Merge branch '195668-no-longer-accept-fingerprint-to-internal-authorized-keys' into 'master'

No longer accept fingerprints for /internal/authorized_keys See merge request gitlab-org/gitlab!63783

Merge branch '195668-no-longer-accept-fingerprint-to-internal-authorized-keys' into 'master'
No longer accept fingerprints for /internal/authorized_keys See merge request gitlab-org/gitlab!63783
b8008c9c · Robert Speicher · 8f0fce0e · afeaa2e7 · b8008c9c · b8008c9c
Commit b8008c9c authored Jun 11, 2021 by Robert Speicher
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 51 deletions

lib/api/internal/base.rb lib/api/internal/base.rb +4 -7

spec/requests/api/internal/base_spec.rb spec/requests/api/internal/base_spec.rb +9 -44

No files found.
--- a/lib/api/internal/base.rb
+++ b/lib/api/internal/base.rb
@@ -167,18 +167,15 @@ module API
        end

        #
-        # Get a ssh key using the fingerprint
+        # Check whether an SSH key is known to GitLab
        #
-        # rubocop: disable CodeReuse/ActiveRecord
        get '/authorized_keys', feature_category: :source_code_management do
-          fingerprint = params.fetch(:fingerprint) do
-            Gitlab::InsecureKeyFingerprint.new(params.fetch(:key)).fingerprint
-          end
-          key = Key.find_by(fingerprint: fingerprint)
+          fingerprint = Gitlab::InsecureKeyFingerprint.new(params.fetch(:key)).fingerprint
+
+          key = Key.find_by_fingerprint(fingerprint)
          not_found!('Key') if key.nil?
          present key, with: Entities::SSHKey
        end
-        # rubocop: enable CodeReuse/ActiveRecord

        #
        # Discover user by ssh key, user id or username

--- a/spec/requests/api/internal/base_spec.rb
+++ b/spec/requests/api/internal/base_spec.rb
@@ -341,9 +341,9 @@ RSpec.describe API::Internal::Base do
  end

  describe "GET /internal/authorized_keys" do
-    context "using an existing key's fingerprint" do
+    context "using an existing key" do
      it "finds the key" do
-        get(api('/internal/authorized_keys'), params: { fingerprint: key.fingerprint, secret_token: secret_token })
+        get(api('/internal/authorized_keys'), params: { key: key.key.split[1], secret_token: secret_token })

        expect(response).to have_gitlab_http_status(:ok)
        expect(json_response['id']).to eq(key.id)
@@ -351,58 +351,23 @@ RSpec.describe API::Internal::Base do
      end

      it 'exposes the comment of the key as a simple identifier of username + hostname' do
-        get(api('/internal/authorized_keys'), params: { fingerprint: key.fingerprint, secret_token: secret_token })
+        get(api('/internal/authorized_keys'), params: { key: key.key.split[1], secret_token: secret_token })

        expect(response).to have_gitlab_http_status(:ok)
        expect(json_response['key']).to include("#{key.user_name} (#{Gitlab.config.gitlab.host})")
      end
    end

-    context "non existing key's fingerprint" do
-      it "returns 404" do
-        get(api('/internal/authorized_keys'), params: { fingerprint: "no:t-:va:li:d0", secret_token: secret_token })
+    it "returns 404 with a partial key" do
+      get(api('/internal/authorized_keys'), params: { key: key.key.split[1][0...-3], secret_token: secret_token })

-        expect(response).to have_gitlab_http_status(:not_found)
-      end
+      expect(response).to have_gitlab_http_status(:not_found)
    end

-    context "using a partial fingerprint" do
-      it "returns 404" do
-        get(api('/internal/authorized_keys'), params: { fingerprint: "#{key.fingerprint[0..5]}%", secret_token: secret_token })
-
-        expect(response).to have_gitlab_http_status(:not_found)
-      end
-    end
-
-    context "sending the key" do
-      context "using an existing key" do
-        it "finds the key" do
-          get(api('/internal/authorized_keys'), params: { key: key.key.split[1], secret_token: secret_token })
-
-          expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response['id']).to eq(key.id)
-          expect(json_response['key'].split[1]).to eq(key.key.split[1])
-        end
-
-        it 'exposes the comment of the key as a simple identifier of username + hostname' do
-          get(api('/internal/authorized_keys'), params: { fingerprint: key.fingerprint, secret_token: secret_token })
+    it "returns 404 with an not valid base64 string" do
+      get(api('/internal/authorized_keys'), params: { key: "whatever!", secret_token: secret_token })

-          expect(response).to have_gitlab_http_status(:ok)
-          expect(json_response['key']).to include("#{key.user_name} (#{Gitlab.config.gitlab.host})")
-        end
-      end
-
-      it "returns 404 with a partial key" do
-        get(api('/internal/authorized_keys'), params: { key: key.key.split[1][0...-3], secret_token: secret_token })
-
-        expect(response).to have_gitlab_http_status(:not_found)
-      end
-
-      it "returns 404 with an not valid base64 string" do
-        get(api('/internal/authorized_keys'), params: { key: "whatever!", secret_token: secret_token })
-
-        expect(response).to have_gitlab_http_status(:not_found)
-      end
+      expect(response).to have_gitlab_http_status(:not_found)
    end
  end