Commit b8008c9c authored by Robert Speicher's avatar Robert Speicher

Merge branch '195668-no-longer-accept-fingerprint-to-internal-authorized-keys' into 'master'

No longer accept fingerprints for /internal/authorized_keys

See merge request gitlab-org/gitlab!63783
parents 8f0fce0e afeaa2e7
...@@ -167,18 +167,15 @@ module API ...@@ -167,18 +167,15 @@ module API
end end
# #
# Get a ssh key using the fingerprint # Check whether an SSH key is known to GitLab
# #
# rubocop: disable CodeReuse/ActiveRecord
get '/authorized_keys', feature_category: :source_code_management do get '/authorized_keys', feature_category: :source_code_management do
fingerprint = params.fetch(:fingerprint) do fingerprint = Gitlab::InsecureKeyFingerprint.new(params.fetch(:key)).fingerprint
Gitlab::InsecureKeyFingerprint.new(params.fetch(:key)).fingerprint
end key = Key.find_by_fingerprint(fingerprint)
key = Key.find_by(fingerprint: fingerprint)
not_found!('Key') if key.nil? not_found!('Key') if key.nil?
present key, with: Entities::SSHKey present key, with: Entities::SSHKey
end end
# rubocop: enable CodeReuse/ActiveRecord
# #
# Discover user by ssh key, user id or username # Discover user by ssh key, user id or username
......
...@@ -341,9 +341,9 @@ RSpec.describe API::Internal::Base do ...@@ -341,9 +341,9 @@ RSpec.describe API::Internal::Base do
end end
describe "GET /internal/authorized_keys" do describe "GET /internal/authorized_keys" do
context "using an existing key's fingerprint" do context "using an existing key" do
it "finds the key" do it "finds the key" do
get(api('/internal/authorized_keys'), params: { fingerprint: key.fingerprint, secret_token: secret_token }) get(api('/internal/authorized_keys'), params: { key: key.key.split[1], secret_token: secret_token })
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['id']).to eq(key.id) expect(json_response['id']).to eq(key.id)
...@@ -351,58 +351,23 @@ RSpec.describe API::Internal::Base do ...@@ -351,58 +351,23 @@ RSpec.describe API::Internal::Base do
end end
it 'exposes the comment of the key as a simple identifier of username + hostname' do it 'exposes the comment of the key as a simple identifier of username + hostname' do
get(api('/internal/authorized_keys'), params: { fingerprint: key.fingerprint, secret_token: secret_token }) get(api('/internal/authorized_keys'), params: { key: key.key.split[1], secret_token: secret_token })
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:ok)
expect(json_response['key']).to include("#{key.user_name} (#{Gitlab.config.gitlab.host})") expect(json_response['key']).to include("#{key.user_name} (#{Gitlab.config.gitlab.host})")
end end
end end
context "non existing key's fingerprint" do it "returns 404 with a partial key" do
it "returns 404" do get(api('/internal/authorized_keys'), params: { key: key.key.split[1][0...-3], secret_token: secret_token })
get(api('/internal/authorized_keys'), params: { fingerprint: "no:t-:va:li:d0", secret_token: secret_token })
expect(response).to have_gitlab_http_status(:not_found) expect(response).to have_gitlab_http_status(:not_found)
end
end end
context "using a partial fingerprint" do it "returns 404 with an not valid base64 string" do
it "returns 404" do get(api('/internal/authorized_keys'), params: { key: "whatever!", secret_token: secret_token })
get(api('/internal/authorized_keys'), params: { fingerprint: "#{key.fingerprint[0..5]}%", secret_token: secret_token })
expect(response).to have_gitlab_http_status(:not_found)
end
end
context "sending the key" do
context "using an existing key" do
it "finds the key" do
get(api('/internal/authorized_keys'), params: { key: key.key.split[1], secret_token: secret_token })
expect(response).to have_gitlab_http_status(:ok)
expect(json_response['id']).to eq(key.id)
expect(json_response['key'].split[1]).to eq(key.key.split[1])
end
it 'exposes the comment of the key as a simple identifier of username + hostname' do
get(api('/internal/authorized_keys'), params: { fingerprint: key.fingerprint, secret_token: secret_token })
expect(response).to have_gitlab_http_status(:ok) expect(response).to have_gitlab_http_status(:not_found)
expect(json_response['key']).to include("#{key.user_name} (#{Gitlab.config.gitlab.host})")
end
end
it "returns 404 with a partial key" do
get(api('/internal/authorized_keys'), params: { key: key.key.split[1][0...-3], secret_token: secret_token })
expect(response).to have_gitlab_http_status(:not_found)
end
it "returns 404 with an not valid base64 string" do
get(api('/internal/authorized_keys'), params: { key: "whatever!", secret_token: secret_token })
expect(response).to have_gitlab_http_status(:not_found)
end
end end
end end
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment