Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
5a0c0e15
Commit
5a0c0e15
authored
Aug 28, 2017
by
Nick Thomas
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Address review comments
parent
d40a7d41
Changes
16
Show whitespace changes
Inline
Side-by-side
Showing
16 changed files
with
75 additions
and
49 deletions
+75
-49
app/helpers/form_helper.rb
app/helpers/form_helper.rb
+2
-3
app/models/application_setting.rb
app/models/application_setting.rb
+5
-10
app/models/key.rb
app/models/key.rb
+0
-1
app/validators/key_restriction_validator.rb
app/validators/key_restriction_validator.rb
+29
-0
app/views/profiles/keys/_key.html.haml
app/views/profiles/keys/_key.html.haml
+2
-2
app/views/profiles/keys/_key_details.html.haml
app/views/profiles/keys/_key_details.html.haml
+1
-1
changelogs/unreleased/17849-allow-admin-to-restrict-min-key-length-and-techno.yml
...849-allow-admin-to-restrict-min-key-length-and-techno.yml
+1
-1
db/migrate/20161020180657_add_minimum_key_length_to_application_settings.rb
...0180657_add_minimum_key_length_to_application_settings.rb
+4
-3
doc/security/README.md
doc/security/README.md
+1
-1
doc/security/img/ssh_keys_restrictions_settings.png
doc/security/img/ssh_keys_restrictions_settings.png
+0
-0
doc/security/ssh_keys_restrictions.md
doc/security/ssh_keys_restrictions.md
+4
-3
lib/api/settings.rb
lib/api/settings.rb
+1
-1
lib/gitlab/git_access.rb
lib/gitlab/git_access.rb
+1
-1
lib/gitlab/ssh_public_key.rb
lib/gitlab/ssh_public_key.rb
+6
-9
spec/lib/gitlab/git_access_spec.rb
spec/lib/gitlab/git_access_spec.rb
+8
-12
spec/models/application_setting_spec.rb
spec/models/application_setting_spec.rb
+10
-1
No files found.
app/helpers/form_helper.rb
View file @
5a0c0e15
module
FormHelper
prepend
::
EE
::
FormHelper
def
form_errors
(
model
,
headline
=
'The form contains the following
'
)
def
form_errors
(
model
,
type:
'form
'
)
return
unless
model
.
errors
.
any?
pluralized
=
'error'
.
pluralize
(
model
.
errors
.
count
)
headline
=
headline
+
' '
+
pluralized
+
':'
headline
=
"The
#{
type
}
contains the following
#{
pluralized
}
:"
content_tag
(
:div
,
class:
'alert alert-danger'
,
id:
'error_explanation'
)
do
content_tag
(
:h4
,
headline
)
<<
...
...
app/models/application_setting.rb
View file @
5a0c0e15
...
...
@@ -16,13 +16,9 @@ class ApplicationSetting < ActiveRecord::Base
# Setting a key restriction to `-1` means that all keys of this type are
# forbidden.
FORBIDDEN_KEY_VALUE
=
-
1
FORBIDDEN_KEY_VALUE
=
KeyRestrictionValidator
::
FORBIDDEN
SUPPORTED_KEY_TYPES
=
%i[rsa dsa ecdsa ed25519]
.
freeze
def
self
.
supported_key_restrictions
(
type
)
[
0
,
*
Gitlab
::
SSHPublicKey
.
supported_sizes
(
type
),
FORBIDDEN_KEY_VALUE
]
end
serialize
:restricted_visibility_levels
# rubocop:disable Cop/ActiveRecordSerialize
serialize
:import_sources
# rubocop:disable Cop/ActiveRecordSerialize
serialize
:disabled_oauth_sign_in_sources
,
Array
# rubocop:disable Cop/ActiveRecordSerialize
...
...
@@ -169,11 +165,11 @@ class ApplicationSetting < ActiveRecord::Base
numericality:
{
greater_than_or_equal_to:
0
}
SUPPORTED_KEY_TYPES
.
each
do
|
type
|
validates
:"
#{
type
}
_key_restriction"
,
presence:
true
,
inclusion:
{
in:
ApplicationSetting
.
supported_key_restrictions
(
type
)
}
validates
:"
#{
type
}
_key_restriction"
,
presence:
true
,
key_restriction:
{
type:
type
}
end
validates
:allowed_key_types
,
presence:
true
validates_each
:restricted_visibility_levels
do
|
record
,
attr
,
value
|
value
&
.
each
do
|
level
|
unless
Gitlab
::
VisibilityLevel
.
options
.
value?
(
level
)
...
...
@@ -489,8 +485,7 @@ class ApplicationSetting < ActiveRecord::Base
def
key_restriction_for
(
type
)
attr_name
=
"
#{
type
}
_key_restriction"
# rubocop:disable GitlabSecurity/PublicSend
has_attribute?
(
attr_name
)
?
public_send
(
attr_name
)
:
FORBIDDEN_KEY_VALUE
has_attribute?
(
attr_name
)
?
public_send
(
attr_name
)
:
FORBIDDEN_KEY_VALUE
# rubocop:disable GitlabSecurity/PublicSend
end
private
...
...
app/models/key.rb
View file @
5a0c0e15
require
'digest/md5'
class
Key
<
ActiveRecord
::
Base
include
AfterCommitQueue
include
Gitlab
::
CurrentSettings
include
Sortable
...
...
app/validators/key_restriction_validator.rb
0 → 100644
View file @
5a0c0e15
class
KeyRestrictionValidator
<
ActiveModel
::
EachValidator
FORBIDDEN
=
-
1
def
self
.
supported_sizes
(
type
)
Gitlab
::
SSHPublicKey
.
supported_sizes
(
type
)
end
def
self
.
supported_key_restrictions
(
type
)
[
0
,
*
supported_sizes
(
type
),
FORBIDDEN
]
end
def
validate_each
(
record
,
attribute
,
value
)
unless
valid_restriction?
(
value
)
record
.
errors
.
add
(
attribute
,
"must be forbidden, allowed, or one of these sizes:
#{
supported_sizes_message
}
"
)
end
end
private
def
supported_sizes_message
sizes
=
self
.
class
.
supported_sizes
(
options
[
:type
])
sizes
.
to_sentence
(
last_word_connector:
', or '
,
two_words_connector:
' or '
)
end
def
valid_restriction?
(
value
)
choices
=
self
.
class
.
supported_key_restrictions
(
options
[
:type
])
choices
.
include?
(
value
)
end
end
app/views/profiles/keys/_key.html.haml
View file @
5a0c0e15
...
...
@@ -3,8 +3,8 @@
-
if
key
.
valid?
=
icon
'key'
,
class:
'settings-list-icon hidden-xs'
-
else
=
icon
'exclamation-triangle'
,
class:
'settings-list-icon hidden-xs'
,
title:
'The key is disabled because it is invalid'
=
icon
'exclamation-triangle'
,
class:
'settings-list-icon hidden-xs
has-tooltip
'
,
title:
key
.
errors
.
full_messages
.
join
(
', '
)
.key-list-item-info
...
...
app/views/profiles/keys/_key_details.html.haml
View file @
5a0c0e15
...
...
@@ -16,7 +16,7 @@
%strong
=
@key
.
last_used_at
.
try
(
:to_s
,
:medium
)
||
'N/A'
.col-md-8
=
form_errors
(
@key
,
'The key has the following
'
)
unless
@key
.
valid?
=
form_errors
(
@key
,
type:
'key
'
)
unless
@key
.
valid?
%p
%span
.light
Fingerprint:
%code
.key-fingerprint
=
@key
.
fingerprint
...
...
changelogs/unreleased/17849-allow-admin-to-restrict-min-key-length-and-techno.yml
View file @
5a0c0e15
---
title
:
Add settings for minimum key strength and allowed key type
title
:
Add settings for minimum
SSH
key strength and allowed key type
merge_request
:
13712
author
:
Cory Hinshaw
type
:
added
db/migrate/20161020180657_add_minimum_key_length_to_application_settings.rb
View file @
5a0c0e15
...
...
@@ -7,12 +7,13 @@ class AddMinimumKeyLengthToApplicationSettings < ActiveRecord::Migration
disable_ddl_transaction!
def
up
# A key restriction has t
wo
possible states:
# A key restriction has t
hese
possible states:
#
# * -1 means "this key type is completely disabled"
# * >= 0 means "keys must have at least this many bits to be valid"
# * 0 means "all keys of this type are valid"
# * > 0 means "keys must have at least this many bits to be valid"
#
#
A value of 0 is equivalent to "there are no restrictions on keys of this type"
#
The default is 0, for backward compatibility
add_column_with_default
:application_settings
,
:rsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:dsa_key_restriction
,
:integer
,
default:
0
add_column_with_default
:application_settings
,
:ecdsa_key_restriction
,
:integer
,
default:
0
...
...
doc/security/README.md
View file @
5a0c0e15
# Security
-
[
Password length limits
](
password_length_limits.md
)
-
[
Restrict
allowed
SSH key technologies and minimum length
](
ssh_keys_restrictions.md
)
-
[
Restrict SSH key technologies and minimum length
](
ssh_keys_restrictions.md
)
-
[
Rack attack
](
rack_attack.md
)
-
[
Webhooks and insecure internal web services
](
webhooks.md
)
-
[
Information exclusivity
](
information_exclusivity.md
)
...
...
doc/security/img/ssh_keys_restrictions_settings.png
View replaced file @
d40a7d41
View file @
5a0c0e15
13.4 KB
|
W:
|
H:
66.9 KB
|
W:
|
H:
2-up
Swipe
Onion skin
doc/security/ssh_keys_restrictions.md
View file @
5a0c0e15
...
...
@@ -2,12 +2,13 @@
`ssh-keygen`
allows users to create RSA keys with as few as 768 bits, which
falls well below recommendations from certain standards groups (such as the US
NIST). Some organizations deploying Git
l
ab will need to enforce minimum key
NIST). Some organizations deploying Git
L
ab will need to enforce minimum key
strength, either to satisfy internal security policy or for regulatory
compliance.
Similarly, certain standards groups recommend using RSA or ECDSA over the older
DSA and administrators may need to limit the allowed SSH key algorithms.
Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over
the older DSA, and administrators may need to limit the allowed SSH key
algorithms.
GitLab allows you to restrict the allowed SSH key technology as well as specify
the minimum key length for each technology.
...
...
lib/api/settings.rb
View file @
5a0c0e15
...
...
@@ -125,7 +125,7 @@ module API
ApplicationSetting
::
SUPPORTED_KEY_TYPES
.
each
do
|
type
|
optional
:"
#{
type
}
_key_restriction"
,
type:
Integer
,
values:
ApplicationSetting
.
supported_key_restrictions
(
type
),
values:
KeyRestrictionValidator
.
supported_key_restrictions
(
type
),
desc:
"Restrictions on the complexity of uploaded
#{
type
.
upcase
}
keys. A value of
#{
ApplicationSetting
::
FORBIDDEN_KEY_VALUE
}
disables all
#{
type
.
upcase
}
keys."
end
...
...
lib/gitlab/git_access.rb
View file @
5a0c0e15
...
...
@@ -37,8 +37,8 @@ module Gitlab
end
def
check
(
cmd
,
changes
)
check_valid_actor!
check_protocol!
check_valid_actor!
check_active_user!
check_project_accessibility!
check_project_moved!
...
...
lib/gitlab/ssh_public_key.rb
View file @
5a0c0e15
...
...
@@ -13,6 +13,10 @@ module Gitlab
Technologies
.
find
{
|
tech
|
tech
.
name
.
to_s
==
name
.
to_s
}
end
def
self
.
technology_for_key
(
key
)
Technologies
.
find
{
|
tech
|
key
.
is_a?
(
tech
.
key_class
)
}
end
def
self
.
supported_sizes
(
name
)
technology
(
name
)
&
.
supported_sizes
end
...
...
@@ -37,9 +41,7 @@ module Gitlab
end
def
type
return
unless
valid?
technology
.
name
technology
.
name
if
valid?
end
def
bits
...
...
@@ -63,12 +65,7 @@ module Gitlab
def
technology
@technology
||=
begin
tech
=
Technologies
.
find
{
|
tech
|
key
.
is_a?
(
tech
.
key_class
)
}
raise
"Unsupported key type:
#{
key
.
class
}
"
unless
tech
tech
end
self
.
class
.
technology_for_key
(
key
)
||
raise
(
"Unsupported key type:
#{
key
.
class
}
"
)
end
end
end
spec/lib/gitlab/git_access_spec.rb
View file @
5a0c0e15
...
...
@@ -165,29 +165,25 @@ describe Gitlab::GitAccess do
stub_application_setting
(
rsa_key_restriction:
4096
)
end
it
'does not allow keys which are too small'
do
aggregate_failures
do
it
'does not allow keys which are too small'
,
aggregate_failures:
true
do
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
'Your SSH key must be at least 4096 bits.'
)
end
end
end
context
'key type is not allowed'
do
before
do
stub_application_setting
(
rsa_key_restriction:
ApplicationSetting
::
FORBIDDEN_KEY_VALUE
)
end
it
'does not allow keys which are too small'
do
aggregate_failures
do
it
'does not allow keys which are too small'
,
aggregate_failures:
true
do
expect
(
actor
).
not_to
be_valid
expect
{
pull_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
expect
{
push_access_check
}.
to
raise_unauthorized
(
/Your SSH key type is forbidden/
)
end
end
end
end
it_behaves_like
'#check with a key that is not valid'
do
let
(
:actor
)
{
build
(
:rsa_key_2048
,
user:
user
)
}
...
...
spec/models/application_setting_spec.rb
View file @
5a0c0e15
...
...
@@ -77,6 +77,15 @@ describe ApplicationSetting do
expect
(
described_class
::
SUPPORTED_KEY_TYPES
).
to
contain_exactly
(
:rsa
,
:dsa
,
:ecdsa
,
:ed25519
)
end
it
'does not allow all key types to be disabled'
do
described_class
::
SUPPORTED_KEY_TYPES
.
each
do
|
type
|
setting
[
"
#{
type
}
_key_restriction"
]
=
described_class
::
FORBIDDEN_KEY_VALUE
end
expect
(
setting
).
not_to
be_valid
expect
(
setting
.
errors
.
messages
).
to
have_key
(
:allowed_key_types
)
end
where
(
:type
)
do
described_class
::
SUPPORTED_KEY_TYPES
end
...
...
@@ -85,7 +94,7 @@ describe ApplicationSetting do
let
(
:field
)
{
:"
#{
type
}
_key_restriction"
}
it
{
is_expected
.
to
validate_presence_of
(
field
)
}
it
{
is_expected
.
to
allow_value
(
*
described_class
.
supported_key_restrictions
(
type
)).
for
(
field
)
}
it
{
is_expected
.
to
allow_value
(
*
KeyRestrictionValidator
.
supported_key_restrictions
(
type
)).
for
(
field
)
}
it
{
is_expected
.
not_to
allow_value
(
128
).
for
(
field
)
}
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment