Commit 47ab3dd0 authored by Alex Pooley's avatar Alex Pooley

Merge branch 'support_ecdsa-sk_and_ed25519-sk_ssh_keys' into 'master'

Support "ecdsa-sk" and "ed25519-sk" SSH keys

See merge request gitlab-org/gitlab!78934
parents 1bf766cd 782a634c
......@@ -234,7 +234,9 @@ module ApplicationSettingsHelper
:outbound_local_requests_allowlist_raw,
:dsa_key_restriction,
:ecdsa_key_restriction,
:ecdsa_sk_key_restriction,
:ed25519_key_restriction,
:ed25519_sk_key_restriction,
:eks_integration_enabled,
:eks_account_id,
:eks_access_key_id,
......
......@@ -69,7 +69,9 @@ module ApplicationSettingImplementation
domain_allowlist: Settings.gitlab['domain_allowlist'],
dsa_key_restriction: 0,
ecdsa_key_restriction: 0,
ecdsa_sk_key_restriction: 0,
ed25519_key_restriction: 0,
ed25519_sk_key_restriction: 0,
eks_access_key_id: nil,
eks_account_id: nil,
eks_integration_enabled: false,
......
# frozen_string_literal: true
class AddEcdsaSkAndEd25519SkKeyRestrictionsToApplicationSettings < Gitlab::Database::Migration[1.0]
enable_lock_retries!
def change
add_column :application_settings, :ecdsa_sk_key_restriction, :integer, default: 0, null: false
add_column :application_settings, :ed25519_sk_key_restriction, :integer, default: 0, null: false
end
end
787b1be4b69ef0eeb049ee6a3d7126dc75094b79fba18f469fffe78b16fce6a3
\ No newline at end of file
......@@ -10617,6 +10617,8 @@ CREATE TABLE application_settings (
runner_token_expiration_interval integer,
group_runner_token_expiration_interval integer,
project_runner_token_expiration_interval integer,
ecdsa_sk_key_restriction integer DEFAULT 0 NOT NULL,
ed25519_sk_key_restriction integer DEFAULT 0 NOT NULL,
CONSTRAINT app_settings_container_reg_cleanup_tags_max_list_size_positive CHECK ((container_registry_cleanup_tags_service_max_list_size >= 0)),
CONSTRAINT app_settings_dep_proxy_ttl_policies_worker_capacity_positive CHECK ((dependency_proxy_ttl_group_policy_worker_capacity >= 0)),
CONSTRAINT app_settings_ext_pipeline_validation_service_url_text_limit CHECK ((char_length(external_pipeline_validation_service_url) <= 255)),
......@@ -65,6 +65,8 @@ Example response:
"dsa_key_restriction": 0,
"ecdsa_key_restriction": 0,
"ed25519_key_restriction": 0,
"ecdsa_sk_key_restriction": 0,
"ed25519_sk_key_restriction": 0,
"first_day_of_week": 0,
"enforce_terms": true,
"terms": "Hello world!",
......@@ -166,6 +168,8 @@ Example response:
"dsa_key_restriction": 0,
"ecdsa_key_restriction": 0,
"ed25519_key_restriction": 0,
"ecdsa_sk_key_restriction": 0,
"ed25519_sk_key_restriction": 0,
"first_day_of_week": 0,
"enforce_terms": true,
"terms": "Hello world!",
......@@ -268,7 +272,9 @@ listed in the descriptions of the relevant settings.
| `domain_allowlist` | array of strings | no | Force people to use only corporate emails for sign-up. Default is `null`, meaning there is no restriction. |
| `dsa_key_restriction` | integer | no | The minimum allowed bit length of an uploaded DSA key. Default is `0` (no restriction). `-1` disables DSA keys. |
| `ecdsa_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA key. Default is `0` (no restriction). `-1` disables ECDSA keys. |
| `ecdsa_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ECDSA_SK key. Default is `0` (no restriction). `-1` disables ECDSA_SK keys. |
| `ed25519_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519 key. Default is `0` (no restriction). `-1` disables ED25519 keys. |
| `ed25519_sk_key_restriction` | integer | no | The minimum allowed curve size (in bits) of an uploaded ED25519_SK key. Default is `0` (no restriction). `-1` disables ED25519_SK keys. |
| `eks_access_key_id` | string | no | AWS IAM access key ID. |
| `eks_account_id` | string | no | Amazon account ID. |
| `eks_integration_enabled` | boolean | no | Enable integration with Amazon EKS. |
......
......@@ -172,7 +172,7 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
- `id_dsa`
- `.id_dsa`
- Private ed25519 SSH keys:
- Private ED25519 SSH keys:
- `/ssh/id_ed25519`
- `/.ssh/personal_ed25519`
......@@ -188,6 +188,22 @@ Files blocked by this rule are listed below. For a complete list of criteria, se
- `id_ecdsa`
- `.id_ecdsa`
- Private ECDSA_SK SSH keys (GitLab 14.8 and later):
- `/ssh/id_ecdsa_sk`
- `/.ssh/personal_ecdsa_sk`
- `/config/server_ecdsa_sk`
- `id_ecdsa_sk`
- `.id_ecdsa_sk`
- Private ED25519_SK SSH keys (GitLab 14.8 and later):
- `/ssh/id_ed25519_sk`
- `/.ssh/personal_ed25519_sk`
- `/config/server_ed25519_sk`
- `id_ed25519_sk`
- `.id_ed25519_sk`
- Any files ending with these suffixes:
- `*.pem`
......
......@@ -13,9 +13,9 @@ NIST). Some organizations deploying GitLab need to enforce minimum key
strength, either to satisfy internal security policy or for regulatory
compliance.
Similarly, certain standards groups recommend using RSA, ECDSA, or ED25519 over
the older DSA, and administrators may need to limit the allowed SSH key
algorithms.
Similarly, certain standards groups recommend using RSA, ECDSA, ED25519,
ECDSA_SK, or ED25519_SK over the older DSA, and administrators may need to
limit the allowed SSH key algorithms.
GitLab allows you to restrict the allowed SSH key technology as well as specify
the minimum key length for each technology:
......@@ -45,6 +45,8 @@ By default, the GitLab.com and self-managed settings for the
- DSA SSH keys are forbidden ([since GitLab 11.0](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys)).
- ECDSA SSH keys are allowed.
- ED25519 SSH keys are allowed.
- ECDSA_SK SSH keys are allowed (GitLab 14.8 and later).
- ED25519_SK SSH keys are allowed (GitLab 14.8 and later).
<!-- ## Troubleshooting
......
......@@ -116,8 +116,10 @@ reactivate 2FA from scratch if they want to use it again.
WARNING:
This feature might not be available to you. Check the **version history** note above for details.
Two-factor authentication can be enforced for Git over SSH operations. The one-time password (OTP)
verification can be done via a GitLab Shell command:
Two-factor authentication can be enforced for Git over SSH operations. However, we recommend using
[ED25519_SK](../ssh/index.md#ed25519_sk-ssh-keys) or [ECDSA_SK](../ssh/index.md#ecdsa_sk-ssh-keys) SSH keys instead.
The one-time password (OTP) verification can be done using a command:
```shell
ssh git@<hostname> 2fa_verify
......
......@@ -28,6 +28,8 @@ To view the version of SSH installed on your system, run `ssh -V`.
To communicate with GitLab, you can use the following SSH key types:
- [ED25519](#ed25519-ssh-keys)
- [ED25519_SK](#ed25519_sk-ssh-keys) (Available in GitLab 14.8 and later.)
- [ECDSA_SK](#ecdsa_sk-ssh-keys) (Available in GitLab 14.8 and later.)
- [RSA](#rsa-ssh-keys)
- DSA ([Deprecated](https://about.gitlab.com/releases/2018/06/22/gitlab-11-0-released/#support-for-dsa-ssh-keys) in GitLab 11.0.)
- ECDSA (As noted in [Practical Cryptography With Go](https://leanpub.com/gocrypto/read#leanpub-auto-ecdsa), the security issues related to DSA also apply to ECDSA.)
......@@ -42,6 +44,20 @@ suggests that [ED25519](https://ed25519.cr.yp.to/) keys are more secure and perf
OpenSSH 6.5 introduced ED25519 SSH keys in 2014 and they should be available on most
operating systems.
### ED25519_SK SSH keys
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
To use ED25519_SK SSH keys on GitLab, your local client and GitLab server
must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
### ECDSA_SK SSH keys
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/78934) in GitLab 14.8.
To use ECDSA_SK SSH keys on GitLab, your local client and GitLab server
must have [OpenSSH 8.2](https://www.openssh.com/releasenotes.html#8.2) or later installed.
### RSA SSH keys
Available documentation suggests that ED25519 is more secure than RSA.
......@@ -64,6 +80,8 @@ Before you create a key pair, see if a key pair already exists.
| Algorithm | Public key | Private key |
| --------- | ---------- | ----------- |
| ED25519 (preferred) | `id_ed25519.pub` | `id_ed25519` |
| ED25519_SK | `id_ed25519_sk.pub` | `id_ed25519_sk` |
| ECDSA_SK | `id_ecdsa_sk.pub` | `id_ecdsa_sk` |
| RSA (at least 2048-bit key size) | `id_rsa.pub` | `id_rsa` |
| DSA (deprecated) | `id_dsa.pub` | `id_dsa` |
| ECDSA | `id_ecdsa.pub` | `id_ecdsa` |
......@@ -177,6 +195,67 @@ OpenSSH format.
ssh-keygen -o -t rsa -b 4096 -C "<comment>"
```
## Generate an SSH key pair for a FIDO/U2F hardware security key
To generate ED25519_SK or ECDSA_SK SSH keys, you must use OpenSSH 8.2 or later.
1. Insert a hardware security key into your computer.
1. Open a terminal.
1. Type `ssh-keygen -t` followed by the key type and an optional comment.
This comment is included in the `.pub` file that's created.
You may want to use an email address for the comment.
For example, for ED25519_SK:
```shell
ssh-keygen -t ed25519-sk -C "<comment>"
```
For ECDSA_SK:
```shell
ssh-keygen -t ecdsa-sk -C "<comment>"
```
If your security key supports FIDO2 resident keys, you can enable this when
creating your SSH key:
```shell
ssh-keygen -t ed25519-sk -O resident -C "<comment>"
```
`-O resident` indicates that the key should be stored on the FIDO authenticator itself.
Resident key is easier to import to a new computer because it can be loaded directly
from the security key by [`ssh-add -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-add.1#K)
or [`ssh-keygen -K`](https://man.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man1/ssh-keygen#K).
1. Select Enter. Output similar to the following is displayed:
```plaintext
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
```
1. Touch the button on the hardware security key.
1. Accept the suggested filename and directory:
```plaintext
Enter file in which to save the key (/home/user/.ssh/id_ed25519_sk):
```
1. Specify a [passphrase](https://www.ssh.com/academy/ssh/passphrase):
```plaintext
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```
1. A confirmation is displayed, including information about where your files are stored.
A public and private key are generated.
[Add the public SSH key to your GitLab account](#add-an-ssh-key-to-your-gitlab-account).
## Add an SSH key to your GitLab account
To use SSH with GitLab, copy your public key to your GitLab account.
......@@ -210,7 +289,8 @@ To use SSH with GitLab, copy your public key to your GitLab account.
1. On the left sidebar, select **SSH Keys**.
1. In the **Key** box, paste the contents of your public key.
If you manually copied the key, make sure you copy the entire key,
which starts with `ssh-ed25519` or `ssh-rsa`, and may end with a comment.
which starts with `ssh-rsa`, `ssh-dss`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, `ecdsa-sha2-nistp521`,
`ssh-ed25519`, `sk-ecdsa-sha2-nistp256@openssh.com`, or `sk-ssh-ed25519@openssh.com`, and may end with a comment.
1. In the **Title** box, type a description, like `Work Laptop` or
`Home Workstation`.
1. Optional. In the **Expires at** box, select an expiration date. ([Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/36243) in GitLab 12.9.)
......@@ -318,7 +398,8 @@ on the files make them readable to you but not accessible to others.
## Configure two-factor authentication (2FA)
You can set up two-factor authentication (2FA) for
[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations).
[Git over SSH](../security/two_factor_authentication.md#2fa-for-git-over-ssh-operations). We recommend using
[ED25519_SK](#ed25519_sk-ssh-keys) or [ECDSA_SK](#ecdsa_sk-ssh-keys) SSH keys.
## Use EGit on Eclipse
......
......@@ -280,7 +280,7 @@ NOTE:
SSH clone URLs can be customized in `gitlab.rb` by setting `gitlab_rails['gitlab_ssh_host']` and
other related settings.
## Configure defaults for RSA, DSA, ECDSA, ED25519 SSH keys
## Configure defaults for RSA, DSA, ECDSA, ED25519, ECDSA_SK, ED25519_SK SSH keys
These options specify the permitted types and lengths for SSH keys.
......
......@@ -7,13 +7,15 @@
- aws\/credentials$
# RSA DSA ECSDA and ED25519 SSH keys
# RSA, DSA, ECSDA, ED25519, ECDSA_SK, ED25519_SK SSH keys
- (ssh|config)\/(personal|server)_(rsa|dsa|ed\d+|ecdsa)
- (ssh|config)\/(personal|server)_(rsa|dsa|ed25519|ecdsa|ecdsa_sk|ed25519_sk)
- id_rsa$
- id_dsa$
- id_ed25519$
- id_ecdsa$
- id_ecdsa_sk$
- id_ed25519_sk$
# privatekey.pem and secret.key
......
......@@ -10,7 +10,9 @@ module Gitlab
Technology.new(:rsa, SSHData::PublicKey::RSA, [1024, 2048, 3072, 4096], %w(ssh-rsa)),
Technology.new(:dsa, SSHData::PublicKey::DSA, [1024, 2048, 3072], %w(ssh-dss)),
Technology.new(:ecdsa, SSHData::PublicKey::ECDSA, [256, 384, 521], %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)),
Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519))
Technology.new(:ed25519, SSHData::PublicKey::ED25519, [256], %w(ssh-ed25519)),
Technology.new(:ecdsa_sk, SSHData::PublicKey::SKECDSA, [256], %w(sk-ecdsa-sha2-nistp256@openssh.com)),
Technology.new(:ed25519_sk, SSHData::PublicKey::SKED25519, [256], %w(sk-ssh-ed25519@openssh.com))
].freeze
def self.technology(name)
......@@ -98,6 +100,10 @@ module Gitlab
key.openssl.group.order.num_bits
when :ed25519
256
when :ecdsa_sk
256
when :ed25519_sk
256
end
end
......
......@@ -148,5 +148,24 @@ FactoryBot.define do
KEY
end
end
factory :ecdsa_sk_key_256 do
key do
<<~KEY.delete("\n")
sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyN
TZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBDZ+f5tSRhlB7EN39f93SscTN5PUv
bD3UQsNrlE1ZdbwPMMRul2zlPiUvwAvnJitW0jlD/vwZOW2YN+q+iZ5c0MAAAAEc3NoOg== dummy@gitlab.com
KEY
end
end
factory :ed25519_sk_key_256 do
key do
<<~KEY.delete("\n")
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tA
AAAIEX/dQ0v4127bEo8eeG1EV0ApO2lWbSnN6RWusn/NjqIAAAABHNzaDo= dummy@gitlab.com
KEY
end
end
end
end
......@@ -85,6 +85,8 @@ RSpec.describe 'Admin updates settings' do
select 'Are allowed', from: 'DSA SSH keys'
select 'Must be at least 384 bits', from: 'ECDSA SSH keys'
select 'Are forbidden', from: 'ED25519 SSH keys'
select 'Are forbidden', from: 'ECDSA_SK SSH keys'
select 'Are forbidden', from: 'ED25519_SK SSH keys'
click_on 'Save changes'
end
......@@ -95,6 +97,8 @@ RSpec.describe 'Admin updates settings' do
expect(find_field('DSA SSH keys').value).to eq('0')
expect(find_field('ECDSA SSH keys').value).to eq('384')
expect(find_field('ED25519 SSH keys').value).to eq(forbidden)
expect(find_field('ECDSA_SK SSH keys').value).to eq(forbidden)
expect(find_field('ED25519_SK SSH keys').value).to eq(forbidden)
end
it 'change Account and Limit Settings' do
......
......@@ -49,7 +49,12 @@ RSpec.describe 'Profile > SSH Keys' do
context 'when only DSA and ECDSA keys are allowed' do
before do
forbidden = ApplicationSetting::FORBIDDEN_KEY_VALUE
stub_application_setting(rsa_key_restriction: forbidden, ed25519_key_restriction: forbidden)
stub_application_setting(
rsa_key_restriction: forbidden,
ed25519_key_restriction: forbidden,
ecdsa_sk_key_restriction: forbidden,
ed25519_sk_key_restriction: forbidden
)
end
it 'shows a validation error' do
......
......@@ -17,9 +17,9 @@ RSpec.describe SshKeysHelper do
end
it 'returns only allowed algorithms' do
expect(ssh_key_allowed_algorithms).to match('ed25519')
stub_application_setting(ed25519_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE)
expect(ssh_key_allowed_algorithms).not_to match('ed25519')
expect(ssh_key_allowed_algorithms).to match('rsa')
stub_application_setting(rsa_key_restriction: ApplicationSetting::FORBIDDEN_KEY_VALUE)
expect(ssh_key_allowed_algorithms).not_to match('rsa')
end
end
end
......@@ -12,7 +12,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
end
where(:name) do
[:rsa, :dsa, :ecdsa, :ed25519]
[:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
end
with_them do
......@@ -24,7 +24,7 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
describe '.supported_types' do
it 'returns array with the names of supported technologies' do
expect(described_class.supported_types).to eq(
[:rsa, :dsa, :ecdsa, :ed25519]
[:rsa, :dsa, :ecdsa, :ed25519, :ecdsa_sk, :ed25519_sk]
)
end
end
......@@ -35,7 +35,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa, [1024, 2048, 3072, 4096]],
[:dsa, [1024, 2048, 3072]],
[:ecdsa, [256, 384, 521]],
[:ed25519, [256]]
[:ed25519, [256]],
[:ecdsa_sk, [256]],
[:ed25519_sk, [256]]
]
end
......@@ -53,6 +55,8 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
ssh-dss
ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521
ssh-ed25519
sk-ecdsa-sha2-nistp256@openssh.com
sk-ssh-ed25519@openssh.com
)
)
end
......@@ -64,7 +68,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa, %w(ssh-rsa)],
[:dsa, %w(ssh-dss)],
[:ecdsa, %w(ecdsa-sha2-nistp256 ecdsa-sha2-nistp384 ecdsa-sha2-nistp521)],
[:ed25519, %w(ssh-ed25519)]
[:ed25519, %w(ssh-ed25519)],
[:ecdsa_sk, %w(sk-ecdsa-sha2-nistp256@openssh.com)],
[:ed25519_sk, %w(sk-ssh-ed25519@openssh.com)]
]
end
......@@ -122,7 +128,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
rsa_key_8192
dsa_key_2048
ecdsa_key_256
ed25519_key_256)
ed25519_key_256
ecdsa_sk_key_256
ed25519_sk_key_256)
end
with_them do
......@@ -201,7 +209,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_2048, :rsa],
[:dsa_key_2048, :dsa],
[:ecdsa_key_256, :ecdsa],
[:ed25519_key_256, :ed25519]
[:ed25519_key_256, :ed25519],
[:ecdsa_sk_key_256, :ecdsa_sk],
[:ed25519_sk_key_256, :ed25519_sk]
]
end
......@@ -231,7 +241,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_8192, 8192],
[:dsa_key_2048, 2048],
[:ecdsa_key_256, 256],
[:ed25519_key_256, 256]
[:ed25519_key_256, 256],
[:ecdsa_sk_key_256, 256],
[:ed25519_sk_key_256, 256]
]
end
......@@ -261,7 +273,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_8192, 'fb:53:7f:e9:2f:f7:17:aa:c8:32:52:06:8e:05:e2:82'],
[:dsa_key_2048, 'c8:85:1e:df:44:0f:20:00:3c:66:57:2b:21:10:5a:27'],
[:ecdsa_key_256, '67:a3:a9:7d:b8:e1:15:d4:80:40:21:34:bb:ed:97:38'],
[:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73']
[:ed25519_key_256, 'e6:eb:45:8a:3c:59:35:5f:e9:5b:80:12:be:7e:22:73'],
[:ecdsa_sk_key_256, '56:b9:bc:99:3d:2f:cf:63:6b:70:d8:f9:40:7e:09:4c'],
[:ed25519_sk_key_256, 'f9:a0:64:0b:4b:72:72:0e:62:92:d7:04:14:74:1c:c9']
]
end
......@@ -289,7 +303,9 @@ RSpec.describe Gitlab::SSHPublicKey, lib: true do
[:rsa_key_8192, 'SHA256:CtHFQAS+9Hb8z4vrv4gVQPsHjNN0WIZhWODaB1mQLs4'],
[:dsa_key_2048, 'SHA256:+a3DQ7cU5GM+gaYOfmc0VWNnykHQSuth3VRcCpWuYNI'],
[:ecdsa_key_256, 'SHA256:C+I5k3D+IGeM6k5iBR1ZsphqTKV+7uvL/XZ5hcrTr7g'],
[:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0']
[:ed25519_key_256, 'SHA256:DCKAjzxWrdOTjaGKBBjtCW8qY5++GaiAJflrHPmp6W0'],
[:ecdsa_sk_key_256, 'SHA256:N0sNKBgWKK8usPuPegtgzHQQA9vQ/dRhAEhwFDAnLA4'],
[:ed25519_sk_key_256, 'SHA256:U8IKRkIHed6vFMTflwweA3HhIf2DWgZ8EFTm9fgwOUk']
]
end
......
......@@ -20,6 +20,8 @@ RSpec.describe Key, :mailer do
it { is_expected.to allow_value(attributes_for(:dsa_key_2048)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ecdsa_key_256)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ed25519_key_256)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ecdsa_sk_key_256)[:key]).for(:key) }
it { is_expected.to allow_value(attributes_for(:ed25519_sk_key_256)[:key]).for(:key) }
it { is_expected.not_to allow_value('foo-bar').for(:key) }
context 'key format' do
......@@ -191,6 +193,8 @@ RSpec.describe Key, :mailer do
[:dsa_key_2048, 0, true],
[:ecdsa_key_256, 0, true],
[:ed25519_key_256, 0, true],
[:ecdsa_sk_key_256, 0, true],
[:ed25519_sk_key_256, 0, true],
[:rsa_key_2048, 1024, true],
[:rsa_key_2048, 2048, true],
......@@ -206,10 +210,18 @@ RSpec.describe Key, :mailer do
[:ed25519_key_256, 256, true],
[:ed25519_key_256, 384, false],
[:ecdsa_sk_key_256, 256, true],
[:ecdsa_sk_key_256, 384, false],
[:ed25519_sk_key_256, 256, true],
[:ed25519_sk_key_256, 384, false],
[:rsa_key_2048, forbidden, false],
[:dsa_key_2048, forbidden, false],
[:ecdsa_key_256, forbidden, false],
[:ed25519_key_256, forbidden, false]
[:ed25519_key_256, forbidden, false],
[:ecdsa_sk_key_256, forbidden, false],
[:ed25519_sk_key_256, forbidden, false]
]
end
......
......@@ -32,6 +32,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
expect(json_response['dsa_key_restriction']).to eq(0)
expect(json_response['ecdsa_key_restriction']).to eq(0)
expect(json_response['ed25519_key_restriction']).to eq(0)
expect(json_response['ecdsa_sk_key_restriction']).to eq(0)
expect(json_response['ed25519_sk_key_restriction']).to eq(0)
expect(json_response['performance_bar_allowed_group_id']).to be_nil
expect(json_response['allow_local_requests_from_hooks_and_services']).to be(false)
expect(json_response['allow_local_requests_from_web_hooks_and_services']).to be(false)
......@@ -111,6 +113,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
dsa_key_restriction: 2048,
ecdsa_key_restriction: 384,
ed25519_key_restriction: 256,
ecdsa_sk_key_restriction: 256,
ed25519_sk_key_restriction: 256,
enforce_terms: true,
terms: 'Hello world!',
performance_bar_allowed_group_path: group.full_path,
......@@ -163,6 +167,8 @@ RSpec.describe API::Settings, 'Settings', :do_not_mock_admin_mode_setting do
expect(json_response['dsa_key_restriction']).to eq(2048)
expect(json_response['ecdsa_key_restriction']).to eq(384)
expect(json_response['ed25519_key_restriction']).to eq(256)
expect(json_response['ecdsa_sk_key_restriction']).to eq(256)
expect(json_response['ed25519_sk_key_restriction']).to eq(256)
expect(json_response['enforce_terms']).to be(true)
expect(json_response['terms']).to eq('Hello world!')
expect(json_response['performance_bar_allowed_group_id']).to eq(group.id)
......
......@@ -90,8 +90,8 @@ RSpec.describe 'profiles/keys/_key.html.haml' do
using RSpec::Parameterized::TableSyntax
where(:valid, :expiry, :result) do
false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519'
false | 2.days.ago | 'Key type is forbidden. Must be DSA, ECDSA, or ED25519'
false | 2.days.from_now | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
false | 2.days.ago | 'Key type is forbidden. Must be DSA, ECDSA, ED25519, ECDSA_SK, or ED25519_SK'
true | 2.days.ago | 'Key usable beyond expiration date.'
true | 2.days.from_now | ''
end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment