diff options
| author | Nick Thomas <nick@gitlab.com> | 2017-08-25 16:08:48 +0300 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2017-08-30 22:50:44 +0300 |
| commit | 6847060266792471c9c14518a5106e0f622cd6c5 (patch) | |
| tree | 291238748abd929e77aaf462b8833bd336e39f5d /app/helpers/application_settings_helper.rb | |
| parent | b49b7bc147955df6589b13942d0437a3b4518c7b (diff) | |
Rework the permissions model for SSH key restrictions
`allowed_key_types` is removed and the `minimum_<type>_bits` fields are
renamed to `<tech>_key_restriction`. A special sentinel value (`-1`) signifies
that the key type is disabled.
This also feeds through to the UI - checkboxes per key type are out, inline
selection of "forbidden" and "allowed" (i.e., no restrictions) are in.
As with the previous model, unknown key types are disallowed, even if the
underlying ssh daemon happens to support them. The defaults have also been
changed from the lowest known bit size to "no restriction". So if someone
does happen to have a 768-bit RSA key, it will continue to work on upgrade, at
least until the administrator restricts them.
Diffstat (limited to 'app/helpers/application_settings_helper.rb')
| -rw-r--r-- | app/helpers/application_settings_helper.rb | 28 |
1 files changed, 13 insertions, 15 deletions
diff --git a/app/helpers/application_settings_helper.rb b/app/helpers/application_settings_helper.rb index 75d090359d0..0c74d464601 100644 --- a/app/helpers/application_settings_helper.rb +++ b/app/helpers/application_settings_helper.rb @@ -81,18 +81,16 @@ module ApplicationSettingsHelper end end - def allowed_key_types_checkboxes(help_block_id) - Gitlab::SSHPublicKey.technology_names.map do |type| - checked = current_application_settings.allowed_key_types.include?(type) - checkbox_id = "allowed_key_types-#{type}" - - label_tag(checkbox_id, class: checked ? 'active' : nil) do - check_box_tag('application_setting[allowed_key_types][]', type, checked, - autocomplete: 'off', - 'aria-describedby' => help_block_id, - id: checkbox_id) + type.upcase - end + def key_restriction_options_for_select(type) + bit_size_options = Gitlab::SSHPublicKey.supported_sizes(type).map do |bits| + ["Must be at least #{bits} bits", bits] end + + [ + ['Are allowed', 0], + *bit_size_options, + ['Are forbidden', ApplicationSetting::FORBIDDEN_KEY_VALUE] + ] end def repository_storages_options_for_select @@ -127,6 +125,9 @@ module ApplicationSettingsHelper :domain_blacklist_enabled, :domain_blacklist_raw, :domain_whitelist_raw, + :dsa_key_restriction, + :ecdsa_key_restriction, + :ed25519_key_restriction, :email_author_in_body, :enabled_git_access_protocol, :gravatar_enabled, @@ -155,10 +156,6 @@ module ApplicationSettingsHelper :metrics_port, :metrics_sample_interval, :metrics_timeout, - :minimum_dsa_bits, - :minimum_ecdsa_bits, - :minimum_ed25519_bits, - :minimum_rsa_bits, :password_authentication_enabled, :performance_bar_allowed_group_id, :performance_bar_enabled, @@ -174,6 +171,7 @@ module ApplicationSettingsHelper :repository_storages, :require_two_factor_authentication, :restricted_visibility_levels, + :rsa_key_restriction, :send_user_confirmation_email, :sentry_dsn, :sentry_enabled, |