Use password type for all secret integration properties

Merge branch 'security-integrations-password-fields-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2409 Changelog: security

Use password type for all secret integration properties
Merge branch 'security-integrations-password-fields-14-10' into '14-10-stable-ee' See merge request gitlab-org/security/gitlab!2409 Changelog: security
c4e2f9c3 · Markus Koller · GitLab Release Tools Bot · 0a0775a3 · c4e2f9c3 · c4e2f9c3
Commit c4e2f9c3 authored Apr 29, 2022 by Markus Koller Committed by GitLab Release Tools Bot Apr 29, 2022
14 changed files
--- a/app/models/integrations/asana.rb
+++ b/app/models/integrations/asana.rb
@@ -27,10 +27,12 @@ module Integrations
    def fields
      [
        {
-          type: 'text',
+          type: 'password',
          name: 'api_key',
          title: 'API key',
          help: s_('AsanaService|User Personal Access Token. User must have access to the task. All comments are attributed to this user.'),
+          non_empty_password_title: s_('ProjectService|Enter new API key'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current API key.'),
          # Example Personal Access Token from Asana docs
          placeholder: '0/68a9e79b868c6789e79a124c30b0',
          required: true

--- a/app/models/integrations/assembla.rb
+++ b/app/models/integrations/assembla.rb
@@ -19,8 +19,19 @@ module Integrations

    def fields
      [
-        { type: 'text', name: 'token', placeholder: '', required: true },
-        { type: 'text', name: 'subdomain', placeholder: '' }
+        {
+          type: 'password',
+          name: 'token',
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: '',
+          required: true
+        },
+        {
+          type: 'text',
+          name: 'subdomain',
+          placeholder: ''
+        }
      ]
    end


--- a/app/models/integrations/bamboo.rb
+++ b/app/models/integrations/bamboo.rb
@@ -54,10 +54,12 @@ module Integrations
            required: true
          },
          {
-            type: 'text',
+            type: 'password',
            name: 'build_key',
-            placeholder: s_('KEY'),
            help: s_('BambooService|Bamboo build plan key.'),
+            non_empty_password_title: s_('BambooService|Enter new build key'),
+            non_empty_password_help: s_('BambooService|Leave blank to use your current build key.'),
+            placeholder: s_('KEY'),
            required: true
          },
          {

--- a/app/models/integrations/base_slash_commands.rb
+++ b/app/models/integrations/base_slash_commands.rb
@@ -26,7 +26,13 @@ module Integrations

    def fields
      [
-        { type: 'text', name: 'token', placeholder: 'XXxxXXxxXXxxXXxxXXxxXXxx' }
+        {
+          type: 'password',
+          name: 'token',
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: 'XXxxXXxxXXxxXXxxXXxxXXxx'
+        }
      ]
    end


--- a/app/models/integrations/buildkite.rb
+++ b/app/models/integrations/buildkite.rb
@@ -76,10 +76,12 @@ module Integrations

    def fields
      [
-        { type: 'text',
+        { type: 'password',
          name: 'token',
          title: _('Token'),
          help: s_('ProjectService|The token you get after you create a Buildkite pipeline with a GitLab repository.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
          required: true },

        { type: 'text',

--- a/app/models/integrations/campfire.rb
+++ b/app/models/integrations/campfire.rb
@@ -25,11 +25,13 @@ module Integrations
    def fields
      [
        {
-          type: 'text',
+          type: 'password',
          name: 'token',
          title: _('Campfire token'),
-          placeholder: '',
          help: s_('CampfireService|API authentication token from Campfire.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: '',
          required: true
        },
        {

--- a/app/models/integrations/drone_ci.rb
+++ b/app/models/integrations/drone_ci.rb
@@ -96,8 +96,21 @@ module Integrations

    def fields
      [
-        { type: 'text', name: 'token', help: s_('ProjectService|Token for the Drone project.'), required: true },
-        { type: 'text', name: 'drone_url', title: s_('ProjectService|Drone server URL'), placeholder: 'http://drone.example.com', required: true }
+        {
+          type: 'password',
+          name: 'token',
+          help: s_('ProjectService|Token for the Drone project.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          required: true
+        },
+        {
+          type: 'text',
+          name: 'drone_url',
+          title: s_('ProjectService|Drone server URL'),
+          placeholder: 'http://drone.example.com',
+          required: true
+        }
      ]
    end


--- a/app/models/integrations/flowdock.rb
+++ b/app/models/integrations/flowdock.rb
@@ -24,7 +24,15 @@ module Integrations

    def fields
      [
-        { type: 'text', name: 'token', placeholder: s_('FlowdockService|1b609b52537...'), required: true, help: 'Enter your Flowdock token.' }
+        {
+          type: 'password',
+          name: 'token',
+          help: s_('FlowdockService|Enter your Flowdock token.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
+          placeholder: '1b609b52537...',
+          required: true
+        }
      ]
    end


--- a/app/models/integrations/harbor.rb
+++ b/app/models/integrations/harbor.rb
@@ -64,11 +64,12 @@ module Integrations
          required: true
        },
        {
-          type: 'text',
+          type: 'password',
          name: 'password',
          title: s_('HarborIntegration|Harbor password'),
-          non_empty_password_title: s_('HarborIntegration|Enter Harbor password'),
-          non_empty_password_help: s_('HarborIntegration|Password for your Harbor username.'),
+          help: s_('HarborIntegration|Password for your Harbor username.'),
+          non_empty_password_title: s_('HarborIntegration|Enter new Harbor password'),
+          non_empty_password_help: s_('HarborIntegration|Leave blank to use your current password.'),
          required: true
        }
      ]

--- a/app/models/integrations/packagist.rb
+++ b/app/models/integrations/packagist.rb
@@ -36,10 +36,12 @@ module Integrations
          required: true
        },
        {
-          type: 'text',
+          type: 'password',
          name: 'token',
          title: _('Token'),
          help: s_('Enter your Packagist token.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
          placeholder: '',
          required: true
        },

--- a/app/models/integrations/pivotaltracker.rb
+++ b/app/models/integrations/pivotaltracker.rb
@@ -27,9 +27,11 @@ module Integrations
    def fields
      [
        {
-          type: 'text',
+          type: 'password',
          name: 'token',
          help: s_('PivotalTrackerService|Pivotal Tracker API token. User must have access to the story. All comments are attributed to this user.'),
+          non_empty_password_title: s_('ProjectService|Enter new token'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current token.'),
          required: true
        },
        {

--- a/app/models/integrations/pushover.rb
+++ b/app/models/integrations/pushover.rb
@@ -22,18 +22,22 @@ module Integrations
    def fields
      [
        {
-          type: 'text',
+          type: 'password',
          name: 'api_key',
          title: _('API key'),
          help: s_('PushoverService|Enter your application key.'),
+          non_empty_password_title: s_('ProjectService|Enter new API key'),
+          non_empty_password_help: s_('ProjectService|Leave blank to use your current API key.'),
          placeholder: '',
          required: true
        },
        {
-          type: 'text',
+          type: 'password',
          name: 'user_key',
          title: _('User key'),
          help: s_('PushoverService|Enter your user key.'),
+          non_empty_password_title: s_('PushoverService|Enter new user key'),
+          non_empty_password_help: s_('PushoverService|Leave blank to use your current user key.'),
          placeholder: '',
          required: true
        },

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -5614,6 +5614,12 @@ msgstr ""
 msgid "BambooService|Bamboo service root URL."
 msgstr ""

+msgid "BambooService|Enter new build key"
+msgstr ""
+
+msgid "BambooService|Leave blank to use your current build key."
+msgstr ""
+
 msgid "BambooService|Run CI/CD pipelines with Atlassian Bamboo."
 msgstr ""

@@ -16101,7 +16107,7 @@ msgstr ""
 msgid "FloC|Federated Learning of Cohorts"
 msgstr ""

-msgid "FlowdockService|1b609b52537..."
+msgid "FlowdockService|Enter your Flowdock token."
 msgstr ""

 msgid "FlowdockService|Send event notifications from GitLab to Flowdock flows."
@@ -18357,7 +18363,7 @@ msgstr ""
 msgid "HarborIntegration|Base URL of the Harbor instance."
 msgstr ""

-msgid "HarborIntegration|Enter Harbor password"
+msgid "HarborIntegration|Enter new Harbor password"
 msgstr ""

 msgid "HarborIntegration|Harbor URL"
@@ -18372,6 +18378,9 @@ msgstr ""
 msgid "HarborIntegration|Harbor username"
 msgstr ""

+msgid "HarborIntegration|Leave blank to use your current password."
+msgstr ""
+
 msgid "HarborIntegration|Password for your Harbor username."
 msgstr ""

@@ -29398,6 +29407,9 @@ msgstr ""
 msgid "ProjectService|Leave blank to use your current API key"
 msgstr ""

+msgid "ProjectService|Leave blank to use your current API key."
+msgstr ""
+
 msgid "ProjectService|Leave blank to use your current password"
 msgstr ""

@@ -30751,6 +30763,9 @@ msgstr ""
 msgid "PushoverService|%{user_name} pushed new branch \"%{ref}\"."
 msgstr ""

+msgid "PushoverService|Enter new user key"
+msgstr ""
+
 msgid "PushoverService|Enter your application key."
 msgstr ""

@@ -30766,6 +30781,9 @@ msgstr ""
 msgid "PushoverService|Leave blank for all active devices."
 msgstr ""

+msgid "PushoverService|Leave blank to use your current user key."
+msgstr ""
+
 msgid "PushoverService|Low priority"
 msgstr ""


--- a/spec/models/integrations/every_integration_spec.rb
+++ b/spec/models/integrations/every_integration_spec.rb
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe 'Every integration' do
+  all_integration_names = Integration.available_integration_names
+
+  all_integration_names.each do |integration_name|
+    describe integration_name do
+      let(:integration_class) { Integration.integration_name_to_model(integration_name) }
+      let(:integration) { integration_class.new }
+
+      context 'secret fields', :aggregate_failures do
+        it "uses type: 'password' for all secret fields" do
+          integration.fields.each do |field|
+            next unless Integrations::Field::SECRET_NAME.match?(field[:name])
+
+            expect(field[:type]).to eq('password'),
+              "Field '#{field[:name]}' should use type 'password'"
+          end
+        end
+
+        it 'defines non-empty titles and help texts for all secret fields' do
+          integration.fields.each do |field|
+            next unless field[:type] == 'password'
+
+            expect(field[:non_empty_password_title]).to be_present,
+              "Field '#{field[:name]}' should define :non_empty_password_title"
+            expect(field[:non_empty_password_help]).to be_present,
+              "Field '#{field[:name]}' should define :non_empty_password_help"
+          end
+        end
+      end
+    end
+  end
+end