app/validators/ssh_key_validator.rb


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

# frozen_string_literal: true

# SshKeyValidator
#
# Custom validator for SSH keys.
#
#   class Project < ActiveRecord::Base
#     validates :key, ssh_key: true
#   end
#
class SshKeyValidator < ActiveModel::EachValidator # rubocop:disable Gitlab/NamespacedClass -- Allow setting ssh_key by convention
  def validate_each(record, attribute, value)
    public_key = Gitlab::SSHPublicKey.new(value)

    restriction = Gitlab::CurrentSettings.key_restriction_for(public_key.type)

    if restriction == ApplicationSetting::FORBIDDEN_KEY_VALUE
      record.errors.add(attribute, forbidden_key_type_message)
    elsif public_key.bits < restriction
      record.errors.add(attribute, "must be at least #{restriction} bits")
    end
  end

  private

  def forbidden_key_type_message
    allowed_types = Gitlab::CurrentSettings.allowed_key_types.map(&:upcase)

    "type is forbidden. Must be #{Gitlab::Sentence.to_exclusive_sentence(allowed_types)}"
  end
end