')
-        end
-      end
-      context 'authorized_keys_file not set' do
      it 'calls Gitlab::AuthorizedKeys#rm_key with the key to be removed' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
        expect(gitlab_authorized_keys).to receive(:rm_key).with('key-123')
@@ -303,61 +145,24 @@ describe Gitlab::Shell do
        gitlab_shell.remove_key('key-123')
      end
    end
-    end
    context 'when authorized_keys_enabled is false' do
      before do
        stub_application_setting(authorized_keys_enabled: false)
      end
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-        end
-        it 'does nothing' do
-          expect(gitlab_shell).not_to receive(:gitlab_shell_fast_execute)
-          gitlab_shell.remove_key('key-123')
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'does nothing' do
        expect(Gitlab::AuthorizedKeys).not_to receive(:new)
        gitlab_shell.remove_key('key-123')
      end
    end
-    end
    context 'when authorized_keys_enabled is nil' do
      before do
        stub_application_setting(authorized_keys_enabled: nil)
      end
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          allow(gitlab_shell)
-            .to receive(:gitlab_shell_keys_path)
-            .and_return(:gitlab_shell_keys_path)
-        end
-        it 'calls #gitlab_shell_fast_execute with rm-key command' do
-          expect(gitlab_shell)
-            .to receive(:gitlab_shell_fast_execute)
-            .with([
-              :gitlab_shell_keys_path,
-              'rm-key',
-              'key-123'
-            ])
-          gitlab_shell.remove_key('key-123')
-        end
-      end
-      context 'authorized_keys_file not set' do
      it 'calls Gitlab::AuthorizedKeys#rm_key with the key to be removed' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
        expect(gitlab_authorized_keys).to receive(:rm_key).with('key-123')
@@ -366,28 +171,9 @@ describe Gitlab::Shell do
      end
    end
  end
-  end
  describe '#remove_all_keys' do
    context 'when authorized_keys_enabled is true' do
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          allow(gitlab_shell)
-            .to receive(:gitlab_shell_keys_path)
-            .and_return(:gitlab_shell_keys_path)
-        end
-        it 'calls #gitlab_shell_fast_execute with clear command' do
-          expect(gitlab_shell)
-            .to receive(:gitlab_shell_fast_execute)
-            .with([:gitlab_shell_keys_path, 'clear'])
-          gitlab_shell.remove_all_keys
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'calls Gitlab::AuthorizedKeys#clear' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
        expect(gitlab_authorized_keys).to receive(:clear)
@@ -395,57 +181,24 @@ describe Gitlab::Shell do
        gitlab_shell.remove_all_keys
      end
    end
-    end
    context 'when authorized_keys_enabled is false' do
      before do
        stub_application_setting(authorized_keys_enabled: false)
      end
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-        end
-        it 'does nothing' do
-          expect(gitlab_shell).not_to receive(:gitlab_shell_fast_execute)
-          gitlab_shell.remove_all_keys
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'does nothing' do
        expect(Gitlab::AuthorizedKeys).not_to receive(:new)
        gitlab_shell.remove_all_keys
      end
    end
-    end
    context 'when authorized_keys_enabled is nil' do
      before do
        stub_application_setting(authorized_keys_enabled: nil)
      end
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          allow(gitlab_shell)
-            .to receive(:gitlab_shell_keys_path)
-            .and_return(:gitlab_shell_keys_path)
-        end
-        it 'calls #gitlab_shell_fast_execute with clear command' do
-          expect(gitlab_shell)
-            .to receive(:gitlab_shell_fast_execute)
-            .with([:gitlab_shell_keys_path, 'clear'])
-          gitlab_shell.remove_all_keys
-        end
-      end
-      context 'authorized_keys_file set' do
      it 'calls Gitlab::AuthorizedKeys#clear' do
        expect(Gitlab::AuthorizedKeys).to receive(:new).and_return(gitlab_authorized_keys)
        expect(gitlab_authorized_keys).to receive(:clear)
@@ -454,29 +207,9 @@ describe Gitlab::Shell do
      end
    end
  end
-  end
  describe '#remove_keys_not_found_in_db' do
    context 'when keys are in the file that are not in the DB' do
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          gitlab_shell.remove_all_keys
-          gitlab_shell.add_key('key-1234', 'ssh-rsa ASDFASDF')
-          gitlab_shell.add_key('key-9876', 'ssh-rsa ASDFASDF')
-          @another_key = create(:key) # this one IS in the DB
-        end
-        it 'removes the keys' do
-          expect(gitlab_shell).to receive(:remove_key).with('key-1234')
-          expect(gitlab_shell).to receive(:remove_key).with('key-9876')
-          expect(gitlab_shell).not_to receive(:remove_key).with("key-#{@another_key.id}")
-          gitlab_shell.remove_keys_not_found_in_db
-        end
-      end
-      context 'authorized_keys_file set' do
      before do
        gitlab_shell.remove_all_keys
        gitlab_shell.add_key('key-1234', 'ssh-rsa ASDFASDF')
@@ -492,25 +225,8 @@ describe Gitlab::Shell do
        gitlab_shell.remove_keys_not_found_in_db
      end
    end
-    end
    context 'when keys there are duplicate keys in the file that are not in the DB' do
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          gitlab_shell.remove_all_keys
-          gitlab_shell.add_key('key-1234', 'ssh-rsa ASDFASDF')
-          gitlab_shell.add_key('key-1234', 'ssh-rsa ASDFASDF')
-        end
-        it 'removes the keys' do
-          expect(gitlab_shell).to receive(:remove_key).with('key-1234')
-          gitlab_shell.remove_keys_not_found_in_db
-        end
-      end
-      context 'authorized_keys_file set' do
      before do
        gitlab_shell.remove_all_keys
        gitlab_shell.add_key('key-1234', 'ssh-rsa ASDFASDF')
@@ -523,25 +239,8 @@ describe Gitlab::Shell do
        gitlab_shell.remove_keys_not_found_in_db
      end
    end
-    end
    context 'when keys there are duplicate keys in the file that ARE in the DB' do
-      context 'authorized_keys_file not set' do
-        before do
-          stub_gitlab_shell_setting(authorized_keys_file: nil)
-          gitlab_shell.remove_all_keys
-          @key = create(:key)
-          gitlab_shell.add_key(@key.shell_id, @key.key)
-        end
-        it 'does not remove the key' do
-          expect(gitlab_shell).not_to receive(:remove_key).with("key-#{@key.id}")
-          gitlab_shell.remove_keys_not_found_in_db
-        end
-      end
-      context 'authorized_keys_file set' do
      before do
        gitlab_shell.remove_all_keys
        @key = create(:key)
@@ -554,26 +253,9 @@ describe Gitlab::Shell do
        gitlab_shell.remove_keys_not_found_in_db
      end
    end
-    end
    unless ENV['CI'] # Skip in CI, it takes 1 minute
      context 'when the first batch can be skipped, but the next batch has keys that are not in the DB' do
-        context 'authorized_keys_file not set' do
-          before do
-            stub_gitlab_shell_setting(authorized_keys_file: nil)
-            gitlab_shell.remove_all_keys
-            100.times { |i| create(:key) } # first batch is all in the DB
-            gitlab_shell.add_key('key-1234', 'ssh-rsa ASDFASDF')
-          end
-          it 'removes the keys not in the DB' do
-            expect(gitlab_shell).to receive(:remove_key).with('key-1234')
-            gitlab_shell.remove_keys_not_found_in_db
-          end
-        end
-        context 'authorized_keys_file set' do
        before do
          gitlab_shell.remove_all_keys
          100.times { |i| create(:key) } # first batch is all in the DB
@@ -588,7 +270,6 @@ describe Gitlab::Shell do
      end
    end
  end
-  end
  describe 'projects commands' do
    let(:gitlab_shell_path) { File.expand_path('tmp/tests/gitlab-shell') }

--- a/spec/lib/system_check/app/authorized_keys_permission_check_spec.rb
+++ b/spec/lib/system_check/app/authorized_keys_permission_check_spec.rb
+# frozen_string_literal: true
+require 'spec_helper'
+describe SystemCheck::App::AuthorizedKeysPermissionCheck do
+  subject(:system_check) { described_class.new }
+  describe '#skip?' do
+    subject { system_check.skip? }
+    context 'authorized keys enabled' do
+      it { is_expected.to eq(false) }
+    end
+    context 'authorized keys not enabled' do
+      before do
+        stub_application_setting(authorized_keys_enabled: false)
+      end
+      it { is_expected.to eq(true) }
+    end
+  end
+  describe '#check?' do
+    subject { system_check.check? }
+    before do
+      expect_next_instance_of(Gitlab::AuthorizedKeys) do |instance|
+        allow(instance).to receive(:accessible?) { accessible? }
+      end
+    end
+    context 'authorized keys is accessible' do
+      let(:accessible?) { true }
+      it { is_expected.to eq(true) }
+    end
+    context 'authorized keys is not accessible' do
+      let(:accessible?) { false }
+      it { is_expected.to eq(false) }
+    end
+  end
+  describe '#repair!' do
+    subject { system_check.repair! }
+    before do
+      expect_next_instance_of(Gitlab::AuthorizedKeys) do |instance|
+        allow(instance).to receive(:create) { created }
+      end
+    end
+    context 'authorized_keys file created' do
+      let(:created) { true }
+      it { is_expected.to eq(true) }
+    end
+    context 'authorized_keys file is not created' do
+      let(:created) { false }
+      it { is_expected.to eq(false) }
+    end
+  end
+end