Add Let's Encrypt application settings

Store Let's Encrypt account email in application settings Also add explicit terms of service consent

Add Let's Encrypt application settings
Store Let's Encrypt account email in application settings Also add explicit terms of service consent
db6989dd · Vladimir Shushlin · Stan Hu · 22ed1ba3 · db6989dd · db6989dd
Commit db6989dd authored Apr 27, 2019 by Vladimir Shushlin Committed by Stan Hu Apr 27, 2019
9 changed files
--- a/app/controllers/admin/application_settings_controller.rb
+++ b/app/controllers/admin/application_settings_controller.rb
@@ -127,6 +127,7 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
    [
      *::ApplicationSettingsHelper.visible_attributes,
      *::ApplicationSettingsHelper.external_authorization_service_attributes,
+      *lets_encrypt_visible_attributes,
      :domain_blacklist_file,
      disabled_oauth_sign_in_sources: [],
      import_sources: [],
@@ -134,4 +135,13 @@ class Admin::ApplicationSettingsController < Admin::ApplicationController
      restricted_visibility_levels: []
    ]
  end
+
+  def lets_encrypt_visible_attributes
+    return [] unless Feature.enabled?(:pages_auto_ssl)
+
+    [
+      :lets_encrypt_notification_email,
+      :lets_encrypt_terms_of_service_accepted
+    ]
+  end
 end
--- a/app/models/application_setting.rb
+++ b/app/models/application_setting.rb
@@ -229,6 +229,16 @@ class ApplicationSetting < ApplicationRecord
            presence: true,
            if: -> (setting) { setting.external_auth_client_cert.present? }

+  validates :lets_encrypt_notification_email,
+            devise_email: true,
+            format: { without: /@example\.(com|org|net)\z/,
+                      message: N_("Let's Encrypt does not accept emails on example.com") },
+            allow_blank: true
+
+  validates :lets_encrypt_notification_email,
+            presence: true,
+            if: :lets_encrypt_terms_of_service_accepted?
+
  validates_with X509CertificateCredentialsValidator,
                 certificate: :external_auth_client_cert,
                 pkey: :external_auth_client_key,

--- a/app/views/admin/application_settings/_pages.html.haml
+++ b/app/views/admin/application_settings/_pages.html.haml
@@ -5,16 +5,33 @@
    .form-group
      = f.label :max_pages_size, 'Maximum size of pages (MB)', class: 'label-bold'
      = f.number_field :max_pages_size, class: 'form-control'
-      .form-text.text-muted 0 for unlimited
+      .form-text.text-muted
+        = _("0 for unlimited")
    .form-group
      .form-check
        = f.check_box :pages_domain_verification_enabled, class: 'form-check-input'
        = f.label :pages_domain_verification_enabled, class: 'form-check-label' do
-          Require users to prove ownership of custom domains
+          = _("Require users to prove ownership of custom domains")
      .form-text.text-muted
-        Domain verification is an essential security measure for public GitLab
-        sites. Users are required to demonstrate they control a domain before
-        it is enabled
+        = _("Domain verification is an essential security measure for public GitLab sites. Users are required to demonstrate they control a domain before it is enabled")
        = link_to icon('question-circle'), help_page_path('user/project/pages/getting_started_part_three.md', anchor: 'dns-txt-record')
+    - if Feature.enabled?(:pages_auto_ssl)
+      %h5
+        = _("Configure Let's Encrypt")
+      %p
+        - lets_encrypt_link_start = '<a href="%{url}" target="_blank" rel="noopener noreferrer">'.html_safe % { url: "https://letsencrypt.org/" }
+        = _("%{lets_encrypt_link_start}Let's Encrypt%{lets_encrypt_link_end} is a free, automated, and open certificate authority (CA), that give digital certificates in order to enable HTTPS (SSL/TLS) for websites.").html_safe % { lets_encrypt_link_start: lets_encrypt_link_start, lets_encrypt_link_end: '</a>'.html_safe }
+      .form-group
+        = f.label :lets_encrypt_notification_email, _("Email"), class: 'label-bold'
+        = f.text_field :lets_encrypt_notification_email, class: 'form-control'
+        .form-text.text-muted
+          = _("A Let's Encrypt account will be configured for this GitLab installation using your email address. You will receive emails to warn of expiring certificates.")
+      .form-group
+        .form-check
+          = f.check_box :lets_encrypt_terms_of_service_accepted, class: 'form-check-input'
+          = f.label :lets_encrypt_terms_of_service_accepted, class: 'form-check-label' do
+            // Terms of Service should actually be a link, but the best way to get the url is using API
+            // So it will be done in later MR
+            = _("I have read and agree to the Let's Encrypt Terms of Service")

-  = f.submit 'Save changes', class: "btn btn-success"
+  = f.submit _('Save changes'), class: "btn btn-success"
--- a/db/migrate/20190320174702_add_lets_encrypt_notification_email_to_application_settings.rb
+++ b/db/migrate/20190320174702_add_lets_encrypt_notification_email_to_application_settings.rb
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLetsEncryptNotificationEmailToApplicationSettings < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  def change
+    add_column :application_settings, :lets_encrypt_notification_email, :string
+  end
+end
--- a/db/migrate/20190329085614_add_lets_encrypt_terms_of_service_accepted_to_application_settings.rb
+++ b/db/migrate/20190329085614_add_lets_encrypt_terms_of_service_accepted_to_application_settings.rb
+# frozen_string_literal: true
+
+# See http://doc.gitlab.com/ce/development/migration_style_guide.html
+# for more information on how to write migrations for GitLab.
+
+class AddLetsEncryptTermsOfServiceAcceptedToApplicationSettings < ActiveRecord::Migration[5.0]
+  include Gitlab::Database::MigrationHelpers
+
+  # Set this constant to true if this migration requires downtime.
+  DOWNTIME = false
+
+  disable_ddl_transaction!
+
+  def up
+    add_column_with_default(:application_settings, :lets_encrypt_terms_of_service_accepted, :boolean, default: false)
+  end
+
+  def down
+    remove_column :application_settings, :lets_encrypt_terms_of_service_accepted
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -187,6 +187,8 @@ ActiveRecord::Schema.define(version: 20190426180107) do
    t.string "encrypted_external_auth_client_key_iv"
    t.string "encrypted_external_auth_client_key_pass"
    t.string "encrypted_external_auth_client_key_pass_iv"
+    t.string "lets_encrypt_notification_email"
+    t.boolean "lets_encrypt_terms_of_service_accepted", default: false, null: false
    t.index ["usage_stats_set_by_user_id"], name: "index_application_settings_on_usage_stats_set_by_user_id", using: :btree
  end


--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -138,6 +138,9 @@ msgstr ""
 msgid "%{label_for_message} unavailable"
 msgstr ""

+msgid "%{lets_encrypt_link_start}Let's Encrypt%{lets_encrypt_link_end} is a free, automated, and open certificate authority (CA), that give digital certificates in order to enable HTTPS (SSL/TLS) for websites."
+msgstr ""
+
 msgid "%{level_name} is not allowed in a %{group_level_name} group."
 msgstr ""

@@ -245,6 +248,9 @@ msgstr ""
 msgid "- show less"
 msgstr ""

+msgid "0 for unlimited"
+msgstr ""
+
 msgid "1 %{type} addition"
 msgid_plural "%{count} %{type} additions"
 msgstr[0] ""
@@ -366,6 +372,9 @@ msgstr ""
 msgid "A Jekyll site that uses Netlify for CI/CD instead of GitLab, but still with all the other great GitLab features."
 msgstr ""

+msgid "A Let's Encrypt account will be configured for this GitLab installation using your email address. You will receive emails to warn of expiring certificates."
+msgstr ""
+
 msgid "A default branch cannot be chosen for an empty project."
 msgstr ""

@@ -2525,6 +2534,9 @@ msgstr ""
 msgid "Configure Gitaly timeouts."
 msgstr ""

+msgid "Configure Let's Encrypt"
+msgstr ""
+
 msgid "Configure automatic git checks and housekeeping on repositories."
 msgstr ""

@@ -3280,6 +3292,9 @@ msgstr ""
 msgid "Domain"
 msgstr ""

+msgid "Domain verification is an essential security measure for public GitLab sites. Users are required to demonstrate they control a domain before it is enabled"
+msgstr ""
+
 msgid "Don't show again"
 msgstr ""

@@ -4622,6 +4637,9 @@ msgstr ""
 msgid "I accept the|Terms of Service and Privacy Policy"
 msgstr ""

+msgid "I have read and agree to the Let's Encrypt Terms of Service"
+msgstr ""
+
 msgid "ID"
 msgstr ""

@@ -5311,6 +5329,9 @@ msgstr ""
 msgid "Leave the \"File type\" and \"Delivery method\" options on their default values."
 msgstr ""

+msgid "Let's Encrypt does not accept emails on example.com"
+msgstr ""
+
 msgid "Limited to showing %d event at most"
 msgid_plural "Limited to showing %d events at most"
 msgstr[0] ""
@@ -7626,6 +7647,9 @@ msgstr ""
 msgid "Require all users to accept Terms of Service and Privacy Policy when they access GitLab."
 msgstr ""

+msgid "Require users to prove ownership of custom domains"
+msgstr ""
+
 msgid "Resend invite"
 msgstr ""


--- a/spec/features/admin/admin_settings_spec.rb
+++ b/spec/features/admin/admin_settings_spec.rb
@@ -375,6 +375,37 @@ describe 'Admin updates settings' do
      expect(Gitlab::CurrentSettings.pages_domain_verification_enabled?).to be_truthy
      expect(page).to have_content "Application settings saved successfully"
    end
+
+    context 'When pages_auto_ssl is enabled' do
+      before do
+        stub_feature_flags(pages_auto_ssl: true)
+        visit preferences_admin_application_settings_path
+      end
+
+      it "Change Pages Let's Encrypt settings" do
+        page.within('.as-pages') do
+          fill_in 'Email', with: 'my@test.example.com'
+          check "I have read and agree to the Let's Encrypt Terms of Service"
+          click_button 'Save changes'
+        end
+
+        expect(Gitlab::CurrentSettings.lets_encrypt_notification_email).to eq 'my@test.example.com'
+        expect(Gitlab::CurrentSettings.lets_encrypt_terms_of_service_accepted).to eq true
+      end
+    end
+
+    context 'When pages_auto_ssl is disabled' do
+      before do
+        stub_feature_flags(pages_auto_ssl: false)
+        visit preferences_admin_application_settings_path
+      end
+
+      it "Doesn't show Let's Encrypt options" do
+        page.within('.as-pages') do
+          expect(page).not_to have_content('Email')
+        end
+      end
+    end
  end

  def check_all_events

--- a/spec/models/application_setting_spec.rb
+++ b/spec/models/application_setting_spec.rb
@@ -31,6 +31,20 @@ describe ApplicationSetting do
    it { is_expected.to allow_value("dev.gitlab.com").for(:commit_email_hostname) }
    it { is_expected.not_to allow_value("@dev.gitlab").for(:commit_email_hostname) }

+    it { is_expected.to allow_value("myemail@gitlab.com").for(:lets_encrypt_notification_email) }
+    it { is_expected.to allow_value(nil).for(:lets_encrypt_notification_email) }
+    it { is_expected.not_to allow_value("notanemail").for(:lets_encrypt_notification_email) }
+    it { is_expected.not_to allow_value("myemail@example.com").for(:lets_encrypt_notification_email) }
+    it { is_expected.to allow_value("myemail@test.example.com").for(:lets_encrypt_notification_email) }
+
+    context "when user accepted let's encrypt terms of service" do
+      before do
+        setting.update(lets_encrypt_terms_of_service_accepted: true)
+      end
+
+      it { is_expected.not_to allow_value(nil).for(:lets_encrypt_notification_email) }
+    end
+
    describe 'default_artifacts_expire_in' do
      it 'sets an error if it cannot parse' do
        setting.update(default_artifacts_expire_in: 'a')